
How Personally Identifiable Information (PII) Is Evolving

By Beth Shulkin

Personally identifiable information (PII) is any data used to identify an individual, such as social security number, phone number, or physical address. For years, merchants, banks, government agencies, and countless other organizations have relied on PII to service their customers, for processing transactions of online shoppers, approving loans for home buyers, issuing tax returns to citizens, and more.

While PII is useful for enabling digital transactions, it can also be harmful if compromised. Data breaches at retailers, health-related organizations, financial institutions, and federal agencies can put an individual’s PII at risk and make them vulnerable to identity theft and other forms of fraud. It can also be costly to the breached organization. According to IBM’s 2020 Cost of Data Breach Report, the average total cost of a data breach is $3.86M globally, with the most compromised and costliest type of record being customer PII at $150 per record.

How Stolen PII Puts Individuals at Risk

In the early days of digital fraud, it was a crime committed mostly by hackers acting independently. But over the years, it has become a domain of organized crime, with large groups targeting physical goods sold online to make real money. Today, fraud has accelerated and grown even more sophisticated due to the rise of e-commerce, mobile payments, and computing power. Many of the same technologies that companies rely on to innovate and rapidly introduce new products and services are also being adopted by fraudsters.

The increasing sophistication of today’s fraud can put individuals at even greater risk should their PII fall into the wrong hands. It can be used to create synthetic identities, where fraudsters combine PII from real people with false information to open bank accounts and credit cards and act like legitimate customers to build a transaction history. They then run up charges that they never pay. McKinsey & Company estimates that synthetic identity fraud is the fastest-growing type of financial crime in the United States, and Aite Group found it costs U.S. lenders an estimated $10,000 to $15,000 per incident.

Gaining access to someone’s PII makes it possible to not only create new accounts but take over an individual’s existing accounts. Once in control, fraudsters can change the real shipping address and use a card on file to purchase goods and have them shipped to the fraudster’s address.

The Introduction of New Regulations to Protect PII

As fraudsters’ methods have become more advanced, new government regulations have emerged to protect consumer data and identities. In the European Union, the Payment Services Directive (PSD2) governs how banks and merchants share consumer data to facilitate payments, and the General Data Protection Regulation (GDPR) mandates stringent controls over the collection and use of consumer data. In the U.S., the California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect. These laws carry the risk of stiff penalties for non-compliance and reflect the strong attitudes toward data privacy.

The Shift from Static to Dynamic PII

Just as fraud has evolved over time, so has the concept of PII. According to the U.S. General Services Administration:

“Non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”

For this reason, the definition of PII continues to change as new information becomes available, and trends emerge.

Historically, PII has been static, meaning the elements remain the same over time. Static PII typically comprises data like a social security number, driver’s license ID, date of birth, or any other national identifier. But due to the sophistication of fraud attacks and recent major PII data breaches, such as Equifax in 2017 and Starwood Hotels in 2018, historical and static methods of verifying an identity have become ineffective for authentication. In fact, a survey by RSA found that 45 percent of Americans have had their personal information compromised by a data breach in the last five years.

However, as the world has become increasingly mobile and tech-driven, new dynamic PII elements have emerged, such as IP addresses, email addresses, device IDs, behavior, and biometrics. These PII types are fluid (or change frequently), making them less susceptible to compromise than their static PII counterparts. And by examining the relationships between these data elements, they become even more powerful as a tool in digital identity verification.

How Dynamic PII Better Assesses Fraud Risk

Dynamic PII elements fit together like puzzle pieces to create a composite picture of an individual. Device IDs, for instance, can show whether an individual has used a browser to conduct a transaction or log into their bank account. At the same time, behavioral data can provide a historical look back at an individual’s purchases to provide red flags or signal anomalies such as a consumer transacting across dozens of merchants in a day or two.

With dynamic PII, organizations can rely less on static PII as a definitive indicator of a customer’s identity and instead focus on PII patterns to determine risk. Some patterns might include how often a phone number or shipping address is used or the number of times an email address is paired with a specific IP address. By focusing on data patterns instead of precise identification, organizations can more easily spot cases of fraudulent activity while avoiding interference with valid users and unnecessary friction in the transaction process.
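The pattern checks described in this section (distinct merchants within a short window, a shipping address shared across accounts, and how often an email has been paired with a given IP), as an added example that is not part of the original article. The transaction records and the thresholds are constructed for illustration; a real deployment would tune thresholds (the article mentions dozens of merchants in a day or two) from observed data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, email, ip, shipping_address, merchant).
SAMPLE = [
    ("2021-03-01T09:00", "ann@example.com", "203.0.113.5", "1 Elm St", "shopA"),
    ("2021-03-01T10:00", "ann@example.com", "203.0.113.5", "1 Elm St", "shopB"),
    ("2021-03-02T11:00", "ann@example.com", "203.0.113.5", "1 Elm St", "shopA"),
    ("2021-03-01T09:05", "bob@example.com", "198.51.100.7", "9 Oak Ave", "shopC"),
    ("2021-03-01T09:15", "bob@example.com", "198.51.100.7", "9 Oak Ave", "shopD"),
    ("2021-03-01T09:25", "bob@example.com", "198.51.100.7", "9 Oak Ave", "shopE"),
    ("2021-03-01T09:35", "bob@example.com", "198.51.100.7", "9 Oak Ave", "shopF"),
    ("2021-03-02T08:00", "carl@example.com", "198.51.100.9", "9 Oak Ave", "shopA"),
    ("2021-03-02T08:10", "dee@example.com", "198.51.100.9", "9 Oak Ave", "shopB"),
]

def parse(records):
    return [(datetime.fromisoformat(ts), e, ip, a, m) for ts, e, ip, a, m in records]

TXNS = parse(SAMPLE)

def max_merchants_in_window(txns, email, window=timedelta(hours=48)):
    """Largest number of distinct merchants one account hit inside any sliding window."""
    times = sorted((t, m) for t, e, _, _, m in txns if e == email)
    best = 0
    for i, (start, _) in enumerate(times):
        seen = {m for t, m in times[i:] if t - start <= window}
        best = max(best, len(seen))
    return best

def accounts_per_shipping_address(txns):
    """How many distinct accounts ship to each address (reuse across accounts)."""
    by_addr = defaultdict(set)
    for _, e, _, addr, _ in txns:
        by_addr[addr].add(e)
    return {addr: len(accounts) for addr, accounts in by_addr.items()}

def email_ip_pair_counts(txns):
    """How often each (email, ip) pairing has been observed; 0 means never seen."""
    return Counter((e, ip) for _, e, ip, _, _ in txns)

def risk_flags(txns, email, ip, addr, merchant_limit=4, addr_limit=2):
    """Pattern-based flags for a new transaction; thresholds are illustrative only."""
    flags = []
    if max_merchants_in_window(txns, email) >= merchant_limit:
        flags.append("many_merchants_48h")
    if accounts_per_shipping_address(txns).get(addr, 0) >= addr_limit:
        flags.append("shared_shipping_address")
    if email_ip_pair_counts(txns)[(email, ip)] == 0:
        flags.append("unseen_email_ip_pair")
    return flags
```

Flags are inputs to a risk decision, not a verdict: a well-known email/IP pairing lowers friction for a returning customer, while an address shared by several accounts is worth a closer look rather than an automatic block.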

The Importance of Securing Customer PII

Regardless of the type of PII organizations use, it’s crucial that they take steps to protect it. Customer information is both an asset and a liability. The loss or misuse of PII can result in legal ramifications and cause irreparable damage to customer trust. The protection and handling of customer data should be a critical keystone at the base of every business. Some best practices for doing so include:

  • Understand the data sources. To determine how (and to which extent) they should protect PII, organizations should first consider where the data is coming from. For instance, a customer’s billing information is much more sensitive than web traffic data and, therefore, will require much more stringent data protection methods.
  • Ensure all data serves a clear and distinct purpose. Some data will fulfill short-term purposes (such as technical logs used for debugging purposes), whereas other data will fulfill longer-term purposes (e.g., billing records until the next tax season). Understanding the purpose of the collected PII will help guide decisions about how it should be stored and protected.
  • Devalue data no longer in use. It can be tempting for organizations to retain records indefinitely, but data does not stay relevant forever; it will likely grow stale and diminish in value over time. Data kept beyond its usefulness not only costs the company money to retain but also increases its liability if breached. In order to keep PII relevant and low-risk, companies should consider aging off data that is no longer needed, with the goal of keeping it for the minimal time necessary to fulfill its purpose.

In a world where technology is rapidly advancing, organizations need to consider how they will keep up with the innovative tactics of today’s fraudsters. It isn’t enough to just create barriers for users that appear remotely fraudulent. Such broad-brush approaches risk alienating modern consumers who demand secure yet seamless experiences. By understanding how PII has evolved, leveraging dynamic elements to evaluate transactions, and prioritizing the protection of PII, businesses can be one step closer to better assessing and mitigating risk and providing enhanced experiences for their customers.
