Protecting Your Personally Identifiable Information (PII) – But What Are You Actually Protecting?

Personally Identifiable Information (PII) is data that can be used to indirectly identify a specific individual, such as a social security number, driver’s license number, or login name. PII is important to protect as a part of overall data security because PII is often used by banks, healthcare providers, and government agencies as a means of unlocking information or of proving your identity in order to get access to loans, credit cards, health records, etc.

PII has continued to be a hot topic both in terms of legal protections and in the numerous high-profile hacking cases that have occurred, including the recent break-ins to the Democratic National Committee emails that were a big discussion during, and even after, the 2016 Presidential election.

Even a small piece of PII can be used to expose individuals. Take AOL anonymous user 4417749: in 2006, AOL anonymized and sent out data on the searches being performed on its platform in hopes of helping academic researchers. However, one particular anonymous user had made various searches that enabled her to be identified, including: “numb fingers”, “dog that urinates on everything”, “60 single men”, “landscapers in Lilburn, Ga”, and the last name “Arnold.” With only the last name as a potential piece of PII, researchers were still able to identify anonymous AOL user 4417749 as 62-year-old Georgian widow Thelma Arnold, who often researched medical ailments for her friends and loved her three dogs.

So, if someone’s simple search history can potentially identify them to others, then what should be on the list of PII that should be carefully guarded? While many technology professionals tend to think that they know exactly what PII is (“I know it when I see it”), federal regulations use multiple approaches to categorizing it, and these may help shed light on the challenges (see Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1815 (2011)):

The Tautological Approach

This approach defines PII as any information that identifies a person. For example, the Video Privacy Protection Act (VPPA), which was enacted to keep private the sale and rental of home videos, defines PII as “… information which identifies a person.” Of course, the problem with this approach is that it provides no actual guidance on what does and does not identify a person. For example, SSN would be included, but what about a US Postal address which might identify a family instead of an individual? What about an IP address?

The Non-Public Approach

The Gramm-Leach-Bliley Act (GLB Act), enacted to regulate how personal information is used by financial institutions, defines PII as “… nonpublic personal information.” The issue with this type of definition is that it also leaves out which specific information can identify a person.

The Specific-Types Approach

The federal Children’s Online Privacy Protection Act (COPPA), enacted to help ensure the privacy of persons under the age of 13 while using the Internet, uses this third approach by providing a list of items that would constitute PII, including: first and last name, physical address, SSN, e-mail address, telephone number, etc. COPPA goes further to include “… any other identifier that the [Federal Trade Commission (FTC)] determines permits the physical or online contacting of a specific individual.” Such FTC items include IP addresses. While this approach is the most concrete and may allow for some expanded PII in the future, it still fails to fully encompass future technologies that may be used to identify individual people (or a combination of pieces of information that may be used to identify individuals).

As regulators continue to grapple with the definition of PII, it is incumbent on technology professionals to continue to make their systems secure and to continue to update security policies to encompass advances in technology. While there may be no single approach that is bullet-proof, a continued focus on security and privacy will help ensure the best outcomes.
