Sensitive data is information that must be protected against unauthorized access. Access to sensitive data should be limited through sufficient data security and information security practices designed to prevent unauthorized disclosure and data breaches.
Your organization may have to protect sensitive data for ethical or legal requirements, personal privacy, regulatory reasons, trade secrets and other critical business information. Such data could pose increased social, reputational, legal, employability or insurance risk for you and/or your customers if exposed.
Pair this with the rise of regulatory scrutiny for many industries and we have more of a need for data management, vendor risk management, third-party risk management, and cyber security than ever before.
The loss, misuse, modification or unauthorized access to your most sensitive data can damage your business, ruin customer trust, breach customer privacy and in extreme cases, affect the security and international relations of nations.
Table of contents
- Examples of sensitive data
- What is personal data?
- How to measure data sensitivity
- What is the impact of unauthorized disclosure of sensitive data?
- How to protect sensitive data
- How UpGuard can help you protect your most sensitive data
Sensitive information includes all data, whether original or copied, which contains:
- Personal information: as defined by the North Carolina Identity Theft Protection Act of 2005, a series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy.
- Protected Health Information (PHI): as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.
- Education records: as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.
- Customer information: as defined by the Gramm-Leach-Bliley Act (GLB Act, GLBA or the Financial Modernization Act of 1999), requiring financial institutions to explain how they share and protect their customers' private information.
- Cardholder data: as defined by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard that tells organizations how to handle branded credit cards from the major card schemes.
- Confidential personnel information: as defined by the State Personnel Act.
- Confidential information: in accordance with the North Carolina Public Records Act.
- Personal data: as defined by The EU General Data Protection Regulation (GDPR).
In general, sensitive data is any data that reveals:
- Racial or ethnic origin
- Political opinion
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
- Financial information (bank account numbers and credit card numbers)
- Classified information
Personal data (or personal information) is information that can identify an individual.
GDPR defines personal data as anything that:
- Directly identifies an individual, such as a person's name, surname, phone number, social security number, driver's license number or any other personally identifiable information (PII); or
- Is pseudonymous data (non-directly identifying information) that does not allow direct identification but does allow singling out an individual's behaviour (such as serving a targeted ad to a user at the right moment).
GDPR was established to set a clear distinction between directly identifying information and pseudonymous data.
GDPR encourages the use of pseudonymous information over directly identifying information as it reduces the risk of data breaches having adverse effects on individuals.
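The following is an added example (not UpGuard's code) of the pseudonymisation GDPR encourages: direct identifiers are replaced by a keyed HMAC token, so the same individual can still be singled out across records while the name and e-mail never leave the controller. The records and the key are constructed for the demonstration.

```python
from __future__ import annotations
import hashlib
import hmac

# Constructed sample records; the people, addresses and page views are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "page": "/pricing"},
    {"name": "Bob Example",   "email": "bob@example.com",   "page": "/docs"},
    {"name": "Alice Example", "email": "alice@example.com", "page": "/checkout"},
]

# Fields that directly identify a person and must not be shared downstream.
DIRECT_IDENTIFIERS = ("name", "email")

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    The secret key is what makes this pseudonymisation rather than plain hashing:
    e-mail addresses have little entropy, so an unkeyed hash of them is weak
    protection, whereas recomputing an HMAC requires the key. Keep the key
    separate from the pseudonymised data set (it is the re-identification key)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymize(records: list[dict], key: bytes) -> list[dict]:
    """Drop direct identifiers and add a stable token derived from the e-mail."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["subject_id"] = pseudonym(rec["email"], key)
        out.append(kept)
    return out

def pages_per_subject(pseudo_records: list[dict]) -> dict[str, list[str]]:
    """Analytics still works on the pseudonymised set: one individual's behaviour
    can be linked across records (e.g. to time an ad) without knowing who they are."""
    by_subject: dict[str, list[str]] = {}
    for rec in pseudo_records:
        by_subject.setdefault(rec["subject_id"], []).append(rec["page"])
    return by_subject

def contains_direct_identifiers(records: list[dict]) -> bool:
    """Gate to run before a data set is handed to a processor or vendor."""
    return any(k in DIRECT_IDENTIFIERS for rec in records for k in rec)

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-out-of-the-dataset"
    pseudo = pseudonymize(RECORDS, key)
    assert not contains_direct_identifiers(pseudo)
    for subject, pages in pages_per_subject(pseudo).items():
        print(subject[:12], pages)
```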
To determine how sensitive specific data is and how it should be classified, think about the confidentiality, integrity and availability (CIA triad) of that information and how its exposure would impact your organization or its customers.
This is a common way to measure data sensitivity and is a framework provided in the Federal Information Processing Standards (FIPS) by the National Institute of Standards and Technology (NIST).
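As an added illustration (example code, not UpGuard's) of the NIST method referred to above, which is set out in FIPS 199: each information type gets a low, moderate or high impact rating per CIA objective; a system holding several types takes the highest rating per objective; and the overall level is the high water mark across objectives. The information types and their ratings are constructed.

```python
from __future__ import annotations
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact if confidentiality, integrity or availability is lost."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")
Category = dict  # {"confidentiality": Impact, "integrity": Impact, "availability": Impact}

def security_category(c: Impact, i: Impact, a: Impact) -> Category:
    """Security category of one information type: one rating per CIA objective."""
    return dict(zip(OBJECTIVES, (c, i, a)))

def system_category(info_types: dict[str, Category]) -> Category:
    """A system that stores several information types takes, for each objective,
    the highest impact among them (FIPS 199's aggregation rule)."""
    return {obj: max(cat[obj] for cat in info_types.values()) for obj in OBJECTIVES}

def overall_level(category: Category) -> Impact:
    """High water mark: the single level that drives baseline control selection."""
    return max(category.values())

def drivers(info_types: dict[str, Category]) -> dict[str, list[str]]:
    """Which information types set the system's rating for each objective. These
    are where protection effort belongs, and removing them is what would lower
    the system's rating."""
    sys_cat = system_category(info_types)
    return {obj: [name for name, cat in info_types.items() if cat[obj] == sys_cat[obj]]
            for obj in OBJECTIVES}

# Constructed example: a customer portal holding three information types.
PORTAL = {
    "marketing pages":  security_category(Impact.LOW, Impact.MODERATE, Impact.LOW),
    "account profiles": security_category(Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    "cardholder data":  security_category(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
}

if __name__ == "__main__":
    cat = system_category(PORTAL)
    print({k: v.name for k, v in cat.items()}, "overall:", overall_level(cat).name)
    print(drivers(PORTAL))
```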
Confidentiality is roughly equivalent to privacy.
Countermeasures that prevent unauthorized access to sensitive information, while ensuring the right people can still access it, are concerned with confidentiality.
These countermeasures range from simple awareness training to understanding the security risks associated with handling the information and how to guard against them, to sophisticated cybersecurity software.
Examples of confidentiality countermeasures:
- Data encryption
- Two-factor authentication
- Biometric verification
- Security tokens
- Key fobs
- Soft tokens
- Limiting where information appears
- Limiting the number of times information can be transmitted
- Storing on air gapped computers
- Storing on disconnected storage devices
- Storing in hard copy only
Integrity is about maintaining the consistency, accuracy and trustworthiness of data over its lifecycle.
Sensitive data should not be changed in transit and should not be able to be altered by unauthorized people (for example when a data breach happens).
Examples of integrity countermeasures:
- File permissions
- User access controls
- Audit logs
- Version control
- Cryptographic checksums
Availability is concerned with ensuring that all information systems and sensitive data are available when needed.
Examples of availability countermeasures:
- Maintaining hardware and making repairs immediately
- Patching software as soon as possible
- Providing adequate communication bandwidth
- Fast and adaptive disaster recovery with a comprehensive disaster recovery plan
- Safeguards against data loss or interruption during natural disasters and fire
- Extra security equipment and software such as firewalls and additional servers that guard against downtime and prevent denial-of-service (DoS) attacks
Data privacy is becoming more and more important. In over 80 countries, personally identifiable information (PII) is protected by information privacy laws that outline limits to collecting and using PII by public and private organizations.
These laws require organizations to give clear notice to individuals about what data is being collected, the reason for collecting and the planned uses of the data. In consent-based legal frameworks, like GDPR, explicit consent from the individual is required.
GDPR extends the scope of EU data protection laws to all foreign companies that process the data of EU residents. It requires that all such companies:
- provide data breach notifications
- appoint a data-protection officer
- require user consent for data processing
- anonymize data for privacy
The United States has similar laws dictating data breach disclosure, with all 50 US states having data breach laws in some form requiring:
- Notify those affected as soon as possible
- Notify the government as soon as possible
- Pay some sort of fine
The first step in protecting sensitive data is data classification.
Depending on data sensitivity, different levels of protection are required. The key thing to understand is that not all data is equal, and it is best to focus your data protection efforts on the sensitive data defined above.
Examples of non-sensitive information:
- Public information: Information that is already a matter of public record or knowledge
- Routine business information: Business information that is routinely shared with anyone from inside or outside your organization
Effective information security starts with assessing what information you have and identifying who has access. Understanding how sensitive data moves into, through and out of your organization is essential to assessing potential vulnerabilities and cybersecurity risks.
This means taking inventory of everywhere your organization uses sensitive data and where you hand off sensitive data to third-party and fourth-party vendors.
This will allow you to understand how information flows through your organization and give you a complete picture of who sends personal information in your organization, who receives sensitive data, what information is collected, who keeps the information collected and who has access to the information.
UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their sensitive data and prevent breaches.
UpGuard BreachSight's typosquatting module can reduce the cyber risks related to typosquatting, along with preventing breaches, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.