QUESTION
We passed our information security review by our banking department. However, they found that our description of personally identifiable information was too narrow.
We need to revise our policies and procedures and submit them to the banking department. Hopefully, you can offer a broader understanding of this area of customer privacy.
What is a good working description of personally identifiable information for our policy?
ANSWER
Most people have heard of nonpublic personal information, called “NPI.” To be precise, as it relates to financial institutions, NPI is personally identifiable information (“PII”) that:
1. The consumer provides to a financial institution;
2. Results from a transaction or service provided for the consumer; or
3. The financial institution otherwise obtains, and that is not publicly available.[i]
As a practical matter, most information that a financial institution collects from a consumer or customer is NPI. In fact, NPI also includes lists, descriptions or groupings of consumers, even if the data is publicly available, if the financial institution has derived the data from an individual’s nonpublic personal information.
Personally identifiable information, PII, is any information a consumer or customer gives to a financial institution in connection with applying for or receiving a product or service.[ii]
To broaden the foregoing description, PII is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[iii]
Here are a few common examples of PII:
· Name: full name, maiden name, mother’s maiden name, or alias;
· Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;
· Personal address information: street address or email address;
· Personal telephone numbers;
· Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting;
· Biometric data: retina scans, voice signatures, or facial geometry;
· Information identifying personally owned property: VIN or title number; and
· Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.
However, there are examples that, on their own, do not constitute PII, as more than one person could share these traits. But when linked or linkable to one of the above examples, the following could be used to identify a specific person:
· Date of birth;
· Place of birth;
· Business telephone number;
· Business mailing or email address;
· Race;
· Religion;
· Geographical indicators;
· Employment information;
· Criminal history;
· Medical information;[iv]
· Education information;[v] and
· Financial information.
Thus, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked or linkable to a specific individual.
It is essential to note that the definition of PII is not anchored to any single category of information or technology.[vi] Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, the financial institution should recognize that “non-PII” – non-personally identifiable information – can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual.
Indeed, there is even PII that is considered high risk, called “High Risk PII.” The Department of Energy describes High Risk PII as PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.[vii] Examples of High Risk PII include Social Security Numbers (SSNs), biometric records (i.e., fingerprints, DNA, etc.), health and medical information, financial information (i.e., credit card numbers, credit reports, bank account numbers, etc.), and security information (i.e., security clearance information).
While all PII must be handled and protected appropriately, High Risk PII must be given greater protection and consideration – especially following a breach – because of the increased risk of harm to an individual if it is misused or compromised.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
[i] 15 USC § 6809(4)
[ii] 16 USC § 313.3(o)(1)
[iii] Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB Memorandum M-07-16, May 22, 2007
[iv] May be subject to HIPAA requirements
[v] May be subject to FERPA requirements
[vi] Op. cit. iii
[vii] Department of Energy Privacy Program, DOE O 206.1 Chg1 (MinChg), January 16, 2009