Personally identifiable information (PII) is any data that can identify a specific individual, such as a name tied to a Social Security number, address, or date of birth. In AP Cybersecurity, PII is a type of highly sensitive data whose exposure compromises confidentiality and triggers high-risk ratings under Topic 5.1.
Personally identifiable information (PII) is data that points to one real person. Think Social Security numbers, full names tied to addresses, dates of birth, driver's license numbers, or account credentials. On its own, a city name isn't PII. But combine enough pieces and you can pin down exactly who someone is, and that's the line you're watching for.
In AP Cybersecurity, PII falls under Unit 5 (Securing Applications and Data), specifically Topic 5.1. It's one of the clearest examples of "highly sensitive data" described in EK 5.1.C.2, the kind of data that is often governed by laws or regulations. If an adversary reads PII they shouldn't have, you've lost confidentiality, the first leg of the CIA triad. That's why protecting PII drives so many of the controls you study: encryption for data at rest, access controls so only the right users can see files, and input validation so attacks like SQL injection can't pull it out of a database.
PII lives in Unit 5, Topic 5.1, and it's the practical stake behind the whole topic. Learning objective 5.1.C asks you to assess and document risks from application and data vulnerabilities, and PII is the textbook case of high-impact data. EK 5.1.C.2 says high risk comes from highly sensitive data (often regulated) that could be compromised through a likely exploit, so PII is usually the data that pushes a risk rating up. It also connects to 5.1.A: if files holding PII are unencrypted and an adversary gets device access (EK 5.1.A.1), or if weak access controls let too many users in (EK 5.1.A.3), that PII is exposed. Protecting PII is the reason confidentiality matters (EK 5.1.C.1).
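The "combine enough pieces" test above is easier to see in code. The following is an added example, not part of the study guide: a small Python classifier that applies a simplified rule (any direct identifier such as an SSN counts on its own; a full name only counts once it is paired with an address or date of birth), plus a redaction pass that finds and masks SSNs, dates of birth and email addresses that have leaked into free text such as application logs. The field names, regular expressions and sample log lines are all constructed for this example.

```python
import re
from typing import Dict, List

# Direct identifiers: any one of these alone points to a specific person.
DIRECT_IDENTIFIERS = {"ssn", "drivers_license", "account_credentials"}
# Quasi-identifiers: weak on their own, but a full name plus one of these
# singles out one person. Simplified rule, constructed for this example.
QUASI_IDENTIFIERS = {"address", "date_of_birth"}


def is_pii_record(record: Dict[str, str]) -> bool:
    """Decide whether a record of field -> value identifies a specific individual."""
    present = {field for field, value in record.items() if value}
    if present & DIRECT_IDENTIFIERS:
        return True
    return "full_name" in present and bool(present & QUASI_IDENTIFIERS)


# Patterns for PII that tends to leak into free text (US-style formats assumed).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def redact(text: str) -> str:
    """Replace each PII pattern with a placeholder so the line is safe to store."""
    text = SSN_RE.sub("[SSN]", text)
    text = DOB_RE.sub("[DOB]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


def find_pii(lines: List[str]) -> List[int]:
    """Return the indexes of the lines that contain at least one PII pattern."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


# Constructed sample log: a user id and a city are not PII by this rule,
# but an SSN, a date of birth or an email address is.
SAMPLE_LOG = [
    "2024-01-15 10:02:11 INFO  login ok user_id=4821",
    "2024-01-15 10:02:19 DEBUG profile update ssn=123-45-6789 dob=07/04/1990",
    "2024-01-15 10:03:02 WARN  reset requested for jane.doe@example.com",
    "2024-01-15 10:04:44 INFO  city=Austin search returned 12 rows",
]

if __name__ == "__main__":
    print("lines with PII:", find_pii(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print(is_pii_record({"full_name": "Jane Doe", "city": "Austin"}))
    print(is_pii_record({"full_name": "Jane Doe", "address": "1 Main St"}))
```

Running `find_pii` over a log before it is written to disk is the same idea as the controls in Topic 5.1: the data at rest should never contain PII that the application did not need to keep.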
PHI and PCI (Unit 5)
PII is the broad category; PHI (protected health information) and PCI (payment card data) are specialized, regulated subsets. If you can identify the person AND it's medical or payment data, you've stacked sensitivity, which is why these get extra legal protection.
Data at rest, in transit, and in use (Unit 5)
PII has to be protected in all three states. Encrypt it on the drive (at rest), encrypt it as it crosses the network (in transit), and limit who can see it while a program works with it (in use). The same data, three different attack surfaces.
SQL injection and XSS (Unit 5)
These application attacks are how adversaries actually steal PII. A SQL injection can dump a whole database of customer records, so the input validation you learn in 5.1.B is really PII protection in disguise.
Confidentiality in the CIA triad (Unit 5)
PII exposure is the classic confidentiality failure from EK 5.1.C.1. When you see a question about unauthorized access to sensitive data, PII is the example the exam wants you to picture.
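The "SQL injection and XSS" entry above says input validation is PII protection in disguise. As an added example (not code from the study guide), here is a Python lookup against an in-memory SQLite table of constructed, fictitious customer records, written two ways: a weak version that pastes the caller's value into the query text, and a hardened version that binds the value as a parameter and, as defense in depth, rejects anything that is not a well-formed email address. The table, the column names and the demonstration input are all constructed for this example.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed, fictitious customer PII used as sample data.
CUSTOMERS = [
    (1, "Alice Example", "111-22-3333", "alice@example.com"),
    (2, "Bob Example", "444-55-6666", "bob@example.com"),
    (3, "Carol Example", "777-88-9999", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # Weak pattern: the caller's value becomes part of the SQL text, so a value
    # containing quote characters changes the meaning of the WHERE clause.
    query = f"SELECT name, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    # Hardened: parameter binding sends the value separately from the SQL text,
    # so the database always treats it as data, never as query syntax.
    return conn.execute(
        "SELECT name, ssn FROM customers WHERE email = ?", (email,)
    ).fetchall()


def is_valid_email(email: str) -> bool:
    """Allow-list validation (Topic 5.1.B): accept only a plausible email shape."""
    return re.fullmatch(r"[\w.+-]+@[\w-]+\.[\w.-]+", email) is not None


def lookup_defended(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Validation first, then the parameterized query: two independent controls."""
    if not is_valid_email(email):
        raise ValueError("rejected: input is not a well-formed email address")
    return lookup_safe(conn, email)


if __name__ == "__main__":
    conn = build_db()
    # Constructed demonstration input: a value that is not an email address at all.
    probe = "' OR '1'='1"
    print("vulnerable rows returned:", len(lookup_vulnerable(conn, probe)))  # whole table
    print("parameterized rows returned:", len(lookup_safe(conn, probe)))     # none
    print("normal lookup:", lookup_safe(conn, "bob@example.com"))
```

The vulnerable function returns every customer's name and SSN for the probe value, which is exactly the confidentiality failure the entry describes; the parameterized query returns nothing for the same input, and the validated wrapper never reaches the database.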
Expect PII in MCQ stems that describe a scenario and ask you to name the concept. One common pattern: a company stores customer PII in a spreadsheet encrypted with a small key, and you pick the term that describes the weakness (weak encryption, since a small key is easy to crack). Another version uses role-based permissions on that spreadsheet and asks for the matching concept (access control). You'll also see straight identification questions asking which option is an example of PII or of sensitive data that requires protection. No released FRQ has used the term verbatim, but PII is exactly the kind of high-risk data a risk-assessment FRQ under 5.1.C would expect you to flag and justify. When you spot PII in a prompt, your move is to rate the risk high and connect the exposure to a loss of confidentiality.
All PHI is PII, but not all PII is PHI. PII is any data identifying a person; PHI is the narrower slice that's health-related and protected under regulations like HIPAA. If a scenario mentions medical records or a patient, reach for PHI; if it's just names, SSNs, or addresses, it's general PII.
Personally identifiable information is any data that can identify a specific individual, like a Social Security number, full name with address, or date of birth.
PII is a prime example of highly sensitive data under EK 5.1.C.2, so its presence usually pushes a risk rating to high.
Exposing PII is a confidentiality failure in the CIA triad, the most common thing PII questions are testing.
Protecting PII means securing it at rest, in transit, and in use, using encryption and access controls.
Attacks like SQL injection and XSS are the routes adversaries use to actually steal PII from applications and databases.
It's any data that can identify a specific person, such as a name tied to a Social Security number, address, or date of birth. In Unit 5 it counts as highly sensitive data, so exposing it compromises confidentiality and rates as high risk.
Not always. A common first name by itself usually can't single out one person, but combine it with other details like an SSN, address, or date of birth and it becomes PII. The test is whether the data can identify a specific individual.
PHI is a subset of PII. PII is any identifying data, while PHI (protected health information) is the health-related slice protected by laws like HIPAA. So all PHI is PII, but not all PII is PHI.
Because EK 5.1.C.2 ties high risk to highly sensitive, often-regulated data that could be exposed through a likely exploit. PII fits both halves, so when a scenario involves PII you should rate the data security risk as high.
Through application and data vulnerabilities from Topic 5.1. Reading unencrypted files with device access, exploiting weak access controls, or using SQL injection to dump a database are all ways an adversary gets to PII.