Personally Identifiable Information

What is personally identifiable information?

Personally identifiable information (PII) is any information that can be used to identify an individual, either on its own or when combined with other information. There are direct identifiers like names, Social Security numbers, and biometric records, as well as indirect identifiers like birth date, zip code, or gender. 

Example: Our robust cybersecurity measures prevented a data breach that could have leaked sensitive personally identifiable information, saving the company nearly $5 million. 

The disclosure of sensitive PII—like financial records or medical history—can result in harm to the individual, prompting organizations large and small to spend millions each year on cybersecurity measures like data anonymization.

Why is protecting PII important?

As the amount of personal data collected and stored digitally increases each year, both individuals and organizations have a role in protecting PII more than ever. Unauthorized access to PII—even something as simple as a driver’s license number—can lead to identity theft, financial fraud, or other forms of personal harm. 

Organizations that don’t take measures to protect an individual’s identity are more likely to be susceptible to costly and harmful data breaches, thereby reducing customer loyalty. While the cost to protect PII can seem large up front, the cost of not doing so can be much larger, both to an organization’s public image and bottom line. 

Data privacy laws

The European Union’s comprehensive data privacy law—General Data Protection Regulation (GDPR)—guides the lawful processing of personal data and outlines rights individuals have over their personal data.

In the United States, there are federal laws governing heavily-regulated sectors like the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry and the Graham-Leach-Bliley Act (GLBA) for the financial sector. Many state-level data privacy laws—like the California Consumer Privacy Act—generally follow GDPR regulations, but there has yet to be a national standard for PII protection in the U.S.