PII Encryption Requirements. Cheatsheet

Sensitive data definition

What is considered to be PII

There is no single unified data protection law in the USA

The exact definition of PII can vary depending on:

● Regulation,

● Context,

● The state where the PII is identified.

For instance, California Consumer Privacy Act defines PII as any “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

The GSA definition of PII is:
“information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual”.

In FTC, HIPAA, or GLB the definition of PII is much broader and extends to all other mediums beyond the data in electronic form (i.e. hard copy records).

The PII in the USA federal legislation is subdivided into “always sensitive” and “sensitive in certain contexts” types.

Bonus:

● US Internet privacy laws by state.

● DHS of the USA Handbook for Safeguarding Sensitive PII.

Generally considered to be PII in most states:

● Social security number,

● Credit card number,

● Financial/Bank account number,

● First name,

● Last name,

● Address,

● Zip code,

● Email address (especially as login),

● Date of birth,

● Password or passphrase,

● Military ID,

● Passport,

● Drivers license number,

● Vehicle license number,

● Phone and Fax numbers.

Sensitive PII even when not linked with additional PII or contextual information:

● Complete (9-digit) SSN,

● Alien Registration number (A-number),

● Driver’s license or state identification number,

● Passport number,

● Biometric identifiers (i.e., fingerprint, iris scan, voice print).

Sensitive PII when linked with the person’s name or other unique identifiers (i.e. phone number):

● Citizenship or immigration status,

● Criminal history,

● Medical information,

● Full date of birth,

● Authentication information such as mother’s maiden name or passwords,

● Portions of SSNs such as the last four digits,

● Financial account numbers,

● Other data created by DHS to identify or authenticate an individual’s identity, such as a fingerprint identification number (FIN) or Student and Exchange Visitor Information System (SEVIS) identification number.

PII sensitive in a certain context:

PII that might not include the data elements described above may still be sensitive and require special handling if those could cause:

● Substantial harm,

● Embarrassment,

● Inconvenience,

● Unfairness to an individual.

Sensitive data definition

FISMA is one of the most important cyber security laws affecting the U.S. federal agencies. It applies to all federal information and information systems including data, information systems, information technology), and all forms of information.

PII according to FISMA is the information that allows identifying and contacting the data subjects without their consent to be identified and/or contacted, and the loss of which may lead to identity theft or other fraudulent use, resulting in substantial harm, embarrassment,
and inconvenience to individuals.

● First/Last names,

● Aliases,

● Social Security numbers,

● Biometric records,

● Other personal information linked or linkable to an individual.

Bonus:

● List of specifically restricted services that can’t be used under FISMA.

Sensitive data definition

HIPAA uses the term Protected Health Information (PHI) to refer to protected data, which overlaps a lot with PII defined in the other US legislative acts.

While PII is the information that can identify a person, PHI is subject to strict confidentiality and includes anything used in a medical context that can identify patients.

The disclosure requirements are much stricter than those that apply to most other industries in the United States. Protecting PHI is always legally required, but protecting PII is only mandated in some cases.

Certain information like full name, date of birth, address and biometric data is always considered to be PII.

Other data, like first name, first initial and last name or even height or weight may only count as PII in certain circumstances, or when combined with other information.

● First/Last name,

● Address (incl. ZIP code and country),

● Birthday,

● Credit card number,

● Patient payment information,

● Health plan beneficiary numbers,

● Driver’s license,

● Medical records,

● Medical record numbers,

● Patient diagnostic information (past, present, future physical or mental health),

● Patient treatment information,

● Biometric identifiers (incl.fingerprints),

● Full facial photographs and images,

● Device identifiers and serial numbers,

● IP address numbers and web URLs,

● Any other individual’s identifiable information.

Sensitive data definition

What is considered to be PII

GDPR identifies 2 types of personal data:

● Personal data,

● Sensitive personal data.

See below.

