
PII

Stands for personally identifiable information: information that, used alone or together with other relevant data, can identify an individual. PII may be a direct identifier (e.g., a passport number) that identifies a person uniquely, or a quasi-identifier (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to single out an individual.

PII vs. PHI

Protected health information (PHI) is the subset of PII that healthcare organizations must handle under specific legal rules. In the United States those rules come from HIPAA, and they cover medical records, billing information, insurance claims, and any other information about a person's physical or mental health, together with the identifiers that tie it to that person. Healthcare organizations covered by HIPAA may not sell PHI to third parties without the patient's authorization, and they are obligated to protect the patient's privacy.

Why does PII need to be secured?

Protecting PII is essential for personal privacy, data protection, and information security. With just a few pieces of an individual's personal information, criminals can open accounts in the person's name, incur debt, obtain a forged passport, or sell the identity to another criminal.

Who is responsible for safeguarding PII?

From a legal perspective, the organization that collects or processes PII is responsible for protecting it. Individuals should also take some responsibility for protecting their own personal information.

What is a Data Privacy Framework?

A data privacy framework sets out how an organization protects people's information and tells those people what the organization is doing with their personal data. It includes policies and procedures for handling sensitive personal information, and those policies and procedures must be made available to employees and customers.

Creating a data privacy framework for your organization

A data privacy framework is a documentation structure that helps organizations protect sensitive data, including payment card numbers, personal information, and confidential business data such as intellectual property. Several established frameworks exist; an organization typically adopts one and adapts it to the data it holds and the regulations it is subject to.

Types of PII

Personal information is commonly divided into three categories: personally identifiable information (PII) as the umbrella term, and within it sensitive personal information (SPI) and non-sensitive personal information (NSPI), depending on the harm its disclosure would cause.

Sensitive vs. Nonsensitive PII

PII is information about you that can be used to identify who you are. It includes your name, address, Social Security number, driver's license number, credit card numbers, bank account numbers, passport numbers, medical record numbers, and similar data. Some of it is also considered "sensitive" because its release could cause you harm.

Sensitive personal information should be encrypted in transit and at rest, and access to it should be restricted and logged. It includes biometrics, medical information covered by HIPAA, personally identifiable financial information, unique identifiers, employee personnel records, tax information, passwords (which should be stored only as salted hashes, never in a reversible form), credit card and bank account numbers, electronic and digital account information, and school ID numbers.

Non-sensitive personal information is often stored and transmitted without encryption. Examples include phone numbers, email addresses, mailing addresses, birth dates, gender, race/ethnicity, or hobbies. The caveat is that several of these are quasi-identifiers: a birth date, ZIP code and race that are harmless on their own can together single out one person in a dataset, so a release of "non-sensitive" fields still needs a re-identification check.
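To make the quasi-identifier caveat concrete, the following is an added example (not code from the original page or from Intel 471) that checks a hypothetical release of "non-sensitive" fields for re-identification risk. The records in `RELEASE`, the `QUASI_IDENTIFIERS` tuple and every function name are constructed for this illustration. It computes the k-anonymity of the release, lists the records that are unique on their quasi-identifiers, shows a linkage attack by someone who already knows a target's ZIP code, birth date and race, and then generalizes the fields until no record is unique.

```python
from collections import Counter

# Constructed sample release (hypothetical records, not real people). It holds
# none of the fields the page calls sensitive: no names, SSNs or card numbers.
RELEASE = [
    {"zip": "02139", "birth_date": "1984-03-12", "race": "Asian", "hobby": "chess"},
    {"zip": "02139", "birth_date": "1984-03-12", "race": "White", "hobby": "running"},
    {"zip": "02139", "birth_date": "1991-07-04", "race": "White", "hobby": "sailing"},
    {"zip": "02139", "birth_date": "1991-07-04", "race": "White", "hobby": "chess"},
    {"zip": "02139", "birth_date": "1991-07-04", "race": "White", "hobby": "hiking"},
    {"zip": "10001", "birth_date": "1975-11-30", "race": "Black", "hobby": "cooking"},
    {"zip": "10001", "birth_date": "1975-02-14", "race": "Black", "hobby": "chess"},
]

# Fields an outsider could plausibly learn from public sources (voter rolls,
# social media) and therefore use to link a record back to a person.
QUASI_IDENTIFIERS = ("zip", "birth_date", "race")


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest class; k == 1 means at least one person is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination occurs exactly once."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def link(records, known):
    """Linkage attack: every record consistent with what the attacker knows.

    A single match re-identifies the person and leaks the remaining columns.
    """
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def generalize(record):
    """Coarsen quasi-identifiers: ZIP prefix, birth year only, race suppressed."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_date"] = record["birth_date"][:4]
    out["race"] = "*"
    return out


def generalized_release(records):
    """Apply generalize() to every record so the release can be re-checked."""
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("k before:", k_anonymity(RELEASE), "unique:", len(unique_records(RELEASE)))
    target = {"zip": "02139", "birth_date": "1984-03-12", "race": "Asian"}
    print("linkage attack finds:", link(RELEASE, target))
    safer = generalized_release(RELEASE)
    print("k after generalization:", k_anonymity(safer), "unique:", len(unique_records(safer)))
```

The point of the check is the before-and-after: the raw release has k = 1 and four records that one outside fact pattern is enough to pin down, whereas after generalization every combination of the coarsened fields is shared by at least two people. Real releases need the same test against whatever quasi-identifiers an adversary could realistically obtain, not just the three assumed here.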

Data Classification

Classifying information as sensitive or non-sensitive turns on two questions: how likely the information is to identify the subject, alone or in combination with other data, and how much harm its disclosure would cause.

The U.S. Department of Health and Human Services' HIPAA Privacy Rule defines what constitutes protected health information and the conditions under which it may be used or disclosed. It applies to HIPAA covered entities (health plans, healthcare clearinghouses and most healthcare providers) and to the business associates that handle PHI on their behalf.
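Classification is easiest to apply when it is automated at the points where data is written down, for example in application logs. Below is an added example (not part of the original page or of any Intel 471 product) that scans constructed log lines for PII, labels each finding sensitive or non-sensitive following the split used in this article, validates candidate card numbers with the Luhn checksum to avoid false positives, and redacts sensitive values before the line is stored. The sample log, the regular expressions and the function names are assumptions made for the illustration; a production scanner would need locale-specific patterns and more identifier types.

```python
import re
from dataclasses import dataclass

SENSITIVE = "sensitive"
NON_SENSITIVE = "non-sensitive"

# Constructed sample log lines (hypothetical, not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO  checkout user=alice@example.com card=4111111111111111 amount=42.00
2024-05-01T10:02:12Z INFO  checkout user=bob@example.com card=4111111111111112 amount=10.00
2024-05-01T10:03:40Z DEBUG hr-export ssn=123-45-6789 dob=1984-03-12
2024-05-01T10:04:02Z INFO  ticket=TCK-1001 opened by carol@example.com
"""

# Detector patterns with the classification this article gives each data type.
# The dob pattern requires a word boundary after the day, so ISO timestamps
# such as 2024-05-01T10:02:11Z are not reported as birth dates.
PATTERNS = {
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), SENSITIVE),
    "card":  (re.compile(r"\b\d{13,19}\b"), SENSITIVE),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), NON_SENSITIVE),
    "dob":   (re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"), NON_SENSITIVE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # which pattern matched
    level: str   # SENSITIVE or NON_SENSITIVE
    value: str   # the matched text


def scan_line(line: str):
    """Return every PII finding in one log line."""
    findings = []
    for kind, (pattern, level) in PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(0)
            if kind == "card" and not luhn_ok(value):
                continue        # long digit string but not a valid PAN
            findings.append(Finding(kind, level, value))
    return findings


def redact_line(line: str) -> str:
    """Mask sensitive values; non-sensitive ones stay visible but are reported."""
    out = line
    for f in scan_line(line):
        if f.level == SENSITIVE:
            out = out.replace(f.value, f"<{f.kind}:REDACTED>")
    return out


def classify_log(text: str):
    """Classify a whole log and return (overall level, per-line report).

    The overall level is the highest classification of any line, so one
    sensitive value makes the entire file sensitive for handling purposes.
    """
    report = [(redact_line(line), scan_line(line)) for line in text.splitlines()]
    if any(f.level == SENSITIVE for _, findings in report for f in findings):
        level = SENSITIVE
    elif any(findings for _, findings in report):
        level = NON_SENSITIVE
    else:
        level = "public"
    return level, report


if __name__ == "__main__":
    overall, lines = classify_log(SAMPLE_LOG)
    print("log classification:", overall)
    for redacted, findings in lines:
        print(redacted, "  <-", [(f.kind, f.level) for f in findings])
```

Two design choices matter in practice. Redaction happens on the sensitive class only, because the non-sensitive fields are still needed for support and debugging, but they are reported so that the file can be classified and retained accordingly. The Luhn check is what keeps the card pattern usable: the second sample line carries a sixteen-digit value that fails the checksum and is left alone, while the first line's valid test number is masked.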

How Does PII get into the hands of criminals?

  • Theft

  • Vandalism

  • Malicious Acts

  • Accidental Loss

  • Data Breaches

  • Misuse/Abuse by Employees

  • Inadvertent Disclosure

  • Malicious Dissemination

What steps should you take for PII Protection?

  • Use strong passwords

  • Encrypt sensitive documents

  • Use two-factor authentication

  • Keep devices secure

  • Regularly back up files

  • Use full-disk encryption on laptops and mobile devices

  • Be vigilant about who has access to your PII

What are Common Mistakes When Protecting PII?

  • Individuals don't use strong passwords

  • Individuals don't encrypt their hard drives

  • Individuals don't have a backup plan

  • Individuals store all of their PII on one device

  • Individuals share their PII with others without permission

How is PII used in identity theft?

Criminals steal names, addresses, Social Security numbers, birth dates, driver's license numbers, phone numbers and email addresses in large volumes. Identity thieves use the stolen identities to take money from their victims directly.

They also sell the data, including bank account numbers, Social Security numbers and driver's license numbers, to other criminals, who use it to open new accounts in the victim's name and withdraw money from existing ones.

PII Laws and Regulations

People are concerned about what happens when companies collect their personal information and want to know whether any regulations govern that activity. Users look for ways to protect themselves online, and regulators continue to draft rules to ensure consumers' privacy is protected.

The EU's General Data Protection Regulation (GDPR) is one of a growing list of regulations and privacy laws affecting how organizations conduct business. The GDPR holds those organizations fully accountable for protecting personal data, no matter where it might be located.

PII Security Best Practices

Organizations should take steps to protect personal information. Employees should be aware of what types of data are being collected, how they are used, and who has access to them. Data breaches can happen when an employee loses or misplaces a laptop containing sensitive information, or when someone breaks into a company network. Companies should also implement policies and training programs to ensure that staff understand the risks associated with handling personal information.

For organizations: encourage employees to follow security guidelines and practices; securely destroy or wipe old media that held sensitive data; install software, application and mobile updates promptly; use secure wireless networks rather than public Wi-Fi, or a VPN when public Wi-Fi is unavoidable; and lock devices when they are not in use.

For individuals: limit what you share on social media; shred important documents before discarding them; be careful whom you give your Social Security number to and keep your Social Security card in a safe place; watch for shoulder surfing, tailgating and dumpster diving; shop only on sites that use HTTPS; and avoid uploading sensitive documents to cloud services unless they are encrypted with keys you control.

In Conclusion

Unfortunately, it is a foregone conclusion that cybercriminals will make every effort to compromise your account credentials. Every day brings news of another major data breach, leak of personally identifiable information (PII), or malware campaign that pilfers usernames, passwords and other sensitive data, so the credentials of your employees and customers, often through no fault of their own, will be compromised at some point. The same is true of the key suppliers and vendors that hold your customer data or provide business-critical services. Compromised credentials, a highly sought-after commodity in the underground marketplace, are often an easy entry point into networks or the start of an account takeover (ATO) that can leave your business reeling. Sitting back and reacting to account anomalies, alerts, or worse, a blog post or news story, is no longer an effective way to manage the risk.

Intel 471's range of intelligence products can help security teams defend against threats and mitigate risks from the underground. Our Adversary Intelligence provides security teams with visibility into the cybercrime underground, including insight into actor TTPs, motivations and operations. Users also can monitor for compromised credentials proactively via Intel 471's Credential Intelligence service, track weaponized malware via our Malware Intelligence and determine patch prioritization of vulnerabilities via our Vulnerability Dashboard.

Intel 471 cybercrime intelligence empowers analysts to monitor and respond to threats in near real-time — enabling them to support the cyber defense mission with timely and actionable intelligence. These analysts can also explore the alert context in our intelligence reports and data collection giving them a richer understanding of your organizational risk to better mitigate threats.