Exposure, disclosure, data breaches, leaks, social media, and a myriad of open-source data serve to provide access to personal information that can be used to craft, target, and execute various social engineering attacks on unsuspecting individuals. This research endeavored to quantify personal information exposure. Experts from 12 industries and academia were asked to take part in a Delphi process to assess, categorize, and assign levels of exposure to 105 personal information components compiled from the literature. Three categories of personal information were quantified: unidentifiable, potentially identifiable, and definitely identified, which can be directly associated with a respective risk nomenclature: low, medium, and high. The resulting feedback provided the item weights, measures, and categories to assess personal information exposure of clients, associates, key personnel, information systems, storage mechanisms, as well as leaked or breached data.