- WHAT IS SENSITIVE DATA?
Sensitive data is information that must be protected against unauthorized access. Access to sensitive data should be limited through sufficient data security and information security practices designed to prevent unauthorized disclosure and data breaches.
Your organization may have to protect sensitive data for ethical or legal requirements, personal privacy, regulatory reasons, trade secrets and other critical business information. Such data could pose increased social, reputational, legal, employability or insurance risk for you and/or your customers if exposed and is often the target of corporate spying.
Add to this the growing regulatory scrutiny of many industries, and the need for data management, vendor risk management, third-party risk management and cyber security is greater than ever.
The loss, misuse, modification or unauthorized access to your most sensitive data can damage your business, ruin customer trust, breach customer privacy and in extreme cases, affect the security and international relations of nations.
1. Examples of sensitive data
Sensitive information includes all data, whether original or copied, which contains:
- Personal information: as defined by the North Carolina Identity Theft Protection Act of 2005, a series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy.
- Protected Health Information (PHI): as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or one of its business associates) and that can be linked to a specific individual.
- Education records: as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.
- Customer information: as defined by the Gramm-Leach-Bliley Act (GLB Act, GLBA or the Financial Modernization Act of 1999), requiring financial institutions to explain how they share and protect their customers’ private information.
- Cardholder data: as defined by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard that sets requirements for any organization that stores, processes or transmits branded payment card data from the major card schemes.
- Confidential personnel information: as defined by the State Personnel Act.
- Confidential information: in accordance with the North Carolina Public Records Act.
- Personal data: as defined by The EU General Data Protection Regulation (GDPR).
In general, sensitive data is any data that reveals:
- Racial or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
- Financial information (bank account numbers and credit card numbers)
- Classified information
2. What is personal data?
Personal data (or personal information) is information that can identify an individual.
GDPR defines personal data as any information relating to an identified or identifiable natural person. In practice this covers two kinds of data:
- Directly identifying information, such as a person’s name, surname, phone number, social security number, driver’s license number or any other personally identifiable information (PII).
- Pseudonymous data: information that no longer directly identifies the person but still allows their behaviour to be singled out (for example, serving a targeted ad to a user at the right moment).
GDPR draws a clear distinction between directly identifying information and pseudonymous data.
It encourages pseudonymising data rather than keeping directly identifying information, because a breach of pseudonymous data has less severe effects on the individuals concerned, provided the additional information needed to re-identify them (such as a lookup table or key) is kept separately under its own technical and organisational controls.
How to protect sensitive data
The first step in protecting sensitive data is data classification.
Depending on data sensitivity, there are different levels of protection required. The key thing to understand is that not all data is equal and it is best to focus your data protection efforts on protecting sensitive data as defined above.
Examples of non-sensitive information:
- Public information: Information that is already a matter of public record or knowledge
- Routine business information: Business information that is routinely shared with anyone from inside or outside your organization
Effective information security starts with assessing what information you have and identifying who has access. Understanding how sensitive data moves into, through and out of your organization is essential to assessing potential vulnerabilities and cybersecurity risks.
This means taking an inventory of everywhere your organization uses sensitive data and of every point where you hand sensitive data off to third-party and fourth-party vendors.
The result is a map of how information flows through your organization: who sends personal information, who receives sensitive data, what information is collected, who keeps it, and who has access to it.
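The following is an added example, not code from the original page, of the data-classification step described above. It scans a set of constructed text records for the identifiers the page lists (payment card numbers, US social security numbers, e-mail addresses) and assigns each record a level, so that protection effort can be focused on the records that actually hold sensitive data. Card matches are validated with the Luhn check so that ordinary 16-digit reference numbers are not misclassified. The record names, contents, patterns and level names are all constructed for the example; a production scanner would use a broader, tuned pattern set and still route results to a human data owner, since a pattern miss is not proof that a record is non-sensitive.

```python
import re

# Constructed sample records, keyed by a file name.
SAMPLE_RECORDS = {
    "support_ticket_1042.txt": "Customer bob@example.com reports card 4111 1111 1111 1111 declined at checkout.",
    "hr_onboarding.csv": "Jane Roe,123-45-6789,2021-03-01",
    "press_release.txt": "We are pleased to announce our Q3 product launch.",
    "invoice_ref.txt": "Reference 4111111111111112 (internal tracking id)",
}

# Detection patterns for the identifier types the page lists.  The card pattern
# is deliberately loose (13-19 digits with optional spaces or dashes); Luhn
# validation below filters out the false positives it produces.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Identifier types that push a record to the highest level (cardholder data under
# PCI DSS, SSNs under identity-theft statutes).
RESTRICTED_TYPES = {"card", "ssn"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; digits must be 0-9 only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return the identifier types found in text, with the matching strings."""
    found: dict[str, list[str]] = {}
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "card":
                digits = re.sub(r"[ -]", "", match)
                if not luhn_ok(digits):
                    continue            # 16 digits that fail Luhn are not a card number
            found.setdefault(kind, []).append(match)
    return found


def classify(text: str) -> dict:
    """Map detected identifiers to a classification level."""
    found = find_identifiers(text)
    if found.keys() & RESTRICTED_TYPES:
        level = "restricted"
    elif found:
        level = "confidential"
    else:
        level = "public"                # no identifiers matched; still subject to owner review
    return {"level": level, "found": found}


def classify_records(records: dict[str, str]) -> dict[str, dict]:
    """Classify every record in the inventory."""
    return {name: classify(text) for name, text in records.items()}


if __name__ == "__main__":
    for name, result in classify_records(SAMPLE_RECORDS).items():
        print(f"{name:26} {result['level']:12} {sorted(result['found'])}")
```

Run against the constructed records, the support ticket and the HR file come out as restricted, the press release as public, and the invoice reference as public because its 16-digit value fails the Luhn check. The same classification output is what feeds the flow map: once each record has a level and a location, you know which stores and which vendor hand-offs carry restricted data.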
Five Examples of Sensitive Data
1. Customer Information
Customer information is what many people think of first when they consider sensitive data. This could include customer names, home addresses, payment card information, social security numbers, emails, application attributes, and more.
2. Employee Data
Employee data is, in many ways, similar to customer information. You have your employees’ names, addresses and social security numbers, and you may also have their banking information (for payroll), usernames and/or passwords, or data associated with a credentialing process.
3. Intellectual Property & Trade Secrets
Nearly every company has—or has access to—proprietary information of some sort stored in their network, with a third party, or in some kind of document management system. For example, if you develop software, this could be code; if you’re a hardware developer, this could be schematics. It could also extend to product specifications, competitive research, or anything that would fall under a non-disclosure agreement with a vendor. For example, let’s say company A is developing a phone and company B is helping with a design component. If company B is breached, company A is vulnerable to having sensitive information exposed—which could be catastrophic.
4. Operational & Inventory Information
This would encompass any generalized business operations or inventory. For example, if you sell physical products, you likely don’t want your sales figures disclosed—making them sensitive information as well.
5. Industry-Specific Data
Depending on your industry, there may be specific sensitive information you need to protect. Those in retail have to focus on protecting customers’ payment data, whereas those in the healthcare sector have to focus on health-specific data.
It’s important to note that customers aren’t always aware they’ve provided you with information, or where that information is living. For example, patients in a hospital provide information to their health care providers, but if that information is stored with a third party, the patient may not know that their personal data is exposed to that third party’s risk.