Personally identifiable information: What is PII and why does it matter?

Personally identifiable information (PII) refers to information that can identify you, either directly or indirectly. It exists in many forms and varying degrees of sensitivity. Read on to learn how PII can be exposed, stolen, and used, and how to help safeguard yours. Then, get LifeLock to help automatically reduce your online exposure and monitor your PII for signs of potential identity theft.

A paper form containing data fields for personally identifiable information (PII).

If your PII is exposed, cybercriminals may attempt to exploit it in several ways, including selling the data on the dark web, attempting unauthorized access to accounts, or committing identity theft. Understanding what PII is and how it can be misused helps strengthen data protection and reduce risk.

Read on to learn more about PII and what it takes to keep it safe.

What is personally identifiable information (PII)? 

PII, or personally identifiable information, is any data that can identify a specific person. PII data can be sensitive or nonsensitive, depending on how easily it can be used to identify someone. It includes personal details like your name, demographics, Social Security number, or medical records.

Government and security organizations define personally identifiable information (PII) in similar terms. For example, the U.S. National Institute of Standards and Technology (NIST) describes PII as any information that can distinguish or trace an individual’s identity, either on its own or when combined with other data.

An image provides an overview of common types of PII and specifies if they are sensitive or nonsensitive, or direct or indirect identifiers.

Sensitive vs. nonsensitive PII

Sensitive PII is personal information that can uniquely identify an individual and poses a serious risk of harm or fraud if exposed. By contrast, nonsensitive PII is generally publicly available information that doesn’t represent a significant threat to the individual on its own if shared or exposed.

Some organizations also use the term Sensitive Personally Identifiable Information (SPII) to refer to a subset of PII that could cause significant harm if exposed. These include Social Security numbers, financial account details, biometric data, or medical records. Because it can more directly enable identity theft or fraud, sensitive PII requires stronger safeguards.

Examples of sensitive PII:

Certain types of personal data may not identify an individual on their own but can become sensitive when combined with other details. For example, a ZIP code, birth date, and gender may appear harmless individually, yet together they can be sufficient to identify a specific person.

Examples of nonsensitive PII:

  • Full name
  • Race
  • Gender
  • ZIP code
  • Birth date
  • Employment information

Regardless of whether certain information is officially classified as sensitive or not, aim to protect all of your personal data as much as possible. Avoid sharing sensitive information online whenever possible. When transmitting personal data is necessary, use secure websites and encrypted connections — such as those provided by a VPN — to reduce the risk of interception on unsecured networks.

Examples of PII identifiers

PII identifiers refer to how easily certain pieces of personal information can be used to identify an individual. Some PII may be enough on its own to identify someone (direct identifier), while other types can only expose someone’s identity when combined with other data (indirect identifier).

For example, medical records are a type of sensitive PII that contain multiple PII identifiers: Social Security number (direct identifier), birth date (indirect identifier), and full name (direct identifier).

Examples of direct identifiers:

  • Full name
  • Social Security number
  • Passport number
  • Driver’s license number
  • Biometric identifiers (fingerprints, facial recognition)

Examples of indirect or quasi-identifiers:

  • Birth date
  • ZIP code
  • Demographic data
  • Occupation
  • Geolocation data
  • IP addresses
  • Device identifiers
  • Advertising IDs
  • Web cookies
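
The earlier point that a ZIP code, birth date, and gender can identify a person when combined, and the quasi-identifiers listed above, can be measured on a data set before it is shared. The following is an added example, not part of the original article: it computes k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values) over constructed sample records. The field names and the generalization rule (3-digit ZIP prefix, birth year only) are assumptions.

```python
from collections import Counter

# Constructed sample records (not real people). Direct identifiers such as
# names are already removed; only quasi-identifiers remain. Field names are
# assumptions made for this example.
RECORDS = [
    {"zip": "02139", "birth_date": "1984-03-12", "gender": "F"},
    {"zip": "02139", "birth_date": "1990-07-01", "gender": "M"},
    {"zip": "02139", "birth_date": "1990-07-01", "gender": "F"},
    {"zip": "02139", "birth_date": "1990-07-01", "gender": "F"},
    {"zip": "02140", "birth_date": "1984-03-12", "gender": "F"},
    {"zip": "02140", "birth_date": "1975-11-30", "gender": "M"},
    {"zip": "02140", "birth_date": "1975-11-30", "gender": "M"},
    {"zip": "02140", "birth_date": "1990-07-01", "gender": "M"},
]
QUASI_IDENTIFIERS = ("zip", "birth_date", "gender")

def group_sizes(records, fields):
    """Count how many records share each combination of values in `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields):
    """Smallest group size k: each record matches at least k-1 others."""
    return min(group_sizes(records, fields).values())

def unique_records(records, fields):
    """Records whose combination of `fields` occurs exactly once."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

def generalize(record):
    """Coarsen the values: keep a 3-digit ZIP prefix and the birth year only."""
    return {"zip": record["zip"][:3],
            "birth_date": record["birth_date"][:4],
            "gender": record["gender"]}

if __name__ == "__main__":
    for field in QUASI_IDENTIFIERS:
        print(field, "alone: k =", k_anonymity(RECORDS, (field,)))
    print("combined: k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique on the combination:", len(unique_records(RECORDS, QUASI_IDENTIFIERS)))
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization: k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

A result of k = 1 on the combined fields means at least one record is unique on those three values, even though no single field isolates anyone in this sample.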

PHI vs. PII

Protected health information (PHI) is a specific type of PII that’s protected by the Health Insurance Portability and Accountability Act (HIPAA). PHI is any personal information in medical records that could be used to identify an individual and relates to their health, healthcare services, or healthcare payments.

Some examples of PHI include:

  • Medical history
  • Diagnosis
  • Treatment plans
  • Prescriptions
  • Lab results
  • Insurance information
  • Patient identifiers (name, SSN, address, etc.)

Why is it so important to keep PII private?

Protecting PII is important because it reduces the risk of synthetic identity theft, account takeovers, financial fraud, and medical identity theft. With enough personal data, criminals can open accounts, impersonate victims, or carry out other forms of traditional identity theft and fraud.

How does PII usually get stolen?

PII data can be exposed or stolen through phishing attacks, data breaches, hacking, and unauthorized access to systems storing personal information. According to the FBI’s Internet Crime Complaint Center (IC3), phishing and other social engineering attacks consistently rank among the most commonly reported methods used to obtain personal information.

An image explaining that phishing is one of the most common tactics used to steal PII.

Here’s a closer look at common ways PII gets exposed:

  • Phishing scams: Targets may accidentally reveal personal information by downloading malicious attachments that trigger malware, or clicking on fake links that guide them to spoofed websites. Bad actors often disguise these attacks inside innocuous-looking texts or emails.
  • Cyberattacks: Personally identifying information may be stolen via data breaches, ransomware, and man-in-the-middle (MITM) attacks on businesses, individuals, and government agencies. These attacks aim to steal Social Security numbers, account credentials, and other sensitive PII.
  • Social engineering: Identity thieves may craft ruses to trick their targets into sharing sensitive information of their own free will. Social engineering tactics can range from simple flattery to complex impersonation schemes.
  • Lost or stolen items: Stolen passports or devices, like laptops and smartphones, containing personal data can result in unauthorized access to sensitive information if they’re not properly secured.

8 ways to protect your personally identifying information

If you’re still not sure where to start with protecting your PII, here’s a breakdown:

  1. Create strong passwords: Use a password generator to create complex passwords or create your own using a mix of upper and lowercase letters, numbers, and symbols.
  2. Set up two-factor authentication: Use 2FA to help keep your online accounts safe, even if your password gets stolen. Set up biometric safeguards on your phone to help protect your credit cards saved in digital wallets.
  3. Look out for phishing attempts: Avoid clicking suspicious links or downloading attachments, especially before you have a chance to vet the sender.
  4. Limit social media sharing: Be cautious about sharing personal information, like your home address, that someone can use to identify you online.
  5. Secure your devices: Use security software, firewalls, and encryption to protect your devices. And keep your software and apps updated.
  6. Monitor your finances: Regularly review statements from your bank and credit card for indicators of fraud like unauthorized changes, incorrect balances, and suspicious activity.
  7. Safely discard sensitive documents: Shred sensitive documents or black out sensitive details with a marker before throwing them away.
  8. Be careful about using public Wi-Fi: Avoid accessing sensitive information or paying bills on unsecured networks unless you have a VPN to encrypt your connection and help protect the data you send and receive from hackers.

Is your personal information at risk?

While taking proactive measures can limit your risk of falling prey to identity theft, the reality is that no one is completely immune. That's why a robust identity theft protection service like LifeLock is essential.

It can help by alerting you if your personal information is found on the dark web or has been exposed in known data leaks, giving you the time you need to take restorative action. You can also use the automatic data broker removal feature to quickly and easily reduce online exposure of your PII. And, if your identity is ever stolen, dedicated U.S.-based Restoration Specialists will be on standby to assist you.

Editors' note: Our articles provide educational information about identity theft, scams, financial fraud, and other topics that can put your identity or personal accounts at risk. LifeLock offerings may not cover or protect against every type of crime, fraud, scam, or threat we write about. For more details about how we write, review, and update our articles, see our Editorial Policy.
