Personally Identifiable Information (PII) Protection

Personally Identifiable Information (PII) sits at the center of US data protection law, regulatory enforcement, and organizational security practice. This page covers the legal definition of PII, the technical and administrative controls that govern its handling, the sector-specific contexts where PII protection requirements differ materially, and the boundary decisions organizations face when classifying data for protection purposes. The scope spans federal and state regulatory frameworks, applicable standards bodies, and the operational structure of PII security programs.

Definition and scope

The National Institute of Standards and Technology (NIST) defines PII in NIST Special Publication 800-122 as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Two distinct categories structure most classification frameworks, mirroring the two prongs of the NIST definition above:

- Direct identifiers: information that can on its own distinguish or trace an individual's identity (name, Social Security number, date and place of birth, mother's maiden name, biometric records).
- Linked or linkable information: data that becomes identifying only in combination with other information (medical, educational, financial, and employment information).

Scope is not uniform across regulatory regimes. The Federal Trade Commission Act (15 U.S.C. § 45) authorizes enforcement against "unfair or deceptive acts" in PII handling without specifying a single statutory definition. The California Consumer Privacy Act (CCPA), codified at Cal. Civ. Code § 1798.100 et seq., extends PII scope to household-level data and inferred characteristics. The HIPAA Privacy Rule (45 CFR § 164.514) defines 18 specific identifiers whose removal is required before health data can be considered de-identified.

For a structured overview of classification tiers as they apply to broader data assets, see Data Classification Frameworks.

How it works

PII protection programs operate across three functional layers: identification, controls implementation, and ongoing governance.

1. Data inventory and discovery
Organizations conducting a PII program begin by cataloging where PII is collected, stored, transmitted, and processed. NIST SP 800-122 prescribes a structured inventory methodology. Discovery tools scan structured databases, unstructured file stores, and data streams to flag identifiers matching defined patterns (SSN format, email syntax, credit card Luhn-check patterns).
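A minimal discovery scanner of the kind the step above describes, added here as an illustration (not a tool from NIST or from this page): it runs the three checks the text names, SSN format, email syntax and a Luhn-validated card number, over a constructed text sample. The sample text, the regexes and the output shape are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the kind of free text a discovery scan runs over (no real people).
SAMPLE_TEXT = """Ticket 4471: customer jane.doe@example.com called about card 4111 1111 1111 1111.
Verified identity with SSN 123-45-6789; alternate contact bob@example.org.
Order ref 1234-5678-9012-3456 is not a card (fails Luhn). SSN 000-12-3456 is not issuable."""

# Format checks. The SSN pattern rejects never-issued area/group/serial values; card
# candidates must also pass the Luhn checksum before they are reported.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> List[Dict[str, str]]:
    """Return each identifier found as {kind, value, offset}; card matches are Luhn-validated."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # right shape, wrong checksum: an order number, not a card
            findings.append({"kind": kind, "value": value, "offset": str(m.start())})
    return findings
```

In a real program the findings feed the inventory (system, field, record count), and the regexes are tuned per data source to keep false positives down.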

2. Risk assessment and classification
Identified PII is assessed for sensitivity level, volume, and regulatory jurisdiction. NIST SP 800-30 (Guide for Conducting Risk Assessments) provides the risk assessment framework most federal agencies reference. Data classified as high-sensitivity receives stricter access, encryption, and retention controls. For methodology detail, see Data Security Risk Assessment.

3. Technical controls
- Encryption at rest and in transit (see Data Encryption Standards)
- Access control enforcement based on least-privilege principles (Data Access Controls)
- Data masking and tokenization for PII used in non-production environments (Data Masking and Tokenization)
- Data loss prevention (DLP) tooling to detect and block unauthorized exfiltration

4. Administrative controls
- Privacy Impact Assessments (PIAs), mandatory for federal agencies under the E-Government Act of 2002 (44 U.S.C. § 3501)
- Staff training on handling procedures
- Vendor management protocols for third-party PII processors

5. Breach response
Federal agencies must report PII breaches to US-CERT within one hour of discovery under OMB Memorandum M-17-12. State breach notification statutes impose parallel obligations on private-sector entities — all 50 states maintain breach notification laws as of 2018 (NCSL State Security Breach Notification Laws). For breach response structure, see Data Breach Response Procedures.

Common scenarios

PII protection requirements manifest differently across sectors and use cases:

Healthcare — The HIPAA Privacy and Security Rules govern protected health information (PHI), which functions as a specialized PII category. The HHS Office for Civil Rights enforces civil monetary penalties capped at $1.9 million per violation category per year (45 CFR § 160.404). See Protected Health Information Security for sector-specific treatment.

Financial services — The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314) requires financial institutions to implement written information security programs covering customer PII. The FTC amended the Safeguards Rule in 2023, requiring covered institutions with 5,000 or more customer records to report breaches to the FTC within 30 days.

Federal government — The Privacy Act of 1974 (5 U.S.C. § 552a) governs federal agency PII held in systems of records. Agencies publish System of Records Notices (SORNs) in the Federal Register for each system containing PII.

Children's data — The Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) imposes heightened controls on PII collected from children under 13, with FTC penalties reaching $51,744 per violation as adjusted by the Federal Civil Penalties Inflation Adjustment Act.

Decision boundaries

Three boundary questions recur in PII program design:

PII vs. non-PII — The linkability test is the operative standard in most frameworks. Data that cannot be linked to an individual, even in combination with other reasonably available data, falls outside PII scope. De-identification methods must satisfy either the Safe Harbor method (removing all 18 HIPAA-specified identifiers) or the Expert Determination method under 45 CFR § 164.514(b). See Deidentification and Anonymization.
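An added example (not from this page or from HHS) of the Safe Harbor transformation applied to one record: direct identifiers are dropped, dates keep only the year, ZIP codes keep three digits (or become 000 for small-population prefixes), and ages over 89 collapse to a single 90+ category, taking the birth year with them. The field names, the sample record and the small-population ZIP prefix set are constructed placeholders.

```python
import re
from typing import Any, Dict

# Constructed placeholder: 3-digit ZIP prefixes covering 20,000 people or fewer. Safe Harbor
# requires this set to be derived from current Census data; these two values are illustrative.
SMALL_POPULATION_ZIP3 = {"036", "059"}

# Fields removed outright. Field names are this example's own; the categories they stand for
# (names, street and city, phone, email, SSN, medical record and account numbers, IP addresses,
# photos) are among the 18 Safe Harbor identifiers.
DROP_FIELDS = {"name", "street", "city", "phone", "email", "ssn", "mrn", "account",
               "ip_address", "photo_url"}

def generalize_date(value: str) -> str:
    """Keep only the year; every other date element is removed under Safe Harbor."""
    m = re.match(r"(\d{4})-\d{2}-\d{2}$", value)
    return m.group(1) if m else ""

def generalize_zip(value: str) -> str:
    """Keep the first three digits, or 000 if that prefix covers 20,000 people or fewer."""
    prefix = value[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix

def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single 90+ category."""
    return "90+" if age > 89 else str(age)

def safe_harbor(record: Dict[str, Any]) -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field.endswith("_date"):
            out[field] = generalize_date(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        else:
            out[field] = value  # e.g. state or diagnosis code: not identifiers on their own
    # A birth year would reveal an age over 89, so it goes too once age is generalized to 90+.
    if out.get("age") == "90+" and "birth_date" in out:
        out["birth_date"] = ""
    return out

# Constructed sample record; no real person.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0099", "email": "jane@example.com",
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "03601",
    "birth_date": "1931-04-17", "admit_date": "2023-02-09", "age": 92, "diagnosis": "E11.9",
}
```

Safe Harbor also requires that the covered entity have no actual knowledge the remaining data could identify the individual, which no field-level transform can check for you.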

Sensitive PII vs. non-sensitive PII — NIST SP 800-122 distinguishes "sensitive PII" requiring stricter protection — SSNs, financial account numbers, biometrics, medical information — from non-sensitive PII that presents lower risk when disclosed. This distinction governs encryption requirements, breach notification thresholds, and access control tiers.

PII vs. PHI — PHI is a subset of PII restricted to health information linked to individuals and held by HIPAA-covered entities or their business associates. Standard PII frameworks apply to health data held outside HIPAA-covered entities, while PHI triggers HIPAA-specific obligations regardless of sensitivity classification.

Privacy vs. security controls — PII protection spans both privacy law (governing permissible collection and use) and security standards (governing technical safeguards). The distinction is addressed in Data Privacy vs. Data Security. An organization may satisfy technical security requirements while remaining non-compliant with privacy law if collection practices exceed authorized purpose.
