Personally identifiable information is any data that could potentially identify a specific individual. A data breach is an unauthorized access and retrieval of sensitive information by an individual, group, or software system. Companies will undoubtedly invest in ways to harvest data, such as personally identifiable information, to offer products to consumers and maximize profits. Still, they will be met with more stringent regulations in the years to come. The Personal Information Protection and Electronic Documents Act regulates the use of personal information for commercial purposes; it defines personal information as information that, on its own or combined with other data, can identify you as an individual.
Regularly reviewing current cybersecurity strategies and the infrastructure deployed will help IT staff recognize weaknesses in current defenses. For instance, HIPAA and PCI-DSS might require organizations to use SSL/TLS when transferring sensitive data and PII. The organization would then be required to encrypt any sensitive data in the database. However, you still need to define a set of strategies for internal access, backups, archives, and who within the organization can view PII.
In a data breach, PII is a target for attackers due to its high value when sold on darknet markets. Examples include the person’s full name, phone number, passport number, home address, social security number, driver’s license number and email address, as well as digital data such as IP address and geolocation. Other items are also considered sensitive data, particularly biometric data and medical records. But government records aren’t the only type of information that can be considered PII.
Kenneth C. Laudon developed a model in which individuals own their data and have the ability to sell it as a product. He believed that such a system should not be regulated, in order to create a free market. Similar identity protection concerns exist for witness protection programs, women’s shelters, and victims of domestic violence and other threats. Another key case is financial identity theft, which usually entails bank account and credit card information being stolen and then used or sold. It appears that this definition is significantly broader than the Californian example given above, and thus that Australian privacy law may cover a broader category of data and information than some US law does.
As stressed by the US General Services Administration, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”. In response to businesses collecting and storing more and more individuals’ PII, individuals and regulators have been applying greater scrutiny to how businesses use and safeguard that data. As a result, various jurisdictions have passed legislation to limit the use, distribution, and accessibility of PII, while allowing companies that need it to manage the data safely. Additionally, organizations that establish procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor and multifactor authentication.
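The paragraphs above say that an organization must decide who internally may view PII and that access-control procedures prevent inadvertent disclosure, but do not show what such a control looks like in practice. The following is an added example, not code from the original page or from any product it mentions. It assumes a hypothetical record store of customer dicts, a small role policy that lists which PII fields each role may see in the clear, masking for everything else, keyed pseudonymisation (HMAC) for analysts who need a join key but not the identity, and an audit log of every access. The field names, roles, key and sample record are all constructed for the example.

```python
"""Role-gated access to PII with field masking, pseudonymisation and an audit trail.

Hypothetical example: a minimal data-access layer that sits between storage and
callers so that raw PII never leaves it unless the caller's role allows it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields classified as PII, matching the kinds of data the article lists (constructed).
PII_FIELDS = {"full_name", "phone", "passport_no", "home_address", "ssn",
              "drivers_license", "email", "ip_address", "geolocation"}

# Least-privilege policy (constructed): PII fields each role may see in the clear.
# Any PII field not listed for a role is masked (or pseudonymised for analysts).
ROLE_CLEAR_FIELDS = {
    "support_agent": {"full_name", "email"},
    "billing": {"full_name", "home_address", "phone"},
    "analyst": set(),                 # analysts only ever see pseudonyms
    "compliance_officer": set(PII_FIELDS),
}

# Constructed key for the example; in a real deployment it comes from a secret store
# and is rotated, because whoever holds it can re-link pseudonyms to values.
PSEUDONYM_KEY = b"example-pseudonym-key-do-not-reuse"


def mask_value(field_name, value):
    """Partially redact a PII value while keeping it operationally useful."""
    s = str(value)
    if field_name == "email" and "@" in s:
        local, domain = s.rsplit("@", 1)
        return local[:1] + "***@" + domain
    if field_name in {"ssn", "passport_no", "drivers_license", "phone"}:
        return "*" * max(len(s) - 4, 0) + s[-4:]   # keep last four characters
    return "[REDACTED]"


def pseudonym(value):
    """Keyed, deterministic token: lets analysts join records without the identity."""
    return hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class AccessLayer:
    records: dict
    audit_log: list = field(default_factory=list)

    def _log(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def view(self, actor, role, record_id):
        """Return a copy of the record with PII reduced to what `role` may see."""
        if role not in ROLE_CLEAR_FIELDS:
            self._log(actor=actor, role=role, record=record_id, outcome="denied")
            raise PermissionError(f"unknown role {role!r}")
        rec = self.records[record_id]
        allowed = ROLE_CLEAR_FIELDS[role]
        out = {}
        for key, value in rec.items():
            if key not in PII_FIELDS or key in allowed:
                out[key] = value                       # non-PII, or explicitly permitted
            elif role == "analyst":
                out[key] = pseudonym(value)            # join key, no identity
            else:
                out[key] = mask_value(key, value)      # default: redact
        self._log(actor=actor, role=role, record=record_id, outcome="ok",
                  clear_fields=sorted(k for k in rec if k in allowed))
        return out


# Constructed sample data; not a real person.
SAMPLE_RECORDS = {
    "c-1001": {
        "customer_id": "c-1001",
        "full_name": "Jane Example",
        "email": "jane@example.org",
        "phone": "+1-555-0100-2222",
        "ssn": "123-45-6789",
        "plan": "gold",
    }
}

if __name__ == "__main__":
    layer = AccessLayer(records=dict(SAMPLE_RECORDS))
    for role in ("support_agent", "billing", "analyst", "compliance_officer"):
        print(role, layer.view("demo-user", role, "c-1001"))
    print(layer.audit_log)
```

The point of the design is that the decision about who may see which field is made once, in the access layer, rather than in every report or screen that touches the data; the audit log then gives the evidence trail regulators ask for when a disclosure is investigated. Encryption of the stored records is a separate control and is not shown here.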