Context: Recently, the Ministry of Corporate Affairs fixed a critical vulnerability in its online portal. As per the reports, the vulnerability exposed personal details, like Aadhaar, PAN, voter identity, passport, date of birth, contact number, and communication address, of more than 98 lakh directors of Indian companies.

Introduction:
- Advancements in technology platforms have brought major changes to the operations of businesses, legislation by governments and relations between individuals. Cell phones, the internet, e-commerce and all other kinds of digital tools have created an explosion in data supply.
- This ‘Big Data’ is collected, analysed and processed by businesses and shared with other companies, which has in turn enabled them to gain better insight into how to improve their interactions with customers.
Personally Identifiable Information:
- Any data or information maintained by an organisation or agency that can be used, alone or together with other relevant data, to identify or trace a specific individual.
- Includes information such as Aadhaar, PAN, voter identity, passport, date of birth, contact number, communication address, and biometric information.
- Constituents of PII differ depending on an individual’s home country.
PII may consist of:
- Direct identifiers, such as passport information, that identify a person uniquely; or
- Quasi-identifiers, such as race, that can be combined with other quasi-identifiers such as date of birth to identify an individual.

Non-PII:
- Personal data, non-personal data (such as the company you work for), shared data and anonymised data are not classified as PII.
- Examples include photographic images (especially of the face or other identifying characteristics), place of birth, religion, geographic indicators, educational qualifications, etc.
- Personal Data: This has a broader range than PII and covers items such as IP address, device ID numbers, browser cookies, or genetic data.
What are Sensitive and Non-Sensitive PII:
- Sensitive PII includes legal statistics such as full name, Social Security Number, driver’s license, financial information, medical records, mailing address, passport information, credit card information.
- Such information when exposed can be used to identify a person and potentially cause harm.
- Such sensitive PII is stored by employers, government organisations, banks, etc.
- Example: An insurance company sharing a client’s information with a marketing company will not share the sensitive PII; the data shared will be limited to what the marketing company’s goal requires.
- Non-sensitive PII is easily accessible from public sources. This includes zip code, race, gender, date of birth, social media, religion, etc.
- It cannot be used alone to determine an individual’s identity.
- Although non-sensitive, such data is linkable: combined with other linkable personal information, it can reveal a person’s identity through de-anonymisation and re-identification techniques.
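The linkability point above is what a data-release audit measures: if a combination of quasi-identifiers (zip code, gender, date of birth) occurs only once in a released dataset, a public list that carries the same three fields can match that row back to a named person. The following is an added example (not from the original notes) with a constructed sample dataset; it computes the k-anonymity of a release over its quasi-identifiers and shows how generalising those fields raises k.

```python
from collections import Counter

# Constructed sample "anonymised" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"zip": "110001", "gender": "F", "dob": "1985-03-12", "diagnosis": "A"},
    {"zip": "110001", "gender": "M", "dob": "1990-07-04", "diagnosis": "B"},
    {"zip": "110002", "gender": "M", "dob": "1990-07-04", "diagnosis": "C"},
    {"zip": "110003", "gender": "F", "dob": "1985-03-12", "diagnosis": "D"},
    {"zip": "110001", "gender": "M", "dob": "1990-11-30", "diagnosis": "E"},
]

# Fields that are individually non-sensitive but linkable in combination.
QUASI_IDS = ("zip", "gender", "dob")


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Return (k, counts): k is the size of the smallest group of records that
    share the same quasi-identifier values. k == 1 means some record is unique."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(counts.values()), counts


def unique_records(records, quasi_ids=QUASI_IDS):
    """Records whose quasi-identifier combination occurs exactly once.
    These are the rows a public list with the same fields would re-identify."""
    _, counts = k_anonymity(records, quasi_ids)
    return [r for r in records if counts[tuple(r[q] for q in quasi_ids)] == 1]


def generalize(record):
    """Mitigation: coarsen quasi-identifiers before release.
    zip -> first three digits, full date of birth -> birth year only."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "***"
    g["dob"] = record["dob"][:4]
    return g


def generalized_k(records):
    """k-anonymity of the release after generalisation."""
    k, _ = k_anonymity([generalize(r) for r in records])
    return k


if __name__ == "__main__":
    k, _ = k_anonymity(RELEASE)
    print(f"raw release: k={k}, {len(unique_records(RELEASE))} unique rows")
    print(f"after generalisation: k={generalized_k(RELEASE)}")
```

In the sample every raw row is unique on (zip, gender, dob), so k is 1; after generalisation the rows collapse into groups of two and three, so k rises to 2.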
Threats of PII exposure:
- The Internet has become a major vector for identity theft.
- Data can be found by digging through trash or unopened mail, which can provide an individual’s name and address and may also reveal information about employment, banking relationships or social security numbers.
- Phishing and social engineering attacks use deceptive-looking websites or emails to trick people into revealing key information, which can then be used to fraudulently open bank accounts and siphon off funds from accounts.
- Information can also be stolen through deceptive phone calls or SMS messages.
- These threat actors are known to sell exposed PII on the ‘dark web’.
- Lucius, a threat actor found selling data online, claimed to have access to a 1.8 terabyte data leak impacting an unnamed ‘India internal law enforcement agency’.
- Dark web: An encrypted portion of the internet that is not visible to the general public via a traditional search engine such as Google. It is also known as the darknet and accounts for a large part of illegal activity on the internet.
- Threat actors also breach third parties that aggregate PII, which is facilitated by weaknesses in digital infrastructure.
Risks for India:
- India ranked fourth globally in all malware detections in the first half of 2023, as per a survey by Resecurity.
- A survey of 200 Indian IT decision makers found that 45% of Indian businesses have experienced more than a 50% rise in disruptive cyberattacks in 2023.
- The report also found that 67% of Indian government and essential services organisations experienced an increase in disruptive cyberattacks.
- The data sold on the dark web included one’s Aadhaar number, a unique 12-digit individual identification number issued by the Unique Identification Authority of India (UIDAI).
- Certain cases:
- In 2023, reports emerged that a bot on Telegram was returning the personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes.
- The government of India denied allegations of a biometric data leak, as well as a breach in the CoWIN portal.
- The Government, however, launched an investigation into the allegations that led to the arrest of a man in Bihar, along with a juvenile, in June 2023.
- A data breach was also reported in the Rail Yatri platform in January 2023.
How to secure PII?
- Individuals can take steps to ensure that their PII is not readily available to threat actors.
- They can look for HTTPS in URLs when visiting unknown websites. The “S” stands for secure and is used by legitimate websites to protect collected information from exposure over unsecured connections.
- Keep a tab on your PII like Aadhaar, passport, PAN, Voter ID, and other important proofs of identity. Avoid sharing or accessing images or details of identity documents through unknown devices.
- Keep a tab on your bank account transactions, credit cards, and credit score. A hit to the credit score could mean your PII has been misused to procure credit cards in your name.
- Users should also be alert and approach emails from unknown sources with caution, as stolen information may be used to target users in phishing campaigns.
- Users can change existing IDs and passwords so that stolen data cannot be used for launching brute-force attacks.
- Users should also implement two-factor authentication for all their accounts and inform the concerned authorities in case they notice any suspicious activity in their online accounts.
The following are the privacy regimes in specific jurisdictions:
India:
- The country’s Computer Emergency Response Team (CERT-In) is investigating reports of the data leak, and the government is working on moving massive amounts of data, including legacy data collected over the past decades, to safe storage.
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 mandate social media platforms to ensure greater diligence with respect to content.
United States:
- The US government defined ‘personally identifiable information’ in 2020.
- It covers anything that can be used to distinguish or trace an individual's identity, such as name, social security number and biometric information, either alone or combined with other identifiers such as date of birth or place of birth.
European Union:
- The definition expands to include quasi-identifiers as outlined in the General Data Protection Regulation (GDPR) which came into effect in 2018.
- The GDPR is a legal framework that sets rules for collecting and processing personal information for those residing in the EU.
Australia:
- The Privacy Act 1988 protects personal information.
- It regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities.
