PERSONALLY IDENTIFIABLE INFORMATION (PII)

Updated July 11, 2024

Personally Identifiable Information (PII) – A Crucial Cyber Risk

In plain language: Personally Identifiable Information (PII) is any data that can identify an individual, such as their full name, address, or social security number. It's like a personal username the outside world can use to locate you, so it needs to be protected. 

Technical definition: PII refers to specific data elements that can link, trace or otherwise identify an individual, directly or indirectly. It commonly appears in control requirements, privacy laws, cybersecurity policies, and data breach notifications. Notably, PII forms a significant part of cyber liability insurance considerations due to its gravity and widespread regulation. 

Imagine a regular office setting - your company's customer database gets hacked, and suddenly your clients' sensitive data is at risk. This data often contains PII, making this a major risk you need to tackle. 

TL;DR

    PII is any information that can identify an individual. 
    A vital part of cyber risk management for all insurance agencies. 
    Common pitfall: Overlooking the protection of non-sensitive PII. 
    Quick Win: Regular staff training on data privacy and PII compliance. 

What Is Personally Identifiable Information in Insurance?

In the world of insurance, Personally Identifiable Information plays a significant role. All insurance applications contain PII, from a name and contact details to more sensitive PII, like a social security number or financial information. This data needs to be handled sensitively; agencies must have solid data protection measures in place to protect PII and observe compliance requirements around data privacy and information security. 

The role of PII extends to both the front and back ends of insurance operations. The sales process often starts with gathering customer information, including personal identifiers which fall under the legal definition of personally identifiable information. Behind the scenes, claims, underwriting, and policy servicing all involve handling and managing PII. The abuse, mishandling, or misplacement of such data can lead to serious data breaches, resulting in identity theft and lawsuits. 

One notable aspect of PII is the existence of 'non-sensitive PII,' like telephone numbers. While these might seem insignificant, when combined with other data they can still lead to individual identification, and so they should be secured. 

Key Related Terms to Know

    Data Privacy - The practice of ensuring personal information is used, stored, and disposed of in a secure and lawful manner. 
    Data Breach - An incident where unauthorized individuals gain access to confidential data, risking the security and privacy of those data subjects. 
    Identity Theft - The fraudulent use of another person’s PII, often to gain financial benefit. 
    Compliance Requirements - The regulations and laws businesses must adhere to when handling data, especially PII. 
    PII Compliance - The act of adhering to regulations covering the management and protection of PII. 
    Cybersecurity Measures - The technological solutions and strategies implemented to protect sensitive data from cyber threats. 

Common Questions About Personally Identifiable Information

What types of PII are most common? 

The most basic examples of personally identifiable information (PII) include names, birthdays, and addresses. More sensitive PII examples include social security numbers, bank account details, medical information, and biometric information. 

Is an insurance policy number PII? 

An insurance policy number by itself is not considered PII. However, when used in conjunction with other personally identifiable information, it can aid in identifying an individual and thus should still be safeguarded. 

What makes data 'personally identifiable'? 

Data becomes personally identifiable if it can be used on its own or with other information to identify, locate or contact an individual. For instance, an isolated phone number might seem innocuous, but when coupled with an address or full name, it becomes personally identifiable. 

How can agencies protect Personally identifiable information (PII)? 

Agencies can implement cybersecurity measures such as consistent data anonymization, data masking, and secure access controls to protect PII. Regular staff training on data handling and privacy laws is also crucial. 
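Two of the controls named above, data masking and a pre-send check on outbound documents, are shown below in runnable form. This is an added example written for this glossary entry, not code from the page or from Total CSR; the field names, masking policy and sample record are assumptions constructed for illustration, and the single SSN pattern stands in for the larger rule set a real data loss prevention tool would carry. The first function masks the PII fields of a customer record (what a CSR sees on screen or what a log line stores), and the second scans free text for SSN-style values so a claims report is held before it is emailed, which is the failure in Scenario 1 below.

```python
"""PII masking and pre-send redaction helpers (added example, not the page's own code).

Field names, the MASK_POLICY table and the sample data are assumptions made for
illustration; the SSN regex is the only detection rule and is deliberately minimal.
"""
import re
from typing import Any

# Which PII fields get which treatment when a record is displayed or logged.
# "last4" keeps the final four characters, "email" keeps the domain,
# "drop" removes the field entirely. Fields not listed pass through unchanged.
MASK_POLICY: dict[str, str] = {
    "ssn": "last4",
    "bank_account": "last4",
    "phone": "last4",
    "email": "email",
    "date_of_birth": "drop",
}

# US SSN layout NNN-NN-NNNN. Constructed for the example; a production DLP rule set
# would add account numbers, card numbers, dates of birth and so on.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_last4(value: str) -> str:
    """Replace every alphanumeric except the last four with '*', keeping separators."""
    seen = 0
    out = []
    # Walk from the end so the last four alphanumerics survive unmasked.
    for ch in reversed(value):
        if ch.isalnum():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = value.partition("@")
    if not sep:
        return mask_last4(value)
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain


def mask_record(record: dict[str, Any]) -> dict[str, Any]:
    """Apply MASK_POLICY to one record; fields without a policy pass through unchanged."""
    masked: dict[str, Any] = {}
    for key, value in record.items():
        action = MASK_POLICY.get(key)
        if action == "drop":
            continue
        if action == "last4":
            masked[key] = mask_last4(str(value))
        elif action == "email":
            masked[key] = mask_email(str(value))
        else:
            masked[key] = value
    return masked


def redact_ssns(text: str) -> tuple[str, int]:
    """Mask every SSN-style value to ***-**-NNNN and return (redacted text, hit count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        count += 1
        return "***-**-" + m.group(3)

    return SSN_RE.sub(_sub, text), count


def outbound_check(text: str) -> bool:
    """Pre-send gate: True if the text contains no SSN patterns, False if it must be held."""
    _, hits = redact_ssns(text)
    return hits == 0


# Constructed sample data for the example; not real people or real identifiers.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "bank_account": "0011223344",
    "phone": "555-010-2233",
    "email": "jane.doe@example.com",
    "date_of_birth": "1980-04-02",
    "policy_number": "HO-2024-000123",
}

SAMPLE_REPORT = (
    "Claim 4471 for Jane Doe (SSN 123-45-6789). Note: file also references "
    "John Roe, SSN 987-65-4321, which should not be here."
)

if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD))
    redacted, hits = redact_ssns(SAMPLE_REPORT)
    print(f"{hits} SSN pattern(s) found; hold before sending: {not outbound_check(SAMPLE_REPORT)}")
    print(redacted)
```

Masking keeps the last four characters because that is what a CSR needs to confirm identity over the phone; the full value stays in the system of record and never reaches a screen, log or email. The outbound check is intentionally a hard stop rather than a warning: a document with a second customer's SSN in it is exactly the Scenario 1 failure, and a human should clear it before it leaves the agency.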

Personally Identifiable Information vs. Sensitive Personal Information

Comparison area: Personally Identifiable Information (PII) vs. Sensitive Personal Information

Primary use case
    PII: Identify or contact individuals
    Sensitive Personal Information: Identify individuals and potentially harm reputation or finances

Coverage / concept type
    PII: Widely applicable
    Sensitive Personal Information: Applies to data with high risk

Typical exclusions
    PII: Publicly available information
    Sensitive Personal Information: Information already publicly disclosed by the individual

Who is most affected by errors
    PII: Any individual
    Sensitive Personal Information: Persons with high-risk data, such as medical or financial records

Common mistakes
    PII: Poor data handling, lax privacy regulations, non-compliance
    Sensitive Personal Information: Inadequate security controls, poor risk assessment, breaches

Real Claim Examples Involving Personally Identifiable Information

Scenario 1: Your agency emails a claims report to a client, but the document accidentally includes another customer's PII. The breach of personally identifiable information leads to a liability claim. 

Scenario 2: A CSR mistypes an email address, unknowingly sending a client's policy documents, containing PII, to a third party. This data loss prevention failure results in a data breach claim. 

Scenario 3: Cybercriminals hack into your agency’s cloud storage, accessing and leaking a slew of PII from insurance applications. Your agency faces a class-action lawsuit and regulatory penalties.

Limitations and Common Mistakes

    Confidentiality of PII isn't always appreciated - some staff may wrongly assume non-sensitive PII is fine to share internally. 
    PII can be disclosed in everyday communications, like emails or chats. 
    Overlooking weak points in data privacy and security controls can allow breaches. 
    Insufficient or infrequent staff training on PII compliance can lead to unintended data leaks. 

How to Explain PII to Clients

Personal Lines client: "Your personal information - your name, address, social security number and so on - is what we call 'personally identifiable information'. It's our duty and in our best interest to guard this information diligently." 

Small Business owner: "Personally identifiable information is shared routinely in business, such as when you insure your vehicles or take out a policy for your premises. This information is sensitive, valuable and legally protected, which is why we ensure it is secure." 

CFO or Risk Manager: "PII is any information that can identify your employees or customers, such as a social security number or an email address. The misuse of such data not only brings about a loss of trust but can also lead to regulatory issues. We have robust systems in place for the protection of such data." 

Coverage knowledge your team can actually use.

Total CSR trains insurance agency staff on the concepts behind the terminology — so they can explain it to clients, not just recite it.
