
Rethinking “Personal Identifiable Information (PII)” and Encryption

Most regulations define the term “personal identifiable information” to mean recorded information about an individual, which includes things like: name, address, e-mail, age, sex, marital status, social security number, health care history, religious or political beliefs, race, nationality, ethnicity, origin…you get my point. However, with the evolving landscape of technological innovations related to online behavioral advertising, is it time to revisit what the term PII really means? Most technology and marketing experts state that they do not need any of the above data to determine who they are dealing with online. Cookies, trackbacks, IP addresses (not the same as “address” above, which means a physical address), and other invisible data-tracking tools can easily provide firms with knowledge assets that are even more valuable than, for instance, the name of a customer. If this information is being commoditized between and amongst third parties, and those same third parties are able to identify the individual through their behavioral habits online, then should we start to rethink the definition of PII?

Recent studies have shown that more and more businesses are relying upon encryption to secure their mission-critical information. While this should sound like positive news, there is an alarming trend: encryption is being used only to satisfy regulatory compliance requirements, and not as one tool within a much broader, more comprehensive data governance strategy. As I’ve said numerous times, technology alone will not secure mission-critical data. The more a company relies on technology alone to secure mission-critical data, the greater the chance of an unauthorized release.
