What is 'Personally Identifiable Information (PII)'

Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g. passport information) that can identify a person uniquely, or quasi-identifiers (e.g. race) that can be combined with other quasi-identifiers (e.g. date of birth) to successfully recognize an individual.

BREAKING DOWN 'Personally Identifiable Information (PII)'

Nascent technology platforms have changed the way businesses operate, governments legislate and individuals relate. With digital tools like cell phones, the internet, e-commerce, and social media, there has been an explosion in the supply of data of all kinds. Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers. However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. This has raised concerns over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.

Sensitive vs. Non-Sensitive PII

Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes data such as full name, Social Security Number (SSN), driver’s license, mailing address, credit card information, passport information and financial information. This is by no means an exhaustive list of what makes up PII. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII so that it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.

Non-sensitive or indirect PII is easily accessible from sources like phonebooks, the internet and corporate directories. Zip code, race, gender and date of birth are all quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity. Non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.
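The following is an added example, not part of the original article, showing how a data owner can measure the linkability described above before sharing a data set: it drops the direct identifiers, then computes k-anonymity (the smallest number of records sharing one combination of quasi-identifiers) before and after coarsening zip code and date of birth. The records, field names and generalization rule are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (no real people; SSNs are placeholders).
RECORDS = [
    {"name": "A. Example", "ssn": "000-00-0001", "zip": "02138", "gender": "F", "dob": "1975-03-14", "plan": "auto"},
    {"name": "B. Example", "ssn": "000-00-0002", "zip": "02139", "gender": "F", "dob": "1975-11-02", "plan": "home"},
    {"name": "C. Example", "ssn": "000-00-0003", "zip": "02141", "gender": "F", "dob": "1975-07-30", "plan": "auto"},
    {"name": "D. Example", "ssn": "000-00-0004", "zip": "02138", "gender": "M", "dob": "1982-01-09", "plan": "life"},
    {"name": "E. Example", "ssn": "000-00-0005", "zip": "02139", "gender": "M", "dob": "1982-06-21", "plan": "auto"},
    {"name": "F. Example", "ssn": "000-00-0006", "zip": "02142", "gender": "M", "dob": "1982-12-05", "plan": "home"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")          # identify a person on their own
QUASI_IDENTIFIERS = ("zip", "gender", "dob")  # identify only in combination

def mask_direct(records):
    """Drop direct identifiers, as a data sharer would before release."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit zip prefix, birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out

def group_sizes(records):
    """Count the records that share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)

def k_anonymity(records):
    """Smallest group size; k == 1 means at least one person is unique."""
    return min(group_sizes(records).values())

def unique_fraction(records):
    """Share of records whose quasi-identifier combination is unique."""
    sizes = group_sizes(records)
    unique = sum(1 for r in records
                 if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] == 1)
    return unique / len(records)

if __name__ == "__main__":
    masked = mask_direct(RECORDS)
    coarse = [generalize(r) for r in masked]
    for label, data in (("masked only", masked), ("generalized", coarse)):
        print(f"{label}: k={k_anonymity(data)}, unique={unique_fraction(data):.0%}")
```

Masking name and SSN alone leaves every constructed record unique on zip code, gender and date of birth; only after generalization does each record share its combination with others.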

Safeguarding PII

Several data protection laws have been adopted by various countries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that some sensitive information need not be collected except in extreme situations; that data should be deleted if it is no longer needed for its stated purpose; and that personal information should not be shared with sources that cannot guarantee its protection.

Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015 the IRS suffered a data breach leading to the theft of more than a hundred thousand taxpayers’ PII. Using quasi-information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions whose answers should have been known only to the taxpayers.

PII Around the World

The definition of what comprises PII differs depending on which part of the world you're in. In the United States, the government defined "personally identifiable" in 2007 as anything that can "be used to distinguish or trace an individual's identity" such as name, SSN or biometric information, either alone or with other identifiers such as date of birth or place of birth.

In the EU, the definition expands to include quasi-identifiers. These data sets will become subject to the General Data Protection Regulation (GDPR) that comes into effect in May 2018. 
