Syllabus
GS Paper 2 – Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation.
GS Paper 3 – Awareness in the fields of IT, Space, Computers, Robotics, Nano-technology, Bio-technology and issues relating to Intellectual Property Rights; Challenges to Internal Security through Communication Networks.
Context
The Ministry of Corporate Affairs recently addressed a significant security flaw in its online portal. According to reports, this flaw had left the personal information of over 98 lakh directors of Indian companies exposed.
The data at risk included Aadhaar numbers, PAN details, voter IDs, passports, dates of birth, phone numbers, and residential addresses.
The evolution of technology platforms has ushered in transformative changes in business operations, government legislation, and personal relationships. The advent of mobile phones, the internet, e-commerce, and a plethora of digital tools have led to a surge in data availability. This vast pool of data, often referred to as ‘Big Data’, is gathered, analyzed, and processed by businesses. It is then shared with other entities, providing them with valuable insights to enhance their customer interactions. This serves as the backdrop for our exploration into the world of data-driven decision making.
Personally Identifiable Information (PII)
- Personally Identifiable Information (PII) refers to any data or information that an organization or agency maintains which can be used, on its own or in conjunction with other relevant data, to identify or trace a specific individual.
- PII includes details such as Aadhaar, PAN, voter identity, passport, date of birth, contact number, communication address, and biometric information.
- The constituents of PII can vary based on an individual’s home country.
Types of PII
- Direct Identifiers
  - Direct identifiers, such as passport information, can uniquely identify a person on their own.
- Quasi-Identifiers
  - Quasi-identifiers, such as race, can be combined with other quasi-identifiers, such as date of birth, to identify an individual.
- Sensitive PII
  - Sensitive PII includes data such as full name, Social Security Number, driver’s licence, financial information, medical records, mailing address, passport information and credit card information. Such information, when exposed, can be used to identify a person and potentially cause harm. It is stored by employers, government organisations, banks, etc.
  - For example, an insurance company sharing a client’s information with a marketing company will not share the sensitive PII; the data shared will be limited to what the marketing company’s goal requires.
- Non-Sensitive PII
  - Non-sensitive PII is easily accessible from public sources. It includes zip code, race, gender, date of birth, social media details, religion, etc.
  - It cannot be used alone to determine an individual’s identity. Although non-sensitive, such data is linkable: combined with other linkable personal information, it can reveal a person’s identity through de-anonymization and re-identification techniques.
- Non-PII
  - Personal data, non-personal data (such as the company you work for), shared data and anonymized data are not classified as PII.
  - Examples include photographic images (especially of the face or other identifying characteristics), place of birth, religion, geographic indicators, educational qualifications, etc.
Personal Data: This has a broader range than the PII, such as IP address, device ID numbers, browser cookies, or genetic data.
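The linkability described above (quasi-identifiers that are harmless alone but identifying in combination) and the anonymization measure recommended later on this page can both be checked with a k-anonymity measurement before a dataset is released. The Python below is an added example, not code from the article or from any agency it names: it takes a constructed six-record dataset, reports the smallest group of records sharing one quasi-identifier combination (k), then generalizes the quasi-identifiers and measures again. The field names, the records, the generalization rules (zip code cut to three digits, date of birth reduced to birth year) and the hypothetical electoral-roll lookup are all assumptions made for the example.

```python
"""k-anonymity check for a release that contains quasi-identifiers.

Added example (constructed data, not a real dataset): `diagnosis` is the
sensitive attribute; zip, gender and dob are quasi-identifiers that an
outsider could know from a public source such as an electoral roll.
"""
from collections import Counter

RAW_RECORDS = [
    {"zip": "560001", "gender": "F", "dob": "1985-03-12", "diagnosis": "diabetes"},
    {"zip": "560002", "gender": "F", "dob": "1985-07-30", "diagnosis": "asthma"},
    {"zip": "560003", "gender": "M", "dob": "1990-01-05", "diagnosis": "flu"},
    {"zip": "560004", "gender": "M", "dob": "1990-11-20", "diagnosis": "diabetes"},
    {"zip": "560005", "gender": "F", "dob": "1985-12-01", "diagnosis": "flu"},
    {"zip": "560006", "gender": "M", "dob": "1990-06-18", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "gender", "dob")


def k_anonymity(records, qids):
    """Smallest number of records that share one quasi-identifier combination.

    k == 1 means at least one person is unique on the quasi-identifiers alone,
    so anyone holding those values (e.g. from a public roll) can single them out.
    """
    groups = Counter(tuple(r[q] for q in qids) for r in records)
    return min(groups.values())


def generalize(record):
    """Coarsen the quasi-identifiers (assumed rules for this example):
    zip code keeps its first three digits, date of birth keeps only the year."""
    g = dict(record)
    g["zip"] = record["zip"][:3] + "***"
    g["dob"] = record["dob"][:4]
    return g


def anonymize(records):
    """Apply the generalization to every record before release."""
    return [generalize(r) for r in records]


def linkage_candidates(records, known):
    """Release-risk check: how many released records match a set of
    quasi-identifier values an outsider already knows. 1 means re-identified."""
    return sum(1 for r in records if all(r[q] == known[q] for q in QUASI_IDENTIFIERS))


if __name__ == "__main__":
    # Values an outsider might hold for one person (constructed).
    known = {"zip": "560001", "gender": "F", "dob": "1985-03-12"}
    print("k before generalization:", k_anonymity(RAW_RECORDS, QUASI_IDENTIFIERS))
    print("records matching known values (raw):", linkage_candidates(RAW_RECORDS, known))
    released = anonymize(RAW_RECORDS)
    print("k after generalization:", k_anonymity(released, QUASI_IDENTIFIERS))
    print("records matching known values (released):",
          linkage_candidates(released, generalize(known)))
```

On the raw records every quasi-identifier combination is unique (k = 1), so a single known date of birth and zip code picks out one record and its diagnosis; after generalization each combination is shared by three people (k = 3), which is what the anonymization step on this page is meant to achieve before data is shared with a third party.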
Threats of PII exposure
- Identity Theft: PII exposure increases the risk of identity theft, where criminals use stolen personal information to impersonate individuals for fraudulent activities. Cyberattacks and weaknesses in digital infrastructure can lead to the exposure of citizens’ PII.
- Financial Fraud:
  - Exposed PII, such as bank account numbers or credit card information, can lead to financial fraud.
  - Criminals may access bank accounts, make unauthorized transactions, commit payment fraud, and siphon funds from accounts allotted to beneficiaries of government welfare programmes, resulting in financial loss for the victim.
- Privacy Violations: PII exposure can violate privacy, compromising individuals’ confidentiality and autonomy. Unauthorized access to personal information can result in stalking, harassment, or intrusion into individuals’ private lives.
- Phishing and Social Engineering Attacks:
  - Cybercriminals may use exposed PII to conduct phishing attacks, tricking individuals into disclosing further sensitive information or clicking on malicious links.
  - Social engineering attacks, such as impersonation scams or pretexting, exploit exposed PII to manipulate individuals into revealing confidential data or granting unauthorized access.
- Data Breach Fallout: PII exposure often occurs through data breaches, leading to significant financial losses, remediation costs, and damage to the organization’s reputation. Organizations may suffer from diminished customer trust, decreased revenue, and increased scrutiny from regulators and stakeholders.
- Reputation Damage: Exposure of sensitive PII, such as compromising photos or personal messages, can damage individuals’ reputations and relationships. Information leaked online may be used for blackmail, extortion, or public humiliation, leading to social and professional consequences.
- Dark Web and Threat Actors:
  - Lucius, a threat actor found selling data online, claimed to have access to a 1.8 terabyte data leak affecting an unnamed ‘India internal law enforcement agency’.
  - The dark web is an encrypted portion of the internet that is not visible to the general public through a traditional search engine such as Google. It is also known as the darknet and hosts a large part of the illegal activity on the internet.
Risks for India
- Malware Detection Ranking: According to a survey by Resecurity, India is ranked fourth globally in all malware detection in the first half of 2023.
- Rise in Cyberattacks: A survey of 200 Indian IT decision makers revealed that 45% of Indian businesses have experienced more than a 50% rise in disruptive cyberattacks in 2023.
- Government and Essential Services: The report also found that 67% of Indian government and essential services organisations experienced an increase in disruptive cyberattacks.
- Data Sold on Dark Web: The data sold on the dark web included one’s Aadhaar number, a unique 12-digit individual identification number issued by the Unique Identification Authority of India (UIDAI).
Data Breach Instances in India
- CoWIN Data Breach Allegations
  - Reports surfaced about a Telegram bot returning the personal data of Indian citizens registered on the CoWIN portal.
  - An American cybersecurity company reported a similar data breach, claiming that the PII of 815 million Indian citizens, including Aadhaar numbers and passport details, was being sold on the dark web.
  - The Indian government denied these allegations and assured that the CoWIN website is safe and has adequate safeguards for data privacy.
- Aadhaar Data Leaks
  - There were reports of Aadhaar data leaks in 2018, 2019, and 2022, with three instances of large-scale leaks, including one where farmers’ data stored on the PM Kisan website was made available on the dark web.
- RailYatri Platform Data Breach
  - A data breach was reported on the RailYatri platform in January 2023.
- Increase in Cyberattacks on Government and Essential Services
  - According to a report from Resecurity, an American cybersecurity company, 67% of Indian government and essential services organisations experienced over a 50% increase in disruptive cyberattacks.
  - Furthermore, a survey of 200 IT decision-makers noted that 45% of Indian businesses experienced more than a 50% increase in cyberattacks.
Data Governance in India
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021: This is a set of rules that governs the digital media landscape in India.
- Justice K. S. Puttaswamy (Retd) vs Union of India 2017: This is a landmark case that had significant implications for privacy rights in India.
- Digital Personal Data Protection Act, 2023: This act regulates the processing of personal data in India. It applies to both online and offline data collection and processing, including activities outside India if they involve offering goods or services in India.
- Computer Emergency Response Team – India (CERT-In): Under the Information Technology Amendment Act 2008, CERT-In has been designated to serve as the national agency to perform several functions in the area of cyber security. These include the collection, analysis, and dissemination of information on cyber incidents, as well as issuing alerts on cybersecurity incidents. It is an organisation of the Ministry of Electronics and Information Technology.
Data Governance in Rest of the world
- United States: In 2020, the U.S. Government defined ‘personally identifiable information’ (PII) as anything that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, and biometric information, either alone or combined with other identifiers such as date of birth or place of birth.
- European Union: In the European Union, the definition expands to include quasi-identifiers as outlined in the General Data Protection Regulation (GDPR) which came into effect in 2018. The GDPR is a legal framework that sets rules for collecting and processing personal information for those residing in the EU.
- Australia: In Australia, the Privacy Act 1988 protects personal information. It regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities.
Challenges in Protecting PII
- Diverse Sources: PII may be stored and processed across multiple locations due to the growth of cloud computing and SaaS services.
- Increasing Data Volume: The amount of sensitive data stored in public clouds is projected to double by 2024, posing challenges in ensuring its security.
- Evolving Threat Landscape: Cybercriminals employ various techniques, including social engineering attacks and purchasing data on the dark web, to steal PII.
- Complex Regulatory Environment: Organizations must navigate different data privacy regulations and tailor their protection measures accordingly.
Securing PII
- Encryption: Employ encryption techniques to protect PII, regardless of the data’s state – whether it is at rest in a database, in transit across the internet, or even in use.
- Identity and Access Management (IAM): Utilize two-factor or multifactor authentication and zero-trust architecture (ZTA) to limit access to sensitive data. ZTA is based on the principle of “never trust, always verify.” It requires organisations to verify the identity of each user and continuously monitor user behaviour for malicious activity.
- Training: Provide employees with training on handling and protecting PII, including anti-phishing and social engineering awareness.
- Anonymization: Anonymize sensitive data to remove identifying characteristics.
- Cybersecurity Tools: Deploy data loss prevention (DLP) and extended detection and response (XDR) tools for tracking and detecting PII misuse. XDR tools are security tools that gather data from across a network and manage automated responses to threats.
- Collaboration and Partnerships: Collaborate with cybersecurity experts, regulatory bodies, and industry peers to stay informed about emerging threats and best practices in PII protection.
Personally Identifiable Information (PII) is crucial in today’s digital age. While it enables personalized services, its exposure can lead to identity theft and financial fraud. Therefore, safeguarding PII through encryption, anonymization, and robust access management is essential. Despite the evolving threat landscape, collaboration with cybersecurity experts and adherence to data privacy regulations can help ensure PII protection.
Source: The Hindu
Practice Question
Examine the importance of Personally Identifiable Information (PII) in the digital age. Discuss the potential risks associated with PII exposure and suggest measures to safeguard such information. Substantiate your answer with relevant examples. [250 words]