What is Sensitive Data?
Sensitive data is classified information that must be protected and kept inaccessible to outside parties unless they are specifically granted permission. The data can be in physical or electronic form, but either way, sensitive data is regarded as private information. An ethical or legal reason may warrant tougher restrictions on who can access the sensitive data of a person or an organization, especially when it pertains to individual privacy and property rights.
For instance, a data breach in a government commission could expose government secrets to foreign powers. The same applies to individual or company data, where a breach could pose grave risks such as corporate spying, insurance risk, cyber threats, or a breach of the privacy of your clients or your workers.
The legal definition of sensitive data describes it as information that must be protected against unauthorized disclosure, including PII (Personally identifiable information), PHI (Protected health information), and more.
Typically, there are three main types of sensitive data that hackers (including insiders) tend to exploit: personal information, business information, and classified information. If any of this data falls into the wrong hands, it could deal a fatal blow to the parties concerned, whether they are individuals, companies, or government entities.
Types of Sensitive Data
When we say that data is sensitive, its sensitivity comes in levels. Data can be classified into different types by sensitivity, and the classification can be determined by federal regulations as set by the security control units, by industry-specific rules, or by an individual such as an Information Security Officer.
Sensitive data can be classified into four types:
- Low data sensitivity type or public classification
- Moderate data sensitivity type or internal classification
- High data sensitivity type or confidential classification
- Restricted type of sensitive data
Low data sensitivity type
This class of data poses little or no risk to an individual, private organizations, or government agencies when it gets disclosed. Data in this section can be accessed by anyone, as there are little or no restrictions on its accessibility. It is more or less a piece of public information that can be discussed anywhere, and with anyone. Examples of sensitive data in this section include school directory information of both students and staff, published research, research proposals, information that is already available in public domains, and also unpublished research with the permission of the researcher among others.
Moderate data sensitivity type
At this level of data sensitivity, data is subject to contractual agreements between two or more parties. This means that the leakage of such data would only cause minimal harm to the individuals or organizations concerned. Examples of sensitive data at this level include building plan information, individual donor records, student records, intellectual property, IT service information, visas and other travel documents, security information, and contact information and documents.
High data sensitivity type/confidential data
If data is confidential, then it must be personal or private. If such data is breached, it could cause significant harm to an individual or an organization, such as exposure to criminal liability or cyber-attacks. Examples at this sensitivity level include, but are not limited to, the following: IT security info, social security numbers, controlled unclassified info, identifiable human subject research, student loan application data, protected health data, and so on.
Restricted type of sensitive data
This is highly sensitive data that is protected with an NDA (Non-disclosure Agreement) in order to minimize legal risk. Examples of sensitive data that could be restricted include trade secrets, credit card details, Potentially Identifiable Information (PII), etc. There’s also personal information, trade secrets, employee information and customer information, intellectual property data, industry-specific data, education records, confidential information, and more. Careless disclosure of such information or data can severely harm an individual or a nation as a whole.
Let us discuss a few of them:
Customer information is very sensitive data that contains clients’ personal information like transaction records, phone numbers, email addresses, home addresses, names, digital fingerprints, and in most cases, their pictures. This data is so sensitive that if it gets into the wrong hands, it could cause severe harm to your customers and cause distrust between customers and the company. It is safe to say that people only transact business with companies or business ventures that can assure them of maximum protection of their data.
Just like customer information, your employees’ data is sensitive data that must be handled with great care. If it leaks, it could lead to cyber or physical assaults on your employees. The data could consist of an employee’s banking details, home address, login details, etc.
There is specific sensitive industrial data that needs to be protected at all costs. For example, in the medical sector, people’s medical reports need to be protected. In the retail sector, the transaction details of all the customers are so sensitive that they need to be protected.
Personal information is private data about an individual. This data is personal, and should only be released to the public at will. Personal data, according to the GDPR, is information that relates to an identified data subject.
GDPR Sensitive Data
Under the GDPR, the meaning of personal data and sensitive personal data has been changed to make it simpler and more detailed than before, with references to identifiers such as name, IP address, and location data being a part of these changes. Mixing up personal data with sensitive personal data is unavoidable, as most people tend to misinterpret them. Some people might think that any personal data at all is sensitive. Although this is true to a certain degree, it is nevertheless wrong. So what is sensitive personal data?
The GDPR’s definition of personal data is not that much different from the regular definition. It is data that either contains information that directly identifies the person, or is pseudonymous data that does not allow personal identification but can still be used to detect an individual’s behaviour patterns.
While the GDPR is pushing for more active use of pseudonymous data instead of information that directly identifies a person, pseudonymized data can still be traced back to its origin and “decrypted”, so to speak. There’s also the fact that in some specific areas pseudonymization is not enough to hide the person’s identity. Genetic data is one such example, because of its inherently identifying nature.
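The point that pseudonymized data can still be traced back can be checked on your own dataset. The following is an added example, not code from the original article: it compares an unkeyed hash with a keyed HMAC as the pseudonym function and counts how many pseudonyms each party can tie back to a person. All names, addresses and the key are constructed for illustration.

```python
import hashlib
import hmac


def normalise(identifier):
    # Same identifier must always map to the same pseudonym.
    return identifier.strip().lower().encode("utf-8")


def pseudonym_plain(identifier):
    """Unkeyed SHA-256: anyone can recompute it from a candidate value."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonym_keyed(identifier, key):
    """HMAC-SHA-256: recomputing it requires the separately stored key."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def relink(pseudonyms, candidates, scheme):
    """Map each pseudonym back to a candidate identifier where scheme matches."""
    table = {scheme(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


# Constructed sample data (not real addresses, not a real key).
CUSTOMERS = ["alice@example.com", "bob@example.com"]
CANDIDATES = CUSTOMERS + ["carol@example.com"]  # e.g. an existing mailing list
KEY = b"constructed-demo-key-held-in-a-separate-system"


def audit():
    """Count re-linked records for each scheme, with and without the key."""
    plain = [pseudonym_plain(c) for c in CUSTOMERS]
    keyed = [pseudonym_keyed(c, KEY) for c in CUSTOMERS]
    with_key = lambda c: pseudonym_keyed(c, KEY)
    return {
        "plain_without_key": len(relink(plain, CANDIDATES, pseudonym_plain)),
        "keyed_without_key": len(relink(keyed, CANDIDATES, pseudonym_plain)),
        "keyed_with_key": len(relink(keyed, CANDIDATES, with_key)),
    }


if __name__ == "__main__":
    print(audit())
```

The keyed pseudonyms remain linkable for whoever holds the key, which is why pseudonymized records still count as personal data and the key needs its own access controls.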
Personal sensitive data generally consists of information such as:
- An individual’s political opinion or party affiliation
- An individual’s religious beliefs
- Trade union membership
- An individual’s sexual life/sexual preferences
- Race and ethnicity
- Genetic data
- Online biometric data such as fingerprints and pictures
- Health data
The list of GDPR-related requirements is long, but the four main things you’ll have to do to comply are:
- Provide notifications about every data breach that occurs;
- Have someone with the position of a Data Protection Officer (DPO) in your company;
- Do not collect information from customers without their consent;
- Anonymize the data you’re processing for security reasons (while the encryption of said data would suffice for some types of sensitive data, others are too descriptive and identifying by their nature, allowing the tracing of such data to its origin even if it’s pseudonymized or encrypted).
Sensitive data that hackers would look for
While there are many different data types that may be considered sensitive in one way or another, there are some specific types of sensitive data that would be prioritized if hackers were to gain access to your system in some way:
- Industry-specific information. There are many different industries, and each one has something that is of the highest priority to it. For example, medical industries prioritize customers’ healthcare data, retail companies work on protecting customers’ payment information, and so on.
- Inventory/operational info. This category is more about generalized business figures, like sales figures, for example. The definition of sensitive information doesn’t have to include customers specifically for the information to be considered sensitive.
- Trade secrets/Intellectual property. This part includes basically anything that’s under an NDA (non-disclosure agreement) of sorts, from code and schematics to product specifications.
- Customer information. The most basic example of sensitive data, like payment info, emails, real names, home addresses, and so on.
- Data of your employees. While this might seem similar to regular customer info, it is a separate category because you hold quite a few different pieces of data about your employees that may be considered sensitive, like the banking info that you’re using to pay their wages, username and password combos, and so on.
How to Protect Sensitive Data and Prevent Sensitive Data Exposure?
What are the steps that need to be taken to identify and protect sensitive data?
In this section, we are going to outline three steps by which sensitive data can be protected and sensitive data exposure prevented.
Identify all sensitive data:
The first step is to identify and group all the data based on its sensitivity. The other name for this process is sensitive data classification. This might sound like an easy task, but it is not. System complexity changes over time, and there is new data almost every day, so the process of finding sensitive data is constant and ever-changing. Be that as it may, organizations or agencies must be able to identify data that is relevant under the General Data Protection Regulation (GDPR).
Promptly respond to, and assess data risks:
Data theft and leakage is a recurring problem and it probably won’t stop. It is not only an IT problem, because it affects all other sectors in an organization or government unit. Sensitive data is always targeted by cybercriminals, and once you have identified such sensitive data, you must assess the risk. This includes risks such as the liability cost of the sensitive data, the location of the data, the movement of the data from one source or domain to another, the size of the sensitive data that is being stored in a company, etc.
Monitor and implement adequate security measures:
This process follows the previously listed steps. This step involves creating viable security measures to safeguard against theft of sensitive data. After creating these, the next step is to monitor these measures to ensure there are no vulnerabilities in the process. This step also covers assigning the protection measures to the sensitive data that you’ve found beforehand, including newer types of sensitive data.
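The identification step, and the "location" part of the risk assessment, can be sketched in code. This is an added example, not part of the original article: it scans records for three of the data kinds this page names and reports the highest sensitivity level found per storage location. The mapping of detectors to levels, the location names and the sample records are assumptions made for illustration.

```python
import re

# Levels named on this page, ordered from least to most sensitive.
LEVELS = ["low", "moderate", "high", "restricted"]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout only
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (level, findings) for one record; the level mapping is assumed."""
    findings = []
    if EMAIL_RE.search(text):
        findings.append(("contact information", "moderate"))
    if SSN_RE.search(text):
        findings.append(("social security number", "high"))
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append(("credit card details", "restricted"))
    level = max((lvl for _, lvl in findings), key=LEVELS.index, default="low")
    return level, [name for name, _ in findings]

def inventory(records):
    """Highest level seen per location: where the riskiest data sits."""
    worst = {}
    for location, text in records:
        level, _ = classify(text)
        if LEVELS.index(level) >= LEVELS.index(worst.get(location, "low")):
            worst[location] = level
    return worst

# Constructed sample records (test values, not real personal data).
RECORDS = [
    ("public-web", "Campus directory: Main Library opens at 9am."),
    ("crm", "Contact jane.doe@example.com about the donor record."),
    ("crm", "Loan application: SSN 000-12-3456, reply to jane.doe@example.com"),
    ("billing", "Paid with 4111 1111 1111 1111, receipt to bob@example.com"),
    ("billing", "Order ref 1234 5678 9012 3456 shipped."),
]

if __name__ == "__main__":
    print(inventory(RECORDS))
```

Pattern matching of this kind only finds data with a recognisable layout, so it supplements rather than replaces a manual classification of each data store.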
Data sensitivity and how it is measured
Several different industries have agreed on a single standard which can be used to measure data sensitivity, and this standard is based on three parts: Confidentiality, Integrity, Availability (CIA triad).
Confidentiality at its core is roughly equivalent to privacy. This part is about preventing unauthorized access to sensitive information without limiting said information for people who need to have access to it. There’s a substantial number of countermeasures, and they vary a lot in difficulty and effectiveness. The list of countermeasures includes passwords, soft tokens, data encryption, hard copy storage, limiting information destinations, limiting transmission extensiveness, and so on.
Integrity, on the other hand, is about long-term data consistency and accuracy over a specific period of time. The list of integrity countermeasures is somewhat smaller, including items like audit logs, backups, file permissions, user access controls, cryptography, and more.
Availability is the last of the three parts, and it focuses solely on sensitive data being available when needed. Availability-specific countermeasures are different from the other lists, with examples like frequent software patching, safeguards against data loss due to natural disasters, hardware maintenance, bandwidth provision, and so on.
As data privacy is becoming increasingly vital in the world, many customers/clients will only transact and build long-lasting business relationships with organizations that can guarantee the safety of their data, especially their sensitive data. Achieving a strong business relationship in this regard calls for the application of strong data security measures in order to protect sensitive data and prevent its exposure.