Cellular Phone Numbers Have Become Personally Identifiable Information (PII)
Organizations and businesses spend resources protecting customer and/or employee personally identifiable information (PII). This mitigates risks associated with identity theft and protects the organization from fines and lawsuits. The evolution and popularity of cellular phones mean that a cell phone number is now considered PII.
PII includes a broad category of information. The Office of Management and Budget (OMB) defines PII as “… information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” At the core of this definition is the simple understanding that PII is unique and exclusively assigned to an individual.
One reason for using PII is to provide better accounting and tracking of information for individuals. There may be 20 people with the name Jane Doe, but each should have their own Social Security Number, banking information, etc. The pre-assigned numbers, in turn, help verify the authenticity of the individual.
Examples of PII include:
- Social Security Number: Assigned to an individual by the Federal government.
- Driver License Number: Assigned to an individual by a state government.
- Credit Card Number: Assigned to an individual by a financial institution.
- Bank Account Number: Assigned to an individual by a financial institution.
Phone Number Portability
The two most common categories of phone numbers are landline and mobile. Landlines are physically wired into the local telephone network. These phone numbers are assigned to businesses or individuals within specific areas. If the business or person decides to move out of the area, the landline number is returned to the provider. A new number is then assigned in the new area.
Mobile phone numbers, like those assigned to cellular phones, do not have the same restrictions as landlines. Once a number is assigned and loaded to the mobile device, it can be used anywhere to connect to a cellular tower. This portability means that a person, at least in theory, can have a phone number assigned and keep it throughout their entire life, much as they keep a Social Security number. The requirement to change phone numbers after a move is eliminated.
Two Factor Authentication
Two-factor authentication (2FA) involves using a secondary method of authenticating a user to a website, device, or host. One 2FA method involves the user entering a one-time alphabetical or numerical code sent to them. Three popular ways of delivering this code are an email, a text message, or a voicemail.
Text messages and voicemails directly involve a phone number. If the one-time code is sent via text message, a hacker may have the opportunity to view, use, or manipulate it. Protecting the phone number can be another method to impede a hacker’s effectiveness.
Gateway To Data
Cellular phones have evolved into portable computing and data storage devices. Web browsing, applications, and credit card storage and/or payment options have increased convenience and flexibility for users. In theory, a mobile device today could be the only gateway between an individual and the outside world, through the internet and/or applications designed specifically for cellular phones.
If the main point of a hacker’s activity is to access PII, then the gateway to that data must be protected. While knowing an individual’s phone number does not directly provide PII access, it does provide an entry point for malicious text messages. An unintentional or accidental click on a malicious link can make the device and the stored data vulnerable to hackers. Protecting a phone number should be considered as an option to restrict access to PII.
There are many reasons for considering a cellular phone number to be PII: those described in this article, and others as well. Phone numbers used as user identification or as passwords are other considerations. The simple fact is that cellular phone numbers have evolved into personally identifiable information and should be treated as such.