Personally Identifiable Information (PII): What It Is and Why It Must Be Destroyed

July 9, 2019 at 5:30 pm by Paul Falcone

We’ve all heard of ‘Personally Identifiable Information’ (PII)—those pieces of information about ourselves that are unique to us, and therefore make us identifiable and distinguishable from others. Well-known PII includes data such as full name, social security number, driver’s license number, passport information, medical records, and financial account numbers.

Yet, there are other types of PII that we, as individuals and consumers, put out there about ourselves which we do not consider to be personally identifying. These pieces of information include email addresses and social media usernames, phone numbers, mailing addresses, and even religion. Then there are quasi-identifiers, also available in public sources, such as your race, zip code, gender and birth date, which can easily identify you, too, when used with other relevant data.

Moreover, we often underestimate the power of some of our PII when, in fact, this information provides access to many facets of everyday life including our ability to drive, receive health care, and make large purchases (like buying a home).

Sensitive & Non-Sensitive PII: The Difference

Personally identifiable information falls within one of two groups: sensitive and non-sensitive. While many experts tout that sensitive data is what should be protected and encrypted, non-sensitive data is just as important to safeguard against unauthorized access and theft.

The following, although by no means exhaustive, are lists of most of these types of data:

Sensitive PII:

• Full name
• Social Security Number (SSN)
• Driver’s license
• Passport information
• Passwords and PIN numbers
• Biometric information (e.g. fingerprints, iris and retina scan, DNA, facial recognition)
• Medical records (e.g. PHI, all data under HIPAA regulations)
• Financial information (e.g. bank accounts and loans, credit and debit card numbers)
• Employee personnel records and tax information (includes Employer Identification Number)
• Digital/Electronic account information (e.g. email addresses, internet account numbers, digital account passwords)
• School identification numbers and records
• Private phone numbers (especially cell phone numbers)
• Mailing and/or home address

Non-Sensitive PII:

• Zip code
• Race
• Gender
• Date of birth
• Place of birth
• Religion
• Ethnicity
• Sexual orientation
• IP addresses
• Cookies stored on a web browser
• Outside-of-home addresses (e.g. workplace)
• Business phone numbers and public personal phone numbers
• Employment-related information (e.g. job title and status)
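
The following Python check is an added example, not part of the original article. It shows how the quasi-identifiers listed above (zip code, gender, date of birth) combine to single out records in a data set, and how coarsening them lowers that risk, using the standard k-anonymity measure. The records, column names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people); column names are assumptions.
RECORDS = [
    {"zip": "01581", "gender": "F", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"zip": "01581", "gender": "F", "dob": "1984-07-30", "diagnosis": "diabetes"},
    {"zip": "01581", "gender": "M", "dob": "1990-01-05", "diagnosis": "migraine"},
    {"zip": "01532", "gender": "M", "dob": "1990-11-21", "diagnosis": "asthma"},
    {"zip": "01545", "gender": "F", "dob": "1984-09-02", "diagnosis": "fracture"},
    {"zip": "01519", "gender": "M", "dob": "1990-06-17", "diagnosis": "diabetes"},
]

QUASI_IDENTIFIERS = ("zip", "gender", "dob")


def reidentification_risk(records, quasi_ids=QUASI_IDENTIFIERS):
    """Return (k, unique_fraction) for the chosen quasi-identifier columns.

    k is the size of the smallest group of records sharing the same
    quasi-identifier values (the data set is "k-anonymous").
    unique_fraction is the share of records that are alone in their group,
    i.e. singled out by those columns without any name or SSN.
    """
    if not records:
        return 0, 0.0
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    k = min(groups.values())
    unique = sum(1 for size in groups.values() if size == 1)
    return k, unique / len(records)


def generalize(record):
    """Coarsen quasi-identifiers: keep a 3-digit zip prefix and birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("raw data        :", reidentification_risk(RECORDS))
    print("zip code alone  :", reidentification_risk(RECORDS, ("zip",)))
    print("generalized data:", reidentification_risk([generalize(r) for r in RECORDS]))
```

A result of k = 1 means at least one person is uniquely identifiable from the "non-sensitive" columns alone, so the sensitive column attached to that row is exposed as well.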

The Pervasiveness of PII

Too many individuals overlook the sensitivity of their personal information, or don’t realize how its pieces are interconnected and how easily they can be pieced together to form a unique identity. What’s more, people often use unprotected means to share their personal information with family and friends, such as text and SMS messages, email, social media, and other messenger apps.

Many people even allow their personal, sensitive data to be saved on their computers and other electronic devices and drives so as to provide convenience when accessing digital accounts and places where information is stored. A survey conducted by Experian reported that the average person stores three to four pieces of sensitive information online, and 25% of Americans share credit card and PIN numbers with family and friends.

The Importance of Proper Data and Drive Destruction

PII holds immense value to identity thieves who want to use your information for their personal gain. Criminals (including cybercriminals) therefore also find value in stealing this information, either for financial gain through sale to an identity thief or for a ransom payment directly from the victim. This is why it is imperative that you not only make sure all of your sensitive data and PII are secure and protected, but also that the data is rendered unreadable and unable to be reconstructed from the drive, device, or material that it’s stored on when it’s no longer needed. Moreover, this end-of-life destruction needs to extend to the drive, device, and/or material on which the data is stored.

Landfills and trash and recycling centers are easy targets for someone to rummage through and find a device or material that potentially contains PII and that can be restored. For instance, it’s not enough to clear data from a laptop hard drive. To ensure the total destruction of sensitive data to the point that it cannot be reconstructed, both data and device must be destroyed: the data by overwriting it with non-sensitive information, using software or hardware, to clear it, and the media by degaussing, which renders the magnetic field permanently unusable, or by shredding, melting, pulverization, disintegration, or incineration.