PII (Personally Identifiable Information)

Definition

Personally Identifiable Information (PII) is any information that can identify a specific individual, either on its own or when combined with other data. This term is primarily used in US federal regulations, information security standards, and business contexts. PII encompasses obvious identifiers like names, Social Security numbers, driver's license numbers, passport numbers, and financial account numbers, but also includes less obvious identifiers like IP addresses, device identifiers, biometric data, and even combinations of data that together could identify someone (like date of birth plus zip code).

The concept has evolved with technology: what wasn't considered PII decades ago may be now due to advanced analytics and data linkage capabilities. Federal agencies often distinguish between sensitive PII (whose loss could seriously harm individuals, like SSN or financial data) and non-sensitive PII (like zip codes or business phone numbers).

Organizations handling PII must implement security controls proportionate to sensitivity, conduct risk assessments, provide breach notifications when PII is compromised, and limit collection and retention to what's necessary. While similar to the GDPR's "personal data," PII is often more narrowly interpreted in practice, though this varies by context and regulation.

Applicable Laws & Regulations

  1. NIST SP 800-122
  2. OMB Circular A-130
  3. Privacy Act of 1974
  4. Federal Information Security Management Act (FISMA)
