Protecting PII?

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.

Personally Identifiable Information (PII), is considered as any information that can be used to distinguish or trace to an individual’s identity.

Examples include:

  • Name

  • Social Security Number (SSN)

  • Passport number

  • Driver’s license number

  • Financial account and personal identification numbers (PINs)

  • Street or e-mail address

  • Phone number

  • Associated data –data that when alone may not be able to identify an individual but when associated with other data leads to identification (e.g. IP addresses, groups or associations)

Today more than ever it is extremely important for organizations to protect their personally identifiable information (PII). Knowing WHAT (above), WHEN, and WHERE you have PII is extremely important for organizations today. PII data must be treated and identified on its own in order to comply with the guidelines and provide the protection required. 

Organizations need to know the thresholds of WHEN PII enters and exits the data and company boundaries. Organizations should get into a habit of periodically reviewing and auditing their environment for PII. PII can also exists in several different forms - employee PII, as customer PII, created, received, or maintained, and business partners PII. An organization needs to determine the flow of the PII as it enters and WHERE it is recorded/stored to ensure its security and confidentiality.

Organizations need to know the laws and contractual obligation requirements for protecting PII data. It’s very important for organizations to be aware of any laws or contractual obligations that are required to protect PII. Commonly known laws and obligations we are familiar with include: the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach Bliley (GLB). There are State and Local Laws are to be equally considered for the management of PII, and additionally other laws and guidelines pertaining to an organizations industry as well.

What should you do to be and remain safe?

Perform a PII Risk Assessment (Assess all data). Risk assessments should be performed at least on an annual basis.

A central component of many privacy compliance standards and regulations is the performance of a risk assessment. This not only serves as the basis for compliance with the various compliance and reporting efforts but is also essential for good corporate governance. In the context of safeguarding PII, this risk assessment should provide specific coverage over the at least the following:

  • Identification of regulated PII

  • Identification of other sensitive data

  • Identification applicable laws and regulations described earlier

  • Determine threats to compliance with the external and internal processes

  • Risk management strategies

    • Identify avoidance, sharing and common practices

    • Define the control procedures for handling and securing all data

·         Ensure all internal and external stakeholders and partners are involved, understand the requirements, and are kept informed of any practices and policies

Create safeguards for protecting PII according to Confidentiality and Privacy impact

Organizations should create safeguards according the risk assessment (as described earlier) and confidentiality and privacy impact associated with the PII data. These safeguards should clearly reflect the organization’s risk mitigation strategy and be evaluated on a periodic basis for design and operational effectiveness and be revised accordingly. Listed below are a few safeguards that organizations can utilize:

·         Categorize Data and PII. Some data may be less risky to collect and retain than others - email address vs social security numbers

o    Only collect and retain PII that is necessary to perform the business function related to its collection

  • Create policies and procedures – organizations should have policies for the collection, use, retention, disclosure and destruction of PII and all organizational data to include but not limited to (email, meeting notes, documents, bills, etc.). A periodic review of Records Retention and a company standard should be established for the organization. These policies should be adopted and communicated to employees.

  • Training – organizations should train their employees how to protect and handle PII to reduce the likelihood of a incident or breach.

  • Archive Practices – organizations can protect PII and all data by archiving and removing it where it may no longer be needed. These practices can be defined in conjunction with the Records Retention standards for an organization.

  • Encryption – organizations can encrypt databases and repositories where PII is stored.


Contact us to learn more about securing data can provide you benefits and make better use of your Time, Talent, and Treasure.  Call or contact EIS at 440-918-1040 or