Personally identifiable information (PII)
Personally identifiable information, or PII, is a broad term commonly used in the cybersecurity industry for data that can directly or indirectly identify an individual.
While there is no universally accepted definition of PII, a commonly used one, especially in U.S. government sources, is as follows:
information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
(Source: United States Office of Management and Budget (OMB) Circular No. A-130)
PII is commonly divided into two types according to how it references an individual:
- Direct reference. PII can have a direct reference (also called “linked reference”) to an individual’s identity, like full name, phone number, email, national ID (such as a social security number, or SSN, in the United States), passport info, photo ID, etc.
- Indirect reference. This involves information that, on its own, cannot identify an individual. However, when combined with other such pieces (often called quasi-identifiers), an identity can be inferred. For instance, date of birth, gender, and zip code together can identify over 60% of US citizens.
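The distinction between direct and indirect references can be made concrete in code. The following is an added example, not part of the original article: it flags direct identifiers (email, US SSN, US phone number) in a constructed log line with simplified, assumed regular expressions, and it measures how identifying a set of indirect identifiers is by computing k-anonymity and the fraction of unique records over a constructed table of fictional people. It also shows that coarsening the quasi-identifiers (full date of birth to birth year, 5-digit ZIP to 3-digit prefix) raises k, which is the usual mitigation. The patterns are syntactic checks only and are assumptions for illustration; they will produce false positives on real data.

```python
import re
from collections import Counter

# --- Direct identifiers -----------------------------------------------------
# Simplified, US-centric patterns (assumption for this example: syntactic
# checks only, so they can match non-PII strings and miss unusual formats).
DIRECT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # SSN shape: area not 000/666/900-999, group not 00, serial not 0000
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "us_phone": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
}


def find_direct_identifiers(text):
    """Return (kind, matched_text) pairs for every direct identifier in text."""
    hits = []
    for kind, pattern in DIRECT_PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text):
    """Replace each direct identifier with a labelled placeholder."""
    for kind, pattern in DIRECT_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


# --- Indirect identifiers (quasi-identifiers) -------------------------------
def _group_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is uniquely identified by those fields."""
    return min(_group_sizes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Fraction of records whose quasi-identifier combination is unique in the set."""
    sizes = _group_sizes(records, quasi_ids)
    return sum(1 for n in sizes.values() if n == 1) / len(records)


def generalize(record):
    """Coarsen quasi-identifiers: full DOB -> birth year, 5-digit ZIP -> 3-digit prefix."""
    return {**record, "birth_year": record["dob"][:4], "zip3": record["zip"][:3]}


# Constructed sample data: fictional people, fictional log line.
RECORDS = [
    {"dob": "1985-03-12", "gender": "F", "zip": "02139"},
    {"dob": "1985-09-25", "gender": "F", "zip": "02138"},
    {"dob": "1990-07-04", "gender": "M", "zip": "02139"},
    {"dob": "1990-11-20", "gender": "M", "zip": "02138"},
    {"dob": "1975-11-30", "gender": "M", "zip": "90210"},
    {"dob": "1975-02-14", "gender": "M", "zip": "90211"},
    {"dob": "2001-01-01", "gender": "F", "zip": "10001"},
    {"dob": "2001-06-15", "gender": "F", "zip": "10002"},
]
SAMPLE_LOG = ("2024-05-01 export requested by jane.doe@example.com "
              "(SSN 123-45-6789, tel 617-555-0142)")

if __name__ == "__main__":
    print("direct identifiers:", find_direct_identifiers(SAMPLE_LOG))
    print("redacted:", redact(SAMPLE_LOG))
    raw = ("dob", "gender", "zip")
    coarse = ("birth_year", "gender", "zip3")
    print("raw quasi-identifiers: k =", k_anonymity(RECORDS, raw),
          "unique fraction =", unique_fraction(RECORDS, raw))
    gen = [generalize(r) for r in RECORDS]
    print("generalized: k =", k_anonymity(gen, coarse),
          "unique fraction =", unique_fraction(gen, coarse))
```

On the constructed table, full date of birth plus gender plus ZIP makes every one of the eight records unique (k = 1), while birth year plus gender plus ZIP prefix leaves no record unique (k = 2). A practitioner would run the same measurement against a real export before sharing it, treating any k of 1 as a re-identification risk.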
PII has significant monetary value to criminals, making it a common target for identity theft, insurance fraud, impersonation, or blackmail. For example, in the US, social security numbers (SSNs) are often used for these kinds of malicious activities.
PII vs personal information vs personal data
Personally identifiable information (PII) is closely related in meaning to:
- “Personal information”, a term primarily used in the US and North America in general, including “sensitive personal information” as defined in the California Privacy Rights Act (CPRA).
- “Personal data”, the predominant term for information identifying an individual in Europe, including “sensitive personal data” as defined in the General Data Protection Regulation (GDPR).
The exact relationship between these three terms is, however, a topic of debate, with at least two common interpretations.
PII, “personal data” and “personal information” are sometimes used interchangeably. Here are a few examples of this interpretation:
- This US Government Accountability Office report explicitly states that it uses both “personal information” and “personally identifiable information” to refer to any information linkable to individuals.
- NIST Special Publication 800-122, a guide developed by NIST (the leading US standards institute) to protect the confidentiality of PII, uses “PII” interchangeably with “personal information” and “personal data.”
- NIST Special Publication 800-63-3, a NIST guide for US federal agencies implementing digital identity services, explicitly defines “personal data”, “personal information”, and “PII” as bearing the same meaning.
An alternative interpretation suggests that:
- “Personal information” and “personal data” are largely equivalent, covering a broad spectrum of information that belongs to or describes a person.
- PII refers to a more limited set of identifiers. Both “personal information” and “personal data” include PII but are not restricted to it.
Here are examples supporting this interpretation:
- In this help center article, Google clarifies its use of the term “PII” in contracts, terms of service, and policies to distinguish it from “personal data” and “personal information”. Specifically, Google interprets PII as information that could be used on its own to directly identify, contact, or precisely locate a person.
- In this article about PII, VentureBeat cites a Gartner VP Analyst who explains that, in the US, “PII historically refers to two or three dozen identifiers like name, address, SSN, driver’s license or credit card number and such”.
Top threats to PII security
The reason protecting PII is crucial is that it can be misused in various ways if it falls into the wrong hands: from revealing information about a person that they would rather keep private to identity theft with severe financial consequences.
Here are a few examples of threats to PII security:
- Cyberattacks. Hackers might break into computer systems and networks to steal information. This can lead to identity theft and financial problems.
- Phishing scams. Deceptive emails or messages try to trick you into giving up your personal details and credentials. Treat any unexpected request for such information as suspect.
- Insider threats. Even trusted people like employees can be a risk. They might accidentally or even purposefully misuse personal information.
- Third-party breaches. Companies often share data with other businesses. Weak security measures by these partners can expose your information.
- New technology risks. Advancements like the Internet of Things create new ways for your data to be collected and accessed, so the set of threats to PII keeps evolving.