
The language of data privacy: The differences between PII, PHI, NPI, and PCI
Most of us have been affected by a data compromise at some point in the last few years. When a company is attacked and data is stolen, that company is responsible for notifying the individual victims of the data breach. The company may also publish its incident response efforts on a website, and this may include details on the data that was exposed. Unfortunately, these notifications aren’t always clear, and victims are left wondering exactly what was exposed. The term ‘cardholder data’ may seem simple enough, but it might not be what you think.
All data is used and regulated in different ways, with varying levels of corporate responsibility attached. Most of us can agree that ‘sensitive’ and ‘private’ data should be protected from the public, but that’s not good enough because we don’t all agree on what data should be classified as sensitive and private. People still can’t agree on whether public records should be protected under certain circumstances. The regulatory environment requires specificity to protect the public from data exposure and fraud. This specificity also helps companies understand their obligations in protecting data and data breach victims.
This post will review the most common data terms used in breach notifications. Data privacy laws vary around the world, so I’m going to keep it simple and focus on the United States, starting with personally identifiable information (PII).
Personally identifiable information (PII)
PII is defined in the National Institute of Standards and Technology (NIST) Special Publication 800-122. In short, PII is information that can be used to distinguish or trace an individual’s identity (name, Social Security number) or other information that is linked to an individual (financial information, employment history). See section 2.1 of the NIST publication for more details on what qualifies as PII.
Protected health information (PHI)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the best-known data protection laws in the U.S. HIPAA defines national standards for privacy, security, and breach notification rules around health information. HIPAA rules may reference PII and protected health information (PHI).
PHI is a subset of PII and is limited in scope to health information that is shared with HIPAA-covered entities. To be classified as PHI, the information must include at least one of the 18 HIPAA identifiers, such as a name or phone number. If all identifiers are removed from a PHI record, the record is no longer considered protected health information. This allows PHI to be de-identified and shared with other parties for research purposes. However, PHI rules only apply to HIPAA-covered entities, which is why schools are not subject to HIPAA rules, even if they maintain PHI-like data.
Nonpublic personal information (NPI)
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA), changed the way financial institutions do business with each other and consumers. GLBA was one of the first laws in the U.S. to standardize data protection practices across financial institutions. It requires these institutions to disclose privacy practices and follow strict rules when sharing information with third parties.
The privacy rule of GLBA protects nonpublic personal information (NPI) and is enforced by the Federal Trade Commission (FTC). NPI is any personally identifiable financial information that is collected by a financial institution “in connection with providing a financial product or service.” Name, address, purchase histories, and credit reports are all considered NPI under specified circumstances. If information is publicly available, it cannot be designated NPI, even if it would otherwise qualify. The FTC provides the example of a private versus a publicly known phone number: a private phone number can create an NPI record, and having just one NPI record in a list of otherwise non-NPI information designates the entire list as NPI. NPI is another subset of PII.
Cardholder and Payment Card Industry (PCI) data
The Payment Card Industry Security Standards Council (PCI SSC) was created in 2006 to manage payment card security standards. The council manages and administers the Payment Card Industry Data Security Standard (PCI DSS). There are twelve requirements that companies must meet to be considered PCI compliant, and most of these are standard IT security measures: password security, appropriate firewalls, updated antivirus protection, and so on. The cardholder data requirement mandates that stored card data be encrypted and that merchants regularly scan for primary account numbers (PANs) to ensure that none are left unencrypted.
The PCI SSC defines cardholder data as the full primary account number, along with the cardholder’s name, expiration date, or service code. If any one of those three is present with the PAN, it is considered cardholder data. Sensitive authentication data is any security-related information that is used to authenticate a cardholder or transaction. This could be the information from a magnetic stripe or a chip; it is typically not stored by a merchant, so when it is exposed it is usually captured in transit. The terms PCI data breach and PCI compliance breach usually refer to a breach of cardholder data.
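As an added example (not code from the original post), here is a small Python scanner of the kind the PAN-scanning requirement above calls for: it finds Luhn-valid PANs in text, masks them in its report so the report itself holds no card numbers, and notes when an expiration date sits on the same line, which by the definition above makes the record cardholder data. The log lines are constructed and the card numbers are well-known test numbers.

```python
import re
# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY expiration dates; per the text, PAN + expiry counts as cardholder data.
EXPIRY_PATTERN = re.compile(r"\b(?:0[1-9]|1[0-2])/\d{2}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the finding itself is not a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, digits only."""
    pans = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans

def scan_lines(lines) -> list:
    """For each cleartext PAN: (line number, masked PAN, expiry on same line?)."""
    findings = []
    for n, line in enumerate(lines, 1):
        has_expiry = EXPIRY_PATTERN.search(line) is not None
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan), has_expiry))
    return findings

# Constructed sample log lines; line 1 holds an order id that is not a PAN,
# line 3 holds a token (fine), lines 2 and 4 leak cleartext card numbers.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=ORD-1234567890123 status=paid",
    "2024-05-01 12:00:02 card=4111111111111111 exp=09/27 name=J. Doe",
    "2024-05-01 12:00:03 token=tok_visa_last4_4242 status=authorized",
    "2024-05-01 12:00:04 pan=4242 4242 4242 4242 status=declined",
]

if __name__ == "__main__":
    for n, masked, expiry in scan_lines(SAMPLE_LOG):
        print(f"line {n}: cleartext PAN {masked}" + (" with expiry date" if expiry else ""))
```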
Other terms
Reports of a data breach often refer to sensitive information or private data instead of using a proper classification. Companies often do not disclose details of a data breach until individual breach notifications are underway, which means the public can only describe a data breach by using common terms with a widely shared understanding. Phrases like ‘protected records’ and ‘personal information’ convey the meaning that something private and potentially damaging has been exposed. The public cannot know what was stolen unless it is itemized, or a classification has been provided.
Depending on your location, these common terms might have a legal definition that applies to you or your company. For example, the California Consumer Privacy Act (CCPA) gives consumers the right to limit sensitive information, which includes “information about racial or ethnic origin, religious or philosophical beliefs, or union membership.” This information is regulated as sensitive personal data under the General Data Protection Regulation (GDPR). GDPR also makes sensitive personal data a subset of personal data, which is also defined with specificity in the regulation.
There are many more classifications of data, and each has its own applicable regulations. We can’t possibly cover all of them, but we’ll continue to explore topics around data regulations and exposures. Please keep in mind that you should consult an attorney or compliance expert if you have questions about your own rights and responsibilities, since none of this is legal advice. You might also benefit from an IT security audit that ensures you are meeting all of the technical requirements of your regulatory environment.