Updated on December 22, 2025.
Personally Identifiable Information (PII) is any data that can be used to identify a specific individual. This includes direct identifiers like a person’s full name or Social Security number (SSN), as well as indirect information like an IP address or login credentials that can be tied to an individual when combined with other data. PII is constantly collected, stored and shared, whether people are shopping online or organizations are serving customers. Since PII is used everywhere and is often highly sensitive, it is a valuable target for cybercriminals. Securing PII is essential for both individuals and organizations to minimize the risk of identity theft, fraud, account takeovers and reputational damage.
Continue reading to learn about the different types of PII, common examples of PII and how you and your organization can protect it.
Sensitive vs non-sensitive PII
PII is generally categorized as either sensitive or non-sensitive, depending on how easily it can identify an individual and the potential impact if it’s exposed.
What is sensitive PII?
Sensitive PII, also referred to as direct PII, is information that can uniquely identify an individual on its own. Since sensitive PII provides a direct connection to a person, it is very valuable to cybercriminals and requires the strongest protection. Common examples of sensitive PII include SSNs, driver’s license numbers, credit card information, biometric data and medical records.
What is non-sensitive PII?
Non-sensitive PII, also referred to as indirect PII, is information that cannot identify an individual on its own but can do so when combined with other information. Although this type of PII seems less risky, non-sensitive PII can still be exploited, especially when multiple pieces of information are collected and correlated. Examples of non-sensitive PII include birthdates, phone numbers, email addresses, employer information and ZIP codes.

Why the distinction between sensitive and non-sensitive PII matters
Distinguishing between sensitive (direct) and non-sensitive (indirect) PII is important because it determines how information should be secured. Sensitive PII demands stronger protections like encryption and continuous monitoring, whereas non-sensitive PII requires protection to prevent misuse when combined with other data.
For individuals, understanding the types of PII makes it easier to know which information should never be shared and which details require extra caution. For organizations, properly classifying PII supports compliance with data privacy regulations and helps reduce the potential impact of a data breach.
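As an added illustration (not code from this article or from any Keeper product), the Python sketch below shows how an organization might apply this classification when scanning free-text records: it tags each identifier as sensitive or non-sensitive and assigns a handling tier, treating two or more indirect identifiers in one record as identifying in combination. The detector patterns, tier names and sample records are assumptions; the patterns cover simplified US-style formats only.

```python
import re

# Categories follow the article: sensitive (direct) vs non-sensitive (indirect).
DETECTORS = [
    ("ssn", "sensitive", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("credit_card", "sensitive", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("email", "non-sensitive", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("phone", "non-sensitive", re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")),
    ("zip", "non-sensitive", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, d in enumerate(map(int, reversed(digits))):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value):  # keep only the last four characters so findings do not re-expose PII
    return "*" * (len(value) - 4) + value[-4:]

def find_pii(text):
    """Return (kind, category, masked_value) for each identifier found."""
    findings = []
    for kind, category, pattern in DETECTORS:
        for value in pattern.findall(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((kind, category, mask(value)))
    return findings

def risk_tier(findings):
    """Sensitive PII wins; two or more indirect kinds can identify in combination."""
    if any(cat == "sensitive" for _, cat, _ in findings):
        return "sensitive"
    kinds = {kind for kind, _, _ in findings}
    return "combined" if len(kinds) >= 2 else ("non-sensitive" if kinds else "none")

SAMPLES = [  # constructed sample records, not real data
    "Applicant SSN 078-05-1120, card 4111 1111 1111 1111",
    "Contact jane.doe@example.com or 555-867-5309, ZIP 62704",
    "Order 4111 1111 1111 1112 shipped to ZIP 62704",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(risk_tier(find_pii(record)), find_pii(record))
```

The third record shows why the card detector validates the checksum: a 16-digit run that fails the Luhn check is not reported as a card number, so the record is tiered on its ZIP code alone.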
How cybercriminals steal PII
Cybercriminals use many techniques to steal PII from both individuals and organizations, often exploiting poor cyber hygiene or security vulnerabilities within critical systems.
- Phishing and social engineering: Cybercriminals impersonate trusted individuals or companies to trick victims into sharing financial details, login credentials or other sensitive PII via emails, texts or phone calls.
- Malware: Keyloggers and spyware collect PII by recording keystrokes, monitoring online activity or stealing saved credentials from infected devices.
- Data breaches: Cybercriminals exploit outdated software or security gaps to access large amounts of PII, which is often sold on the dark web or reused in future cyber attacks.
- Account takeovers: When individuals or employees reuse passwords, cybercriminals may be able to use credentials stolen in previous breaches to access and take over additional accounts.
- Unsecured public WiFi: Public WiFi networks can enable Man-in-the-Middle (MITM) attacks, allowing cybercriminals to intercept login credentials and other PII in transit.
- Insider threats: Employees may accidentally or intentionally expose PII through phishing emails, improper data handling or privilege misuse.
How to protect your PII
While the specific security measures may differ for individuals and organizations, protecting PII generally involves reducing exposure, preventing unauthorized access and limiting the impact of potential data breaches.
How individuals can protect PII
- Use strong, unique passwords: Create long, complex passwords made up of at least 16 characters and a combination of uppercase and lowercase letters, numbers and symbols for each account. Avoid reusing passwords across multiple accounts to minimize security risks.
- Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second verification step beyond traditional passwords, making it more challenging for cybercriminals to access accounts.
- Don’t overshare online: Refrain from oversharing on social media, and only provide PII when it’s absolutely necessary to people you know and trust.
- Use a VPN on public WiFi: Avoid accessing sensitive accounts, like online banking, over unsecured networks. If you must access sensitive information while connected to public WiFi, use a Virtual Private Network (VPN) to encrypt your connection.
- Be cautious of phishing attempts: Never click suspicious links or share PII through unsolicited emails, texts or phone calls.
How organizations can protect PII
- Implement a Privileged Access Management (PAM) solution: A PAM solution helps organizations secure, monitor and manage access to privileged accounts, reducing the risk of unauthorized access to sensitive PII.
- Enforce least-privilege access: Limit access to PII based on roles so users only have the necessary permissions to perform their tasks.
- Adopt strong password security policies: Require strong, unique passwords, enforce MFA and use a password manager to reduce credential-based attacks.
- Train employees on security awareness: Regularly train employees on how to recognize phishing attempts, suspicious behavior and proper data-handling practices.
- Make an incident response plan: Develop and test an incident response plan to quickly detect threats and minimize the impact of PII-related incidents.
Protect your PII with Keeper®
PII is crucial in both our personal and professional lives, making it highly valuable to cybercriminals. For individuals, using a standalone password manager like Keeper makes it easier to generate, store and manage strong, unique passwords for each account. For organizations, a PAM solution like KeeperPAM® helps secure sensitive PII by combining PAM with built-in password management, ensuring that only authorized users can access PII and critical systems.
Start your free trials of Keeper Password Manager and KeeperPAM to protect your PII at home, work and everywhere in between.