Part of a ZDNet Special Feature: Navigating data privacy

Personally identifiable information (PII): What it is, how it's used, and how to protect it

Everything you do online leaves a trace, in more ways than you may realize.


No matter what kind of device you're using or what you're doing on it, data is constantly being created that can be traced back to you.

Personally identifiable information (PII) comes in many forms, and in many cases is created without you even realizing it. That data can be used to learn things about you, your habits, your interests, and can be monetized or used by malicious actors to steal your identity or hack your accounts.

Knowing what PII is, what it's used for, and how to protect it are all essential parts of staying safe online.


What PII is, and what it isn't


Multi-factor authentication provider Okta, in its 2020 Cost of Privacy report, lists 13 distinct categories of data that can be considered PII:

  • Usernames and passwords
  • Emails and sent messages
  • Data entered into online forms
  • Online profiles
  • Internet history
  • Physical location when online
  • Online purchase history
  • Search history
  • Social media posts
  • Devices used
  • Work done online
  • Online videos watched
  • Online music, playlists

The Okta report lists those categories in descending order (as seen above) of how aware survey respondents were that each type of data was PII. By the time you reach 'physical location when online', fewer than half of respondents realized that type of data could be used to identify an internet user.


The US National Institute of Standards and Technology (NIST) defines PII fairly broadly as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

That definition breaks PII into two categories: linked data, which is data directly connected to a person; and linkable data, which is not directly associated with a person's identification but can be used to connect to them with a bit of work.

NIST's definition of PII goes beyond online data and includes paper documents, ID cards, bills, bank statements, and other records. In the case of online data, much of it falls into what NIST calls 'linkable' data, especially if that data is anonymized or doesn't contain data about you as a person, like some tracking cookies, IP addresses, and machine IDs.

Some of the more ambiguous forms of PII, like IP addresses, have been argued both ways and nothing clear has emerged from more than a decade of debate over whether they can be used to identify someone.

In 2009, the Johnson v. Microsoft decision found that IP addresses were not PII because IP addresses identify a computer, not a person. This conflicts with a 2008 court case in New Jersey, which held that customers had a reasonable expectation of privacy with regard to IP addresses. It also conflicts with guidance from NIST that describes IP addresses as PII.

Ambiguous data comes in many forms, like website tracking data, cookies, advertising profiles, and other information that can be kept separated from more easily linked PII, but can be combined by the companies that operate those services. In 2016, Google amended its privacy policy (which has since been changed) to allow it to connect cookie information to PII for the sake of "improving Google's services."
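The linked/linkable split in NIST's definition can be turned into a practical log-scrubbing check: flag each identifying value in a record, label it by category, and redact it before the record is retained. The Python below is an added example, not code from the article or from NIST; its regular expressions and sample records are constructed and deliberately simplified (no SSN range or IP validation).

```python
import re
from dataclasses import dataclass

# Each pattern carries the NIST category it belongs to. The regexes and the sample
# records further down are constructed for this example and kept simple on purpose.
PII_PATTERNS = {
    "ssn":    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "linked"),
    "email":  (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "linked"),
    "ipv4":   (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "linkable"),
    "cookie": (re.compile(r"\bcid=[0-9a-f]{16,}\b"), "linkable"),
}

@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    category: str   # "linked" or "linkable"
    value: str      # the matched text

def find_pii(text):
    """Return every PII match in one record, in PII_PATTERNS order."""
    findings = []
    for kind, (pattern, category) in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(kind, category, m.group(0)))
    return findings

def record_category(text):
    """Classify a whole record: any linked item identifies a person outright; a record
    holding only linkable items (an IP address, a cookie id) identifies them only once
    it is joined to other data, which is exactly the ambiguity the article describes."""
    cats = {f.category for f in find_pii(text)}
    if "linked" in cats:
        return "linked"
    if "linkable" in cats:
        return "linkable"
    return "none"

def redact(text):
    """Replace each PII value with a placeholder naming its kind, so the record stays
    useful for troubleshooting without retaining the identifying values."""
    for kind, (pattern, _category) in PII_PATTERNS.items():
        text = pattern.sub(f"<{kind}>", text)
    return text

# Constructed sample records (not real data): an access-log line, a support note,
# and a line that contains no PII at all.
SAMPLE_RECORDS = [
    "2020-03-11 10:02:17 203.0.113.45 GET /account cid=9f8e7d6c5b4a3f2e1d0c",
    "ticket 4411: caller alice@example.com confirmed SSN 123-45-6789",
    "2020-03-11 10:05:00 GET /health 200",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(record_category(rec).ljust(8), redact(rec))
```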


How PII is used

PII is used in both legitimate and illegitimate ways. A user's browsing history, cookies served by websites, and search history are often used to serve targeted advertisements, which is why social media advertisements can be so oddly specific.

It's illegitimate uses of PII that garner more interest, and should be of greater concern, for internet users. Yes, targeted ads and the privacy violations that have been committed in service to them are a problem, but the fallout from a cybercriminal gaining access to your PII can be far worse.

PII leaks were the leading type of data breach in 2018 because of how valuable that data is: with one bit of information an attacker can home in on an individual target for a phishing attack, use that data to search for additional information about a person, or use it to break directly into an online account.

PII can also be used to launch social engineering attacks, which are one of the most popular hacking methods currently in use: why go through the work of developing a complicated hack when you can simply use PII stolen in a breach and some social media posts to guess your way into someone's account?


Protecting your PII

It can be tough to protect your PII, especially since so much of it is collected in the background by websites and services you use every day. In other cases, websites you trust with more sensitive PII like your name, address, email address, and banking information can be breached, and there's nothing you can do about it.

That doesn't mean you're completely unable to protect your PII, though. There are many precautions you can take to minimize your PII footprint and protect your information when you absolutely have to provide it.

Identity theft protection provider NortonLifeLock recommends the following PII protection steps:

  1. Be careful what you post on social media: It's easy to guess password hints and other personal info from posts. When possible, limit your social media audience to people you know.
  2. Invest in a paper shredder to protect physical PII.
  3. Don't just hand over sensitive info like your social security number when asked -- find out why it's needed and how it will be protected first.
  4. Leave sensitive documents, like your social security card and passport, at home unless you need them.

Other steps include using an intermediary payment service like PayPal or Privacy.com instead of giving vendors your credit card or banking information. Users can also find out how their web browser can block tracking cookies and enable Do Not Track mode (not always effective, since sites are free to ignore it), or install a browser add-on like Ghostery that allows users to block individual elements that may be tracking or harvesting data.

In addition, you should regularly clear your browser history, cookies, and other temporary files that contain PII, use a VPN when handling sensitive information or browsing the web on an unsecured public Wi-Fi network, and use incognito mode on your web browser to prevent local storage of records tied to your identity.
