Companies like LinkedIn and Yahoo had their fair share of data breaches last year. In May, a hacker stole 6.5 million encrypted passwords from LinkedIn and posted them to a Russian crime forum. What’s even better is that the hacker sold an additional 117 million email and password combinations to a handful of other websites. And just last month, Yahoo announced that its data theft was much worse than they originally let on by saying more than one billion accounts were affected. Keep in mind that this issue has been going on since 2013.

This is why businesses need to take huge steps to protect the usernames, email addresses, passwords, and security questions and answers its consumers use. However, the issue is that the definition of what information qualifies as PI varies greatly amongst different states. Take a look here.