SecurityMetrics PIIscan Helps You Comply with Security Standards and Mandates. 

What is PII, and why do I need to find it?

Personally Identifiable Information (PII) is data kept by an organization that can be used to “distinguish or trace an individual’s identity,” according to NIST. For example, PII could include names, birth dates, birth places, mothers’ maiden names, or social security numbers. “Linked PII” is any information that can be linked to an individual, such as educational, medical, employment, or financial information.

Storing these types of information unencrypted on your systems and devices can leave your organization open to fines and make you more vulnerable to data theft.

Organizations can manually search for PII on their systems and devices, but doing so is time-consuming, tedious, and expensive in terms of working hours.

Sensitive Data Discovery Tool: SecurityMetrics PIIscan

PIIscan was created to help organizations quickly find and secure unencrypted PII on their systems. The data discovery tool is now widely available and helps organizations and businesses of all sizes comply with data security mandates and standards in the US and EU. 

This scanner runs light, but performs a big job. According to Product Manager Kai Whitaker, “PIIscan is designed to be quick, small, and powerful. Organizations find value and increase their security through the effective scanning that PIIscan provides.”


Unencrypted PII hides in unexpected places

Of all the organizations that conducted first-time data discovery scans with SecurityMetrics PIIscan, 61% found unencrypted PII in their networks. Many times, this sensitive data shows up in accounting, marketing, or other unexpected areas or departments.

Caches of unencrypted PII are highly valuable to data thieves. PIIscan searches systems, hard drives, and attached storage devices for unencrypted sensitive data. If it does find unencrypted sensitive data, it provides the path to the file where the unencrypted information was found.


If you are fulfilling the requirements of security standards and mandates like the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA), it’s important to know where PII is on your systems and whether it’s encrypted or not.

PIIscan searches not only for PII, but also for payment card data like primary account numbers and magnetic stripe track data. PIIscan finds the following information:

USA Social Security Numbers (SSN)
UK National Insurance Numbers (NINO)
Canada Social Insurance Numbers (SIN)
Australian Tax File Numbers (TFN)
Australian Business Numbers (ABN)
Primary account numbers (PAN)
Magnetic stripe track data
Protected Health Information (PHI)
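To make concrete what a discovery scan does for two of the data types above, here is an added example written for this page (not PIIscan's code or SecurityMetrics' code): it scans constructed log lines for Luhn-valid primary account numbers and US Social Security Numbers and reports the source name and line number with the value masked. The sample lines and the name app.log are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: four log lines of the kind an error or audit log might hold.
SAMPLE_LOG = """\
2024-05-01 auth failed for customer card 4111 1111 1111 1111 exp 12/26
2024-05-01 order 1234567890123456 shipped
2024-05-01 form upload ssn=123-45-6789 applicant=J. Doe
2024-05-01 placeholder id 000-12-3456
"""

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself a PII cache."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text: str, source: str) -> List[Dict[str, object]]:
    """Report each PAN or SSN found in `text`, with its source name and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):   # drop Luhn-invalid runs such as order numbers
                findings.append({"type": "PAN", "source": source,
                                 "line": lineno, "value": mask(digits)})
        for m in SSN_RE.finditer(line):
            findings.append({"type": "SSN", "source": source,
                             "line": lineno, "value": mask(m.group())})
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "app.log"):
        print(f"{f['type']} in {f['source']}:{f['line']} -> {f['value']}")
```

Run against the sample, it reports the card number on line 1 and the SSN on line 3, while the Luhn-invalid order number and the never-issued SSN prefix are skipped.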


More tips to help you find and protect PII data:

1. Monitor your PII data flow
To help find PII flows you might not immediately know about, create and regularly update a PII flow diagram that tracks the processes you go through as you receive, use, store, or transmit sensitive data.

This will help you see where PII enters and exits your organization.

Here are some areas where unprotected PII may be hiding:
  • Printers often store old jobs, which could include sensitive data
  • Error logs frequently contain sensitive numbers in plaintext during a failed authentication
  • Accounting and marketing departments may have email or paper forms with PII
  • Web browser cache may store PII inadvertently

2. Secure and Encrypt PII
When possible, avoid using and storing PII. You can also avoid storing sensitive data by using tokenization or outsourcing sensitive data handling to a third party.

But if you do need to keep data, make sure to find and encrypt PII. All electronic PII that is received, stored, handled, or transmitted in your systems and work devices must be encrypted. Industry best practice would be to use AES-128, AES-256, or better.

3. Segment Your Networks
While not all mandates require network segmentation, it’s considered security best practice to keep your networks that handle sensitive data like PII separate from your other networks.

Whether done physically or through firewall rules, make sure the systems that receive, store, handle, and transmit sensitive data are kept separate from the rest of your environment. Verify that the separation holds by regularly performing “segmentation checks.”

Learn more about sensitive data discovery tools or call us about a PCI audit or HIPAA audit at