In the broadest sense, PII is Information which can be used to distinguish or trace an individual’s identity. Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Recently, “Biometrics” were added to the list of PII in a handful of states. I always tell my client’s to keep their list as broad as possible to avoid any unintended data breach.
Finally, if the PII is encrypted, even if you have a data breach, there is a safe harbor provided in most data breach law that says it is not a data breach as the data cannot be read by third parties.
Below is my most current list of individual items considered to be PII:
1. First and last name;
2. Home or other physical address, including street name and name of a city or town;
3. Email address;
4. Telephone number;
5. A government issued identifier (e.g. Drivers license) ;
6. Any other identifier that permits the physical or online contacting of a specific individual;
7. Biometric Identifiers (e.g. fingerprint or eye scan);
8. Any complete login information (which is usually a big surprise to the client.); or
9. An individual’s name plus one or more of the following: a) Social security number, b) Driver’s license or State identification card number, c) Financial account numbers, d) Medical information or e) Health insurance information.
As I said above, encryption of this information provides a safe harbor. I always insist the client encrypt any and all of the above information.
Please feel free to contact me with any questions you may have about this list.