I’m in the property casualty insurance business. Appropriately, we have a standard that prohibits us from using production personally identifiable information (PII) (real client name, address, driver license number, SSN, etc.) in a non-production environment. Makes sense – protect the client. So we obfuscate all sensitive data as policies and claims are copied from production to non-production environments, to be used for testing purposes. We are not currently obfuscating policy number and claim number. We choose to do this, as it is helpful during system testing to trace the test data back to the original policy/claim, should there be something not working properly. Also, policy number and claim number are keys on nearly every database table in the system, so obfuscating these fields would substantially increase the work involved when copying data from production to non-production.
Here’s my question: Do you consider policy number and/or claim number to be PII, knowing that all other “real” data has been obfuscated?
Thank you for sharing your thoughts!
Ameriprise Auto & Home Insurance
With the disclaimer that I know that privacy laws in the US are different from those where I am (Canada): Our privacy laws would require the policy number (at a minimum) to be treated as PII, as it is directly related to the rest of the identifying data. The claim number is a bit more gray, since a claim can have multiple policies associated with it in some cases and, therefore, may not, in and of itself, qualify as PII, even though it traces back to one or more sets of PII. That said, I believe most of our insurance companies here would still treat it the same. Likely out of “an abundance of caution” type of thing.