Personally identifiable information (PII) is any piece of sensitive information that can be used to uniquely identify an individual, either directly or indirectly. In the US, PII protection isn’t regulated by just one federal law. Rather, there are miscellaneous federal and state laws, industry self-regulatory programs, common law principles, and sector-specific regulations.
For example, consumer protection laws such as the Federal Trade Commission Act (FTC Act) make it illegal to collect, use, process, or share PII in an unfair or deceptive way. In addition, each state enforces its own privacy and data security laws to protect PII. The scope and duties of these laws vary.
Fines for PII Violations
A PII breach often leads to fraud such as identity theft. Violations involving confidential and sensitive information also occur when:
- PII is accessed, used, or shared without permission, whether in physical or electronic form.
- A PII breach is not reported.
- An employee or agency deliberately distributes personal information to a person or agency not authorized to receive it.
- Anyone requests or obtains an individual’s record from an agency under false pretenses.
Those charged with mishandling PII may face penalties ranging from payment of damages and legal fees to disciplinary action, such as job termination, or criminal prosecution.
Violators can face criminal sanctions ranging from a $5,000 fine to misdemeanor criminal charges.
To avoid violations, every organization that handles PII should follow best security practices for protecting it. These include deploying firewalls and antivirus software and enforcing an e-commerce privacy policy.
How to Report a PII Violation
Visit the FTC website and navigate to its identity theft page. To report a scam or fraud incident, go to the FTC fraud page instead.