Published: February 26, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
People often use the term "confidential information" or "sensitive information" when they are really referring to personally identifiable information (PII). It certainly can be confusing to know the difference between them all. To clarify a bit: PII should always be considered confidential, but not all confidential or sensitive information is actually PII. For example, confidential documents regarding business strategy may or may not include PII. However, it is probably not viewed favorably if documents of that sort are lying around exposed to all, even if they don't include PII or violate any regulations or laws. For the most part, "confidential" and "sensitive" can be used interchangeably, but PII should be handled differently.
When deciding how to treat information, perhaps it's best to think of what could be used against someone for identity theft, healthcare fraud, or discrimination. If it includes a social security number, it's a no-brainer. However, what if a document includes someone's email address? While generally not considered confidential, it may be PII. For example, if an email address is used as the login name for an online account, then it may be considered PII.
PII should also be considered confidential for the purposes of documentation and communication in any form, including file transfers and email messages. Don't forget that when you're talking to others, either on the phone or in person, PII still needs to be kept on the down low. So, if you're discussing a particular case where a social security number, for example, must be vocalized, remember to step into a room where you can close the door.
To help make the determination of whether or not information should be treated as PII, keep the following list in mind. While it is long, it is by no means exhaustive.
Social Security Number (SSN)
Driver’s license number or state-issued identification card number
Security codes, access codes, or passwords that could permit access to an individual’s accounts
Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
Health insurance information, including an individual’s health insurance policy number or subscriber identification number
Any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history
Place of birth
Date of birth
Mother’s maiden name
Personal financial information, including credit scores and history
Credit card or purchase card account numbers
Potentially sensitive employment information, e.g. personnel ratings, disciplinary actions, and results of background investigations
Any information that may stigmatize or adversely affect an individual
Because the list of information that falls under the umbrella of PII continues to grow, the best advice we can give is this: if there are any names, numbers, addresses or other identifying data of any kind, assume that it probably falls under PII. If you follow that simple practice, you will always be protecting your customers and your organization from data leaks and loss.
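One way to put that rule into practice is a small content check that flags the identifiers from the list above before a document is shared or a case note is logged. The following is an added example, not code from the newsletter: the patterns cover three of the listed identifiers (SSN, payment card number, email address), the sample text is constructed, and anything without a hit is routed to human review rather than treated as safe, since business-strategy material can be confidential without containing PII.

```python
import re

# Constructed patterns for three identifiers from the list above (SSN, payment
# card number, email address); the sample text further down is also constructed.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> dict:
    """Return identifiers found in text, grouped by kind (card digits normalised)."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards, "email": EMAIL_RE.findall(text)}

def classify(text: str) -> str:
    """'pii' when an identifier is present. Otherwise the text may still be
    confidential (business strategy, for example), which a pattern scan cannot
    decide, so it goes to a human reviewer instead of being marked shareable."""
    return "pii" if any(find_pii(text).values()) else "needs-review"

def redact(text: str) -> str:
    """Mask identifiers so the text can be quoted in a ticket or log."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    text = CARD_RE.sub(mask_card, text)
    return EMAIL_RE.sub("<email redacted>", text)

# Constructed sample: one case note mixing PII with non-PII business content.
SAMPLE = ("Case 4471: applicant Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, "
          "login jane.doe@example.com. Q3 pricing strategy attached.")

if __name__ == "__main__":
    print(find_pii(SAMPLE))
    print(classify(SAMPLE), classify("Q3 pricing strategy attached."))
    print(redact(SAMPLE))
```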