PII, or personally identifiable information, is data that can be used to identify an individual. PII can be a single data element, such as a Social Security number, or a combination of elements, such as a birthdate together with a first and last name. It includes direct identifiers such as name, work or personal email address, home address, and phone number, as well as attributes such as gender, race, ethnicity, and medical data, and it extends to photographs, geolocation data, medical records, and log-in credentials.
Examples
- Full name
- Home address
- Social Security, driver’s license, or passport numbers
- Financial account numbers
- Fingerprints and other biometric identifiers, such as retinal scans or voice signatures
- Social media information, including photographs
- Birthdates
- Emails
- Phone numbers
- Gender, race, ethnicity, religion
- Medical information
- Geolocations
- Log-in credentials (usernames and passwords)
- Mother’s maiden name
- Employment information
- Security clearance information
- Marital status
What are the types of PII?
Personally identifiable information typically includes any information that relates to an individual’s identity. Definitions differ slightly between the United States and the European Union.
United States—Sensitive PII
Within the United States, personally identifiable information is often further classified by the level of harm its exposure could cause the individual. Information in the higher tier is known as ‘sensitive PII.’ The U.S. Department of Homeland Security (DHS) defines sensitive PII as “Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.” Sensitive PII can be a standalone data element, such as a Social Security number, or a combination of elements that are harmless on their own, such as a name, date of birth, place of birth, and mother’s maiden name.
Examples of Standalone Sensitive PII (source: Department of Homeland Security)
- Social Security Numbers
- Driver’s license or state ID numbers
- Passport numbers
- Alien Registration numbers
- Financial account numbers
- Biometric identifiers
Examples of Sensitive PII When Combined with Another Identifier, Such as a Name (source: Department of Homeland Security)
- Citizenship or immigration status
- Medical information
- Ethnic or religious affiliation
- Personal email, address, and name
- Account passwords
- Last 4 digits of an SSN
- Date of birth
- Mother’s maiden name
- Criminal history
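The standalone versus in-combination distinction above is exactly the rule a data-loss-prevention check or logging filter has to apply before a record is written. The following Python is an added example, not code from DHS or from this page: it flags a record as sensitive PII when it carries a validated standalone element, or when two or more in-combination elements appear together, and it masks the contributing fields before the record is logged. The field names (`ssn`, `card_number`, `mothers_maiden_name`, and so on), the two-element threshold for combinations, and the choice of validators (SSN area/group/serial rules, Luhn for payment card numbers) are assumptions made for the example; Luhn applies to payment cards, not to bank account numbers, and driver's license and passport numbers are accepted on presence alone because their formats vary.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed example. Field names and thresholds are assumptions, not DHS rules.

# SSN: area not 000/666/9xx, group not 00, serial not 0000; hyphens optional.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")


def luhn_ok(number: str) -> bool:
    """Luhn check for payment card numbers (spaces/dashes ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 8 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # i == 0 is the check digit
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def present(value: str) -> bool:
    return bool(value and value.strip())


# Standalone sensitive PII: each element is sensitive on its own (DHS list).
STANDALONE = {
    "ssn": lambda v: bool(SSN_RE.match(v.strip())),
    "card_number": luhn_ok,          # financial account number (payment card)
    "drivers_license": present,      # format varies by state; presence only
    "passport": present,
    "alien_registration": present,
    "biometric": present,
}

# Sensitive only in combination with another identifier (DHS list).
COMBINATION = (
    "name", "email", "address", "dob", "mothers_maiden_name", "ssn_last4",
    "password", "medical", "citizenship", "ethnicity_or_religion",
    "criminal_history",
)

COMBINATION_THRESHOLD = 2  # assumption: two or more elements together


@dataclass
class Finding:
    sensitive: bool
    reasons: list[str]
    fields: list[str]


def classify(record: dict[str, str]) -> Finding:
    reasons: list[str] = []
    fields: list[str] = []
    for name, validator in STANDALONE.items():
        value = record.get(name, "")
        if present(value) and validator(value):
            reasons.append(f"standalone:{name}")
            fields.append(name)
    combo = [f for f in COMBINATION if present(record.get(f, ""))]
    if len(combo) >= COMBINATION_THRESHOLD:
        reasons.append("combination:" + "+".join(combo))
        fields.extend(combo)
    return Finding(sensitive=bool(reasons), reasons=reasons, fields=fields)


def redact(record: dict[str, str]) -> dict[str, str]:
    """Return a copy safe to log: every field that made the record sensitive is masked."""
    finding = classify(record)
    return {k: ("[REDACTED]" if k in finding.fields else v) for k, v in record.items()}


if __name__ == "__main__":
    # Constructed sample records.
    samples = [
        {"name": "Jane Doe", "ssn": "123-45-6789"},          # standalone SSN
        {"name": "Jane Doe", "email": "jane@example.com"},   # name + personal email
        {"name": "Jane Doe"},                                # name alone: PII, not sensitive
        {"card_number": "4111 1111 1111 1111"},              # Luhn-valid card number
        {"ssn": "000-12-3456"},                              # invalid SSN area, not flagged
    ]
    for rec in samples:
        print(classify(rec).reasons, redact(rec))
```

The invalid-SSN case is deliberate: rejecting values that cannot be real SSNs keeps placeholder and test data from being flagged, which is the main source of noise in a scanner like this. The combination threshold is the knob to tune; DHS treats any of the listed elements as sensitive once paired with a name or other identifier, so a stricter deployment would count a single combination element together with a name.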
Personal Data (European Union)
The European Union’s General Data Protection Regulation (GDPR) defines personal data as “…any information relating to an identified or identifiable natural person (‘data subject’).” Under the GDPR, information such as a person’s job, hair color, or political opinion can be personal data if it relates to an identifiable person. The GDPR further singles out “special categories of personal data” (often called sensitive data), which may be processed only under the narrower conditions of Article 9.
Examples of Personal Data (source: GDPR)
- Name and surname
- Email address
- Phone number
- Home address
- Date of birth
- Race
- Gender
- Political opinions
- Credit card numbers
- Data held by a hospital or doctor
- Photograph where an individual is identifiable
- Identification card number
- A cookie ID
- Internet Protocol (IP) address
- Location data (for example, the location data from a mobile phone)
- The advertising identifier of a phone
Examples of Special Category (Sensitive) Data (source: GDPR, Article 9)
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data processed to uniquely identify a person
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
How is stolen personal data used?
Cybercriminals steal PII primarily to monetize it. Credit card data has been reported to sell on the dark web for $50 to $1,000 per card, depending on the credit limit, while passport numbers, Social Security numbers, and driver’s license numbers range from a few dollars for an SSN to several thousand dollars for passport information. Buyers then use the data for identity theft (opening accounts or filing fraudulent claims in the victim’s name), account takeover, and more convincing phishing and social-engineering attacks; bundles that combine several elements, such as name, date of birth, and SSN, command higher prices than any single element because together they are enough to impersonate the victim.
How do businesses protect personally identifiable information (PII)?
Businesses can protect the PII that passes through their systems with the following best practices:
Regularly scan the client side: conduct regular deep-dive scans of client-side applications and scripts to reveal intrusions, behavioral anomalies, and unknown threats before they can capture the PII users enter in the browser.