Benchmark: How much PII does the average organization store?

Do you know how much personally identifiable information (PII) your organization holds? According to our analysis, you probably have more PII than you think.

Written by Belinda Walsh

Reviewed by Adam Roberts

Do you know how much personally identifiable information (PII) your organization holds? How confident are you that you currently manage it all?

This is a tricky question to answer. Most would struggle to hazard a guess, even though we know accurate answers would enable us to make better privacy decisions and justify to our organization that more investment in risk reduction is needed.

Why is it tricky? Organizations like yours are collecting more customer data from more sources, losing visibility and control of sensitive data and setting up a potential goldmine for hackers.

A data breach would significantly impact your organization, with the average total cost of a data breach at US $4.45 million, or $165/record. Such breaches are becoming more frequent and damaging, with 1,802 data compromises affecting 422.1 million victims in the United States in 2022. In Australia, 497 breaches were notified in the second half of 2022.

So how do you answer this question in such an information void? Typically, you lean on market benchmarks, but finding one applicable to your organization can be difficult.

Building a PII benchmark

RecordPoint customers can quickly and accurately understand how much PII they have using our Intelligence Signals feature.

We’ve seen the impact this feature has had on our customers and their ability to reduce risk, so we wanted to share our knowledge with the broader community.

You probably have more PII than you think

Key insights

  • PII is everywhere, with half of all records analyzed containing PII.
  • While we will delve into the numbers further, this headline figure hints at the scale of organizations’ challenges.

Key insights

  • Unsurprisingly, industries that deal directly with customers and citizens store higher levels of PII.
  • The government/public sector stored the highest proportion of PII, with over half of their data containing PII. Organizations in this category need to handle PII, such as citizens’ names, addresses, and contact details, to deliver essential services across all three levels of government.
  • The financial services industry came in second on the list. Considering hackers frequently target financial services organizations, this industry needs to invest in ensuring that it manages and secures this data.

Key insights

  • Organizations with between 1001 and 5000 employees tend to have the most extensive collection of PII.
  • Larger organizations with over 10,000 employees have the least PII, suggesting that as the organization grows, leadership introduces more robust disposal processes and adequate staffing, reducing the amount of PII they hold together.  
  • Such organizations are perhaps more heavily regulated, putting further onus on them to manage data appropriately.
  • These findings suggest that organizations with between 1001 and 5000 employees face dual challenges:
    – A larger data corpus from a more diverse range of data sources.
    – Less robust processes or staffing to manage it.

Why this matters

For this report, we have defined a subset of PII encompassing data that we believe are potentially most sensitive, which we will term “critical PII.” These are:

  • US Passport
  • US Driver’s License
  • US Social Security Number
  • AU Tax File Number
  • AU Medicare Number

Key insights

  • Of all the records analyzed, 8.8% had critical PII.  
  • Aside from the not-for-profit sector, similar levels of critical PII were detected regardless of industry.  
  • Financial services organizations must access and store critical PII for billing and identity verification tasks. In Australia, this would include 100 points of ID checks.
  • The not-for-profit sector typically handles critical PII in the context of their employees, rather than PII used for identity verification, like government or financial institutions.  
  • Again, organizations with between 1001 and 5000 employees had the most extensive collection of critical PII.

Why this matters

While our primary focus with this report is PII, payment card industry (PCI) data is also a security risk for organizations.

Many organizations have specific transaction-based systems that are compliant with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. However, organizations must ensure all their repositories protect cardholder data, not just those with PCI DSS compliance.

Key insights

  • While the figures here could seem low compared to the PII analysis, they may include PCI data that may have crept into repositories unsuitable for storing PCI, which makes this a priority for organizations.
  • Once again, organizations with between 1001 and 5000 employees tend to have the most PCI detected.

Essential takeaways

Understand what you have

  • You must address PII risk regardless of industry, organization size, or business focus.
  • The presence of PII isn’t necessarily ‘bad’ in and of itself. But if your organization loses track of sensitive data or fails to implement important data retention or access policies, this PII goes from an essential business asset to a liability.

Secure what matters

  • Organizations must establish appropriate security policies and practices that limit the potential misuse of personal information.  
  • Once you have an accurate data inventory, you can move the most sensitive data to a more secure data source, manage who can access it, and remove it when legally permitted.

Growing organizations need to get ahead of their increasing PII risk

  • Organizations with between 1001 and 5000 employees have the most potential risk, with the most significant proportion of their data containing PII and critical PII.
  • These organizations urgently need to resolve any mismatch between the quantity of data they hold and the resources they allocate to understanding, securing, and removing it. They have the most to gain from automation and improved tooling.
  • If your organization fits into this definition, you must lean more heavily on automation and advances in AI/ML to overcome the shortfall in staffing and ensure you understand, control, and protect PII.

These results may concern you. You may be worried about how much PII your organization has. As we’ve discussed, your first step is to understand your data.

RecordPoint allows organizations to connect to all their data sources to discover their data, enforce policies, and understand their PII risk. You can contain threats, uncover suspicious activities, and confidently respond to data breaches.  

These activities help build data trust and reduce your risk of a data breach or regulatory penalty.