The term personally identifiable information (PII) refers to information that can be used to infer or trace an individual's identity, such as their name, Social Security number, e-mail address, or biometric records, either alone or when combined with other information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name.
Information permitting the physical or online contacting of a specific individual is also PII. PII can be maintained in paper, electronic, or other media.
The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. The loss of PII in a data breach or other cyber incident can also create legal liability for a company that has been entrusted with its customers' or employees' PII.
Sensitive PII
Sensitive PII is PII that if lost, compromised, or disclosed without authorization, could result in harm, embarrassment, inconvenience, or unfairness to an individual. This data requires stricter handling guidelines because of the increased risk to an individual if the data are compromised.
The following types of PII are considered sensitive when associated with an individual:
• Social Security Number (including truncated form)
• place of birth
• date of birth
• mother’s maiden name
• biometric information
• medical information (excluding brief references to absences from work)
• personal financial information
• credit card or purchase card account numbers
• passport numbers
• potentially sensitive employment information (e.g., performance ratings, disciplinary actions, and results of background investigations)
• criminal history
• any information that may stigmatize or adversely affect an individual.
If sensitive PII is transmitted electronically, it must be protected by secure methods: encryption of the data itself (for example, with keys managed through a Public Key Infrastructure) or an encrypted transport such as TLS (the older term is secure sockets layer, SSL). When in doubt, treat PII as sensitive.
Context of Information is Important
The same types of information can be sensitive or nonsensitive depending upon the context. For example, a list of names and phone numbers for the company’s softball team is very different from a list of names and phone numbers for individuals being treated for an infectious disease.
Whether the loss of PII is a privacy incident is not always cut and dried: depending on context, even PII that is not sensitive must be reported as a privacy incident. For example, the loss of a contact list naming the people who attended employer training would not normally be considered a privacy incident.
If the lost or compromised list instead names the employees being disciplined for not attending that training, it is a privacy incident. In this instance it is the context of the information, not the data elements themselves, that makes the loss a reportable privacy incident.
Likewise, the loss of sensitive PII in an encrypted or password-protected format can still be a privacy incident. For instance, if encrypted or password-protected sensitive PII is sent, together with the key or password needed to open it, to a person without a need to know or to a personal e-mail address, that is a privacy incident: the protection is only as good as the secrecy of the key.
Washington State
In Washington State, PII is protected under a combination of state statutes and federal laws. The definitions above apply: PII is any data that can identify an individual (name, Social Security number, e-mail address, biometric records, and linked information such as date and place of birth or mother's maiden name), and sensitive PII (Social Security numbers, medical and financial information, criminal history, and the other categories listed above) requires stricter protection because of the harm unauthorized disclosure can cause.
Washington's data breach notification law, RCW 19.255.010, requires businesses and public agencies to notify affected individuals when the "personal information" the statute defines (a narrower, specifically enumerated category than PII in general) is compromised in a breach. Entities must also implement reasonable security measures to safeguard PII, and failure to protect it adequately, especially sensitive PII, can lead to legal liability.
Context still governs whether an event is a reportable privacy incident: a lost or compromised list of employees disciplined for not attending training is an incident because of what the list implies, and encrypted or password-protected sensitive PII becomes an incident when the means to decrypt it are disclosed inappropriately.
Federal laws add protection at the national level for particular categories: the Health Insurance Portability and Accountability Act (HIPAA) for medical information and the Gramm-Leach-Bliley Act (GLBA) for financial information.