Understanding Personally Identifiable Information (PII)

October 15, 2020


Since the 1970s, US privacy regulations have governed the collection and use of personally identifiable information—commonly referred to as PII—via sectoral laws, such as HIPAA for the health industry and FERPA for the education industry. 

As consumers move from antiquated brick-and-mortar models to digital offerings, the risks associated with protecting PII appear to increase exponentially. These risks, such as phishing, malware, and ransomware, were not contemplated in these older regulations. As such, new regulations and laws are coming out at what feels like an alarming rate.

As these new regulations take effect, it’s important for companies to have robust information security and privacy programs in place. At minimum, such programs should include physical, administrative, and technical safeguards to protect the security, confidentiality, and integrity of PII.

It would take many blog posts to detail such programs, so, for now, let’s start at the beginning: what exactly is PII?  

What is personally identifiable information (PII)?

Broadly speaking, personally identifiable information (“PII”) is any data or information that can be used to link to, or potentially identify, a specific individual, whether directly or indirectly.

As mentioned above, the US privacy landscape is governed by sectoral federal and state laws, as well as some comprehensive state laws. The lifecycle of particular PII may be governed by many regulations simultaneously. Each regulation establishes its applicability, its scope, and, amongst other things, its definition of PII. 

If that sounds like a tricky minefield to navigate, it’s because it is.  

For example, one of the most impactful privacy regulations to govern the financial industry is the Gramm-Leach-Bliley Act (“GLBA”). In the GLBA, the applicable PII is referred to as “Nonpublic Personal Information” (“NPPI”). NPPI is defined as “personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.”

The recently enacted California Consumer Privacy Act (“CCPA”), a comprehensive state law, refers to the concept of PII as “Personal Information.” The CCPA goes on to define Personal Information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Although the GLBA and CCPA represent only a fraction of the current privacy regulations in the US, these two regulations highlight the differences in terminology used to define PII.

Which PII definition to use

The applicable definition of PII should be determined by the method of, and the reason for, its collection. Take, for example, Jane Doe, a California resident: 

Jane’s email address is listed in her LinkedIn profile so that prospective employers can contact her. In this capacity, Jane’s email would likely be categorized, amongst other things, as Personal Information under the CCPA. 

Later, Jane lists her email address, the exact same email address, in her application for a personal loan with a financial institution. Despite the fact that Jane’s email address can be found easily via her LinkedIn profile, her email address as listed in the application is now also NPPI under the GLBA. Why? Because her email address is PII that she provided to her financial institution via a confidential application for credit. As such, Jane’s financial institution is now charged with all the responsibilities associated with NPPI, as conferred by the GLBA. 

In the end, the same PII could be covered by multiple rules and regulations.

How PII can be collected and processed

There are many ways in which PII can be collected and processed. Each entity that collects PII (a “Collecting Entity”) must be cognizant of the applicable privacy regulations that will govern such PII. In addition to regulations, the Collecting Entity may also be governed by contractual obligations. 

For example, if a Collecting Entity is collecting and processing PII on behalf of a financial institution (an “FI”), then that Collecting Entity is subject to (1) all the contractual obligations imposed on it by that FI and (2) the regulations that apply to the Collecting Entity in its capacity as a service provider for the FI. To add an additional layer to this already-complex relationship, the FI is, itself, subject to a myriad of privacy regulations, including the GLBA. Thus, the relationship would look like this:

  • The FI is subject to the GLBA, which requires, inter alia, consumer consent at the time NPPI is collected;
  • The FI hires a Collecting Entity and, in the written contract, the FI requires that the Collecting Entity obtain the requisite consumer consent;
  • The Collecting Entity must facilitate and obtain the consumer consent on behalf of the FI, as required by the GLBA and the FI’s written instructions.

A failure to obtain the necessary consumer consent could expose a variety of liabilities: some for breaches of regulatory requirements and some for breaches of contract. Thus, it is imperative for a company to understand the relationships that govern, and the parties who interact with, the collection and processing of PII in its custody. 

Protecting PII  

Companies holding PII are responsible for safeguarding that PII based on applicable law, industry standards, and, as explained above, contractual obligations. A company’s failure to keep PII safe can result in hefty monetary damages, but it can also lead to reputational harm. Given the constant growth and competition within the digital space, the latter may have a larger, longer-lasting impact on a company.

Businesses can protect their customers’ PII by having a strong fraud, verification, and authentication strategy in place. For example, financial institutions that are capable of detecting and mitigating fraud in a digital environment can help protect PII by remaining vigilant for fraudulent activity. This type of detection and prevention not only saves the institution money, but it also cultivates customer trust and satisfaction.

Is your company taking the right steps to protect PII?

Within the last few years, privacy has proven itself to be one of the most dynamic areas of the law; each year brings new regulations, amendments to existing frameworks, and updated industry standards. Every company collecting and processing PII, regardless of industry, should continuously monitor the foregoing. As previously mentioned, successful information security and privacy programs should take into account the different factors that impact a company’s collection and use of any PII. Commonly, one of the first steps in this process is understanding that PII.

To learn more, read on to see how Amount’s fraud and verification tool, Amount 360, identifies and prevents modern fraud attacks by using personal data.

Footnotes

The information in this post is provided for informational and advertising purposes only. Amount's service may vary for each customer. For more information, email us – media@amount.com.

Dana Caproni

Dana Caproni, In-House Legal Counsel at Amount, specializes in contracts and privacy work. As a Certified Information Privacy Professional (CIPP/US), she ensures that Amount and its partners are compliant and protected in the modern privacy landscape. In her free time, Dana enjoys cooking new recipes with her husband.
