As a business owner, you are the shepherd of your customers’ and employees’ personally identifiable information (PII). PII is any data that, by itself or combined with other data, can be used to identify a person and, in the wrong hands, to steal that person’s identity. That’s a big risk for businesses that handle PII as part of normal operations.

While handling PII may be essential for running your business, it can also make businesses of all types and sizes potential targets for cybercriminals. We’ll help you understand how to protect yourself and your business when you store, share or work with PII on behalf of your customers and employees.

What are the types of PII?

There are two types of PII: sensitive PII and non-sensitive PII. Sensitive PII is information whose exposure on its own can cause harm, such as a Social Security number, driver’s license number, full name, medical history or financial records. Non-sensitive PII is information that is largely public, such as ZIP code, gender and date of birth. Here’s a more detailed breakdown of each type:

Sensitive PII

Sensitive PII is information that must be protected and kept secure. Examples of sensitive PII include:

  • Full names
  • Fingerprints and other biometric data
  • Alien registration numbers
  • Driver’s license numbers and information
  • Mailing addresses
  • Account usernames
  • Passport information and numbers
  • Credit card numbers, CVV codes and expiration dates
  • Financial information, including routing and account numbers
  • Medical records and health information
  • Social Security numbers

Because this data is sensitive in nature and can be used for exploitation if it falls into the wrong hands, companies that handle it should encrypt it at rest and in transit and, where the business process allows, replace it with tokens or pseudonyms. The two measures do different jobs: encryption protects the data while it is stored or sent, whereas anonymization or tokenization is what turns a record into non-personally identifiable information, and only if the mapping back to the person is not kept alongside it. Together they help protect your business and your customers.

Non-sensitive PII

Non-sensitive PII is also called “indirect PII.” Unlike sensitive PII, this information is often publicly available and easy to find via sources such as social media, other websites or a phone book. Examples of indirect PII include:

  • ZIP code
  • Mother’s maiden name
  • Age range
  • Date of birth and place of birth
  • Religion
  • Employer
  • Race
  • Gender

On its own, a single item of this information does not identify an individual, which is why it is often released to the public. Still, while non-sensitive information is not as highly protected as sensitive PII, it is important to remember that it is linkable.

This means that when linked with other personally identifiable information, even non-sensitive PII may be able to single out an individual. The classic illustration is Latanya Sweeney’s finding that ZIP code, date of birth and gender together uniquely identified about 87% of the US population in 1990 census data. Consequently, your business should take similar security measures for non-sensitive PII as you would with sensitive PII.
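To make the linkability point concrete, here is an added example (not code from the original article) that runs a k-anonymity check over a small constructed customer list. It groups rows by the three “non-sensitive” columns ZIP code, gender and date of birth, reports which rows are singled out by that combination alone, and shows how coarsening the columns (3-digit ZIP prefix, birth year) raises the smallest group size. All names, ZIP codes and dates are invented.

```go
package main

import (
	"fmt"
	"sort"
)

// Record holds only attributes the article classes as non-sensitive.
// Every row is constructed for this example; none describes a real person.
type Record struct {
	Name   string // kept only so the output can show who gets singled out
	ZIP    string
	Gender string
	DOB    string // YYYY-MM-DD
}

// quasiKey joins the quasi-identifier columns into one grouping key.
func quasiKey(r Record) string {
	return r.ZIP + "|" + r.Gender + "|" + r.DOB
}

// GroupSizes counts how many records share each (ZIP, gender, DOB) combination.
func GroupSizes(recs []Record) map[string]int {
	sizes := make(map[string]int)
	for _, r := range recs {
		sizes[quasiKey(r)]++
	}
	return sizes
}

// UniquelyIdentified returns the names of records whose combination occurs
// only once: anyone who knows that person's ZIP, gender and birthday can
// link the supposedly anonymous row straight back to them.
func UniquelyIdentified(recs []Record) []string {
	sizes := GroupSizes(recs)
	var out []string
	for _, r := range recs {
		if sizes[quasiKey(r)] == 1 {
			out = append(out, r.Name)
		}
	}
	sort.Strings(out)
	return out
}

// KAnonymity returns the smallest group size (the k in "k-anonymity"),
// or 0 for an empty set. A release with k == 1 singles someone out.
func KAnonymity(recs []Record) int {
	k := 0
	for _, n := range GroupSizes(recs) {
		if k == 0 || n < k {
			k = n
		}
	}
	return k
}

// Generalize coarsens the quasi-identifiers (3-digit ZIP prefix, birth year)
// so more records fall into each group. Generalizing columns like this is the
// usual way to raise k before a data set is shared.
func Generalize(recs []Record) []Record {
	out := make([]Record, len(recs))
	for i, r := range recs {
		if len(r.ZIP) > 3 {
			r.ZIP = r.ZIP[:3]
		}
		if len(r.DOB) > 4 {
			r.DOB = r.DOB[:4]
		}
		out[i] = r
	}
	return out
}

// Constructed sample data (hypothetical people).
var sample = []Record{
	{"Alice", "10001", "F", "1985-03-12"},
	{"Bea", "10001", "F", "1985-03-12"},
	{"Carl", "10001", "M", "1985-09-30"},
	{"Dana", "10002", "F", "1990-07-01"},
	{"Eli", "10002", "M", "1990-02-14"},
	{"Fay", "10002", "F", "1990-07-01"},
	{"Gus", "10003", "M", "1985-11-02"},
	{"Hal", "10003", "M", "1990-12-25"},
}

func main() {
	fmt.Printf("raw data:    k=%d, singled out: %v\n", KAnonymity(sample), UniquelyIdentified(sample))
	g := Generalize(sample)
	fmt.Printf("generalized: k=%d, singled out: %v\n", KAnonymity(g), UniquelyIdentified(g))
}
```

On the raw rows half the people are uniquely identified by three columns the article lists as non-sensitive; after generalization every group has at least two members. Real data sets need far coarser generalization (and a public-suffix-style review of every column that could serve as a quasi-identifier) before k reaches a comfortable value.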

What is not considered PII?

To gain a better understanding of your potential exposure, it is also helpful to know what PII is not.

Information such as business phone numbers, workplace, job title, aggregated usage statistics for a service or product, or partially or fully masked IP addresses is not usually considered PII. Still, this information should be handled with care, since it can be linked with PII to determine an individual’s identity.

How do you protect PII?

The more PII we produce, the more difficult keeping it safe becomes. That is a concern for any business responsible for protecting PII, because losing control of it is what’s referred to as a “privacy incident.” The Department of Homeland Security defines a PII privacy incident as “the actual or potential loss of control, compromise, unauthorized disclosure, unauthorized acquisition or access to sensitive PII, in physical or electronic form.”

While privacy incidents can occur any time PII is present, they’re most common when employees fail to employ the correct controls when using, sharing, or accessing sensitive PII. This opens your business up to bad actors who want to use sensitive PII for unauthorized purposes.

With this risk in mind, follow these tips to safeguard sensitive PII:

1. Use a VPN

VPN stands for “virtual private network.” A VPN encrypts the traffic between your device and the VPN provider’s server, so someone sharing a coffee-shop or hotel Wi-Fi network cannot read or tamper with what you send. It protects PII in transit only: it does nothing for data already stored on a laptop or server, and it will not stop a phishing email from landing. A variety of VPNs¹ is available for businesses to use.

2. Know when you need to collect SSNs, and when you don’t

Many PII privacy incidents start with a Social Security number. The SSN is the gatekeeper to a person’s financial accounts, employment, medical information and more.

Be especially careful about how you manage the Social Security numbers of your clients and employees. Here are common occurrences when you may have to collect SSNs on behalf of your customers or employees:

  • During health insurance transactions
  • During financial and real estate transactions
  • To obtain employment or contract with a business
  • In certain medical scenarios

Outside of those instances, there’s seldom a legal requirement to collect a Social Security number. Educate yourself about the laws in your industry. If you must collect and store Social Security numbers, encrypt them at rest, restrict who can view them and log each access. The safest SSN is the one you never stored, so avoid storing Social Security numbers whenever possible.
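The following is an added example of storing Social Security numbers the way the tip above describes; it is not code from the original article. It validates the format, encrypts the number with AES-256-GCM using a fresh random nonce and the column name as associated data, keeps a separate HMAC-SHA256 “blind index” so a record can be matched without decrypting the table, and retains only the last four digits for display. Key management is assumed: the keys here are generated in memory, whereas a real deployment would fetch them from a KMS or HSM, and the SSN used is made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Accepts 123-45-6789 or 123456789; anything else is rejected before storage.
var ssnPattern = regexp.MustCompile(`^\d{3}-?\d{2}-?\d{4}$`)

// StoredSSN is what a database row holds instead of the raw number.
type StoredSSN struct {
	Ciphertext []byte // AES-256-GCM output: nonce || ciphertext || tag
	Index      []byte // HMAC-SHA256 blind index for exact-match lookups
	Last4      string // the only fragment ever shown on screen
}

// Keys are assumed to come from a KMS or HSM, never from source code or
// the database that holds the ciphertexts.
type Keys struct {
	Enc   []byte // 32 bytes for AES-256
	Index []byte // separate key, so a leaked index cannot decrypt anything
}

func normalize(ssn string) (string, error) {
	if !ssnPattern.MatchString(ssn) {
		return "", errors.New("not a well-formed SSN")
	}
	return strings.ReplaceAll(ssn, "-", ""), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BlindIndex is keyed because a plain SHA-256 of a 9-digit number is
// trivially brute-forced: there are only a billion possible SSNs.
func BlindIndex(k Keys, digits string) []byte {
	m := hmac.New(sha256.New, k.Index)
	m.Write([]byte(digits))
	return m.Sum(nil)
}

// Protect validates, encrypts and indexes an SSN for storage.
func Protect(k Keys, ssn string) (StoredSSN, error) {
	digits, err := normalize(ssn)
	if err != nil {
		return StoredSSN{}, err
	}
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return StoredSSN{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredSSN{}, err
	}
	// The column name is bound as associated data: a ciphertext copied into
	// another field fails authentication instead of quietly decrypting.
	ct := gcm.Seal(nonce, nonce, []byte(digits), []byte("ssn"))
	return StoredSSN{Ciphertext: ct, Index: BlindIndex(k, digits), Last4: digits[5:]}, nil
}

// Reveal decrypts one record; calls should be rare, logged and access-controlled.
func Reveal(k Keys, s StoredSSN) (string, error) {
	gcm, err := newGCM(k.Enc)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(s.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, s.Ciphertext[:ns], s.Ciphertext[ns:], []byte("ssn"))
	if err != nil {
		return "", err // wrong key, wrong column or tampered data
	}
	return string(pt), nil
}

// Matches reports whether a stored row belongs to ssn, without decrypting it.
func Matches(k Keys, s StoredSSN, ssn string) bool {
	digits, err := normalize(ssn)
	return err == nil && hmac.Equal(s.Index, BlindIndex(k, digits))
}

func main() {
	k := Keys{Enc: make([]byte, 32), Index: make([]byte, 32)}
	rand.Read(k.Enc)
	rand.Read(k.Index)
	row, _ := Protect(k, "123-45-6789") // constructed value, not a real SSN
	fmt.Printf("stored last4=%s, %d ciphertext bytes, index %x...\n", row.Last4, len(row.Ciphertext), row.Index[:4])
	fmt.Println("matches without decrypting:", Matches(k, row, "123456789"))
}
```

Two design points matter more than the cipher choice. The random nonce means the same SSN encrypts differently every time, so the ciphertext column reveals nothing about duplicates; the keyed index is what restores exact-match search, and because it is an HMAC rather than a hash, an attacker who steals the table still cannot enumerate all 10⁹ candidate numbers against it.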

3. Understand what phishing looks like

Phishing is among the most common ways PII is stolen. Phishing takes many forms, but these attacks usually arrive as malicious emails or texts disguised as routine communications from trusted brands or financial institutions. They try to trick you into sharing important information such as your account and routing numbers, credit card information or login details.

To overcome phishing attempts, look for these signs:

  • The email or text communication is poorly written and full of spelling or grammar mistakes.
  • The logo doesn’t look correct.
  • The link’s real destination (hover over it on a computer, or long-press it on a phone) doesn’t match the domain of the brand or financial institution.

If you’re ever unsure whether an email, text or phone call is legitimate, don’t open the link or attachment (or give any information to a person over the phone). Instead, visit the company’s website directly, using an address you typed or bookmarked yourself, and contact them through official channels. Ask whether they sent the communication in question, and you’ll get your answer.
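As an added example (not from the original article) of the link check in the signs above, this program compares each link’s visible text and actual destination against the domain a message claims to come from. It catches the common tricks: the brand name embedded in a foreign host, credentials placed before an @ to hide the real host, an internationalized (xn--) label that may be a homograph, and an unencrypted http link. The brand domain examplebank.com and all the links are constructed; treating the brand domain as “itself or any subdomain” is a simplification that ignores multi-part public suffixes such as co.uk.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Link is one anchor pulled from a message: the text the reader sees and the
// destination a click actually goes to (what a mail client shows on hover).
type Link struct{ Text, Href string }

// sameSite reports whether host is the brand domain itself or a subdomain of it.
func sameSite(host, brand string) bool {
	return host == brand || strings.HasSuffix(host, "."+brand)
}

// hasPunycodeLabel flags internationalized labels, which can render as
// look-alike characters (homographs) in the address bar.
func hasPunycodeLabel(host string) bool {
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			return true
		}
	}
	return false
}

// CheckLink returns a short reason code if the link is suspicious for a
// message claiming to come from brand (lowercase), or "" if it is consistent.
func CheckLink(l Link, brand string) string {
	u, err := url.Parse(strings.TrimSpace(l.Href))
	if err != nil || u.Hostname() == "" {
		return "unparseable" // no scheme or host, or not a URL at all
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	switch {
	case u.User != nil:
		// https://www.brand.com@evil.test/ : everything before '@' is a username
		return "userinfo"
	case hasPunycodeLabel(host):
		return "idn-host"
	case sameSite(host, brand):
		if u.Scheme != "https" {
			return "not-https" // right site, but credentials would travel in the clear
		}
		return ""
	case strings.Contains(host, brand):
		// brand.com.account-verify.test : the real site is the rightmost labels
		return "lookalike-host"
	case strings.Contains(strings.ToLower(l.Text), brand):
		return "text-host-mismatch" // visible text names the brand, link does not
	default:
		return "off-brand-host"
	}
}

// Scan checks every link in a message and returns the flagged ones by href.
func Scan(links []Link, brand string) map[string]string {
	flagged := make(map[string]string)
	for _, l := range links {
		if code := CheckLink(l, brand); code != "" {
			flagged[l.Href] = code
		}
	}
	return flagged
}

// Constructed links for a message that claims to be from examplebank.com.
var sample = []Link{
	{"Sign in at https://www.examplebank.com", "https://www.examplebank.com/login"},
	{"https://www.examplebank.com/secure", "https://examplebank.com.account-verify.test/login"},
	{"Verify your account", "https://www.examplebank.com@198.51.100.7/login"},
	{"Update your details", "https://examp1ebank.com/update"},
	{"www.examplebank.com", "http://www.examplebank.com/reset"},
	{"Reset password", "https://xn--80ak6aa92e.com/reset"}, // punycode label (IDN)
}

func main() {
	for href, code := range Scan(sample, "examplebank.com") {
		fmt.Printf("%-20s %s\n", code, href)
	}
}
```

The checker deliberately reports a reason code rather than a verdict: a link that leaves the brand’s domain may be a legitimate third-party mailer, whereas a userinfo trick or a look-alike host almost never is, so the codes let a mail filter weight them differently.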

What is a PII violation?

PII violations take many forms depending on the type of information involved, how many victims there are, and what kind of breach or mishandling occurred. Here are a few examples of PII violations:

  • Identity theft. Identity theft occurs when a bad actor gains unauthorized access to sensitive PII. This grants the bad actor access to a person’s bank account, health information and more. From there, they can use someone’s PII to initiate fraudulent purchases and other unwanted actions. Identity theft is a risk for your customers and employees if your databases are compromised or you lose physical PII.
  • Physical PII violations. Even if your company has excellent digital security measures, physical PII violations can happen. Consider this example: you recycle old client records without shredding them first. This leaves your customers’ PII information out in the open, where anyone can find it.
  • Digital PII violations. PII violations often occur when someone trades in computer equipment or phones without first securely wiping them of data or destroying files.

Cyber insurance and PII

While the theft of a customer’s PII is a nightmare situation, it can happen. Insurance does not prevent a breach, but cyber liability insurance can cover the cost of responding to one. If you receive payments online, if you store and transfer employee or customer data, or if you work with partners or vendors who need access to your customers’ PII, a cyber insurance policy is crucial.

Cyber insurance covers a variety of financial losses, including those resulting from reputational damage, extortion payments, legal fees and settlement costs. Depending on the policy, it can protect your business from the financial losses stemming from a privacy breach and also cover your legal defense in court.

Count your 0’s and 1’s

Personally identifiable information is a fact of life for any business that works with customers or employees. And no matter how careful you are with that sensitive data, PII violations still happen. Follow best practices when it comes to protecting sensitive information, but protecting your business with insurance is as easy as PII.

For a small business insurance policy that works as hard as you do, click “Get a quote” or download the Thimble mobile app, answer a quick set of questions, and get the coverage you need in minutes.


  1. CNET. Best VPN Service of 2022.