You Are Now PII Certified!
May 08, 2023 | 7 minutes read
What is PII
If a stranger walks up to you and says “Hey, what’s your name?”, you may quickly and naturally react by providing your name. If the stranger instead asked, “Hey, what is your mother’s maiden name and last four digits of your social security?”, you may consider calling the authorities. The question here is, what makes one question socially acceptable and feels harmless and the other feels intrusive, to say the least? Both of these questions are asking for PII, Personal Identifiable Information, but there is a major difference in our willingness to give one and not the other.
Let’s first clearly establish the definition of PII. Personal Identifiable Information (PII) is any information that can be used to identify an individual and this information can be considered sensitive or non-sensitive. Information that is considered non-sensitive, for example, your phone number, will not directly identify you. Think of non-sensitive information as the type of information that will be in your public records. You can and probably have provided your first name, email, and phone number to be contacted by strangers without feeling like you’ve exposed too much information about yourself. Other examples of non-sensitive PII are ethnicity, address, IP address, and gender. Having information about you that falls into those categories does not necessarily put you at risk of identity theft.
Sensitive Information
PII that is considered sensitive means that anyone with that information has an opportunity to specifically and correctly identify you, as you. A perfect example is your social security number. If you’re well versed, you can differentiate what country an individual is from based on the format of their Social Security Number or whatever system the country uses as a way to identify individuals.
In the United States, social security numbers follow the format of XXX-XX-XXXX. In Canada, the format for their Social Insurance Number is XXX-XXX-XXX, and the same for Australia except they do not have the dashes separating their Tax File Number evenly into three groups.
There are countries such as Russia that don’t have a nine-digit identifying number. They have a fourteen-digit Personal Identification Number with birthday, birthplace, and gender identifying digits followed by a random combination of numbers to further uniquely identify Russian citizens. It is more than possible that someone from across the world can identify you simply with your social security number. This is easily considered sensitive personal identification information.
Other examples of sensitive information are your birth certificate, bank account information, passport number, medical record number, driver’s license, and legal full name. All of the listed examples can easily allow someone to identify you. Driver’s license might be a bit confusing to some since it provides what we already elected as non-sensitive information; age and address. But driver’s licenses also have one piece of information considered sensitive, your full legal name.
This means that some sensitive PII though can identify you, other PIIs considered “non-sensitive” can actually make it easier by providing more context and confirmation of your identity. It is likely to have the same full legal name as someone else, you may even have the same birthday, but having your full legal name, birthday and address be identical is not likely. If there are 10 John Robinson Smiths, the list would be cut down when I am looking for a John Robinson Smith with a date of birth of May 8th, 1963. If there are a couple with that same birthdate, when adding an address into the mix, I am more than likely to land on only one person, identifying who I’m looking for.
Non-sensitive and sensitive PII are not the only things that can work together to identify someone’s identity. There are other types of information that are not considered PII and will be able to give access to your sensitive information. Passwords, though not considered a PII, in conjunction with other information may lead to the exposure of your personal information and identity. For example, someone having your email address is not a big deal, especially since it is meant to be shared so you can be reached, but if the same person has your email account password, they now have full access to your emails which can contain sensitive PII.
Your bank account information, medical accounts, and private data may be exposed if someone has full access to your email account. They may even be able to reset passwords of other accounts created with your email address, giving them further access to your sensitive information.
Where Your PII Can End Up
Now that you can consider yourself PII Certified, it is important to know what you are using your PII for. You have your PII for important reasons, it allows you to carry out transactions, open portals to private communication, grant access to bank accounts, and more. This means that your PII is not solely in your possession since they were provided externally to gain needed services.
How can we be sure that our data is consistently kept safe? The short answer is, we can’t always be 100% certain. There are news reports that tell us how some businesses have sold our data for their own nefarious purposes, data breaches via cyber security attacks, and private information leaks.
These unsettling occurrences remind us that once our information has left our hands, we have almost no control over where it ends up. The best practice is to ask questions and be more knowledgeable of security measures that can be taken to protect your information. Password best practices are the beginning of your journey to protect your information.
When you’ve decided on a business worth sharing your information with, make sure to ask questions regarding how they manage and protect your data, their disaster recovery process, and the tools they use to protect your information as it’s traveling through their pipeline. One method that the majority of businesses that handle private information are familiar with is the action of redacting private information.
Redacting is the action of editing or removing confidential information from any media source which includes documents, videos, audio, and images. There are many tools that work to redact one or more of these media types to help maintain privacy but there is one company that is perfecting redacting all assets in one place, CaseGuard.
CaseGuard is able to easily redact identifying information such as faces and heads, license plates, cars, and PII from all assets. The software also allows redacting PII from audio and documents possible with a few clicks and has many unique features to allow businesses to redact all assets quickly and easily. Most importantly, the information that is redacted is scrubbed away, meaning that no one is able to recover the information unless they have the original media, take a look at this example below.
Health Record – Patient: John Smith Date of Birth: 03/01/1950.
If you highlight the blocks that are redacting the private information, you can see that the data is very much accessible. This is not a rare form of redaction. There have been many cases where poor redacting has exposed information that was intended to be hidden. CaseGuard makes sure that you do not have this experience when redacting with their tool.
Redact Right or Pay the Price
Redacting is so important that there are multiple rules and regulations that fight for your rights for it to be done properly. Some of the well-known laws and regulations are the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Family Educational Rights and Privacy Act (FERPA), and Freedom of Information Act (FOIA).
Each of these laws applies to different industries but has the common goal of protecting the privacy of individuals. Any industry, whether it be healthcare, education, or government agencies has a responsibility to you to secure your privacy and these laws ensure this by also outlining the consequences if they do not comply. There will be amendments and new rules regarding redaction regulations that arise but your privacy being kept safe is consistent. Following best practices and ensuring your places of service are using reliable redaction tools will help you rest assured that your data is secure.