What Is Sensitive Data?
Sensitive data is content that an individual or organization requires to be protected from unauthorized access or disclosure, in order to maintain their information security. Exposure of sensitive data can cause a number of problems, including financial or personal harm to an individual and legal or competitive issues for an organization.
Types of Sensitive Data
There are three main types of sensitive data:
1. Personal information
Personal information includes personally identifiable information (PII), protected health information (PHI), education-related information, and financial information.
2. Business information
Sensitive business data is any information that would pose a risk to a company if released (e.g., to a competitor, to the general public).
3. Classified information
Classified information, officially referred to by the United States (U.S.) government as National Security Information, is sensitive data that has been intentionally kept secret at a governmental level.
Unauthorized access to classified information has the potential to seriously endanger a government’s objectives and its international standing. The U.S. government uses three levels for classified information:
- Top Secret: applied to information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.
- Secret: applied to information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security.
- Confidential: applied to information whose unauthorized disclosure could reasonably be expected to cause damage to national security.
Examples of Sensitive Data
Examples of PII include:
- Address
- Biometric data
- Birthdate
- Citizen visa code
- Citizenship status
- Contracts
- Ethnicity
- Financials
- Gender
- Home address
- Home phone number
- Passwords
- Place of birth
- Political opinions or political organization membership(s)
- Racial or ethnic data
- Religious or ideological affiliation
- Sexual orientation
- Social security number
- Trade union membership
- Veteran and disability status
Examples of medical-specific PHI include:
- Biometric data
- Device identifiers and serial numbers
- Genetic information
- Insurance information
- Laboratory tests
- Medical records
Examples of education-related sensitive data include:
- Attendance records
- Behavior-related information
- Enrollment records
- Test results
- Transcripts
Examples of financial information-related sensitive data include:
- Bank account information
- Credit or debit card information
- Credit reports
- Loan information
- Tax forms
Examples of sensitive business data include:
- Contracts
- Customer and supplier records
- Intellectual property
- Merger or acquisition information
- Business plans (e.g., sales, marketing, corporate strategy)
- Pricing
- Trade secrets
Sensitive Data Loss
Sensitive data loss is the theft, adulteration, unauthorized sharing, or destruction of sensitive information. The term is most often used to describe sensitive data that is stored electronically on a computer or network, but it can also refer to physical documents.
Sensitive data loss most commonly occurs via networks, including the internet and email, but it can also occur via mobile data storage devices such as removable hard drives, USB sticks, laptops, and mobile devices (e.g., smartphones, tablets).
There are many different types of sensitive data loss that are initiated by external perpetrators and people inside an organization. Several common causes of sensitive data loss include:
- Accidental breach
Sensitive data loss is often the result of unintentional unauthorized data access or use. An example of how an accidental breach can occur is an employee choosing the wrong recipient when sending an email containing confidential data. Another is someone sharing their login credentials.
- Malicious insider
A disgruntled or ill-intentioned employee (i.e., malicious insider) can access sensitive data from inside the organization and share it with or sell it to someone else. Or the employee can give an outsider access to sensitive data.
- Malware
Sensitive data loss is often initiated with malware. A cybercriminal will attack an organization (e.g., phishing attack through email, adware through a website) and use malware to gain access to a computer or a network. Once they are in the system, the sensitive data loss begins.
To protect against sensitive data loss, it is important to understand when it is most at risk. The two states at which sensitive data is vulnerable are in transit and at rest.
Data in transit across networks to other servers, applications, or users is highly vulnerable, especially when moving across unprotected channels or to the application programming interface (API) that allows applications to communicate with one another. Sensitive data is targeted via:
- Man-in-the-middle (MITM) attacks
Traffic is intercepted and monitored by someone between a user and an application to eavesdrop or impersonate one of them. Sensitive data, such as login credentials, account information, or credit card numbers, are stolen from this position. Common targets for man-in-the-middle attacks are financial applications, banking or credit card sites, and online stores.
- Structured query language injection (SQLI) attacks
SQLI attacks are the most frequent application attack. During an SQLI attack, SQL requests are manipulated into executing malicious commands, which can be used to gain access to sensitive data.
Data at rest, where it is stored, is less vulnerable than in transit, but is more valuable, so it is a more enticing target. A couple of ways that sensitive data loss occurs with data at rest are:
- Ransomware attacks
In a ransomware attack, malware is used to infiltrate systems and encrypt files. The malware is delivered in a number of ways, including email and malicious websites. The encrypted data can be kept in place, or a copy is taken. The attackers hold the data for ransom, threatening to not share the key to decrypt it or to expose the sensitive data.
- Phishing attacks
Phishing attacks are usually perpetrated via email messages. Users are tricked into clicking malicious links or downloading files with malware.
Determining and Measuring Data Sensitivity
How data sensitivity is classified depends on the type of organization, the industry, and the kinds of data it collects, uses, stores, processes, and transmits. Regardless of the kind of data, there are a few key considerations when classifying data, including:
- What data is collected from customers and vendors?
- What data does the organization create?
- What is the level of sensitivity of the data?
- Who needs access to the data?
Different levels of classification apply based on the type of sensitive data that an organization collects and uses. There are four commonly used classification types for data.
1. Restricted data
Restricted data is highly confidential. If restricted data is compromised or accessed without authorization, it could lead to criminal charges, fines, lawsuits, and significant financial losses, and cause irreparable damage to the company.
2. Confidential data
If confidential data is exposed, it could result in financial risk, loss of customers, disruption of operations, and damage to the organization’s reputation.
3. Internal-only data
While not meant for the public, exposure of internal-only data could have a relatively low impact on an organization and not negatively affect profitability, disrupt operations, or cause compliance issues. It could result in short-term embarrassment or reputational damage, but it might not have lasting repercussions.
4. Public data
No special protections are required for public data. It may be freely disclosed without risk.
In addition to those four basic classifications, three additional sub-layers are being used to address more stringent privacy regulations:
- Data Processing layer—consent
Requires organizations to gain an individual’s consent as to how their private data can be used.
- Purpose layer—access
Requires organizations to specify the purpose for which specific data about an individual is being collected.
- Privacy layer—compliance
Requires organizations that retain an individual’s data to facilitate compliance with privacy rules.
Sensitive Data and Data Classification
Data classification is the process of organizing data into categories to make it faster and easier to identify and treat appropriately. Data is tagged to facilitate searches and enable tracking. Data classification is especially useful and important for identifying sensitive information and implementing proper controls for risk management, compliance, and data security.
There are three main types of data classification for sensitive data.
1. Content-based classification
This involves reviewing files and documents then classifying them. Content is inspected and interpreted to identify sensitive data.
2. Context-based classification
Files are classified based on metadata related to a file, such as what application was used to create it, the person who created it, or the location in which files were authored or modified. Context-based classification uses metadata as an indirect indicator of sensitive information.
3. User-based classification
A knowledgeable user classifies files manually based on their judgment. User-based classification relies on the individuals who work with documents to specify how sensitive they are. This classification can be done when the file is created, after reviews and edits are completed, or before it is released.
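To make content-based classification concrete, the following added example (not code from the original page) inspects document text for Social Security numbers, payment card numbers, and email addresses, then assigns one of the four levels described earlier. The detector patterns, the Luhn filter for card numbers, and the mapping of findings to levels are assumptions chosen for illustration, and the sample documents are constructed.

```python
import re

# Detector patterns and the mapping onto the four levels are illustrative
# assumptions; a real policy defines its own.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MARKING_RE = re.compile(r"\binternal use only\b", re.IGNORECASE)

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Count hits per detector in one document's content."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "card": sum(luhn_valid(m.group()) for m in CARD_RE.finditer(text)),
        "email": len(EMAIL_RE.findall(text)),
        "marking": len(MARKING_RE.findall(text)),
    }

def classify(text: str) -> str:
    """Return the most restrictive level any finding calls for."""
    hits = find_sensitive(text)
    if hits["ssn"] or hits["card"]:
        return "Restricted"
    if hits["email"]:
        return "Confidential"
    if hits["marking"]:
        return "Internal-only"
    return "Public"

# Constructed sample documents (not real data).
SAMPLES = {
    "hr_export.txt": "Employee SSN 123-45-6789, card 4111 1111 1111 1111",
    "contacts.txt": "Reach Jane at jane.doe@example.com about the renewal.",
    "memo.txt": "INTERNAL USE ONLY: order ref 1234567890123456 shipped.",
    "press.txt": "Our office opens at 9am on Monday.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {classify(body):14} {find_sensitive(body)}")
```

The 16-digit order reference in memo.txt fails the Luhn check, so it is not counted as a card number and the document is classified by its marking alone.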
Several key steps to prepare for a data classification project are:
- Assess the data
  - What types of data are there?
  - Where does it reside?
  - How much of the data is regulated?
  - What policies and controls are in place to protect the data?
  - Who has access to the data?
- Evaluate the risks if the data were compromised
  - Erosion of competitive advantage
  - Loss of intellectual property (IP)
  - Exposed sensitive information
  - Penalties for compliance violations
  - Financial loss
- Develop policies for data classification
  - Who should have access to each type of data?
  - How many classification categories will there be?
  - How are classifications added or changed?
  - What will the classifications cover?
  - What classification approach will be used—automated or user-driven?
  - What will the process be for training employees to use the data classification system?
Benefits of Identifying and Classifying Sensitive Data
- Ensure that employees are aware of the type of information they are dealing with, its value, and their obligation to protect it
- Help meet compliance requirements
- Improve data visibility and control
- Know what data requires protection
- Raise users’ awareness about sensitive data
- Understand who should or should not have access to sensitive information
Sensitive Data vs. Personal Data
The differences between personal and sensitive information are subtle, but important to understand.
Personal information includes data that identifies an individual. It can include full names, home addresses, telephone numbers, birthdays, email addresses, and bank account information. Information that classifies an individual’s presence can also be considered personal information, such as CCTV footage.
Data or information that can lead to identification of a person when combined with another relevant piece of information can be classified as personal data. Accidental disclosure can cause problems, but it will not put the person in harm’s way.
Sensitive data is a subset of personal information. It can include information such as biometric data, records concerning a person’s physical or mental health, race or ethnic origin, religion, political affiliations, sexual orientation, and criminal history. If revealed, sensitive data can leave an individual vulnerable to discrimination, harassment, or worse.
Unauthorized Disclosure of Sensitive Data
Data breaches can occur in any organization, from small businesses to major corporations.
The consequences of a breach of sensitive data can range from minor to disastrous—from fines and litigation to reputational loss and even loss of the right to operate the business.
The unauthorized disclosure of sensitive data, such as personal information, credit card numbers, Social Security numbers, driver’s license numbers, and healthcare history, results in financial and compliance issues for organizations. It also creates hassles and headaches for affected individuals.
The impact of an unauthorized disclosure of sensitive data is measured by the risk level associated with that data. There are three types of risk related to unauthorized disclosure of sensitive data:
1. Low risk
Disclosed data may be linkable to other data that could support the re-identification of individuals, households, business firms, etc.
2. Medium risk
Disclosed data includes indirect identifiers that could support the re-identification of individuals, households, business firms, etc.
3. High risk
Disclosed data includes direct identifiers that will directly identify individuals, households, business firms, etc.
Protecting Sensitive Data
Assess Risk
Risk assessments are one of the most important factors for protecting sensitive data. A risk assessment requires an organization to identify all users, devices, networks, applications, and information and categorize them based on the risks associated with exposure (e.g., sensitive information is considered a high-risk asset, marketing information may be considered lower risk).
Also included in the assessment should be an evaluation of potential attack vectors. Based on these assessments, informed decisions can be made about what protections are required.
Document Activities Related to Sensitive Data Protection
What is done to protect sensitive data must be documented to meet the requirements of many agencies and organizations. Among the many regulations that require documentation of how an organization protects sensitive data are:
- Family Educational Rights and Privacy Act (FERPA)
- General Data Protection Regulation (GDPR)
- Gramm–Leach–Bliley Act (GLBA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Monitor and Test Control Efficacy
Continuous monitoring and testing of controls are required to stay ahead of changing threat landscapes.
Remediate Risks
Once identified, risks need to be prioritized for remediation. Cybercriminals constantly exploit vulnerabilities, so remediating risks in a timely manner is critical.
Set Controls
Controls for preventing unauthorized access to sensitive data need to be developed and enforced. Tools that can help protect sensitive data include:
- Access control
- Antivirus and anti-malware software
- Auditing
- Backup and recovery systems
- Data discovery and classification
- Data encryption
- Data loss prevention (DLP)
- Employee monitoring software
- Firewall
- Intrusion detection and prevention systems (IDS/IPS)
- Physical security
- Security information and event management (SIEM)
- User and entity behavior analytics (UEBA)
Safeguard Sensitive Data
Despite the massive volumes of information that are being collected and produced, organizations remain responsible for protecting their sensitive data. The consequences of compromised sensitive data are never trivial. Even a small leak causes problems for organizations and individuals.
There are many effective solutions available to safeguard sensitive data. Take time to assess the risks and implement the appropriate protections for your organization.
Last Updated: 26th April, 2022