
Define Personal Information

When we attempt to protect customer non-public information within the boundaries of our businesses, we must first define personal information. We can’t develop a protection strategy if we don’t know what information we should protect and where the target information resides. Privacy laws exist in many forms and at many levels, from the state level to the federal level, either standalone or embedded within other laws such as the GLBA and HIPAA. These laws are often redundant because they overlap, and they are also incomplete. For example, these privacy laws do not address consumer awareness and education in any form. There are many redundant laws requiring employee awareness and training about information security threats and best practices, but there are no laws pertaining to consumers that require companies to educate customers, which is currently one of the biggest gaps in our privacy laws in my opinion.

Depending on who created the various privacy laws and where they were created, there are many terms and definitions for describing customer private information. For example, I personally label and define personal information as "identity components" in many of my writings. In my opinion, not only is each identity made up of many identity components, but not all identity components are created equal: some are more vulnerable to theft and fraud and thus much more likely to be exploited. Before we can even attempt to protect an identity against theft and fraud, we have to properly define and identify the exploitable identity components.

Let’s now look at how various agencies and governments define personal information:

Consumer identity is often referred to as "non-public information", as "personal information" in the State of California, or as "personally identifiable information" (PII) per the US government. PII is defined as "Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc". In California, on the other hand, "personal information" is defined as "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records."

As you can see, depending on where you collect and intend to protect personal information, you must first define personal information in accordance with local laws. Here is another definition of personal information, per the EU directive: "'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

For regulatory compliance purposes, we must first define personal information per the privacy laws before we can develop a strategy for protecting customer information and complying with the various laws.
