Corey Heinrich
March 20, 2016
Personal Identifiable Information
Personally identifiable information (PII) is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information” (McCallister, Grance, & Scarfone, 2010). The risk is now greater than ever that consumers will have their personal data misappropriated. Recent data breaches demonstrate how vulnerable consumers can become through the simple act of going to the store and using a credit card. “On Black Friday 2013, at the height of the holiday shopping season, seventy million Target customer records were hacked in one of the largest U.S. retail data breaches to date. The hacked data included account numbers and payment card information as well as the personal data of customers. The breach required banks to perform a massive reissuance of credit cards to customers, costing hundreds of millions of dollars, and created the need for Target customers who had recently shopped at the retailer to sign up for credit monitoring services as protection against future unauthorized charges to their accounts” (Wheatley, 2015).
Personal Information Risks
Data security is only one slice of the privacy pie. Consumers have more to fear than just a breach of their financial information. They have to be wary of companies that change privacy policies without notice, publish their personal email contacts without consent, and sell their personal information to advertisers for a profit. In fact, companies are continually finding new ways to leverage the customer data they control by analyzing customer buying trends to discover new insights, which they can sell for a profit. In addition, with the rise of the Internet of Things, the data available about consumer habits is set to increase dramatically. The data is collected from a variety of online and offline consumer activities that reveal personal information disclosed in connection with those activities. These activities include purchasing products online; browsing the Internet; filling out a form or survey to get a coupon; using social media; subscribing to websites; and using mobile applications. When approved companies gather personal information and disseminate it to third parties, it is often to data brokers (companies that gather, analyze, store, and sell personal online information), which has, in turn, given rise to the data market. Data brokers exist largely unknown to the average consumer. Although they have no direct contact with consumers, data brokers collect, manipulate, and share consumers' information.
Protection of Your PII
In regulating privacy online, the United States has preferred to let businesses take a self-regulation approach. Self-regulation is considered the “least intrusive and most efficient means” to use in such a rapidly evolving area as the Internet. This approach relies on notice and consent, whereby a company is required to provide notice to consumers of how it will collect and use their information, and consumers consent by using the goods or services the company provides. Furthermore, the notice-and-consent model for privacy that currently predominates in unregulated industries in the United States has been roundly criticized as a failure. Often taking the form of End User License Agreements (EULAs) or Terms and Conditions forms, these notices are prohibitively long and written in legalese that most consumers do not understand. The result is that no one reads the terms and conditions for a given product or service.
“There were a total of 290,056 identity theft complaints reported to the Federal Trade Commission’s Consumer Sentinel Network (CSN) in calendar year 2013, which represented 14% of over 2 million complaints received” (Manion, 2015). The rate of accumulation and dissemination of PII is increasing, and there are currently no federal regulations or laws in place to ensure the proper use and collection of this data. Thus, the data industry remains free to collect, store, and disseminate consumers' personal information without restriction, which erodes consumers' privacy rights when browsing the web and conducting online transactions, and leaves consumers with limited ability to enforce and protect these rights.
Approved companies, whether small retailers or Internet giants such as Google, collect consumer information for a variety of purposes. The consumer is aware of some of this collection activity and benefits from it, such as when the consumer provides information to verify identity for purchases, to ship a purchase, or to further the company's internal marketing purposes for generating focused advertisements. Companies defend such collection by asserting that it is for the good of consumers. For example, Google's privacy policy provides a laundry list of the uses for consumer data that are beneficial to the consumer. This list includes making ads more effective; improving users' experiences; protecting against fraud and other security risks; and improving Google products.
Privacy primarily becomes an issue when the information is shared outside of the approved company. In many instances, approved companies share that personal information with a third party. This type of transaction has developed a vast market for data, in which users' personal information is being used to make a profit. Consumers' personal information is a hot commodity and has a value that is unknown to the average consumer when they disclose it to the approved companies.
Additionally, the primary enforcer of privacy law, the Federal Trade Commission (FTC), does not have the capacity to enforce every privacy violation claim of which it is made aware. While the FTC has an excellent track record of obtaining settlements with consumer privacy infringers, because of its limited budget it goes after only the biggest companies, leaving many smaller privacy infringements unremedied.
In the event of a data breach, an organization that does not protect the personally identifiable information of its employees, members, or customers risks incurring a significant financial cost, as well as a blow to its reputation. Well-run organizations employ numerous security protocols to ensure that personally identifiable information is safe and secure at all times. Protecting PII involves a combination of encryption, threat protection, data-loss prevention, and policy compliance. When handling PII, organizations will establish rules regarding access to the data; how the data is received, stored, and transmitted; what information can be sent within the organization; and what can be passed along to third parties. Consumers worried about their privacy can check with each organization they are considering doing business with to ensure the proper privacy protocols are in place.
Conclusion
Despite the fact that there is an enormous amount of consumer data being collected every day by companies, there is no comprehensive federal law establishing the proper standards for how that data is to be securely stored and transferred. Once a consumer has consented to a company’s collection of his or her personal information, with few exceptions the company is free to use it as it wishes.
The Current Legislative and Regulatory Landscape Fails to Protect Consumers and Uphold an Expectation of Privacy
As discussed above, there is no legislation currently in place to protect consumers in transactions with approved companies. When consumers share information with a company online, they should be able to feel confident that it will not be shared with third parties without their permission, and if it is stored, that it will be properly stored. Strict guidelines need to be laid down that describe the proper scope of use for consumer data based on the context in which that information is given. This will prevent companies from exceeding the scope of consent and traveling outside the expectations consumers have regarding how companies will use their personal data.
References
Hutchinson, E. E. (2015). Keeping Your Personal Information Personal: Trouble for the Modern Consumer. Hofstra Law Review, 43(Summer), 1149-1187.
Manion, R. F. (2015). Incentivizing the Protection of Personally Identifying Consumer Data After the Home Depot Breach. Indiana Law Journal, 91(1), 143-164.
McCallister, E., Grance, T., & Scarfone, K. (2010, April). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST Special Publication 800-122. U.S. Department of Commerce.
Wheatley, A. (2015). Do-It-Yourself Privacy: The Need for Comprehensive Federal Privacy Legislation with a Private Right of Action. Golden State University Law Review, 45(3), 265-286.