How to Securely Send PII Over Email

Sending PII Over Email: Security & Compliance Considerations

If your business receives PII over email from customers, contractors, or other individuals, there are strict regulations you must follow to avoid costly fines.

Is it safe to send PII via email? Not in its ordinary form: standard email is neither end-to-end encrypted nor reliably authenticated, so you should avoid emailing PII at all. If you must, the PII itself has to be encrypted before it leaves your control and the recipient has to be authenticated, so that a copy intercepted in transit, or read out of a mail server or mailbox, is unreadable.

What Is Personally Identifiable Information (PII)?

Simply stated, personally identifiable information (PII) is any information that allows someone to infer another person’s identity, directly or indirectly. “Infer” here covers anything that makes the identity determinable, on its own or in combination with other data.

While this seems self-evident, PII is rather ill-defined in the U.S. As such, it can be hard to separate what constitutes PII and what doesn’t—especially when different contexts can change what it means to disclose confidential information.

KEY TAKEAWAYS

  1. Standard email is inherently insecure for PII transmission

    Unencrypted email leaves sensitive personal information vulnerable to interception, data breaches, and compliance violations.

  2. Legal consequences for improper PII handling are severe

    Organizations face substantial penalties under GDPR, HIPAA, and other regulations, potentially reaching millions in fines for non-compliance.

  3. End-to-end encryption provides the strongest protection

    E2EE keeps the message encrypted all the way from sender to recipient. TLS only protects each hop between mail servers, is opportunistic by default and so can be downgraded on the path, and leaves the message in plaintext on every server and mailbox in between.

  4. Secure alternatives to email should be prioritized

    Encrypted portals, secure file-sharing platforms, and password-protected files offer more protection than standard email attachments.

  5. Comprehensive security requires both technology and training

    Beyond encryption tools, regular employee security awareness training is essential to prevent accidental PII exposure.

What’s the Difference Between Personally Identifiable Information (PII) and Protected Health Information (PHI)?

Personally Identifiable and Protected Health Information (PII/PHI) are both sensitive data types, but they differ in scope, context, and regulatory requirements.

PII refers to any information that can identify an individual on its own or when combined with other data. This includes names, Social Security numbers, addresses, phone numbers, and email addresses. PII is regulated under various laws depending on the industry and region, such as GDPR, CCPA, and, for U.S. federal systems, the Privacy Act and FISMA.

PHI, on the other hand, is a subset of PII specifically related to an individual’s health. It includes medical records, diagnoses, treatment information, insurance details, and any data tied to a person’s health status or care. PHI is strictly regulated under the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and applies only when the data is handled by covered entities (e.g., healthcare providers, insurers) or their business associates.

Key difference: All PHI is PII, but not all PII is PHI. PHI must include health-related data and be created, received, or maintained by a covered entity.

Understanding the distinction is vital for applying the correct privacy controls, especially when working in regulated industries like healthcare.

NIST SP 800-122 Guidelines on Categorization of PII

NIST SP 800-122 defines PII as information that can be used to distinguish or trace an individual’s identity, plus any other information that is linked or linkable to that individual. Linked information is already logically associated with other information about the person and can identify them directly. PII examples in this category include:

  • First and Last Name
  • Home Address
  • Work Address
  • Social Security Number (SSN)
  • Phone Number (Work, Home, or Cell)
  • Information About Personal Property (Vehicle Identification Numbers, etc.)
  • Birthdate
  • Credit or Debit Card Numbers
  • Email Addresses
  • IT-associated Information (Device-specific MAC Addresses, IP Addresses, Serial Numbers, etc.)

Linkable information is less direct: by itself it identifies no one, but an outside party could combine two or more such items, or join them with other data, to single someone out. Linkable information includes:

  • Common First and Last Names
  • Racial and Gender Categories
  • Age
  • Job Title
  • Broader Address Items (City, State, Country, or Zip Code)

Linkable PII may appear “safer” than linked PII, but you cannot predict which combination of linkable items will single someone out: birthdate, gender and five-digit ZIP code together identify a large share of the U.S. population. Use platforms, tools, and processes that protect both kinds of PII within your specific business cases.

With that in mind, PII is defined and treated slightly differently under different data privacy regulations:

  • Under the Health Insurance Portability and Accountability Act (HIPAA), the relevant category is protected health information (PHI): individually identifiable health information about a patient’s condition, care or treatment, or payment for care, when it is created, received or maintained by a covered entity or business associate (Privacy Rule).
  • The Payment Card Industry Data Security Standard (PCI DSS) covers cardholder data: the primary account number (PAN) together with the cardholder name, expiration date and service code. Requirement 4.2.2 requires that PAN be protected with strong cryptography whenever it is sent via end-user messaging technologies such as email, instant messaging or SMS, so an unencrypted card number in an email body is a direct violation, and any name, address, phone number or email address that identifies the cardholder travels with it.
  • FedRAMP authorizes cloud services at three impact levels (Low, Moderate, and High) whose control baselines are drawn from NIST SP 800-53. The PII a system handles tends to scale with its level: a Low system may hold little beyond login credentials (username and password), while High systems may process data such as PHI. Every baseline includes the transmission confidentiality control (SC-8), so PII may only be emailed in encrypted form.

Sensitive vs. Non-Sensitive PII Classification

Understanding the distinction between sensitive and non-sensitive PII is crucial for appropriate data handling and risk management.

Sensitive PII is information that, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Examples include financial account numbers, Social Security numbers, biometric records, medical information, and driver’s license numbers. This type of PII often falls under specific regulatory protection, such as the GDPR’s “special categories of personal data” (e.g., race, religion, health data). The two lists are not the same, though: an SSN or account number is sensitive PII in U.S. usage but is not a GDPR special category, while trade-union membership is a special category under Article 9 and rarely appears on U.S. lists.

Due to the high risk associated with its exposure, sensitive PII demands stringent security controls, such as strong encryption both at rest and in transit, strict access controls, comprehensive audit logging, and data masking or tokenization where possible.

Non-sensitive PII, on the other hand, is information that, while potentially identifying, is generally publicly available or would not typically cause significant harm if disclosed. Examples include zip codes, publicly listed phone numbers, or general job titles. While still requiring protection, the security measures for non-sensitive PII might be less rigorous than those for sensitive PII, though combining multiple non-sensitive pieces can sometimes escalate the risk level, necessitating a careful assessment.

How to Identify PII Within Your Organization

Identifying where Personally Identifiable Information (PII) resides in your organization is a critical first step in managing data privacy, meeting regulatory obligations, and reducing risk. The following checklist provides a structured approach to discovering, classifying, and documenting PII across systems and business processes:

  • Define Project Scope and Objectives: Clearly outline which departments, systems (including email servers, databases, cloud storage, third-party applications), and business processes handle potential PII. Understand the goals, whether for regulatory compliance, risk reduction, or data minimization.
  • Conduct Stakeholder Interviews: Engage with key personnel across different departments (e.g., HR, Finance, Marketing, IT, Legal) to understand how they collect, use, store, and transmit PII, including practices around sending PII via email. Gather insights into data flows and perceived risks.
  • Utilize Automated Discovery Tools: Employ specialized software designed to scan systems, databases, file shares, and potentially email archives for patterns matching known PII types (e.g., SSNs, credit card numbers, specific keywords). These tools can significantly accelerate the inventory process.
  • Develop Data Flow Diagrams: Visually map how PII enters, moves through, is processed by, and leaves the organization. Pay close attention to transfer points, such as email gateways, API integrations, and third-party sharing, to identify potential vulnerabilities.
  • Classify Identified PII: Categorize discovered PII based on sensitivity (sensitive vs. non-sensitive) and regulatory relevance (e.g., GDPR, HIPAA, CCPA, etc.). Apply consistent data classification tags to data repositories where possible.
  • Document Findings Rigorously: Maintain a comprehensive PII inventory detailing the type of PII, its location, owner, purpose of processing, retention period, security controls, and associated data flows. This documentation is essential for demonstrating compliance during audits and informing risk assessments.

How Does the General Data Protection Regulation (GDPR) Define PII?

Under GDPR, personal data is any information “relating to an identified or identifiable natural person (data subject)”, where a person is identifiable if they can be identified “directly or indirectly.” Article 4(1) lists typical identifiers: a name, an identification number, location data, an online identifier, or “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

GDPR’s “personal data” is broader than the usual U.S. notion of PII, and the legal consequences differ accordingly. Anything that can be related to an identifiable person is personal data and must remain secure, private, and confidential. This includes security logs that carry user identifiers or IP addresses, consent forms, cookies, and any tag or token used to maintain a customer’s session or experience on an online platform.

It also means that you could face steep penalties for emailing personal data in violation of GDPR: administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).

Learn more about sharing PII in compliance with GDPR: How to Send PII via Email in Compliance with GDPR

What’s the Difference Between PII and Personal Data?

While PII is ill-defined in the United States, the European Union has made the concept concrete: “personal data” is defined in the text of the General Data Protection Regulation itself (Article 4(1)) and is the term used consistently throughout the regulation, its supporting guidance, and related legal documentation.

Encryption Techniques to Secure PII

Encryption is the standard way to protect personally identifiable information (PII) before it is sent over email. PII is worth protecting because its exposure enables identity theft, payment fraud, and targeted social engineering. Encrypting the PII itself, rather than relying only on the transport, keeps it confidential while it moves between mail servers and while it sits in mailboxes, so that only holders of the right key can read it. The techniques below are the building blocks; note that hashing and tokenization are not encryption and do not let a recipient recover the original value, so they solve different problems. Here are the common approaches:

Symmetric Encryption for Protecting PII

Symmetric encryption uses a single secret key to both encrypt and decrypt. Ciphers such as AES-256 are fast, and in an authenticated mode such as AES-GCM they protect both confidentiality and integrity; in an unauthenticated mode (AES-CBC without a MAC, for instance) they provide confidentiality only, and a shared key never proves which party sent a message. The difficulty for email is key distribution: the secret key has to reach the recipient through some channel other than the email itself, and every holder of the key can read every message protected with it.

Asymmetric Encryption for Protecting PII

Asymmetric encryption uses a key pair: the sender encrypts with the recipient’s public key and only the matching private key decrypts. Because public-key operations are slow and limited in message size, email standards such as S/MIME and OpenPGP use a hybrid scheme in which a fresh symmetric key encrypts the message and the recipient’s public key encrypts only that key. The scheme is only as good as the sender’s knowledge of the right public key: obtain it from a trusted directory or certificate chain, not from an unauthenticated email, or an attacker can substitute their own.

Hashing for PII Protection

Hashing produces a fixed-size fingerprint from which the input cannot be directly recovered, so it is useful for matching or de-duplicating records without storing the PII itself. It is not a way to transmit PII (the recipient cannot recover the value), and it protects PII only when the input is hard to guess. Most PII has a tiny input space: every possible SSN, birthdate, or phone number can be enumerated and hashed in seconds to minutes, so an unsalted hash of such a field is effectively reversible. Where a hash must be stored, use a keyed hash (HMAC with a secret key held only by the matching service) or a slow, salted password-hashing function.
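What “practically impossible” means for PII, as an added example in Go (not code from the original page or from Kiteworks): the input space of most PII fields is small enough to enumerate. The code hashes a constructed birthdate with unsalted SHA-256, recovers it by hashing every date from 1900 to 2025, and then shows that the same enumeration fails against an HMAC computed with a secret key. The date format and the key are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// sha256Hex is the "irreversible fingerprint": SHA-256, hex-encoded, no salt, no key.
func sha256Hex(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])
}

// hmacHex is a keyed digest. Without the key nobody can compute candidate digests,
// so offline enumeration of the input space stops working.
func hmacHex(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// birthdates enumerates every calendar date from 1 Jan fromYear to 31 Dec toYear
// as YYYY-MM-DD, the storage format assumed for the field.
func birthdates(fromYear, toYear int) []string {
	start := time.Date(fromYear, 1, 1, 0, 0, 0, 0, time.UTC)
	end := time.Date(toYear, 12, 31, 0, 0, 0, 0, time.UTC)
	var dates []string
	for d := start; !d.After(end); d = d.AddDate(0, 0, 1) {
		dates = append(dates, d.Format("2006-01-02"))
	}
	return dates
}

// recoverSHA256 returns the candidate whose unsalted SHA-256 equals target, or ""
// if none does. This is the whole attack: hash every possible value and compare.
func recoverSHA256(target string, candidates []string) string {
	for _, c := range candidates {
		if sha256Hex(c) == target {
			return c
		}
	}
	return ""
}

func main() {
	// Constructed scenario: a column stores SHA-256(birthdate) instead of the birthdate.
	stored := sha256Hex("1987-06-23")
	space := birthdates(1900, 2025)
	fmt.Printf("birthdates 1900-2025: %d candidates\n", len(space))
	fmt.Println("recovered from SHA-256:", recoverSHA256(stored, space))

	// Same field protected with HMAC under a key that never leaves the matching
	// service (hypothetical key; in production it lives in a KMS or HSM).
	key := []byte("hypothetical-secret-key")
	keyed := hmacHex(key, "1987-06-23")
	fmt.Println("recovered from HMAC without the key:", recoverSHA256(keyed, space) == "")

	// Scale: a 9-digit SSN has 10^9 candidates, a phone number far fewer once the area
	// code is known. A stored salt defeats precomputed tables, not this per-record loop.
}
```

The 46,021 candidate dates take milliseconds; the full SSN space takes minutes on one core. A per-record salt only multiplies that cost by the number of records, which is why a secret key (or a deliberately slow KDF where no key can be kept) is the real fix.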

Tokenization for PII Protection

Tokenization replaces a sensitive value with a token that has no meaning outside the system that issued it; a separate token vault holds the mapping back to the original. It suits PII in storage and in transaction flows, because systems that only need to reference a record can carry the token and stay out of scope for the controls that apply to the raw value (PCI DSS treats properly tokenized card numbers this way). The protection holds only as long as the vault is isolated and more tightly controlled than the systems that use the tokens: a compromised vault exposes everything, and emailing a token achieves nothing unless the recipient is authorized to redeem it.

Encryption Key Management for PII Protection

Proper key management is what makes the techniques above hold up. Keys must be generated from a cryptographically secure random source, stored in a hardware security module or cloud KMS rather than beside the data they protect, and released only to authorized parties and processes. Rotate keys on a schedule, revoke and replace any key suspected of compromise, and keep a retired key available only for decrypting data that has not yet been re-encrypted under its successor.

While implementing a combination of these encryption techniques can create a strong and comprehensive security strategy for protecting PII, it is important to regularly review and update encryption methods to ensure that they are up to date and effective against emerging threats.

Email Alternatives for Sending PII

Abstinence may be the best remedy for protecting PII.

Think about what it takes to handle PII: secure servers, encryption, policies, procedures, audits, and more. Your email platform must therefore meet the same stringent requirements. Sending PII in plain, unencrypted email will not satisfy the data privacy regulations discussed here, much less protect customers’ privacy.

If you must share PII, consider some key alternatives. While data encryption in transit and at rest is a given, organizations should consider the following alternatives for exchanging PII in compliance with regulations like GDPR, HIPAA, CCPA, and others:

SFTP or Other File Transfers

SFTP, configured properly (host keys verified, key- or MFA-based accounts, no anonymous access), provides a secure and auditable way to transfer files. Managed file transfer (MFT) platforms add workflow, policy, and logging on top. The cost is friction for the recipient: outside industries where SFTP or MFT is the norm, few customers will install a client and manage credentials to pick up a single document.

Secure Email Links

Secure email links blend the best of secure servers and email into one package. Instead of sending the encrypted data, the organization sends a notification email containing a link to a message held on an encrypted server. The recipient must authenticate to that server (ideally with MFA) before reading the message containing PII, and the notification itself carries no PII in its body or subject line.

This last option is the simplest and most manageable way to protect PII over email. Not only does it remove the burden on users to learn or adopt new technologies, but it also shifts responsibility from the user to the IT infrastructure. With secure email links, you can ensure you meet other email compliance requirements like audit logs and user access management.

Acceptable Methods for Emailing PII Securely

Emailing Personally Identifiable Information (PII) presents inherent risks if not properly secured. To ensure data protection and regulatory compliance, organizations should adopt secure methods tailored to their operational needs and risk tolerance. Below are several accepted approaches for transmitting PII via email, each offering varying levels of security, usability, and implementation complexity:

  • End-to-End Encrypted Email: Uses protocols such as S/MIME or OpenPGP, or an integrated platform such as the Kiteworks Private Data Network, to encrypt the message from sender to recipient so that no intermediate server can read it. Aligns well with GDPR and HIPAA encryption expectations. S/MIME and OpenPGP encrypt the body and attachments but not the headers, so the subject line and recipient list stay visible; never put PII in a subject. Both require setup (key or certificate exchange) and compatible software on both ends, plus key management policies and user training.
  • Secure Web Portals: Recipients receive a notification email with a link to a secure online portal where they must log in (authenticate) to view the message or download files containing PII. Provides strong access control, authentication, and audit logs that support regulatory compliance. Recipients must perform extra steps, typically multi-factor authentication (MFA) at login, which is less convenient than direct email, and the organization needs a dedicated portal platform, user provisioning, and clear instructions for recipients.
  • Password-Protected Attachments: Encrypting individual files (PDFs, ZIP or 7-Zip archives) containing PII with a strong password before attaching them to a standard email. Use a format with real encryption (AES-256 in 7-Zip or in ZIP tools that support AES, or PDF with AES); the legacy ZipCrypto scheme in many ZIP tools is broken and offers little protection. This meets basic encryption needs but hinges entirely on secure password delivery, so it is often insufficient for strict regulations if password handling is weak. Usability is simple, but it relies on sender and recipient coordinating the password, requires users to know how to encrypt files, and needs a separate, secure channel (phone call, secure messenger) for the password. Sending the password in the same or a follow-up email negates the protection.
  • Zero-Trust File Links (Secure Links): Similar to portals but focused on file sharing. The email contains a unique, expiring link to a secure server from which the recipient downloads the PII-containing file, usually after authenticating. Provides strong security, auditability, and control over access, aligning well with compliance mandates, and is generally user-friendly, often integrated into secure file sharing or private data network platforms such as Kiteworks. Requires platform setup and policy configuration.

Legal and Compliance Issues When Sending PII Over Email

Sending PII over standard email exposes it to unauthorized access. Transport between mail servers is usually protected by TLS, but that protection is hop-by-hop and opportunistic by default, so it can be stripped by an attacker on the path, and the message is stored in plaintext on every server and in every mailbox along the way, where anyone who compromises an account, a server, or a backup can read it. Organizations face further risks when sending PII over email, including:

  1. Data Protection: Sending PII over email may violate data protection law in the sender’s or the recipient’s jurisdiction. Regulations and standards may require the sender to take additional measures to secure the email and to ensure the data is not disclosed inappropriately.
  2. Privacy and Consent: Sending PII over email may violate privacy and consent law in those jurisdictions. In some cases the individual’s permission, or another lawful basis, must be established before their personal data can be sent.
  3. Anti-spam Laws: Unsolicited commercial email is restricted in many jurisdictions (CAN-SPAM in the U.S., for example), and any email containing PII must also be sent in accordance with those laws.
  4. International Transfers: Sending PII over email may also involve moving data between countries, triggering additional legal and compliance obligations, such as the transfer rules of the EU General Data Protection Regulation (GDPR).

PII Email Compliance Checklist

Email remains a common but risky channel for transmitting personally identifiable information (PII). To reduce exposure and ensure regulatory compliance, organizations must enforce strict email handling procedures. The following checklist outlines essential steps to securely manage PII in email communications—from minimizing data shared to ensuring encryption, consent, and proper oversight:

  1. Confirm Necessity and Minimize Data: Before sending PII via email, verify it’s absolutely necessary. Explore alternative methods. If email is required, send only the minimum amount of PII needed for the specific purpose (data minimization principle).
  2. Obtain Explicit Consent (If Applicable): Ensure you have the data subject’s explicit consent for sending their PII via email, especially under regulations like GDPR, unless another lawful basis applies. Document this consent.
  3. Verify Recipient Identity and Address: Double-check the recipient’s email address for accuracy. Implement measures to verify the recipient’s identity, particularly for highly sensitive PII. Avoid sending to generic or group addresses if possible.
  4. Mandate Use of Approved Secure Methods: Enforce organizational policies requiring the use of specific, approved secure transmission methods, such as email solutions containing end-to-end encryption, secure portals, or secure file links. Prohibit sending sensitive PII via standard, unencrypted email.
  5. Apply Strong Encryption: Protect PII with current encryption both in transit and at rest. TLS is the baseline for transit but, being hop-by-hop and opportunistic between mail servers, is insufficient on its own for sensitive data; AES-256 in an authenticated mode is the norm at rest. Use end-to-end encryption for the email body, or encrypt the attachments that contain PII.
  6. Secure Attachments Properly: If PII travels as an attachment, encrypt the file with strong encryption (AES-256; avoid the legacy ZipCrypto scheme, which is broken) and a long, unique password. Crucially, deliver the password through a separate, secure channel (a phone call or a secure messaging app), never in the same email or a follow-up email.
  7. Implement Data Loss Prevention (DLP): Use DLP tools to monitor outbound emails, detect potential PII, and automatically block or encrypt messages according to policy, reducing accidental exposure.
  8. Provide Regular User Training: Educate employees about the risks of emailing PII, the applicable regulations, organizational policies, and the correct procedures for the approved secure methods. Awareness sessions should drive home the answer to “is it safe to send confidential information in an email?”: not without the safeguards above.
  9. Maintain Comprehensive Audit Logs: Ensure your email security solution logs all relevant activities, including sender, recipient, timestamp, PII detection (if applicable), and security actions taken (e.g., encryption applied). Retain audit logs as required by regulations and internal policy.
  10. Manage Encryption Keys Securely: If using methods requiring key management (e.g., S/MIME, PGP), establish secure processes for key generation, distribution, storage, rotation, and revocation.
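Automated PII discovery (in the identification checklist earlier) and the DLP step in this checklist both come down to pattern matching with validation, so that an order number is not treated as a card number. The following is an added example in Go, not code from the original page or from Kiteworks, that scans constructed outbound message bodies for payment card numbers (regex plus Luhn check) and U.S. SSNs (regex plus SSA issuance rules), masks the matches for logging, and maps the findings to an assumed block/encrypt/allow policy. The message texts, the policy, and the masking format are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one PII hit in an outbound message; Value is masked so the log holds no PII.
type Finding struct {
	Kind  string // "card" or "ssn"
	Value string
}

// Decision is the gateway's action for a message (assumed policy, see decide).
type Decision string

const (
	Allow   Decision = "allow"
	Encrypt Decision = "encrypt" // divert to the secure-link or end-to-end encrypted path
	Block   Decision = "block"
)

var (
	// Payment card: 13 to 19 digits, optionally grouped by spaces or hyphens.
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// US SSN: area-group-serial with optional separators.
	ssnRe = regexp.MustCompile(`\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b`)
)

// luhnValid is the check-digit test every card number passes; it filters out
// order numbers and timestamps that merely look like cards.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible applies the SSA issuance rules: area is never 000, 666 or 900-999,
// group is never 00, serial is never 0000.
func ssnPlausible(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// mask keeps the last four digits, which is all an audit log should record.
func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// scanMessage returns all PII findings in body. Card matches are handled first and
// blanked out so the SSN pattern cannot re-match nine-digit fragments of a card.
func scanMessage(body string) []Finding {
	var findings []Finding
	buf := []byte(body)
	stripSep := strings.NewReplacer(" ", "", "-", "")
	for _, loc := range cardRe.FindAllStringIndex(body, -1) {
		digits := stripSep.Replace(body[loc[0]:loc[1]])
		if luhnValid(digits) {
			findings = append(findings, Finding{"card", mask(digits)})
			for i := loc[0]; i < loc[1]; i++ {
				buf[i] = 'x'
			}
		}
	}
	for _, m := range ssnRe.FindAllStringSubmatch(string(buf), -1) {
		if ssnPlausible(m[1], m[2], m[3]) {
			findings = append(findings, Finding{"ssn", mask(m[1] + m[2] + m[3])})
		}
	}
	return findings
}

// decide maps findings to an action. Assumed policy: card numbers never go out in
// plain email (PCI DSS requires PAN sent by email to be strongly encrypted); SSNs
// force the encrypted path.
func decide(findings []Finding) Decision {
	verdict := Allow
	for _, f := range findings {
		switch f.Kind {
		case "card":
			return Block
		case "ssn":
			verdict = Encrypt
		}
	}
	return verdict
}

func main() {
	// Constructed outbound messages, not real data.
	samples := []string{
		"Hi, my SSN is 219-09-9999 for the W-4.",
		"Card on file: 4111 1111 1111 1111 exp 12/27",
		"Order 1234567812345678 shipped; ticket 000-12-3456",
		"Lunch at 12:30?",
	}
	for _, s := range samples {
		f := scanMessage(s)
		fmt.Printf("%-8s %v  <- %q\n", decide(f), f, s)
	}
}
```

Real gateways add context (keywords such as “SSN” near the number, document fingerprints, exact-match lists exported from HR or billing systems) to cut false positives further, and they scan attachments after extracting their text; the structure is the same as shown here.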

NIST PII Standards on Protecting PII

NIST does not publish a single “PII standard.” The relevant guidance is NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information, which defines PII, explains how to assess its confidentiality impact level and lists safeguards; the security and privacy controls in NIST SP 800-53, including the PT (PII Processing and Transparency) family added in Revision 5; and the NIST Cybersecurity Framework (CSF) and NIST Privacy Framework, which organize those controls into an overall program. Between them they cover data collection, storage, transmission, software development, physical and logical access control, encryption, and audit and reporting.

Organizations should build on these NIST documents because they are comprehensive, actionable, and maintained by an authoritative source, so they give a solid foundation for handling sensitive customer data responsibly and reduce the risk of security incidents and privacy breaches. They also map directly to regulatory expectations: HIPAA does not mandate NIST controls, but HHS points covered entities to NIST SP 800-66 for implementing the Security Rule and defines “secured” PHI, which is exempt from breach notification, by reference to NIST encryption guidance, so aligning with NIST makes compliance far easier to demonstrate.

Send Secure Email With Kiteworks

The Kiteworks Private Data Network provides advanced protection and compliance for sensitive content, such as personally identifiable information (PII), and other confidential information that enterprises share with trusted partners across various communication channels.

Kiteworks secure email and Kiteworks secure file sharing comply with several key regulatory compliance requirements without sacrificing usability or enterprise functionality.

Kiteworks also combines a hardened virtual appliance, end-to-end encryption, and audit logs to ensure that employees can securely share, collaborate, and manage PII and other confidential information from any device or location.

In addition, the Kiteworks Email Protection Gateway automates email protection with end-to-end encryption to protect private email content from cloud service providers and malware attacks.

Kiteworks also provides detailed visibility into all file activity—who sent what to whom, when, and how—to ensure that documents remain compliant with industry regulations and standards, such as GDPR, HIPAA, the Cybersecurity Maturity Model Certification (CMMC), and many others. This makes Kiteworks an invaluable tool for organizations that need to protect PII and demonstrate compliance with relevant regulations.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.
