This is an ongoing problem
"Unfortunately for Mishra, this data is defined as user passwords, payment information, and authentication tokens – and not IP addresses and domain-name lookups."
Yes, this is the same problem we run into when companies start talking about "personally identifiable information" generally -- the definition of PII used by pretty much every company in existence and the definition I have are two very different things.
In my view, PII is any information that can be used to identify you. However, companies define it as a piece of information that is listed in their pre-ordained list of specific data items, all of which omit lots of information that can be personally identifying.
This is why I simply ignore any claims made about protecting "PII", since we don't even agree on our definitions.