PII

PII (personally identifiable information) is any data that can identify a specific person, such as a name, Social Security number, birthdate, or address. In AP Cybersecurity it's classified as highly sensitive data whose exposure compromises confidentiality.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is PII?

PII stands for personally identifiable information. It's any data that can be tied back to a real person, either on its own or combined with other data. Think Social Security numbers, full names, birthdates, home addresses, and account numbers. The reason it matters in cybersecurity is simple: if an attacker gets your PII, they can impersonate you, drain your accounts, or open credit in your name.

In AP Cybersecurity, PII falls under Unit 5 as a type of highly sensitive data. Per EK 5.1.C.2, high-risk data is data that's governed by laws or regulations and could cause serious harm if exposed. PII fits the bill. When PII gets accessed by someone unauthorized, that's a confidentiality compromise (EK 5.1.C.1). And because so much PII sits in unencrypted files or weakly protected databases, it's exactly the kind of data an adversary goes after once they have access to a device or drive (EK 5.1.A.1).

Why PII matters in AP Cybersecurity

PII lives in Unit 5, Topic 5.1 (Application and Data Vulnerabilities and Attacks). It directly supports learning objective AP Cybersecurity 5.1.C, where you assess and document risks from data vulnerabilities. The core idea from EK 5.1.C.1 is the CIA triad, and PII exposure is the textbook example of a confidentiality failure. PII also raises the stakes on every other vulnerability in the unit. A SQL injection or a directory traversal attack isn't just a technical bug. If it pulls PII out of a database, it becomes a high-severity incident because the data is regulated and the harm is real. That's the connection the exam wants you to make: vulnerability plus sensitive data equals high risk.

How PII connects across the course

PHI (Unit 5)

PHI is protected health information, basically PII for medical records. The healthcare practice question about patient names, birthdates, and medical record numbers is asking you to recognize PHI, which is just PII in a healthcare context governed by regulations.

PCI (Unit 5)

PCI refers to payment card information standards. Credit card and account data is another flavor of regulated sensitive data, so PII, PHI, and PCI together cover the three big categories of 'data the law cares about' under EK 5.1.C.2.

Data at rest (Unit 5)

PII sitting in a database or on a drive is data at rest. EK 5.1.A.1 says unencrypted files can be read by anyone with access, so unencrypted PII at rest is one of the easiest wins for an attacker.

SQL injection (Unit 5)

SQL injection is one of the application attacks that actually steals PII. The attack exploits weak input checks (EK 5.1.B.2), and the prize at the end is usually a table full of personally identifiable information.
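The weak input check described above, as an added example that is not from this page's author or the AP course materials: a constructed in-memory SQLite table of fictional customers is queried once with the input pasted into the SQL text and once with a bound parameter. The table, column and function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: fictional people; SSN area number 000 is never issued.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "000-12-3456", "1990-01-15"),
    ("bob", "Bob Example", "000-65-4321", "1985-07-30"),
    ("carol", "Carol Example", "000-11-2222", "2001-11-02"),
]

# Constructed input containing a quote character, the kind of value an
# input check has to handle safely.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory table holding PII (name, SSN, birthdate)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers "
        "(username TEXT, full_name TEXT, ssn TEXT, birthdate TEXT)"
    )
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db, username):
    """Weak input check: the input becomes part of the SQL statement itself."""
    query = (
        "SELECT full_name, ssn, birthdate FROM customers "
        "WHERE username = '" + username + "'"
    )
    return db.execute(query).fetchall()


def lookup_parameterized(db, username):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    query = "SELECT full_name, ssn, birthdate FROM customers WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("parameterized", lookup_parameterized)):
        for value in ("alice", CRAFTED_INPUT):
            print(f"{label:13} {value!r:16} -> {len(fn(db, value))} PII row(s)")
```

With the concatenated query, the crafted input returns every row in the table, which is the confidentiality compromise of EK 5.1.C.1; with the bound parameter it matches no username and returns nothing.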

Is PII on the AP Cybersecurity exam?

Expect PII on multiple-choice questions as a classification problem. A stem will describe a piece of data (a Social Security number, a name plus birthdate, an account number) and ask which term applies, or which item counts as PII that could compromise someone's identity. Another common pattern hands you a scenario, like a database of patient records with weak encryption, and asks you to name the type of sensitive data at risk. No released FRQ uses 'PII' verbatim, but the concept feeds the risk-assessment reasoning behind objective 5.1.C: you identify the data, label it as highly sensitive, and explain that exposure is a confidentiality compromise. Your job is to connect 'this is PII' to 'this is high risk because it's regulated.'

PII vs PHI

PII is any data that identifies a person. PHI is health-specific PII, like medical record numbers and diagnoses, protected under healthcare regulations. All PHI is PII, but not all PII is PHI. A name on its own is PII; a name tied to a patient record is PHI.

Key things to remember about PII

  • PII is personally identifiable information, any data that can identify a specific person, such as a name, SSN, birthdate, or address.

  • Exposing PII is a confidentiality compromise under the CIA triad described in EK 5.1.C.1.

  • PII counts as highly sensitive, high-risk data because it's often governed by laws and regulations (EK 5.1.C.2).

  • Unencrypted PII at rest can be read by anyone with access to the device or drive (EK 5.1.A.1).

  • PHI and PCI are specialized categories of regulated sensitive data; PHI is health PII and PCI is payment card data.

Frequently asked questions about PII

What is PII in AP Cybersecurity?

PII (personally identifiable information) is any data that can identify a specific person, like a Social Security number, name, birthdate, or address. In Unit 5 it's treated as highly sensitive data whose exposure breaks confidentiality.

Is PII the same as PHI?

No. PHI (protected health information) is a subset of PII that lives in healthcare contexts, like medical record numbers and diagnoses. All PHI is PII, but plenty of PII (a home address, for example) has nothing to do with health.

Why is PII considered high-risk data?

Because it's regulated by laws and can cause real harm if leaked, matching the high-risk definition in EK 5.1.C.2. A leak of PII lets attackers steal identities or commit fraud, which is why exposing it counts as a serious confidentiality compromise.

How does an attacker get PII?

Common routes include reading unencrypted files when they have device access (EK 5.1.A.1) and pulling it out of databases through application attacks like SQL injection that exploit weak input checks (EK 5.1.B.2).

Is PII tested on the AP Cybersecurity exam?

Yes. Multiple-choice questions ask you to identify which data is PII or to classify sensitive data in a scenario, and the concept supports the risk-assessment reasoning in learning objective AP Cybersecurity 5.1.C.
