Have you ever had one of those dreams where you were naked in front of a crowd? We could dive deep into the metaphorical meaning of this, but let’s use it as an analogy instead. What if the latest results of your proctology exam along with your ultrasound image of certain reproductive organs suddenly appeared on a website your brother-in-law found “by accident” late last Tuesday evening?
I bet you it would feel just like that old dream you had. Only now it would be a real nightmare. How could you ever get such information off of the Internet? Everybody knows there’s some creep at the endpoint of a Scandinavian network salivating to get his hands on the pictures of your bottom half. That stuff never goes away. And what’s more, you have no idea what havoc they will wreak in your name with your PII.
Personally Identifiable Information
PII? What is PII you say? Clearly it’s an acronym, and it stands for Personally Identifiable Information. What is Personally Identifiable Information? Well, it’s you, really. It is what exists of you in cyberspace, anyway. It is literally the information and behaviors that describe your presence on this planet in more detailed ways than Mother Nature intended.
Different organizations have different definitions of PII, but it all comes down to the same thing. It is information that in the hands of someone else makes you vulnerable to exploitation. As we can see from our previous example, embarrassment is even enough to warrant the protection of your PII. In fact, if leaking your PII could result in harm, embarrassment, inconvenience, or unfairness to you, that PII can be protected by law.
One Legal Definition
According to 2 CFR § 200.79 (in the Code of Federal Regulations for the United States of America), Personally Identifiable Information is …
“information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general education credentials.”
“The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.”
Some examples of PII include but are by no means limited to:
First and Last Name | Social Security Number
Driver’s License Number | Passport Number
Address | Phone Number
Signature | Insurance Policy Number
Education | Employment
Employment History | Physical Characteristics
Biometrics | Bank Account Number
Credit Card Number | Debit Card Number
Sexual Orientation | Information About Your Sex Life
IP Address | MAC Address
Now, oh, my, God, you have just realized that your Medical Record Number was on that image, and so was your first and last name along with your home phone number. You should know that your medical information is called PHI, or Protected Health Information. The Protected part means that that data should never have been exfiltrated, or simply slipped out into public view, in the first place.
Protected Health Information
This is because PHI is a very special category of PII that has a whole host of regulations that explain to people, medical people, how not to let this happen, and what will happen to them if they let this happen, which in this case, they did. I know I should eschew obfuscation, but I get a little bit cheeky about this subject — not to be punny about your recently published proctology report. Because once this stuff is leaked, all you can do is try to develop a good sense of humor about it.
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, as those hip to healthcare call it, provides harsh penalties for the people who let this happen. Basically, they are going to pay some money, from 100 dollars per incident to 50,000 dollars per incident, to the government for doing this to you if they did it by accident, or somebody is going to have to do some time in jail if they did it on purpose, according to HIPAA Journal.
You will get a letter of apology explaining exactly what was leaked, when it was leaked, and how it was leaked, which just doesn’t seem fair. If you can get enough people together whom this has happened to, you might even be able to gather together a class action lawsuit. Good luck.
What Just Happened?
Now that we’ve got a sense of what kind of feelings we would feel if someone embarrassed us by publishing our PII or PHI, let’s dive into some of the other things that can happen when someone gets hold of your personal information. “Personal information” or just plain old PI is what the state of California calls PII. So, let’s say someone gets a hold of your personal information. What’s the worst they could do?
Criminals buy and sell your information like chickens in a flea market. There is a market value for credit card primary account numbers (PAN), account numbers, CVV numbers, social security numbers, or any other information that lets someone else pretend to be you. They buy one-offs, and they buy in batches. They pay small amounts of money, about a buck for your social security number, and they pay lots of money, up to 1,000 dollars, for something like medical records, according to Experian.
Why is your information so valuable to them? Because with it they can really pretend to be you: getting access to all your financial accounts, like bank accounts and credit card accounts; taking out new credit in your name and charging those accounts up to the max; committing other crimes and giving your social security number when asked to provide their identity; and using your medical insurance information to hoodwink the hospital and have surgery in your name. You won’t see any of this coming until the bills show up at your door. There are a lot more possibilities here. Just use your imagination. If you can dream it, they can do it.
Protecting PII
If you’re a business, and you deal with credit cards, you have to comply with the PCI DSS 4.0. If you are anywhere in the supply chain of the DoD, you will soon have to comply with the CMMC, and if you are part of the Medical Industrial Complex of the United States of America, you will most assuredly have to comply with HIPAA. If you’re a customer, a user, or any person who enters your information onto the web, look out and check the data privacy policy of the business you are dealing with before you go any further.
For those businesses looking to get certified and earn that consumer trust, there are companies like RSI Security who are able to supply you with expert guidance and implementation of complex compliance frameworks. Because these frameworks are requirements under the law, and great harm can come to a company through a data breach both financially and in reputational damage, you want the greatest expertise at the right price to help you.
That’s where RSI Security comes in. We have over 10 years of cybersecurity compliance expertise with the intellectual power to keep you one step ahead of hackers. And we are cost-effective. There’s no reason to wait to find out how your business can become compliant. Contact us today for a no-obligation free consultation and see why Our Success Is In Securing Yours!