What is Sensitive Data? Sensitive Data Definitions, Types & Examples

What is Sensitive Data?

Sensitive data is information that must be protected against unauthorized disclosure.  It can be in physical or electronic form and includes PII (Personally identifiable information), PHI (Protected health information), and more. Typically, there are three main types of sensitive data that hackers and malicious insiders tend to exploit: personal information, business Information, and classified information. If any of this data falls into the wrong hands, it could deal a fatal blow to the parties concerned, regardless of whom they are; individuals, companies, and government entities alike.

It warrants the need to have tougher restrictions on people who can access personal or an organization sensitive data, especially when it pertains to individual privacy and property rights to mitigate risk. For instance, a data breach in a government agency could expose government secrets to foreign powers. The same could be applied to individual or company data, which could pose grave risks like corporate spying, insurance risk, cyber threats or a breach of customer or employee data.

Levels of Sensitive Data

The sensitivity of data is generally classified into different types depending on sensitivity. Their classifications can be determined by federal regulations as procured by the security control units, industry specific or an individual such as an Information Security Officer could determine this.

Sensitive data can be classified into four main types:

• Low data sensitivity or public classification
• Moderate data sensitivity or internal classification
• High data sensitivity or confidential classification

Low data sensitivity

This class of data poses little or no risk to an individual, private organizations, or government agencies when it gets disclosed. Data in this group can be accessed by anyone, as there are little or no restrictions on its accessibility. It is more or less a piece of public information that can be discussed anywhere, and with anyone. Examples include school staff directory information, published research, research proposals, information that is already available in public domains, and also unpublished research with the permission of the researcher among others.

Moderate data sensitivity

Moderate sensitivity covers data that is subject there is a contractual obligation to protect. This means that the leakage of such data would only cause minimal harm to individuals or organizations concerned. Examples of moderately sensitive data include building plans information, individual donor records, student records, intellectual properties, IT service information, Visa and other travelling documents, security information, and contact information and documents.

High data sensitivity / confidential data

Highly sensitive and confidential data must be protected by law or other policies that apply to it. If such data is breached, it could cause significant harm to an individual or any organization. Examples include, but not limited to: personally identifiable information (PII), social security numbers, controlled unclassified info, identifiable human subject research, student loan application data, protected health data (PHI), etc. It can also include confidential company information such as trade secrets and intellectual property data, M&A, financial and Board documents.

Sensitive Data Types

Customer information

Customer information is a very sensitive data that contains clients’ personal information (PII) like transaction records, phone numbers, email address, home address, names, digital fingerprints, and in most cases, their pictures. This data is so sensitive that if It gets into the wrong hands, it could cause severe personal harm to your customers and cause distrust between customers and the company. It is safe to say that people only transact business with companies or business ventures than can assure them of maximum protection of their data.

Employee data

Just like customer information, your employee’s data is also sensitive data that must be handled with great care. If it leaks, it could cause cyber or physical assaults on your employee. The data could consist of the employee’s banking details, home address, login details, etc.

Industry-specific data

There is specific sensitive industry data that needs to be protected at all costs. For example in the medical sector, patient medical reports need to be protected under HIPAA and HITECH. Also in the retail sector, the transaction details of all the customers must be protected under various state and government Privacy Acts, as well as PCI DSS.

Personal data

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.

PII is governed by multiple domestic and international guidelines such as the Privacy Act, HIPPA, GLBA, CCPA, GDPR, etc. each with different requirements.

GDPR’s definition of PII

GDPR’s definition of personal data is not that much different from the regular definition of PII. It is data that either contains information that directly identifies the person or data that can be used to indirectly identify an individual. This means you may be able to identify an individual by using other information you hold or information you can reasonably access elsewhere. GDPR defines personal data as:

• Name
• ID Number
• Location Data
• Physical characteristics
• Political opinion or party affiliation
• Individual religious beliefs
• Trade union membership
• Sexual preferences
• Race or ethnicity
• Genetic data
• Biometric data such as fingerprints and pictures

The list of GDPR-related requirements is extensive, but the four main things you’ll have to do to comply are:

• Provide notifications about every data breach that occurs;
• Have someone with the position of a Data Protection Officer (DPO) in your company;
• Do not collect information from customers without their consent;
• Anonymize the data you’re processing for security reasons (while the encryption of the data would suffice for some types of sensitive data, others are too descriptive and identifying by their nature, allowing the tracing of such data to its origin even if it’s pseudonymized or encrypted).

Sensitive data that hackers would look for

While there’s a lot of different sensitive data types, hackers consider the following the most valuable:

1. Customer information.  Sensitive customer data such as payment info, emails, names, addresses, and so on that can be used as is or combined with other stolen information to create a more complete profile of your customers.
2. Employee data. While this might seem similar to the customer data, this is a separate category because of the extra sensitive employee data your store like banking info used to pay wages, username and password combos, and so on.
3. Trade secrets/Intellectual property. Anything that’s is proprietary to your organization and competitive advantage such as code, schematics and product specifications and can be sold to competitors or nation states.
4. Trade secrets/Intellectual property. Anything that’s is proprietary to your organization and competitive advantage such as code, schematics and product specifications and can be sold to competitors or nation states.
5. Digital Infrastructure. Hackers don’t just want to access sensitive data – they also look for a free ride. They will hack your infrastructure to store their own data and applications so they don’t have to pay for the applications and storage themselves.

Sensitive Data Protection and Exposure Prevention

What are the steps that need to be taken to identify and protect sensitive data?

1. Identify all sensitive data

The first step is to identify and group all the data your organization holds based on its sensitivity. This process is also known as sensitive data classification. This might sound like an easy task though, but it is not. From time to time, as there is new data created every day. The process of finding sensitive data is constant and ever-changing. Organizations or agencies must also be able to identify data that is relevant under regulations that apply to them such as the General Data Protection Regulation (GDPR).

2. Assess data risks

Data theft and leakage is a recurring problem and it is difficult to stop. It is not just an IT problem, because it affects all other departments in an organization or government unit. Sensitive data is always targeted by cybercriminals and you must assess the risk. Risks such as the liability cost of the sensitive data, location of these data, the movement of these data from one source or domain to another, and the size of the sensitive data that is being stored in a company, etc.

3. Implement adequate security measures and monitoring

This process follows the previously listed steps. This step involves creating viable security measures to safeguard against theft of sensitive data and applying them to the sensitive data that you’ve identified. you must also monitor these measures and log access to sensitive data to ensure there are no vulnerabilities in the process.

4. Design Information Security Policies Using the CIA Triad

Several different industries have agreed on a single specific standard which can be used to guide information security policies that can be used in the steps above. Commonly referred to as the CIA triad, the evaluation elements include Confidentiality, Integrity, and Availability,

Confidentiality is essentially related to privacy. This part is about preventing unauthorized access to sensitive information without limiting said information for people who need to have access to it. There’s a substantial number of countermeasures, and they vary a lot in difficulty and effectiveness. The list of measures includes passwords, soft tokens, data encryption, hard copy storage, limiting information destinations, limiting transmission extensiveness, and so on.

Integrity is about long-term data consistency and accuracy over a specific period in time. The list of integrity measures includes file permissions, user access controls, cryptography, audit logs, backups, and more.

Availability focuses on data being consistently available when it is needed by authorized parties. Availability-specific measures includes frequent software patching, safeguards against data losses due to the natural disasters, hardware maintenance, bandwidth provision, etc.

Conclusion

Data privacy and integrity is vital to any organization to protect it’s most vital asset – it’s data. The application of data discovery and security measures is paramount in order to protect sensitive data exposure.