Personally Identifiable Information (PII) is any piece of information meant to identify a specific individual. This often includes data such as a Social Security number, driver's license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers, and birth date.
This information is your unique identifier, singling you out among billions of others. PII connects you to every facet of your life: to the credit scores that allow you to purchase a home, to the DMV so you can drive, and to your doctor's office and your medical records.
However, this information also holds immense value to identity thieves, who use your PII for their financial gain. They may open credit card accounts and take out mortgages, for example, using all of your data, but for their advantage. They get the goods, while your credit ratings and reputation are destroyed.
Once your personal information is compromised, it's complicated to fix all the problems created. Many victims spend ample time and money trying to regain their identity (and sometimes prove their innocence). That's why protecting personally identifiable information has to be a top priority for individuals, and for organizations that use and store customer data.
Different Types of PII
According to the Identity Theft Resource Center, what makes up personally identifiable data varies from one jurisdiction to another. The general consensus, however, is that data that uniquely identifies you as a person is the most sensitive form of PII. Full names and birthdates also identify you, but they aren't unique. However, they link back to other quantifiers that make them PII.
Yet, too many consumers ignore the sensitivity of unique information markers or don't realize how they are interconnected, and they regularly share data that should be kept private. According to an Experian survey, we store, on average, 3.4 pieces of sensitive information online, and a quarter of us share credit card and PIN numbers with family and friends.
Personal data is typically put into two categories: sensitive and non-sensitive (sometimes referred to as non-PII). Sensitive data includes anything that has legal, contractual, or ethical requirements for restricted disclosure. Non-sensitive PII is information that is public record (in phone books and online directories, for instance).
The best way to tell the difference: sensitive data should be encrypted and would result in personal damage if lost or compromised, while non-sensitive data can be shared openly and freely. But again, and this point can't be stressed enough, non-sensitive data can be combined with sensitive data in a way that can result in identity theft.
Sensitive personally identifiable information includes:
- Employee personnel records and tax information, including Social Security number and Employer Identification Number
- Passport information
- Medical records covered by HIPAA laws
- Credit and debit card numbers
- Banking accounts
- Electronic and digital account information, including email addresses and internet account numbers
- Biometric information
- School identification numbers and records
- Private personal phone numbers, especially mobile numbers
Non-sensitive information includes:
- Birth dates
- Place of birth
- Sexual orientation
- Business phone numbers and public personal phone numbers
- Employment-related information
- IP addresses
- Cookies stored on a web browser
Names are a mix of sensitive and non-sensitive. Most first-last name combinations are shared by multiple people, and names are regularly shared in public records. When you add in middle names, hyphenated last names, including an otherwise unused maiden name, and suffixes, each name becomes a little more individualized. Although the name you regularly use for business and personal transactions may not be sensitive, your entire formal name could be.
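For organizations that store customer data, the sketch below is an added example (not part of the original article) that scans free-text records for a few of the identifiers listed above, tags each with the article's sensitive or non-sensitive category, and flags records where the two kinds appear together. The regular expressions are simplified assumptions and the sample records are constructed.

```python
import re

# Categories follow the article's two lists; the patterns are simplified
# assumptions for illustration, not production-grade detectors.
PATTERNS = {
    "ssn":        ("sensitive",     re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    "card":       ("sensitive",     re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    "email":      ("sensitive",     re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    "birth_date": ("non-sensitive", re.compile(r"\b\d{2}/\d{2}/\d{4}\b")),
    "ip_address": ("non-sensitive", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
}

def luhn_ok(number):
    """Luhn checksum: filters out digit runs that are not valid card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return sorted (kind, category) pairs for identifiers found in text."""
    found = set()
    for kind, (category, rx) in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # looks like a card number but fails the checksum
            found.add((kind, category))
    return sorted(found)

def combination_risk(findings):
    """True when sensitive and non-sensitive identifiers sit in the same record."""
    cats = {category for _, category in findings}
    return {"sensitive", "non-sensitive"} <= cats

# Constructed sample records; every value is fake.
RECORDS = [
    "Jane Doe, born 04/12/1985, signed in from 203.0.113.7",
    "Jane Doe, born 04/12/1985, SSN 000-12-3456, card 4111 1111 1111 1111",
    "Order ref 4111 1111 1111 1112 shipped",
]

if __name__ == "__main__":
    for record in RECORDS:
        findings = scan(record)
        print(findings, "combined:", combination_risk(findings))
```

Records flagged as combined are the ones to prioritize for encryption or redaction, since they pair a unique identifier with the context that links it to a person.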
Where Thieves Steal Each Type of PII
Data theft and data breaches are in the news a lot lately. The problem with all data is that we have no control over our own PII once it is in the hands of a third party.
We hear a lot about data breaches because they are an increasingly frequent and sophisticated way for a tech-savvy identity thief to gather large amounts of sensitive data at one time. But it is not the only technique thieves use. A few popular methods used to gather someone else's data include both high- and low-tech options, such as:
1. Dumpster Diving
This is still a common way for thieves to gather non-sensitive data. Junk mail and subscription publications not only have names and addresses, but can also signal your personal interests, your age range, and even your income status. Dumpsters also contain an assortment of old bills and financial statements that reveal sensitive PII.
To prevent documents from falling into the wrong hands, shred anything with any personally identifiable information on it.
2. Mailbox Theft
Like dumpsters, mailboxes are a treasure trove of non-sensitive data. But dumpsters contain your trash, and you control what you toss. Mailboxes contain unopened mail that gives the thief all kinds of sensitive details about your household.
3. Lost and Found
Many people carry various things in a wallet, purse, backpack or suitcase and there's a lot of PII and sensitive data included. There's also a lot of valuable information on your smartphone. When wallets and phones are lost or misplaced, it gives a stranger the opportunity to steal everything inside.
By carrying only what you need (such as one or two credit cards, a driver's license or passport, small amounts of cash, and a healthcare card), you can minimize the damage even if you misplace your wallet. Don't carry your Social Security card or any credit or debit cards that you don't regularly need or use. Keep them in a secure, locked location at home.
4. Unsecure Internet Activity
Public WiFi leaves data transmissions unsecure and easy for a hacker to infiltrate. If you are using public WiFi to do some quick banking and bill paying, you are opening up sensitive data for theft. Other sensitive data at risk are email addresses and passwords.
Also, thieves take advantage of websites without security to steal both sensitive and non-sensitive data. Make sure that you're on legitimate sites, and don't click links in emails unless you're certain the destination is secure. Major companies are now working to make public WiFi more secure to address these issues.
5. Phishing and Pretexting Scams
Phishing emails are a common tactic for thieves. They send an email that looks to be from a legitimate source to trick you into sending along sensitive and non-sensitive information. Spear phishing and pretexting are more targeted.
The thief uses something he or she already knows about you, perhaps from a previous theft or from non-sensitive info easily found on the web, and leverages that information to get you to provide more details. There are also methods of phishing that use text messaging (known as smishing) or phone calls rather than email.
6. Social Engineering and Social Media
As much fun as social media is, thieves know this is where you share a lot of non-sensitive information that can be pieced together with sensitive data to steal your identity. Synthetic identity theft is when thieves create a fictitious identity by grabbing various pieces of information from different sources or people. They might merge fake and real data, making it even harder to track down the theft or to identify that it has happened.
Making it worse, many users don't apply the privacy settings on social media apps, so the information they share can be viewed by anyone. If a thief knows your name, he has open access to anything you share with the public online. Scammers can also use what they learn in social media to create socially engineered attacks against you to gain even more info.
How Different Types of PII Can Be Used Together to Create Identity Theft
Once thieves have your personally identifiable information in their hands, it takes them minutes to begin using it. Sometimes it comes together easily—they have your credit card information, so they begin making charges on your card. Other times, they will use the mix of sensitive and non-sensitive data to dig deeper into identity theft and fraud.
In many identity theft situations, the key is matching your name with other identification quantifiers. Here are some examples of how thieves can create identity theft.
It's important to also realize that criminals don't always act immediately. Sometimes, they hold onto information for a while after a data breach before using it because they know your guard may be down as time goes on. Information can be bought and sold on the dark web for months or years after it's obtained. (You can run a free dark web scan on Experian.com to see if your information is out there.)
How to Prevent PII Theft
Unfortunately, we often have to depend on others to keep our identity from getting into the wrong hands. Our employer, government agencies, medical facilities, insurance companies, and favorite retail outlets combined know almost everything about us via the data stored in their systems. We are at their mercy if there is a data breach or other security threat.
Try to limit the amount of personal information gathered by these organizations, if you can, but also don't hesitate to ask what steps they are taking to protect PII. Do they really need to have your Social Security number on file? Get a reason why if they insist; chances are they don't really need it but rather are just continuing old practices. You are entitled to know how companies will use and secure the information they hold.
While not everything is in your control, you can take steps to prevent identity theft by doing the following:
- Sensitive data should always be encrypted when sending or storing electronically.
- Lock and password protect phones, tablets, and laptops.
- Use different passwords for every website and application. A password manager like SaferPass can help you keep track of them all.
- Make up answers to website security questions.
- Remove and destroy hard drives before donating or disposing of computers. Also restore any device to its original settings before discarding it.
- Use a shredder before throwing any important documents in the trash.
- Don't leave sensitive personal documents on the copier at work.
- Remove your address and other identifiers from everything before throwing it out or giving it away.
- Lock your mailbox if possible. If not, consider renting a Post Office Box or signing up for Informed Delivery from the postal service to verify you are receiving all of the mail that's been delivered.
- Be smart about what you share on social media and always use privacy settings.
- Never carry your Social Security card with you. Memorize the number and keep the card in a safe place.
We all generate vast amounts of personally identifiable information, both sensitive and non-sensitive. Each piece of data gives a thief a new piece of a puzzle necessary to steal your identity. The more information a fraudster has, the more at risk you are.
This article was originally published on May 31, 2018, and has been updated.