What is Pii in cybersecurity? Different types of Pii, and all you should know

The internet is all about sharing information. Whether you are relaxing and watching what your friends are up to, reading the latest headlines, or binge-watching your favorite show, information is being shared or consumed in some way. In this context of sharing information online, cybersecurity policies play the most important role in safeguarding the information we share.

When the topic is cybersecurity, we often come across the term PII (Personally Identifiable Information). No, this is not the mathematical ‘Pi’ that is approximately 3.14; that has nothing to do with cybersecurity. So what is Pii? How does Pii impact the internet? Let’s have a look at this term in detail in this article.

So, without any further delay, let’s get started with what Pii is.

What is Pii?

In cybersecurity, Pii refers to Personally Identifiable Information: any information that can be used to uniquely identify a person. This can be an identification document number like a PAN number or Aadhaar number, or an employee ID, roll number, etc. Each of these refers to just one individual.

However, the concept of Pii is not that straightforward. All the examples I just discussed are a specific type of Pii. It is not the case that a single identifier is always enough to refer to an individual. For example, if you are from Delhi, that is also a piece of Pii; however, there are millions of people living in the city, so this isn’t enough to identify you. So, let’s go deeper.

Different types of Pii

Pii can be classified into two categories: direct and indirect. If just one piece of information or identifier can be used to identify a person, that is direct Pii. It can be a PAN number, EPIC number, etc., just like I discussed above.

However, just like in the example I gave earlier, if it is known that a person lives in Delhi, that could refer to anyone living in the city. So, that is an example of indirect Pii. While one such piece of information alone cannot refer to an individual, if more information, or better, multiple identifiers, can be collected, the results are narrowed down and the individual can be identified.

To give you a better perspective of how powerful multiple indirect identifiers can be, as per Dataprivacylab, around 87% of the US population can be identified if their date of birth, sex, and ZIP Code are known. This also means that for 87% of the population, the combination of DOB, sex, and ZIP Code is unique.
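As an added example (not code from the original article), the script below shows how a data holder can measure this narrowing-down effect before releasing a dataset: it groups records by the same three indirect identifiers the study names and reports how many people are the only one in their group, first with names merely removed and then with the identifiers coarsened. The records, column names and the coarsening rules are constructed assumptions.

```python
from collections import Counter

# Constructed toy dataset (hypothetical records, not data from the article).
# Each row has a direct identifier (name), the three quasi-identifiers the
# article mentions (date of birth, sex, ZIP Code) and a sensitive attribute.
RECORDS = [
    {"name": "A", "dob": "1985-03-12", "sex": "F", "zip": "110001", "diagnosis": "flu"},
    {"name": "B", "dob": "1985-03-12", "sex": "F", "zip": "110001", "diagnosis": "asthma"},
    {"name": "C", "dob": "1990-07-01", "sex": "M", "zip": "110001", "diagnosis": "flu"},
    {"name": "D", "dob": "1990-07-01", "sex": "M", "zip": "110002", "diagnosis": "diabetes"},
    {"name": "E", "dob": "1978-11-23", "sex": "F", "zip": "110003", "diagnosis": "flu"},
    {"name": "F", "dob": "1978-05-02", "sex": "F", "zip": "110004", "diagnosis": "asthma"},
]

QUASI_IDS = ("dob", "sex", "zip")


def strip_direct_identifiers(records, direct=("name",)):
    """Remove direct Pii only; the 87% figure shows this alone is not anonymisation."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def reidentification_risk(records, quasi_ids=QUASI_IDS):
    """k = size of the smallest group; unique = records that are alone in their group."""
    classes = equivalence_classes(records, quasi_ids)
    unique = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return {"k": min(classes.values()), "unique": unique, "total": len(records)}


def generalize(records):
    """Coarsen the quasi-identifiers: birth year instead of full DOB, 3-digit ZIP prefix."""
    return [dict(r, dob=r["dob"][:4], zip=r["zip"][:3]) for r in records]


if __name__ == "__main__":
    released = strip_direct_identifiers(RECORDS)
    print("names removed only:", reidentification_risk(released))
    print("after generalisation:", reidentification_risk(generalize(released)))
```

With names removed, four of the six constructed records are still the only ones with their DOB, sex and ZIP combination; after coarsening, every record shares its combination with at least one other, so a single match no longer points at one person.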

Sensitive and non-sensitive Pii

Besides categorizing Pii based on how powerful it is at uniquely identifying individuals, Pii can also be classified into sensitive and non-sensitive Pii, based on how much damage its misuse can cause.

There is no doubt there are several identifiers that can be used to identify you as an individual. However, if any type of sensitive Pii falls into the wrong hands, it can cause significant damage to an individual. For example, if somebody gets your Aadhaar number or UID, it can be used against you, or the cyber thief can enjoy benefits on your behalf.

Sensitive Pii

So, sensitive Pii refers to identifiers like identification document numbers, biometric data, your bank account or credit card number, and even your medical records. In most cases, these identifiers are not available in the public domain, and even when they are available, or you need to provide them somewhere, there is some sort of authentication to prevent their misuse and ensure the data is used only for the purpose you provided it for.

For example, if you are using your credit card online, you have to enter the CVV and an OTP, and if you use it at a POS terminal, you need to enter the PIN. The same applies to bank accounts: if you need to withdraw or transfer money, you must enter your password or provide the correct signature at the branch. The same goes for UID, where you must authenticate with your biometrics.

Non-sensitive Pii

On the other hand, non-sensitive Pii won’t cause the same class of damage if it is misused. Non-sensitive Pii includes your Instagram username, mobile number, email address, IP address, etc. Much non-sensitive Pii may be available in the public domain; for example, your mobile number and email address may be available to people you may or may not know, depending on your situation, such as when you run a business or the public needs to contact you.

However, non-sensitive Pii can still cause significant damage to your reputation or be misused against you. It all depends upon who you are, and how exactly the cybercriminal is using those identifiers against you. This can damage you financially, as well.

For example, if someone obtains a new copy of your existing SIM, they can transact on your behalf and send messages to people you know personally. Such targeted attacks can damage you financially or ruin your reputation.

What is not considered Pii?

It follows from the above explanations that not every piece of information you share counts as Pii. For example, your shopping behavior and the videos and movies you watch won’t be counted as Pii. Yes, all this information can be used to build a profile for targeted advertisements, and is hence a useful collectible for companies, but it cannot be used to identify you as an individual, and hence can’t be considered Pii.

Laws safeguarding Pii

Undoubtedly, personally identifiable information should be safeguarded in every situation to prevent serious problems. As per Section 43A of the IT Act 2000, amended in 2008, if an entity handling personal data is negligent in securing it, eventually resulting in damage or loss to the individual whose data is at stake, the entity is liable to pay for the damages.

To make things better in safeguarding Pii, the Indian Parliament passed the Digital Personal Data Protection Act in August 2023, which brings in tighter provisions for safeguarding personal data, and this is the need of the hour. The act will come into effect once it is notified by the Government of India. Once in force, the act will apply to all types of personal data that is digitally maintained, not just in India but also beyond its borders if the processing is related to offering goods and services within the Indian subcontinent.

So, that’s all about Pii that you should know, being a netizen. Do you have any questions? Feel free to comment on the same below.