Sensitive information includes data that requires protection because its loss, misuse, modification, or unauthorized access will negatively impact the welfare, privacy, assets, or security of an organization or individual.
Sensitive information is restricted to limited users in an organization with access based on need and authorization.
Let’s jump in and learn:
Types of Sensitive Information
Sensitivity directs how information should be stored and accessed to adhere to generally accepted data security best practices as well as meet compliance standards. Most organizations divide sensitive information into three categories.
- Personal information
- Business information
- Government-classified information
Sensitive Information as Related to Personal Information
Personally identifiable information (PII) includes data that can be traced back to an individual and that, if disclosed, could result in harm to that person.
Personally identifiable information (PII) is a form of Sensitive Information, which includes, but is not limited to, PII and Sensitive PII.
DHS defines personal information as "Personally Identifiable Information" or PII, which is any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, legal permanent resident, visitor to the U.S., or employee or contractor to the Department.
Sensitive PII (SPII) is Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
- Social security numbers (SSN)
- Passport numbers
- Driver's license numbers
- Taxpayer identification numbers
- Patient identification numbers
- Financial account numbers or credit card numbers
- Home address information
- Email addresses
- Personal telephone numbers
Digital media can also be classified as PII. This includes:
- IP addresses
- Login IDs
- Certain social media posts
- Digital images
- Geolocation data
- Behavioral data
Other sensitive information includes:
- Employee data, such as salary
- Academic data, such as grades and enrollment data—as specified under FERPA
- Medical and health data—as specified under HIPAA
- Proprietary or copyrighted data—as specified under DMCA
- Confidential legal or financial data
Under the Gramm-Leach-Bliley Act (GLBA), nonpublic personal information (NPI) is called out as sensitive information that requires protection. This information includes data collected by a financial institution while providing products or services. It is data that can identify an individual and data that is not publicly available, such as:
- Customers' names
- Account numbers
- Account balances
- Loan applications
- Credit card or debit card applications
Sensitive Information as Related to Business Information
Sensitive business information includes anything that would harm the organization if publicly disclosed or acquired by a competitor. Most businesses consider sensitive information to include:
- Trade secrets or intellectual property
- Sales information
- Marketing information
- New product strategy
- Patent documentation
- Partner information
- Financial data
- Acquisition plans
Sensitive Information as Related to Government Classified Information
Within the realm of government data, sensitive information is categorized as classified. This is information related to national security and protecting national interests that requires enhanced protection and access controls.
Classified information access is restricted according to five levels of sensitivity:
- Top secret
- Sensitive unclassified
- Unclassified—classified information that has been declassified
Sensitive Information Breaches
Unauthorized access to or theft of sensitive information is called a data breach. This type of security breach is specifically related to the exploitation of sensitive information, including stealing it or holding it for ransom.
The sensitive data attack surface spans applications, networks, and devices.
Sensitive data is vulnerable to both malicious outsiders and insider threats. Attackers gain access to sensitive data through a number of cyberattack vectors, including the following:
- Lost or stolen credentials and subsequent credential stuffing
- Weak passwords
- Lost or stolen equipment
- Social engineering attacks
- Vulnerability exploits that target systems and applications
- Targeted attacks, such as:
- Brute force
- DDoS (Distributed Denial of Service)
- Cross-site scripting (XSS)
- SQL Injection
- Man-in middle attacks
- Encryption deficiencies—i.e., nonexistent or poorly implemented and managed
- Misconfigured web apps or servers
- Partner vulnerabilities
Protecting Sensitive Information
Breaches that reveal sensitive information threaten individuals' privacy, damage organizations' reputations, and disrupt operations. Vulnerabilities are exploited not just by hackers, but also by employees.
A holistic data security approach is required to defend sensitive information. In addition to protecting it from attacks, data protection strategies must also consider how information is secured and used internally. Sensitive information in all repositories—on-premises and cloud—must be identified and protected. The following steps are critical:
- Set security controls based on the sensitivity of the information.
- Understand who can access, modify, or delete sensitive information.
- Establish a data classification policy.
- Identify sensitive information that is collected and stored and tag it by applying labels.
- Ensure that all identification and tagging processes are ongoing and consistent
- Conduct regular scans to identify sensitive information.
- Ensure that sensitive information is stored in designated locations with access only to authorized users.
Considerations for Effective Classification
The type of data that is collected, used, stored, processed, and transmitted determines how classification processes are implemented. These five questions help frame thinking about sensitive information classification:
- What data is collected from employees, customers, and partners?
- What data is created internally?
- What is the level of sensitivity of the data?
- Who needs access to the data?
- How long does the data need to be stored?
Classification — Common Requirements
Proactively finding and protecting sensitive information, then classifying it, helps not only with corporate, customer, and employee privacy, but with threat deterrence and regulatory compliance. Requirements for classifying sensitive data vary depending on the types of data that is collected, used, stored, processed, or transmitted, along with protections or restrictions dictated by legal or corporate governance.
Compliance regulations require organizations to protect specific sensitive information. Data classification facilitates the identification of information to make it easier to apply the necessary controls and pass audits. Following are requirements for some of the more common regulations.
Demonstrate that sensitive information that service providers collect from customers is identified and appropriately maintained to meet requirements in five trust categories—security, availability, processing integrity, confidentiality, and privacy.
Implement administrative safeguards to protect the confidentiality, integrity, and availability of PHI (protected health information) by limiting the uses and disclosures of PHI and implementing procedures to classify data that is collected, used, stored, or transmitted.
Safeguard credit card and cardholder data against breach and other forms of unauthorized access, including classifying data so that sensitivity of the data can be determined.
Know what types of data related to EU citizens is collected and held as well as be able to classify that data—public, proprietary, or confidential.
Sensitive Information Levels
Commercial organizations generally use four levels of classification for structured and unstructured data. These determine a number of criteria, including who has access to that data and how long the data needs to be retained.
Public data can be used, reused, and redistributed freely with no repercussions. This data could be made public without repercussions for organizations or individuals. It is not confidential and does not require any controls.
Examples of public data include:
- Employees’ first and last names with positions and bios
- Press releases
- Product brochures
- Published research
- Customer lists (with customers' permissions)
Information that is meant only for use within an organization is considered internal-only data. Its access should be strictly limited to internal team members (e.g., employees, partners, contractors) who have been granted access. However, if disclosed, internal-only data has a minimal impact on an organization.
Examples of internal-only data considered sensitive information include:
- Memos or other communications
- Business plans—e.g., sales, marketing, operations, distribution
- Staff contact information
- Organizational charts
- Employee handbooks and policies
Confidential data access should require strict authorization. Unauthorized access to this content could have significant consequences, including impacting operations, causing financial loss, weakening position in the market by ceding critical information to competitors, and hurting customer satisfaction and confidence.
Confidential data includes:
- M&A documents
- New product information
- Accounting data
Sensitive information classified as restricted data is critical to an organization, and its unauthorized access could have devastating consequences. If restricted data were compromised or accessed without authorization, the result could be criminal charges, significant fines, and irreparable damage to the organization.
Restricted data includes sensitive information such as:
- Government information or research protected by state and federal laws
- Trade secrets
- PII (personally identifiable information)
- Cardholder data
- Health information
Know Your Data
Understanding the types of sensitive information is the beginning of the process of effectively protecting it—continuously. Whether it is structured or unstructured, all sensitive data must be accounted for, managed, and safeguarded from external and internal threats. Processes and technology ensure that this seemingly overwhelming work can be consistently and efficiently executed in a way that meets the requirements for the various kinds of sensitive data without encumbering users' workflows.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.