
Cybersecurity Basics #10 - Personally Identifiable Information

Personally identifiable information (PII) and Personal Health Information (PHI) are critical concepts. They help identify information that needs additional safeguards and care.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How are you doing today? Thanks for jumping on the show. As you can see, a little bit of a different look outside this morning. Again, doing a little bit of a pre-record to avoid some noise in the neighborhood as the fiber network gets connected, which is cool.

So today I wanted to continue the cybersecurity basics and tackle two related terms. They normally show up as acronyms, PII and PHI: personally identifiable information and personal health information. The reason why I wanted to tackle these topics today on the show is that it's actually the one-year anniversary of the Equifax credit reporting agency breach.

On that specific topic, I've got a blog going up on the Trend Micro site, looking back at what's changed in a year, if anything. Here's the secret: nothing's changed. But PII plays an essential part of this story as to why this breach was absolutely monumental.

So personally identifiable information refers to a broad set of information: things like your name, your address, your phone number, your email address, potentially your driver's license, your social security number or social insurance number, any government-issued ID, things that directly tie to identifying you as a person.

Now, there's no hard line as to what makes PII or what doesn't, but there are various definitions. So the European GDPR, the General Data Protection Regulation, has a definition for PII. Here in Canada, we have a definition for PII. In the States, it's kind of hit or miss; state by state has different regulations. California has new landmark legislation coming into effect in 2020, if it doesn't get changed, that has a better definition of PII. But essentially it's information that can be used to identify you as a person.

Now, why is this? Why do we call this out? Well, we call this out because this is a higher class of information that you need to protect. So if you are building a system, if you're doing security for a system, if you are handling PII, you need to have a higher level of classification to keep that safe.

So I'll give you an example. If you are running a public forum and people have account information, and in that account information, let's say there's billing in the back end and you keep the address, so you say, you know, Mark lives at this place in this city and here's his address, that information is PII.

That's personally identifiable information. But other information that you have about me in that system is maybe my posts on these public forums. Well, you don't need to protect those posts, because they're public, nearly to the level that you need to protect the PII in my account, the personal information in my account.

So PII is a handy way for us to identify a class of information, a set of attributes about somebody that needs to be protected to a higher degree. Now, there's a bunch of legislation that ties to PII; that is, the community has said, hey, this is so important that we're going to put law behind it.

Now, a related term is PHI. No, we're not simply going backwards in the alphabet. It's personal health information. Again, this refers to a class, a set of information related to your health. So you can think digital medical records. Again, another higher level of classification is required.

So if you're building a system for a hospital or medical provider, you may have information that's public, you may have personally identifiable information about me like my address and my health insurance number, and then you also probably have personal health information. If I broke my arm, what tests have been run, the results of those tests, the diagnosis, the prognosis, all this type of information is personal health information, and it would typically require an even greater level of security.

So PII and PHI are handy ways for us to refer to sort of a general classification of data, and that therefore implies that greater precautions are needed. Now, this is far more effective than secret, top secret, confidential, because all of those attributions, and you see that in government work and law enforcement work quite often, have different meanings depending on the context, whereas going with generic PII, personally identifiable information, and PHI, personal health information, those are broadly applicable and you very rarely run into any sort of challenges around those categorizations.

The biggest debate ends up being around personally identifiable info, what is and what isn't, around things like an email address, because an email address by definition needs to be public. So is that actually personally identifiable information? I lean on the case that it is. You need to look no further than the complaint that the US government put against the Lazarus Group.

They used email addresses to tie these various cyber attacks to North Korean hackers. That shows how important email can be as an identifier. And so even though it's public, it still should be protected. Even just outside of data classification, just to prevent spam, it's always a good idea.

So just to recap real quick: PII, PHI. Critical because of that Equifax anniversary again; check out the Trend Micro blog for some thoughts from me specifically on the Equifax attack. But in general, PII and PHI, personally identifiable information and personal health information, is a way for us to categorize data that requires additional care, additional protections, additional defenses versus public information.

So it's a really handy thing to know. It's a really handy thing to be aware of. You should know every point where that type of information is processed and stored within your systems, because you really want to make sure that it's protected, because it has a deeply personal impact.

That's what the P is for. Let me know what you think. Hit me up online @marknca. For those of you on the blog, hit me in the comments down below or, as always, by email. I hope you are set up for a fantastic day.

I will be back on the show most likely on Tuesday, but I'm back in the European Union, so we'll see about timing. Monday is definitely off because I'm on a flight, but I will talk to you either Tuesday or Wednesday. Stay tuned online for the latest updates.

Have a fantastic weekend. We'll talk to you soon.
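A worked example, added here and not part of the episode or the Trend Micro blog: the forum-account scenario above, turned into a field-level classification that the code can enforce. Public fields (username, posts) pass into application logs untouched, PII fields are masked before they leave the system, and PHI fields are dropped from logs entirely. Any field the schema does not know about is treated as PII so a new column fails closed rather than silently leaking. The schema, the field names, and the sample record are all constructed for illustration; `inventory()` is the "know every point where that information is processed and stored" step, listing the PII and PHI fields a system carries.

```python
"""
Added example (not from the episode): field-level data classification for a
forum account record, following the PII / PHI split discussed above.
Field names, the schema, and the sample record are constructed for illustration.
"""
from enum import Enum


class DataClass(Enum):
    PUBLIC = "public"   # e.g. forum posts: no extra safeguards
    PII = "pii"         # identifies a person: mask before it leaves the system
    PHI = "phi"         # health information: never emitted to logs at all


# Hypothetical schema for a forum account with billing on the back end.
# Every field is classified explicitly; anything not listed is treated as PII
# (fail closed) so that a new column cannot silently leak into logs.
ACCOUNT_SCHEMA = {
    "username": DataClass.PUBLIC,
    "posts": DataClass.PUBLIC,
    "full_name": DataClass.PII,
    "email": DataClass.PII,
    "billing_address": DataClass.PII,
    "health_insurance_number": DataClass.PII,
    "diagnosis": DataClass.PHI,
}

REDACTED = "[redacted]"


def classify(field, schema=ACCOUNT_SCHEMA):
    """Return the class of a field; unknown fields default to PII."""
    return schema.get(field, DataClass.PII)


def mask_email(value):
    """Keep the first character and the domain so support staff can still
    recognise the account without reading the whole address."""
    local, sep, domain = value.partition("@")
    if not sep:
        return REDACTED
    return local[:1] + "***" + "@" + domain


def redact_for_logging(record, schema=ACCOUNT_SCHEMA):
    """Produce a copy of a record that is safe to write to application logs.

    PUBLIC fields pass through, PII fields are masked, PHI fields are removed
    entirely so the log never carries them even in masked form.
    """
    safe = {}
    for field, value in record.items():
        data_class = classify(field, schema)
        if data_class is DataClass.PUBLIC:
            safe[field] = value
        elif data_class is DataClass.PHI:
            continue
        elif field == "email" and isinstance(value, str):
            safe[field] = mask_email(value)
        else:
            safe[field] = REDACTED
    return safe


def inventory(schema=ACCOUNT_SCHEMA):
    """List which fields carry PII or PHI: the starting point for knowing
    every place that data is processed and stored."""
    return {
        "pii": sorted(f for f, c in schema.items() if c is DataClass.PII),
        "phi": sorted(f for f, c in schema.items() if c is DataClass.PHI),
    }


# Constructed sample record (not real data).
SAMPLE_ACCOUNT = {
    "username": "mark",
    "posts": ["Great show!"],
    "full_name": "Mark Example",
    "email": "mark@example.com",
    "billing_address": "123 Example St, Ottawa",
    "health_insurance_number": "0000-000-000",
    "diagnosis": "fractured radius",
    "phone": "+1-555-0100",  # not in the schema: defaults to PII
}

if __name__ == "__main__":
    print(inventory())
    print(redact_for_logging(SAMPLE_ACCOUNT))
```

Running the module prints the PII/PHI inventory and then the log-safe copy of the sample account: the username and posts unchanged, the email reduced to `m***@example.com`, the other PII fields (including the unlisted `phone`) replaced with `[redacted]`, and no `diagnosis` key at all. The "unknown means PII" default is the design choice worth copying: it makes the schema the single place a reviewer has to check, instead of every log statement.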
