The Many Lives of PII
Can you believe how many different state laws we privacy pros need to reference just to determine what is PII? I mean, how many definitions could there be for one short phrase? I am not talking about Pi, the mathematical term, but the acronym for the likewise complex concept of “personally identifiable information.”
The definition of PII is important because it is a trigger for breach notification requirements in 48 U.S. jurisdictions (that’s 46 states plus D.C. and Puerto Rico). But it varies so much that I find myself constantly referencing complex charts, links and statutes to check on its meaning in a given state. Thankfully, the spirit of Halloween has bestowed upon me some inspiration in my search for broader understanding of these definitions. I’ve clustered the 48 definitions of PII into seven groups with similar definitions and dressed them up for Halloween. It’s easier to get acquainted with these definitions when I imagine each cohort as a persona. These personae are the seven PII archetypes.
Let’s start with Massachusetts, which has an undisputedly strict consumer data protection regime. I think of Massachusetts as the Drill Sergeant of PII. Its definition is not fancy and 32 other jurisdictions pretty much fall in line. Those 32 are the PII Infantry. In these states, PII is defined as name, or first initial and last name, in combination with one of three types of information:
1. Social Security number,
2. Driver’s license or state identification card number, or
3. Financial account number or credit card number, with or without any required code/number/password that would permit access to a financial account.
Get the idea?
Next in the lineup are the Nurses, who, in addition to the Drill Sergeant’s basic definition of PII, also protect individually identifiable medical information. The Nurses are Arkansas, Puerto Rico and Texas. Some states include not only medical information but also health insurance information. Since that’s where their priorities are, I call them the Brokers: California, Missouri, North Dakota and Virginia. In addition, Montana protects insurance policy numbers, but not medical information. North Dakota is a Broker and a good employer: It also protects employee identification numbers. Virginia is the Head Broker, since it has enacted a separate health information breach law.
The Pragmatists like to include various other types of information and “catch-all” definitions just in case a data breach tries to slip through the cracks. Georgia and Maine’s data breach notification laws cover any information that is sufficient to be used for identity theft, even if it is not exposed in combination with an individual’s name. Now that’s practical thinking. Maryland and Puerto Rico are Beancounters, the accountant archetype that is also concerned about individual taxpayer identification numbers. The rest of the states are Geeks, looking out for stuff like unique electronic identifiers to financial accounts, unique biometric data and digital signatures: Iowa, Nebraska, North Carolina, North Dakota and Wisconsin. Missouri is both a Nurse and a Geek – now we’re talking skills.
And let’s not forget the Agnostics, the four states that choose not to have a data breach notification law: Alabama, Kentucky, New Mexico and South Dakota. Their lack of such a law could be a comfort to companies doing business in those states, except that some of the other state laws still apply if the PII of one of their residents is compromised. For example, Massachusetts, our strict Drill Sergeant, protects the PII of its residents regardless of whether an entity is organized or licensed in Massachusetts. (Here, the Infantry does not fall in line, so let’s talk about that another time.)
So what kind of state do you live in? Are you ministered to by a Nurse, reassured by a Beancounter or protected by the Infantry? It’s not simple, but hopefully you have a more memorable impression of all the characters who play a part in the data breach notification scene.
The 32 Infantry jurisdictions: Alaska, Arizona, Colorado, Connecticut, Delaware, Dist. of Columbia, Florida, Hawaii, Idaho, Indiana, Illinois, Kansas, Louisiana, Michigan, Minnesota, Mississippi, Nevada, New Hampshire, New Jersey, New York, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Washington, West Virginia, and Wyoming.
Note from the Editor:
A similar form of this post has been published at: www.DataNeutrality.org/TrustBlog
About the Author
Annie C. Bai, CIPP/US, is a graduate of NYU School of Law. She works part time for the Entertainment Software Rating Board, speaks on privacy law for New Directions for Attorneys at Pace Law School, consults with Mezzobit and contributes to blog.security-breaches.com. She externed in the privacy group of Wiggin and Dana LLP earlier in 2013 and is currently leading a privacy audit for Single Stop USA. Annie is a Data Neutrality Privacy Fellow.