DHS defines personally identifiable information (PII) as any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor of the Department.
Sensitive PII includes, but is not limited to, Social Security Numbers, driver’s license numbers, Alien Registration numbers, financial or medical records, biometrics, and criminal history. This data requires stricter handling guidelines because of the increased risk of harm to the individual if it is compromised.
The definition of personally identifiable information differs from state to state, and the states use different terminology for the data elements that trigger reporting obligations. In general, though, personally identifiable information is information that identifies, locates or contacts an individual, or can be used to do so, either alone or when combined with other personal or identifying information, and it is usually information whose compromise is known to create a significant risk of identity theft, fraud or other harm. Across the differing U.S. definitions, the personally identifiable information that triggers a breach reporting requirement can usually be expected to consist of a person’s first name or first initial and last name, together with one or more of the following:
- Identification numbers, such as a:
  - Social Security Number,
  - Passport number,
  - Driver’s license number,
  - State non-driver’s identification card number, or
  - Other government-issued ID number;
- Account numbers, such as a:
  - Financial account number,
  - Credit card number, or
  - Debit card number
  (some states require that the account number be disclosed in conjunction with a security code, access code, or password that permits access to the account);
- Personal characteristics / biometrics, including:
  - Photographic images,
  - Iris scans,
  - Handwriting, or
  - Other unique characteristics;
- Medical information or medical history.
Enforcement and Penalties
Just as the requirements of the various state statutes differ, the methods of enforcing them and the penalties that can be assessed also differ by state. Most states authorize their Attorney General to enforce the statutes, but some states also provide a private cause of action for damages for failure to properly protect information or failure to properly notify individuals under the breach notification requirements.
The remedies available for failure to comply with data breach notification laws include injunctions to prevent further violations, monetary penalties, and recovery of reasonable costs. The monetary penalties vary significantly: some states cap the total penalty that can be assessed per consumer or per incident, while in others the penalties can reach well into six figures, particularly when the violation affects 10,000 or more residents.
Beyond injunctive or monetary penalties, organizations should also consider the negative publicity that accompanies a failure to protect the personally identifiable information of their employees, customers, or other parties. A finding of such a failure can cause consumers to lose confidence in the organization and lead other organizations or individuals to seek greater contractual assurances that it will comply with privacy laws. An organization seeking insurance coverage for future incidents may also find such coverage harder, or at least more expensive, to obtain. In states with a private cause of action, litigation risk also opens the door to class action lawsuits or other claims for damages arising from the breach.