Businesses and criminals covet consumer data, but what is personally identifiable information, and how can you best control how your personal data is used?
What is considered Personally Identifiable Information?
Personally identifiable information is any data that can be used to “distinguish or trace an individual’s identity” (think Social Security number or fingerprint), as well as information that could be linked to a specific person, for example, their medical or financial records.
PII is any piece of information that, on its own or combined with other data, can lead back to you.
Here’s what the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, considers PII:
- Names, including maiden names and aliases.
- Personal identification numbers, such as your passport number, Social Security number, driver’s license number and financial account numbers.
- Address information.
- Telephone numbers.
- IP addresses.
- Biometric data, including X-rays, fingerprints, retina scans and voice signatures.
- Personal property information, such as vehicle registration and title numbers.
- Other linked information, for example, date and place of birth, race, weight, medical data, employment and financial information.
Some PII, like your Social Security and passport numbers, is sensitive. This is information you wouldn’t share on your social media profiles. Other data points, such as date of birth or phone number, may appear less sensitive: this information can be linked back to your identity, and it is generally searchable from public sources.
How can PII be a problem for me?
Some publicly available PII may seem innocuous: your work phone number and email address published on your employee profile, your office-hour schedule and location posted for students to view or even maps of runs or bike rides that start and end at your home uploaded to social fitness network sites like Strava.
“The important thing to remember about PII is that there are sometimes good reasons to share it on the internet,” said Gennie Gebhart, associate director of research at the Electronic Frontier Foundation. “You want people to be able to find you or you want to be able to be contacted by members of the public.”
But information that, on its own, seems harmless, can still cause problems. For example, an individual or group may target you physically using basic contact information. Doxxing is the practice of broadcasting a target’s personally identifiable information (including addresses and phone numbers) online, which can bring on widespread harassment. Then there’s SIM swapping, where a hacker links your phone number with their device—which gives them access to every account you’ve associated with that number.
We also share much of this information ourselves in everyday life, she added. Every time you fill out a digital form or sign up for a new account with an online retailer, you’re giving out PII.
Of course, there are also problems that arise if you have weak security in place for your networks, devices and accounts. For example, cybercriminals use tactics like phishing (and neighbor spoofing) to trick you into offering up your personal information, and hackers may obtain it through data breaches. This puts you at risk for identity theft.
How can I protect my personal information?
To protect your personal information, Gebhart recommends starting with good digital hygiene practices.
For example, you may want to update your social media privacy settings and audit the information you share to your profiles (and who you’re sharing with). You can also take commonly recommended measures to protect your data, such as creating stronger passwords, using encryption and keeping your devices up to date.
Here are a few other strategies to secure your PII:
Google yourself. Gebhart suggests periodically typing your name, phone number and email address into Google. Take steps to minimize information if you’re uncomfortable with how much pops up. For example, remove old public profiles, or delete unused social media accounts.
Limit the information you give out. Before you provide any PII to a company or service, find out how your data will be used. Avoid signing up for new accounts, even those that simply require an email address or phone number, that you don’t absolutely need.
Check your credit report. If an identity thief has stolen your personal information and used it to open fraudulent accounts, you’ll likely see odd entries on your credit report. You can get a free copy of your report from each credit bureau once a year at AnnualCreditReport.com. This is also a good way to find addresses and other data associated with your name and personal history.
Be wary of suspicious communication. Don’t give out any personal information to those you don’t know. Use a reverse phone or email lookup tool, which may help confirm that the person who is contacting you is who they say they are.
For most people, most of the time, there’s not much to worry about, Gebhart said. But even without an immediate threat, you can and should be thinking about how the choices you make today will impact you in the future.
“Maybe you trust the place where you shared this right now, but in 10 years, the ownership of that could change, available technology will evolve, and that information could be found or used in different ways,” Gebhart said.