“Personal data” is “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Any information relating to a physical individual, ranging from someone’s name to their physical appearance i.e.:

● First and last name, patronymic,

● Email, phone, and fax numbers,

● Date and place of birth,

● General medical information,

● Physical address, ZIP code,

● Social security number,

● Driver/vehicle license numbers,

● Passport number,

● Military ID,

● Credit card number,

● Bank account number,

● Automated personal data which can be used for identification,

● Password or passphrase, etc.

Some of the sensitive data types defined in GDPR are new and extremely modern in comparison to other data privacy regulations, and we’d like to expand the list of the sensitive data with more detailed examples when it comes to technology-centric and digital-native data types and mediums.

(Some) Sensitive personal data expanded:

● Genetic data is personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person.

● Biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, i.e. facial images, voice print, iris scan, or dactyloscopic data, including with fingerprint login info.

● Data concerning health is personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status.

● Automated personal data, unique online identifiers (i.e. “cookies”, IP address, other info gathered by various user behaviour trackers), location data that can be used for identification or location of the natural person.

● Pseudonymized data – once the pseudonymisation process has taken place (the “personal” is “decoupled” from the personal data), no third party data processors/collectors shall be able to trace the data back to identify or locate the natural person the data belongs to.

What is considered to be PII

“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

According to the CCPA, PII includes roughly 11 categories and inferences:

● Identifiers (Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers)

● Customer records information

● Characteristics of protected classifications under California or federal law (ace, religion, sexual orientation, gender identity, gender expression, age)

● Commercial information

● Biometric information

● Internet or other electronic network activity information (browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement)

● Geolocation data

● Audio, electronic, visual, thermal, olfactory, or similar information

● Professional or employment-related information

● Education information

● Inferences (preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes)

Publicly available information (e.g. data contained in publicly available federal, state, or local government records) is an exception and is not considered to be PII.

Sensitive data definition

FERPA follows the GSA/Federal definitions of the PII with some additions and exceptions.

For instance, schools may disclose, without consent, "directory" information about a student, but must first warn parents and allow them to make a request not to disclose the “directory” information on students.

Directory information (can be disclosed in some cases):

● Student's full name,

● Address,

● Telephone number,

● Date and place of birth,

● Honours and awards,

● Dates of attendance.

Sensitive information:

● Student ID number,

● Family member names,

● Mother’s maiden name,

● Student educational records,

● Immunization records,

● Health records,

● Individuals with Disabilities (IDEA) records.

Sensitive data definition

What is considered to be PII

The Payment Card Industry Data Security Standards (PCI DSS) require that merchants protect sensitive cardholder information from loss and use good security practices to detect and protect against security breaches.

Sensitive data according to this regulation is the data used for authentication and authorization.

May be stored if protected in accordance to PCI DSS (in an encrypted form):

Primary Account Number (PAN; must be masked whenever it is displayed),
sensitive data for authentication and authorization.

Payment card data:

● cardholder’s name,

● expiration date,

● service code

can only be stored if required for business purposes and properly protected

Data on the magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data, CVV, CVV2, etc.) must never be stored, even in encrypted form.

Sensitive data definition

What is considered to be PII

Non-public Personal Information (NPI) must be protected by banks, credit unions, and other financial institutions. This information includes personally identifying financial information.

In addition to Personally Identifying Information, sensitive customer information must also be protected according to FFIEC.

All personally identifiable financial information, i.e.:

● Income,

● Credit score,

● Collection history,

● Family members’ PII and NPI;

● Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any “personally identifiable financial information” that is not publicly available.

Sensitive customer information:

● Customer’s name,

● Address,

● Telephone number, in conjunction with the customer’s social security number,

● Driver’s license number,

● Account number,

● Credit or debit card number, or

● Personal identification number or password that would permit access to the customer’s account.

Also sensitive:

Any combination of components of customer information that would allow someone to log into or access the customer’s account is also considered to be sensitive customer information, i.e.:

● Username + password,

● Password + account number, etc.

Other sensitive information

Need to have more extensive controls to guard against alteration (i.e. integrity checkers and cryptographic hashes):

● System documentation,

● Application source code,

● Production transaction data.