January 2, 2013
by Michael Zevitz
South & Associates, P.C. – USFN Member (Kansas, Missouri)
PI is easily defined as 22÷7 or about 3.14159. On the other hand, PII is not so easily defined or recognizable.
PII, as employed in the financial services industry, is information that can be used to uniquely identify, contact, or locate a single person, or which can be utilized with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent and, for legal purposes, the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.
The most common definition of “personal information” refers to a consumer’s first name and last name linked to any one or more of the following data elements that relate to the consumer, when the data elements are neither encrypted nor redacted: Social Security number; driver’s license number or state identification card number; loan or financial account number; credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a consumer’s financial account; street address, telephone number, email address; photo, fingerprint, or other biometric image.
Basis of PII — It is interesting to note that PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others.
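An added illustration of the point above, not part of the original article: a short Python script that measures, over nine constructed records holding no name, Social Security number, or account number, how many records each attribute or combination of attributes singles out. The field names and values are assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data: nothing here is PII under the common definition.
RECORDS = [
    {"zip": "66101", "birth_year": 1970, "sex": "F"},
    {"zip": "66101", "birth_year": 1970, "sex": "F"},
    {"zip": "66101", "birth_year": 1970, "sex": "M"},
    {"zip": "66101", "birth_year": 1982, "sex": "F"},
    {"zip": "66101", "birth_year": 1982, "sex": "M"},
    {"zip": "64105", "birth_year": 1970, "sex": "F"},
    {"zip": "64105", "birth_year": 1970, "sex": "M"},
    {"zip": "64105", "birth_year": 1982, "sex": "F"},
    {"zip": "64105", "birth_year": 1982, "sex": "M"},
]

def class_sizes(records, attrs):
    """Count how many records share each combination of values for attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)

def k_anonymity(records, attrs):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(class_sizes(records, attrs).values())

def unique_fraction(records, attrs):
    """Fraction of records whose combination of values appears only once."""
    sizes = class_sizes(records, attrs)
    alone = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return alone / len(records)

def survey(records):
    """Evaluate every non-empty subset of the attributes in the records."""
    names = sorted(records[0])
    results = {}
    for n in range(1, len(names) + 1):
        for attrs in combinations(names, n):
            results[attrs] = (k_anonymity(records, attrs),
                              unique_fraction(records, attrs))
    return results

if __name__ == "__main__":
    for attrs, (k, frac) in survey(RECORDS).items():
        print(f"{'+'.join(attrs):22} k={k}  singled out: {frac:.0%}")
```

In this sample every single attribute and every pair leaves each person in a group of at least two, while the three attributes together single out seven of the nine records.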
A Case Study — In the bankruptcy forum, protecting the PII of debtors gained importance with the pervasive use of electronic case filing. Section 205(c)(3) of the E-Government Act of 2002 required the U.S. Supreme Court to prescribe rules “to protect privacy and security concerns relating to electronic filing of documents and the public availability ... of documents filed electronically.” To satisfy this requirement, the court adopted Rule 9037, which restricts the filing of documents in bankruptcy cases containing certain types of PII, to address privacy concerns resulting from public access to electronic case files. Rule 9037 addresses the Social Security number, date of birth, and loan number. Pursuant to Rule 9037(a), any document filed in a bankruptcy case must limit the disclosure of that PII to the last four digits of the Social Security number, the year of the individual’s birth, and the last four digits of the loan number.
The term “personal information” does not include public information that is lawfully made available to the general public from federal, state, or local government records. Although the concept of PII is old, it has become much more important as information technology and the internet have made it easier to collect PII through breaches of internet, network, and web browser security, leading to a profitable market in collecting and reselling PII.
Response — In response to these threats, servicers and their attorneys are implementing policies and security safeguards to protect against risks such as loss or unauthorized access, destruction, use, modification, or disclosure of PII data. For data in motion, companies are now turning to secure and encrypted email protocols prior to transmission, in addition to redaction policies for publicly available documentation. For data at rest, which refers to information stored on a secondary storage device, such as a hard drive or backup tape, encryption solutions are also readily available. The adage “you can never be too careful” certainly applies to just about every aspect of Personally Identifiable Information.
© Copyright 2013 USFN. All rights reserved.