PowerDMARC

Identifying and Safeguarding PII (Personally Identifiable Information)

personally identifiable information

Who would want their personally identifiable information and sensitive data to be compromised and used by someone for fraudulent activities? But the sad reality is, this has now become common practice.

It was recently revealed that almost 50% of the data breaches between 2021 to 2023 were of the customers’ Personally Identifiable Information (PII), and 40% of that data was from ‌ employees. This data was recorded during a survey in Oct 2023.

PII isn’t very complicated, but it is still important to understand what it is and the importance of securing it. This guide contains all the answers to help you protect your PII and yourself. 

What is PII (Personally Identifiable Information)?

PII, or Personally Identifiable Information, is information that is a significant part of your identity and can point directly at you. 

Imagine it as a secret code that, on its own or when mixed with other information, can reveal your identity. So, it’s not just your name and address; it’s like the puzzle pieces that, when put together, create the full picture of “you.” 

For example, suppose your name is John. There are many other people around the world having the same name due to which it cannot be considered PII. But what if we say your name is John Doe, and you live in Manhattan with a social security number AXY123? Now, it becomes a PII and can uniquely identify you from other Johns living in some other areas.

PII can be divided into non-sensitive and sensitive. We will be covering it next.

Non-Sensitive & Sensitive PII Information

The US Department of Defense provides a list of examples with respect to PII. From social security numbers to personal addresses, all of these can fall under personally identifiable information. 

Let’s take a look at the two distinctive categories of PII: 

Sensitive PII

Sensitive PII is information that can single out an individual very easily. This type of PII can be damaging to the individual it belongs to if it is retrieved by a cybercriminal. 

Examples of Sensitive Personally Identifiable Information

Non-sensitive PII

Any information, such as a maiden name, which can identify a person but cannot be used to harm them is defined as Non-sensitive PII. 

Examples of Non-Sensitive Personally Identifiable Information

If you or any business wants to collect PII, they’ll have to use online forms, surveys, and social media with preferably a non-disclosure agreement attached. Make sure that whenever you’re providing your PII to someone, check if they have a proper plan in place for using, storing, and protecting the information.

Why is PII Important?

PII is critical because it protects your data. Any businesses or organizations that have your PII are legally obligated to safeguard it at all costs. It provides a guarantee of the safety and security of your personal information.

Businesses can use your information for multiple purposes, like:

How can PII be Stolen?

Attacks such as social engineering using a spoofed domain name or email can trick people into revealing PII. It is also possible for private information to be leaked via instances of a hacked email account, data breaches, etc. 

Here are some common ways using which PII can be stolen: 

  1. Phishing emails: Fake emails luring victims to disclose their PII 
  2. Data breaches: Attackers exploit system vulnerabilities to breach sensitive databases
  3. Dumpster diving: Retrieving deleted documents from trash that contain PII
  4. Social engineering: Manipulating unsuspecting victims into sharing personal information
  5. Malware: Malicious software that infiltrates files containing PII on your computer
  6. Insider threats: Your own employees disclosing PII for malicious intent or money
  7. Cyber Eavesdropping: eavesdropping on online communications to steal PII
  8. Hacked email accounts: Gaining access to email accounts to read chats containing PII 
  9. Man-in-the-middle attacks: Attacker intercepting online communications to steal PII  
  10. Brute-force attacks: Gaining unauthorized access to accounts by using brute force like constant retrials, and then stealing PII

Methods to Safeguard PII

Various countries have adopted multiple data protection laws to create guidelines for companies that gather, store, and share clients’ personal information. Let’s look at the ways in which you can safeguard your PII.

If you’re a business owner, you should consider the below-mentioned steps:

The US Department of Homeland Security has also published an insightful document defining how to protect and share your PII safely. 

Importance of Protecting PII from Data Breaches

A data breach occurs when someone who has no authorization from the company accesses computer systems, potentially leading to the acquisition of sensitive information. 

While researching, we found a study that showed over 6 million records were breached worldwide in 2023. It is one of the most concerning factors for company leaders.

These data breaches may occur due to various reasons, like:

Businesses can follow the practices mentioned below to protect their data from breaches:

PII Laws & Regulations

PII is regulated by many laws and regulations. These ensure that individuals’ privacy is safe and they don’t have to worry about threats like impersonation. Some of these federal laws are:

1. Privacy Act of 1974

The Privacy Act of 1974 lays down the rules for federal agents when it comes to collecting, using, and spilling the beans on PII. This act also makes it a must for federal agencies to let people know if they can disclose their PII, and there are penalties waiting if one fails to do so. However, there are certain special cases and exceptions to this. 

2. Health Insurance Portability and Accountability Act

Then there’s HIPAA, the Health Insurance Portability and Accountability Act, the superhero for health records. It demands that healthcare institutions and providers must keep patient information under wraps, and not disclose their health records without consent. 

3. Freedom of Information Act

And don’t forget the FOIA, the Freedom of Information Act. It’s the golden ticket for people wanting to dig into government files. It tells federal agencies, “Show your cards unless it’s super secretive.” So, basically, it’s the public’s backstage pass to government info! However, the FOIA also acts as a protector of PII by asking law enforcement agencies to withhold information that can be personally identifiable or damaging. 

4. General Data Protection Regulation (GDPR) 

In 1995, there was a Data Protection Directive, but later, GDPR took over to safeguard personal information. Now, any company dealing with the personal data of EU citizens, whether they’re based in the EU or elsewhere (yes, even the US!), has to follow the same set of rules. 

Non-compliance may result in hefty fines – 4% of your global annual revenue or €20 million, whichever is more painful – for the violation of certain provisions. Plus, individuals have the right to complain if they think their GDPR rights were violated. 

Remember, GDPR is the global sheriff for data privacy, making sure companies don’t play fast and loose with people’s personal information. It’s the guardian of your data, keeping the digital world in check.

How Can Businesses Protect their Customers’ Data?

For businesses looking to up their security game, consider these handy tips:

Impact of Identity Theft and Misuse of PII

Identity theft is no joke – it can bring serious financial headaches. Imagine someone impersonating you and going on a shopping spree or taking out loans in your name without asking – or worse, carrying out illegal activities! 

Identity theft and stolen PII can lead to: 

  1. Severe financial damages 
  2. Emotional distress and anxiety 
  3. Legal turmoil for crimes committed in your name
  4. Loss of credibility and reputation in the industry 
  5. Loss of customer trust

Final Words

A popular vector for retrieving PII is phishing emails impersonating or spoofing your domain name. We recommend setting up a DMARC for your emails and domains to remain safe from this. And there is no better way to configure and monitor your implementation safely than PowerDMARC! We are a team of domain security experts who specialize in helping you minimize email fraud through authentication. Get in touch today for a free DMARC trial

Remember to share as little personal information as you can on the internet! Stay safe and stay vigilant online.

Exit mobile version