Securing Your Personal Data in the Digital Age

Our personal details increasingly exist across a complex web of servers, apps, and databases. While this digitized world offers convenience, it also leaves us vulnerable to data breaches and identity theft if our information isn’t properly protected.

As a cybersecurity professional helping companies keep sensitive data secure, I’m often asked by friends and family how they can safeguard their own personal info. Here’s my in-depth guide on identifying what falls under "personally identifiable information," cyber risks to be aware of, and most importantly – how you can take control of your data.

Defining Personally Identifiable Information

Personally identifiable information (PII) refers to any details that could potentially be used, either alone or in combination with other data, to identify a specific individual. This encompasses a wide range of both online and offline information.

Name, Address and Identifiers

Full legal name, mother’s maiden name, mailing address, phone number, IP address, email address, Social Security number, passport number, driver’s license number, state IDs, license plates, and digital identity details like usernames.

For example, your driver’s license contains your full name, license number, residential address, height, date of birth, eye color, and other identifiers.

Financial Information

Credit/debit card numbers, bank account numbers, payment histories, loan details, and credit scores.

For instance, your credit report includes your current and previous addresses, birth date, employment history, and comprehensive list of all credit accounts including card numbers, balances, limits, and repayment records.

Medical Information

Health insurance details, medical histories, treatment records, diagnoses, prescriptions, doctor’s notes, birth/death certificates, biometric data, X-rays, MRIs, and any other health-related data.

A patient’s medical file at a doctor’s office would contain health insurance information, contact information, Social Security number, full medical history, current medications, family medical history, vaccination records, and results from medical tests and procedures.

Demographic Data

Age, date of birth, marital status, ancestry, ethnicity, race, religion, military status, criminal records, educational history, photographs, fingerprints, facial images, DNA, and other demographic information.

A school transcript contains a student’s full legal name, home address, birth date, contact details, student ID number, classes taken, grades received, test scores, behavior incidents, and graduation date.

Location Data

IP addresses, mobile device IDs, MAC addresses, and any other digital signals that could identify location. Retail loyalty programs also connect purchases to specific stores.

Mobile apps gather GPS coordinates, nearby WiFi networks, Bluetooth beacons, and cell tower locations to pinpoint and track geographic data. Marketing companies build profiles by linking devices that frequently appear together.

This expansive combination of identifiers, demographics, contacts, financials and biometrics enables the extensive collection and monetization of personal data in today’s economy. But it also significantly magnifies risks should this data fall into the wrong hands.

How Companies and Agencies Collect and Use PII

Personally identifiable information is gathered both online and offline by all types of organizations for a wide variety of purposes:

  • Retailers collect contact and payment information for processing purchases, marketing, and building buyer profiles. Loyalty programs connect data to individual store visits.

  • Banks and lenders require extensive financial and identifying details to provide loans and other financial services. Data brokers may also sell consumer financial information.

  • Employers and staffing agencies gather resumes, tax forms, background checks, payroll details, and performance data on employees.

  • Healthcare providers and insurers maintain patient medical histories, treatment records, prescriptions, insurance claims, and other protected health information.

  • Technology companies use registration data, device identifiers, IP addresses, browsing habits, purchase histories, and app usage to deliver customized services and targeted advertising.

  • Government agencies like the DMV, Social Security Administration, IRS, law enforcement, and benefits programs collect sensitive data necessary for identity verification, tax reporting, criminal investigations, administration of programs, etc.

  • Universities retain student registration information, class rosters, academic records, disciplinary records, and other education-related data.

  • Hotels, cruise lines and other hospitality companies gather personally identifiable data to book reservations and enhance guest experiences.

While organizations collect varying types of PII for legitimate business functions, they also have an ethical responsibility to:

  • Minimize unnecessary data collection
  • Encrypt stored information
  • Limit internal access
  • Obtain clear consent
  • Allow people to access their own data
  • Securely delete information when no longer needed

Proper data governance controls like data minimization, access controls, consent requirements, and encryption protect individuals’ privacy rights while still enabling business operations. Unfortunately, not all organizations invest adequately in PII security – as the many massive data breaches in recent years demonstrate.

Massive Data Breaches Put PII at Risk

Despite periodic publicity around large-scale cyber attacks, alarming data breach statistics indicate companies still have a long way to go in safeguarding consumers’ personal information:

  • 1,862 publicly reported data compromises occurred in the US in 2021 according to the Identity Theft Resource Center, exposing nearly 1.9 billion records.

  • The healthcare sector reported the most breaches at 637 incidents (34% of total breaches) impacting 45.5M individuals.

  • Ransomware attacks increased by 105% in 2021 and commonly target hospitals, schools and government entities. They limit access to PII until ransom is paid.

Other frequent data breach targets include retailers, tech companies, financial firms, universities, and government agencies. Lost or stolen laptops and insider threats also compromise data.

Year   Breaches   Records exposed
2017   1,579      179 million
2018   1,244      446 million
2019   1,473      164 million
2020   1,108      36 million
2021   1,862      1.9 billion

Data breach statistics source: Identity Theft Resource Center

Once hackers gain access to consumer databases, compromised PII often ends up sold on dark web marketplaces to identity thieves. Stolen data enables criminals to:

  • Take over financial accounts
  • Make unauthorized purchases
  • Access medical services with victims’ health insurance
  • Commit tax fraud using Social Security numbers
  • Apply for loans and credit cards to steal identities
  • File fake unemployment claims

The ID Theft Center estimates that losses from identity theft totaled $56 billion in 2021. Recovering from identity theft can take countless hours for victims to resolve – often requiring filing police reports, calling banks to cancel cards, disputing fraudulent transactions, and repairing damaged credit.

While reporting regulations require companies to notify individuals of data breaches involving their PII, it’s impossible to fully eliminate exposure risks given the vast amount of sensitive data centralized in vulnerable databases.

So in addition to pushing for stronger security regulations, consumers also need to take proactive steps themselves to minimize risks.

How to Keep Your Personally Identifiable Information Safe

While we can’t control how well companies secure the sensitive data they collect about us, there are important steps we can take as individuals to be proactive about our own privacy and identity protection.

Strengthen Account Security

  • Use unique, randomly generated passwords over 15 characters for each account. Password managers make this effortless.
  • Enable two-factor authentication (2FA) everywhere it’s offered. 2FA requires entering a temporary code from your phone when logging in for added protection.
  • Be cautious accessing sensitive accounts on public WiFi and consider using a VPN app to encrypt your connection.
  • Install antivirus and anti-malware software to detect viruses, ransomware and spyware that may steal entered passwords and data.
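
The two account-security controls above, the random password and the temporary 2FA code, are simple enough to show in working code. The following is an added example, not part of the original article: it generates a password from the operating system's CSPRNG the way a password manager does, and derives and verifies time-based one-time codes exactly as authenticator apps do (HOTP per RFC 4226, TOTP per RFC 6238). The shared secret `DEMO_SECRET` is the constructed test value from those RFCs, so the codes it produces can be checked against the published test vectors; a real account would use its own random secret.

```python
"""Added example: password generation and RFC 4226/6238 one-time codes.
Illustrative code written for this article, not from the author or any product."""
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import Optional

# Constructed test secret: the 20-byte ASCII secret used in the RFC 4226
# and RFC 6238 test vectors. A real authenticator stores a per-account
# random secret, usually shown to you once as a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. This is what the phone computes every 30 seconds."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code. Accepts codes from `window`
    intervals either side of the current one to tolerate clock drift, and
    uses a constant-time comparison so response timing does not reveal how
    many leading digits of a guess were correct."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def generate_password(length: int = 20) -> str:
    """Random password over letters, digits and punctuation using `secrets`
    (the OS CSPRNG), not `random`, which is predictable and unsuitable here."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(DEMO_SECRET, 0))        # 755224 (RFC 4226 vector)
    print("TOTP at t=59:   ", totp(DEMO_SECRET, at=59))    # 287082 (RFC 6238 vector)
    print("drifted client: ", verify_totp(DEMO_SECRET, "287082", at=89))
    print("password:       ", generate_password())
```

Two points the code makes concrete: a TOTP code is not random but a deterministic function of the shared secret and the current 30-second window, so the secret (the QR code you scanned) is what actually needs protecting; and a code is only ever valid for a short window, which is why a phished code is useful to an attacker only if it is relayed immediately.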

Monitor Financial Accounts

  • Review credit reports from Equifax, Experian and TransUnion annually to check for errors or unfamiliar credit accounts opened in your name.
  • Set up transaction alerts through your bank and credit cards to be notified of large purchases.
  • Monitor financial statements and accounts regularly for any unauthorized activity.

Limit Personal Information Shared

  • Be thoughtful about sharing birthday, address and other identifiers on social media sites. Make your profiles private.
  • Avoid online quizzes and surveys requesting extensive personal details. Only provide necessary information.
  • Watch out for phishing emails attempting to trick you into entering passwords and sensitive information. Verify legitimacy before clicking any links.
  • Shred documents containing PII rather than just throwing them out.

Explore Identity Theft Protection

Proactive monitoring services can provide an added safety net by scanning the web, public records, and even dark web sources to alert you about fraudulent use of your PII:

  • Identity monitoring notifies you when names, addresses, credit information, or credentials appear online.

  • Dark web monitoring alerts you if your information appears for sale on black market sites.

  • Credit monitoring tracks credit inquiries and new accounts to detect identity theft early.

  • Identity restoration provides assistance with reporting, paperwork, calls, etc. if you do become an identity theft victim.

While no single solution is perfect, combining strengthened account security, financial vigilance, limited personal data sharing, and identity theft monitoring provides layers of protection.

What Companies and the Government Can Do Better to Protect Our Data

From my perspective as a cybersecurity professional, governments need to enact stronger data protection regulations – particularly when consumer data is collected or used without clear consent. Specific safeguards I’d like to see include:

  • Requiring data minimization so companies only gather essential PII for core services, not secondary uses like marketing and analytics.

  • Mandating IT security controls like multi-factor authentication, encryption, access limitations, and employee security training.

  • Enforcing data deletion requirements when information is no longer necessary to avoid stale data accumulation.

  • Restricting sale of consumer data without opt-in consent.

  • Implementing right to access so people can review what PII a company retains and request correction or deletion.

  • Establishing data stewardship rules so consumers "own" their data and choose what to share across services rather than companies owning it forever.

Technology also offers promising options to improve personal data privacy and security:

  • Decentralized identity systems would allow people to selectively disclose validated identity attributes to access services while minimizing data sharing.

  • Similarly, blockchain-enabled self-sovereign identity lets individuals securely manage and share only certain verified claims with third parties when required.

  • Federated learning allows machine learning model training on sensitive data sets without the data having to move off-site.

  • Differential privacy injects controlled noise into datasets to anonymize PII during analytics.

  • Homomorphic encryption enables certain types of computations on encrypted data without decrypting it first.
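
The differential privacy item above can be made concrete with the mechanism it usually refers to. The following is an added example, not part of the original article: it runs a count query over a constructed five-record dataset and shows why an exact count leaks one person's sensitive flag (two datasets differing by one person give counts differing by exactly 1), then releases the count through the Laplace mechanism, adding noise scaled to sensitivity/epsilon. The record fields and the `epsilon` values are assumptions chosen for illustration.

```python
"""Added example: the Laplace mechanism for a differentially private count.
Illustrative code written for this article, not from the author or any library."""
import math
import random
from typing import Callable, Dict, List, Optional

# Constructed sample data: one record per person with a sensitive attribute.
RECORDS: List[Dict] = [
    {"id": 1, "zip": "94110", "has_condition": True},
    {"id": 2, "zip": "94110", "has_condition": False},
    {"id": 3, "zip": "94110", "has_condition": True},
    {"id": 4, "zip": "94110", "has_condition": True},
    {"id": 5, "zip": "94111", "has_condition": False},
]

# Adding or removing one person changes any count by at most 1; this
# 'sensitivity' is what the noise scale is derived from.
COUNT_SENSITIVITY = 1.0


def exact_count(records: List[Dict], predicate: Callable[[Dict], bool]) -> int:
    """The raw analytics query: how many records satisfy the predicate."""
    return sum(1 for r in records if predicate(r))


def laplace_from_uniform(u: float, scale: float) -> float:
    """Inverse-CDF sample of Laplace(0, scale) from a uniform u in (0, 1).
    u = 0.5 maps to zero noise; the tails grow with `scale`."""
    p = u - 0.5
    return -scale * math.copysign(1.0, p) * math.log(1.0 - 2.0 * abs(p))


def private_count(records: List[Dict], predicate: Callable[[Dict], bool],
                  epsilon: float, rng: Optional[random.Random] = None) -> float:
    """Laplace mechanism: exact count plus Laplace(0, sensitivity / epsilon).
    Smaller epsilon means more noise and stronger privacy."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng if rng is not None else random.SystemRandom()
    u = rng.random()
    while u == 0.0:          # keep u strictly inside (0, 1) so log() is defined
        u = rng.random()
    scale = COUNT_SENSITIVITY / epsilon
    return exact_count(records, predicate) + laplace_from_uniform(u, scale)


def leak_from_exact_counts(records: List[Dict], person_id: int,
                           predicate: Callable[[Dict], bool]) -> int:
    """Shows the problem DP solves: with exact answers, comparing the count
    with and without one person reveals that person's predicate value."""
    without = [r for r in records if r["id"] != person_id]
    return exact_count(records, predicate) - exact_count(without, predicate)


def has_condition(r: Dict) -> bool:
    return bool(r["has_condition"])


if __name__ == "__main__":
    print("exact count:", exact_count(RECORDS, has_condition))
    # 1 means person 4 has the condition; an exact-answer API leaks this
    print("difference with/without person 4:", leak_from_exact_counts(RECORDS, 4, has_condition))
    rng = random.Random(7)   # seeded only so the demo is reproducible
    for eps in (1.0, 0.1):
        print(f"epsilon={eps}: noisy count {private_count(RECORDS, has_condition, eps, rng):.2f}")
```

The caveat a practitioner would add: the guarantee holds per release. If the same count is answered many times with fresh noise, an observer can average the noise away, which is why real deployments track a total privacy budget across queries rather than applying noise to each query in isolation.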

Policy, technology and consumer education together can help society benefit from the personalization and efficiencies of data while controlling risks and protecting privacy. There are always tradeoffs to balance.

Take Control of Your Personal Data

While cyber threats feel ubiquitous, there are certainly tangible steps you can take to gain more control over your privacy and identity protection.

Start with an inventory of what accounts and apps may have your details, and determine which already offer 2FA. Scan emails for risky quizzes and data requests. Freeze unused credit reports. Monitor financial statements routinely.

Reduce public details shared online, and consider services that remove your info from data broker sites. Enable transaction alerts everywhere feasible, and explore dark web monitoring for additional threat detection.

No single action makes you bulletproof. But raising your awareness, being proactive, and employing a combination of protective measures can help safeguard your identity and peace of mind. We have an opportunity to demand better data stewardship while also watching our own backs.

Written by Luis Masters

Luis Masters is a highly skilled expert in cybersecurity and data security. He possesses extensive experience and profound knowledge of the latest trends and technologies in these rapidly evolving fields. Masters is particularly renowned for his ability to develop robust security strategies and innovative solutions to protect against sophisticated cyber threats.

His expertise extends to areas such as risk management, network security, and the implementation of effective data protection measures. As a sought-after speaker and author, Masters regularly contributes valuable insights into the evolving landscape of digital security. His work plays a crucial role in helping organizations navigate the complex world of online threats and data privacy.