
What is Sensitive Data? Sensitive Data Definitions, Types & Examples

Aug 6, 2020

What is Sensitive Data?

Sensitive data is information that must be protected against unauthorized disclosure. It can be in physical or electronic form and includes PII (Personally identifiable information), PHI (Protected health information), and more. There are three main types of sensitive data that hackers and malicious insiders tend to exploit: personal, business, and classified information. If sensitive data falls into the wrong hands, it could be a fatal blow to the parties concerned, whether they are individuals, companies, or government entities.

Implementing strict measures when granting access to personal or confidential data, particularly when it involves individual privacy and intellectual property rights, is essential to mitigate any potential risks arising from data breaches. For example, a security breach in a government agency could expose classified information to foreign powers. Similarly, unauthorized access to individual or company data could lead to severe issues such as corporate espionage, insurance risks, cyber threats, or customer or employee data privacy violations.

Levels of Sensitive Data

Data is generally categorized by its sensitivity. A combination of federal or industry-specific regulations and organizational policies typically determines the categories or classifications. This article focuses on business information, as governments and defense agencies have their own data classification systems.

Sensitive data can be classified into four main types:

  • Public – Low data sensitivity or public classification
  • Internal – Moderate data sensitivity or internal classification
  • Confidential – High data sensitivity or confidential classification
  • Restricted – Extremely sensitive data or restricted classification

Public: Low data sensitivity

This class of data poses little to no risk to an organization. Data in this group can be accessed by anyone, as there are no restrictions on its accessibility. Examples include press releases, website information, social media posts, published research, research proposals, and information already available in the public domain.

Internal: Moderate data sensitivity

Moderate sensitivity covers data whose leakage would only cause minimal harm to the organization or an individual. Examples of moderately sensitive data include building plans, corporate policies, organizational charts, and IT service information.

Confidential: High data sensitivity

Highly sensitive and confidential data must be protected by law or corporate policies that apply to it. If the data is breached, it could cause significant harm to the organization or an individual. This includes personal data such as PII, PHI, and financial information, as well as confidential company information such as employee contracts, M&A, financial information, board documents, etc.

Restricted: Extreme Sensitivity

If leaked, extremely sensitive data could pose serious financial, legal, or regulatory consequences for the organization. This information needs to be restricted to only individuals who are authorized to handle it. Examples include social security numbers, identifiable human subject research, bank accounts, trade secrets, intellectual property, patents, investor information, etc.

Sensitive Data Types

There are many different approaches to sensitive data classification. As such, many different versions and varieties of sensitive information exist. One version uses several data categories to separate them from one another in terms of importance and potential harm they could bring if they fall into the wrong hands:

  • Personally Identifiable Information (PII) – A relatively broad category of sensitive information that covers practically everything that could be associated with a specific person and used in a harmful way.
  • Protected Health Information (PHI) – Data regulated by HIPAA, covering all health information that could be used to identify a patient.
  • Nonpublic Personal Information (NPI) – Refers to personally identifiable financial information provided by a financial institution or resulting from consumer transactions or services performed unless otherwise publicly available.
  • Material Non-Public Information (MNPI) – Any company data that has not been released to the public but could impact a company’s share price.
  • Attorney-Client Privileged Information (ACPI) – Refers to everything that could be considered communication between attorneys and their clients, implying that all such communication must be confidential and protected.

Sensitive Data Categories

Customer Information

Customer information is sensitive data that contains a client’s personal information (PII), such as transaction records, phone numbers, email addresses, home addresses, names, digital fingerprints, and pictures. If it gets into the wrong hands, it could cause severe personal harm to your customers and cause distrust between customers and the company.

Employee Data

Just like customer information, your employees’ data is also sensitive and must be handled with great care. If it leaks, it could cause cyber or physical assaults on your employees. The data could include the employee’s banking details, home address, and login details.

Industry-Specific Data

Sensitive industry data needs to be protected at all costs. For example, patient medical reports must be protected under HIPAA and HITECH in the medical sector. In the retail industry, the transaction details of all customers must be protected under various state and government Privacy Acts, as well as PCI DSS.

Personal Data

Personally identifiable information (PII) is any data that could potentially identify a specific individual, distinguish one person from another, or be used to deanonymize previously anonymous data. PII management is governed by multiple domestic and international guidelines such as the Privacy Act, HIPAA, GLBA, CCPA, CPRA, GDPR, etc., each with different requirements.

It’s important to distinguish between personal data and sensitive personal data.

Sensitive personal data generally falls into specific categories, such as race and ethnicity, health information, financial data, biometrics, genetics, trade union or association memberships, and political or philosophical beliefs. Its disclosure could cause potential personal harm, discrimination, an impact on an individual’s rights, financial fraud, identity theft, or reputational damage.

Personal data, on the other hand, identifies an individual but is not confidential by nature and does not pose a risk on its own. For example, disclosing a person’s name on its own would not be enough to facilitate identity theft.

General Data Protection Regulation (GDPR) Definition Of PII

Organizations that collect, store, and process the data of any European Union individuals must adhere to the General Data Protection Regulation (GDPR). GDPR’s definition of personal data is not that much different from the regular definition of PII. It is data that either contains information that directly identifies the person or data that can be used to identify an individual indirectly. GDPR defines personal data as:

  • Name
  • ID Number
  • Location Data
  • Physical characteristics
  • Political opinion or party affiliation
  • Individual religious beliefs
  • Trade union membership
  • Sexual preferences
  • Race or ethnicity
  • Genetic data
  • Biometric data such as fingerprints and pictures

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) definitions of PII and SPI

The California Consumer Privacy Act (CCPA) protects consumers from mismanagement of their personal data and gives individuals control over what personal data is collected, processed, shared, or sold. The California Privacy Rights Act (CPRA) amends the CCPA to add new consumer rights to correct inaccurate personal information and limit the use and disclosure of their sensitive information. It also includes additional regulations for companies that purchase, sell, or exchange personal data of more than 100,000 households or customers in California.

CCPA Personal Information Definition

CCPA defines personal information as any information that identifies, relates to, or could reasonably be linked with you or your household. It does not include publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records. Some information is exempted from privacy regulations, including information that a business believes is lawfully available to the general public or disclosed by the consumer to a specific audience. Certain data types, such as medical and consumer credit reporting information, are exempted.

CCPA uses four main “characteristics” to determine whether a specific piece of information is considered personal:

  • Descriptive information covers anything describing a consumer, including personal address, phone number, and drug prescription.
  • Reasonably linkable information gathered from an operating system or other software may not be intended to track an individual, but if taken from the system in question, it could still lead to one.
  • Identifying information that can be used to describe a person or persons.
  • Information that can be related to a person through its purpose – such as data received from various online tracking methods such as cookies.

CPRA Sensitive Personal Information (SPI) Definition

The California Privacy Rights Act (CPRA) has introduced a new category called Sensitive Personal Information (SPI), which applies stricter disclosure and purpose limitation regulations. As per the law, the security measures for this category of data should be appropriate to its type, indicating that SPI needs additional protection.

SPI includes the following data:

  • Social Security Number
  • Driver’s license
  • State identification card
  • Passport Number
  • Financial account information and log-in credentials
  • Debit Card or Credit Card number along with access codes
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Citizenship or immigration status
  • Ethnic origin
  • Contents of communication
  • Genetic data
  • Biometric information for the purposes of identification
  • Health information
  • Information about sex or sexual orientation

Sensitive Data That Hackers or Malicious Insiders Would Look For

You need to protect sensitive data from two types of threats: external threats, such as hackers, and insider threats, that stem from malicious or negligent employees and contractors.

While there are a lot of different sensitive data types, hackers and malicious insiders consider the following the most valuable:

  1. Customer information. Sensitive customer data such as payment cards, emails, names, addresses, etc., that can be used as is or combined with other stolen information to create a more complete profile of your customers.
  2. Employee data. While there is overlap with customer data details, this is a separate category because of the extra sensitive employee data you store, like banking info used to pay wages, username and password combos, etc.
  3. Trade Secrets or Intellectual Property. Anything that is proprietary to your organization and offers competitive advantages, such as code, schematics, and product specifications, can be sold to competitors or nation states.
  4. Digital Infrastructure. Bad actors want to access sensitive data and look for a free ride. They want access to your infrastructure to store their own data and applications so they don’t have to pay for the applications and storage themselves.

Sensitive Data Protection and Exposure Prevention

To effectively protect sensitive data, you need to take the following steps:

1. Identify and Classify all sensitive data

The first step is to identify and categorize all of your organization’s data based on its sensitivity, known as data classification. This task may seem simple, but it’s often complicated due to the vast amount of data organizations generate and store daily. The process of identifying sensitive data is constant and ever-changing. A document may start out with low sensitivity but may become more sensitive if certain information is added. Organizations must be able to identify both data that is regulated by privacy acts such as GDPR and data that is organizationally sensitive.

2. Assess data risks

Data theft and leakage are recurring problems. It is not just an IT problem; sensitive data governance affects all other departments in an organization. Insider threats and cyberattacks pose the most significant risks. Risks that must be assessed include the liability costs of the sensitive data breached, the location of data, the movement of these data from one source or domain to another, the volume of the sensitive data stored, etc.

3. Design Information Security Policies Using the CIA Triad

Several industries have agreed on a universal standard to guide information security policies to address risks. Commonly referred to as the CIA triad, the evaluation elements include Confidentiality, Integrity, and Availability.

  • Confidentiality is essentially related to privacy. It is about preventing unauthorized access to sensitive information without limiting access for people who are authorized to use it. There are a substantial number of countermeasures, and they vary in difficulty and effectiveness. The measures include passwords, soft tokens, data encryption, hard copy storage, limiting information destinations, transmission extensiveness, and so on.
  • Integrity is about long-term data consistency and accuracy over a specific period of time. The list of integrity measures includes file permissions, user access controls, cryptography, audit logs, backups, and more.
  • Availability focuses on data being consistently available when authorized parties need it. Availability-specific measures include frequent software patching, safeguards against data losses due to natural disasters, hardware maintenance, bandwidth provision, etc.

All three of these parameters are used to determine the security measures that have to be applied to the information piece based on its sensitivity.

4. Implement adequate security measures and monitoring

Next, you must implement security measures to enforce your information security policies and safeguard against theft of sensitive data. This includes deploying access management and data loss prevention tools. You must also monitor these measures and log access to sensitive data to ensure there are no vulnerabilities in the process. There are a lot of technologies available to assist with these measures. It is vital to employ data-centric methodologies that apply access and security controls at the data level in addition to network security, identity management and firewall tools for effective data security.
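As an illustration of step 1, the following added example (not code from the article or from any archTIS product) labels text with the four levels described above and shows a document's level rising as content is added. The rule table, the mapping of each rule to a level, and the Internal default for unmatched text are assumptions of this example; the sample text is constructed.

```python
import re
from enum import IntEnum

class Level(IntEnum):  # the article's four levels, lowest to highest
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out arbitrary digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def valid_ssn(m: re.Match) -> bool:
    """Reject number ranges that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def valid_card(m: re.Match) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", m.group(0)))

# Assumed rule table: (name, pattern, validator, level). Levels follow the article's examples.
RULES = [
    ("ssn", re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), valid_ssn, Level.RESTRICTED),
    ("payment_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), valid_card, Level.CONFIDENTIAL),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: True, Level.CONFIDENTIAL),
]

def classify(text: str, default: Level = Level.INTERNAL):
    """Return (level, matched rule names). Unmatched text gets `default`, not PUBLIC:
    this example assumes PUBLIC requires an explicit publishing decision."""
    hits = {name: lvl for name, rx, ok, lvl in RULES if any(ok(m) for m in rx.finditer(text))}
    return max([default, *hits.values()]), sorted(hits)

if __name__ == "__main__":
    # Constructed sample: one document re-scanned after each edit.
    draft = "Onboarding checklist for new hires."
    for added in ("", " Contact: jane.doe@example.com", " SSN on file: 123-45-6789"):
        draft += added
        level, why = classify(draft)
        print(level.name, why)
```

Pattern matching of this kind only finds data with a recognizable format; trade secrets, board documents and similar content still need owner-assigned labels.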

Sensitive Data Exposure and its Consequences

The extent of harm caused by sensitive data exposure solely depends on the type of data that has been exposed. There are three general categories of potential damage caused by a breach or exposure:

  • Reputational damage. Data breach events alter the perception of the business in the eyes of the public, customers and potential customers. Aside from reputation loss and diminished goodwill, there are also costs associated with losing and acquiring new customers.
  • Regulatory fines. Data breaches involving government and industry regulations can be incredibly harmful to organizations. Such incidents typically result in hefty penalties and fines imposed by data privacy laws such as the CCPA, GDPR, and other associated costs.
  • Financial consequences. These are significant for companies that experience a data breach, with the average cost of a data breach reaching an all-time high of USD 4.45 million in 2023. Costs can include forensic and investigative activities, assessment and audit services, crisis management and communications, post-breach notifications, business downtime or disruption, and legal activities, which can all negatively impact a company’s bottom line.

It’s essential for organizations to prioritize data security measures to avoid such incidents and safeguard their reputation and finances.

Achieving Effective Data Governance and Security

Data privacy and integrity are vital to any organization’s protection of its most critical asset—data. Data discovery, classification, access, and security measures are paramount to preventing sensitive data loss and exposure.

The archTIS suite of products applies and enforces dynamic, policy-driven access controls and data-centric protection to ensure your users and partners can access, share, and collaborate on sensitive information securely and compliantly.
