What is Sensitive Data?

Sensitive data is confidential information that must be kept safe and out of reach from all outsiders unless they have permission to access it.

Access to sensitive data should be limited through sufficient data security and information security practices designed to prevent data leaks and data breaches.

The rise of regulatory scrutiny over sensitive data protection has culminated in a pressing need for improved data management, third-party risk management, and enhanced cybersecurity. Forsaking these now essential requirements could cost your business up to $4 million.

Examples of sensitive data

Sensitive information includes all data, whether original or copied, which contains:

Personal information

As defined by the North Carolina Identity Theft Protection Act of 2005, a series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy.

Protected Health Information (PHI)

As defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.

Education records

As defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.

Customer information

As defined by the Gramm-Leach-Bliley Act (GLB Act, GLBA or the Financial Modernization Act of 1999), requiring financial institutions to explain how they share and protect their customers' private information.

Card holder data

As defined by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an information security standard that tells organizations how to handle branded credit cards from the major card schemes.

Confidential personnel information

As defined by the State Personnel Act.

Confidential information

In accordance with the North Carolina Public Records Act.

Personal data

As defined by the EU General Data Protection Regulation (GDPR).

In general, sensitive data is any data that reveals:

  • Racial or ethnic origin 
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health data
  • Sex life or sexual orientation
  • Financial information (bank account numbers and credit card numbers)
  • Classified information

What is personal data?

Personal data (or personal information) is information that can identify an individual.

GDPR defines personal data as anything that directly identifies an individual such as a person's name, surname, phone number, social security number, driver's license number or any other personally identifiable information (PII).

This contrasts with pseudonymous data, or non-directly identifying information, which does not allow direct identification but does allow singling out of individual behaviour (such as serving a targeted ad to a user at the right moment).

GDPR was established to set a clear distinction between directly identifying information and pseudonymous data. 

GDPR encourages the use of pseudonymous information over directly identifying information as it reduces the risk of data breaches having adverse effects on individuals.

How to measure data sensitivity

To determine how sensitive specific data is and how it should be classified, think about the confidentiality, integrity and availability (CIA triad) of that information and how it would impact your organization or its customers if it was exposed.

This is a common way to measure data sensitivity and is a framework provided in the Federal Information Processing Standards (FIPS) by the National Institute of Standards and Technology (NIST).

What is confidentiality?

Confidentiality is roughly equivalent to privacy. 

Countermeasures that prevent unauthorized access to sensitive information, while ensuring the right people can still access it, are concerned with confidentiality. 

These countermeasures range from simple awareness training to understanding the security risks associated with handling the information and how to guard against them, to sophisticated cybersecurity software.

Examples of confidentiality countermeasures:

  1. Data encryption
  2. Passwords
  3. Two-factor authentication
  4. Biometric verification
  5. Security tokens
  6. Key fobs
  7. Soft tokens
  8. Limiting where information appears
  9. Limiting the number of times information can be transmitted
  10. Storing on air gapped computers
  11. Storing on disconnected storage devices
  12. Storing in hard copy only

What is integrity?

Integrity is about maintaining the consistency, accuracy and trustworthiness of data over its lifecycle.

Sensitive data, or sensitive information, should not be changed in transit and should not be able to be altered by unauthorized people (for example when a data breach happens).

Examples of integrity countermeasures:

  1. File permissions
  2. User access controls
  3. Audit logs
  4. Version control
  5. Cryptographic checksums
  6. Backups
  7. Redundancies

What is availability?

Availability is concerned with ensuring all information systems and sensitive data are available when needed.

Examples of availability countermeasures:

  1. Maintaining hardware and making repairs immediately
  2. Patching software as soon as possible
  3. Providing adequate communication bandwidth
  4. Fast and adaptive disaster recovery with a comprehensive disaster recovery plan
  5. Safeguards against data loss or interruption during natural disasters and fire
  6. Extra security equipment and software such as firewalls and additional servers that guard against downtime and prevent denial-of-service (DoS) attacks

What is the impact of unauthorized disclosure of sensitive data?

Data privacy is becoming more and more important. In over 80 countries, personally identifiable information (PII) is protected by information privacy laws that outline limits to collecting and using PII by public and private organizations.

These laws require organizations to give clear notice to individuals about what data is being collected, the reason for collecting and the planned uses of the data. In consent-based legal frameworks, like GDPR, explicit consent from the individual is required.

GDPR extends the scope of EU data protection laws to all foreign companies who process the data of EU residents. It requires that all companies:

  • provide data breach notifications
  • appoint a data-protection officer
  • require user consent for data processing
  • anonymize data for privacy

The United States has similar laws dictating data breach disclosure, with all 50 US states having data breach laws in some form requiring:

  • Notification of those affected as soon as possible
  • Notification of the government as soon as possible
  • Payment of some form of fine

Additionally, many other countries have enacted their own legislation regarding data privacy protection, and more are still in the process of doing so.

How to protect sensitive data

The first step in protecting sensitive data is data classification.

Depending on data sensitivity, there are different levels of protection required. The key thing to understand is that not all data is equal and it is best to focus your data protection efforts on protecting sensitive data as defined above.

Examples of non-sensitive information:

  • Public information: Information that is already a matter of public record or knowledge
  • Routine business information: Business information that is routinely shared with anyone from inside or outside your organization

Effective information security starts with assessing what information you have and identifying who has access. Understanding how sensitive data moves into, through and out of your organization is essential to assessing potential vulnerabilities and cybersecurity risks.

This means taking inventory of everywhere your organization uses sensitive data and where you hand off sensitive data to third-party and fourth-party vendors.

This will allow you to understand how information flows through your organization and give you a complete picture of who sends personal information in your organization, who receives sensitive data, what information is collected, who keeps the information collected and who has access to the information.
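The inventory and classification steps above, and the CIA-based measurement described earlier, can be combined in a small discovery routine. The following is an added example, not UpGuard's code: it scans constructed sample records for cardholder data (with a Luhn check to avoid flagging any 16-digit string), social security numbers and email addresses, then rates each record per CIA objective and takes the high-water mark, in the style of FIPS 199. The impact ratings in `IMPACT` are assumed values for illustration.

```python
import re
from enum import IntEnum

class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Assumed (confidentiality, integrity, availability) impact per data type.
# Real values come from your own categorization exercise, not from this example.
IMPACT = {
    "card_number": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "ssn":         (Impact.HIGH, Impact.HIGH, Impact.LOW),
    "email":       (Impact.LOW, Impact.LOW, Impact.LOW),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> set[str]:
    """Return the set of sensitive data types found in one record."""
    found = set()
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("card_number")
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", text):
        found.add("ssn")
    if re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", text):
        found.add("email")
    return found

def categorize(types: set[str]):
    """Per-objective level is the max over detected types; overall is the high-water mark."""
    if not types:
        return None              # nothing sensitive found: treat as non-sensitive
    c, i, a = (max(IMPACT[t][k] for t in types) for k in range(3))
    return {"confidentiality": c, "integrity": i, "availability": a, "overall": max(c, i, a)}

def classify_record(text: str):
    return categorize(detect(text))

SAMPLES = [  # constructed records using well-known test values, not real people
    "Invoice for jane@example.com paid with card 4111 1111 1111 1111",
    "Employee SSN on file: 123-45-6789",
    "Order ref 1234 5678 9012 3456 shipped",   # looks like a card number, fails Luhn
    "Press release: quarterly results published",
]
```

Running `classify_record` over every record in a data store gives the per-record picture of who holds which sensitive data that the inventory step calls for.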

How UpGuard can help you protect your most sensitive data

At UpGuard, we can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.

UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.
