What is personally identifiable information (PII)? 

Your personal information is used by government agencies, banks, medical offices and even retail stores. Unique identifiers like your driver’s license and online passwords can be part of your daily life. This information is what tells you apart from everyone else on the planet. 

But if your information isn’t properly managed, it could leave you vulnerable to identity theft. That’s because data breaches and cyberattacks can expose your personally identifiable information, also known as PII. Read on to learn what PII is and the steps you can take to protect it.

Key takeaways

• PII can be used alone or with additional data to identify a person.
• The two main types of PII are sensitive PII and non-sensitive PII. Sensitive PII, such as your driver’s license or Social Security number, can directly reveal your identity. 
• Non-sensitive PII includes information that could be in a public record, like your birthday or phone number. It can’t directly identify you, but it might be used with other information to reveal your identity. 
• Cybercriminals could use your PII to apply for loans, open credit cards or drain money from your accounts. 
• You can take steps to help protect your PII, like using secure networks and passwords.  

Personally Identifiable Information (PII) refers to any information that can be used alone or with additional data to identify an individual. The Consumer Financial Protection Bureau defines PII as information “that can be used to distinguish or trace an individual’s identity.” That includes your name, address, Social Security number and birthday. 

Governments and corporations have increased the amount of online information they collect and process. Sharing information online can make it easier to access medical records, pay bills and work remotely, but there can be risks.

Identity thieves can use data breaches and cyberattacks to access your valuable information. Criminals could use your PII to open credit cards and withdraw money from your accounts, which can impact your credit scores. 

The good news is: There are steps you can take to limit your chances of falling victim to identity theft. But first, it’s important to know about the different types of PII and how they can be accessed.

PII can be broken down into two categories—sensitive and non-sensitive PII. 

Sensitive PII includes any data that can be directly linked to your identity. Here are some examples:

• Bank account number
• Birth certificate
• Credit card information
• Driver’s license
• Full legal name
• Medical records
• Passport
• Social Security number

Encrypting sensitive PII can help prevent it from falling into the wrong hands. That’s why government regulations and company policies may require PII to be removed from data sets using a process called anonymization. 

However, non-sensitive PII can be accessed from public sources like the internet. This data can’t be used alone to directly identify someone. But when it’s combined with sensitive information, it may reveal a person’s identity. 

For example, many people can have the same birthday, so that information alone is not enough to directly identify someone. But when a person’s birthday is combined with their full legal name, their identity could be exposed. 

Other examples of non-sensitive PII include:

• Address
• Ethnicity
• Gender
• IP address
• Public phone numbers

There isn’t one specific government agency that is responsible for safeguarding PII. However, there are several federal, state and industry-specific laws that protect PII and prohibit unlawful use of this information. 

In the U.S., the Privacy Act of 1974 established a code that governs how information can be collected, managed, used and shared by federal agencies. The act also gives people the right to:

• Request their records, but there are some exemptions
• Request changes to inaccurate records
• Be protected from unauthorized collection, use and disclosure of their personal information

It’s important to note: The Privacy Act of 1974 only applies to government records that can be retrieved using personal identifiers. These identifiers could include a person’s full name or Social Security number.

But government records aren’t the only type of information that can be considered PII. Companies could have access to sensitive personal data such as an employee’s Social Security number or a customer’s credit card information. That’s why certain laws were created to protect how PII is used and shared in certain industries.

Here are some laws that regulate how companies handle sensitive personal information:

• Federal Trade Commission (FTC) Act. This law prohibits unfair or misleading collection, use and disclosure of PII. It “applies to all persons engaged in commerce, including banks.”
• Gramm-Leach-Bliley Act (GLBA). Under the GLBA, financial institutions are required to disclose information-sharing practices to customers. They also have to protect sensitive data, including PII.
• Health Insurance Portability and Accountability Act (HIPAA). This sets national standards for how a patient’s medical records and health information can be used and disclosed. 

If organizations don’t have a plan in place for protecting PII, they could put their employees and their customers at risk of identity theft if there’s a data breach. If organizations lose sensitive data, they could face legal penalties, financial losses and damaged reputations. That’s why many companies have policies in place for handling sensitive data. These policies might include:

• Conducting risk assessments to combat potential security breaches
• Requiring sign-in verifications for employees who need access to sensitive data
• Using encryption to protect PII 
• Documenting through policies how to handle sensitive information 
• Educating employees who handle sensitive information on best practices

Identity theft has become more common. According to the FTC, 1.4 million Americans filed identity theft reports in 2021.

There’s no way to fully prevent someone from stealing your identity. But there are steps you can take to make it harder for your data to fall into the wrong hands. Here are nine tips for protecting your PII online:

• Encrypt sensitive data if you need to store or transfer it. Most devices have encryption options under security settings. You could also research online tutorials and encryption software tools.
• Make sure your devices are password protected.
• Avoid using the same password for all of your accounts. You can read the Cybersecurity & Infrastructure Security Agency’s guide on passwords to learn more. 
• Wipe all devices before you sell them or throw them away.
• Limit the types of personal information you share online.
• Some public Wi-Fi networks may not be secure. You can read the FTC’s guide to learn how to safely use virtual private networks (VPNs) and public Wi-Fi. 
• Recognize and avoid phishing emails, calls or text messages. 
• Check your financial statements for fraudulent charges and report these issues to your financial institution. 
• Check your credit reports. You can visit AnnualCreditReport.com to get free copies of your credit reports. CreditWise from Capital One may also help you monitor your credit.

You can protect your PII from being lost or stolen offline too. Store important documents—like passports and Social Security cards—in a secure area. It’s a good idea to also shred bank statements and financial records before you throw them away.

More interactions are happening online, which means more of your PII may be shared online. This can put you at risk for identity theft. But knowing what PII is and how it’s used could help you protect your sensitive data. 

You can use CreditWise from Capital One to check your TransUnion® credit report for any changes. CreditWise also scans the dark web and will send you an alert if it finds PII, like your Social Security number or email address, on unsafe sites. It’s free to use—whether or not you’re a Capital One cardholder—and it won’t impact your credit scores.

You can read more about protecting your digital identity and how Capital One can help you avoid online fraud.