Sensitive data includes any data that should remain confidential. That includes personally identifiable information, such as social security numbers, as well as any other information, such as bank account credentials or web browsing history, that someone might want to keep private for any reason. For organizations, sensitive data can include customer data, trade secrets, or any data that could bring a company harm if exposed.
Examples of Sensitive Data
Sensitive data falls into two categories: personal and company. However, some data on the personal side of the equation isn’t just deemed sensitive by the individual; it’s also covered by various laws designed to ensure reasonable privacy.
By looking at a few examples of sensitive personal and company data, it’s easier to see how much information can be classified in this category. Additionally, understanding the basics of relevant laws ensures companies know what’s required to remain compliant.
Sensitive Personal Data
In most cases, any data that’s deemed personally identifiable information (PII) is classified as sensitive data. Essentially, if the details allow the targeting of a single person, it falls in this category.
Not all types of personally identifiable information are as sacrosanct as others. Though you want to keep your social security number a secret, you hopefully aren’t hiding your name, address, and date of birth from your family and friends. That said, even those types of data should not always be publicly posted – if someone steals your credit card, for instance, they’ll have a much easier time using it if they can also find your address.
A detail that doesn’t present a risk on its own could still qualify as PII. If that data, when combined with publicly accessible information, could lead to the identification of an individual, then it’s PII regardless of whether it poses a risk as a single data point.
Some classic examples of PII include:
- Names
- Addresses
- Phone Numbers
- Email Addresses
- Dates of Birth
- Social Security Numbers
- ID Numbers (Driver’s License, Passport, State Issued ID Numbers, etc.)
- Payment Card or Bank Account Numbers
- Medical Histories
- Financial Transaction Records
- Fingerprints
- Photos
- Handwriting
- Biometrics
If a piece of data could identify someone or lead to their identification, you can consider it personally identifiable. Beyond that, though, any data that could lead to harm should also be considered sensitive data.
Sensitive Company Data
Like personal data, if information about a company getting into the wrong hands could threaten the organization to any degree, that qualifies it as sensitive data. This includes information that could introduce risk if it was acquired by the public or a competitor.
Some examples of sensitive company data include:
- Proprietary Product or Service Information
- Trade Secrets
- Intellectual Property
- Financial Data
- Supplier Information
- Customer Data
- Personnel Records
- Merger or Acquisition Plans
- New Product or Service Development Plans
- Security Response Protocols
- Internal Communications
In some cases, internal communications can fall on either side of the line. Primarily, it depends on the content of the message. However, whether other details within the communication can lead someone to discover additional sensitive information, even if the message doesn’t contain anything with a clear risk, it could qualify.
Privacy Laws Impacting Data
The handling of specific types of sensitive data is governed by law. In some cases, the regulations simply set expectations regarding the management and secure storage of a select kind of information. In others, there are strict guidelines that companies must follow to remain compliant.
The risk of non-compliance with various laws can vary. Some may result in steep fines; others may lead to business closures. Additionally, non-compliance can often leave organizations open to legal action, as those who were harmed may be within their right to seek compensation, and law enforcement may choose to prosecute any missteps deemed critical in nature.
Here is a quick overview of some of the privacy laws impacting data handling and storage:
- Health Insurance Portability and Accountability Act (HIPAA) – governs the management of personal health information (PHI) by healthcare organizations and businesses that engage with medical records and data
- Fair Credit Reporting Act (FCRA) – regulates the collection of credit information and its use
- General Data Protection Regulation (GDPR) – outlines how businesses and data must handle and secure personal data relating to European Union (EU) citizens, along with providing EU citizens expanded rights regarding required data collection notifications, the ability to opt-out, and more
- Payment Card Industry Data Security Standard (PCI DSS) – details data protection and network security requirements for payment processors
- Children’s Online Privacy Protection Act (COPPA) – discusses rules regarding the collection of data related to minors
- Family Education Rights and Privacy Act (FERPA) – governs the access to educational information, outlining consent requirements US educational institutions must follow before releasing data regarding degrees earned, transcripts, class schedules, disciplinary action, and more
- Health Information Technology for Economic and Clinical Health (HITECH) – outlines data breach reporting requirements for organizations subject to HIPAA
- Gramm-Leach-Bliley Act (GLBA) – regulates the collection, management, and use of personal information by financial organizations
In some cases, companies also have to navigate state-level laws. The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are prime examples that established broader consumer rights regarding the collection of personal information for California residents. There’s also the Colorado Privacy Act (CPA), An Act Concerning Personal Data Privacy and Online Monitoring in Connecticut, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in New York, Utah Consumer Privacy Act (UCPA), and Consumer Data Protection Act (CDPA) in Virginia.
How to Keep Sensitive Data Secure
Securing sensitive data isn’t just the responsible and smart thing to do; it’s often required by law. As a result, companies should have clear mechanisms designed to keep sensitive data safe. Here are some best practices that can help.
Know What You Have (and Where)
You can’t secure sensitive data if you don’t know what your company is storing and where it’s kept. Explore the data that your organization collects and identify any information that poses a risk. Additionally, determine its exact location within your systems, as well as what employees, third parties, and applications can tap into the information.
Safeguard Against Outside Intrusion
Embracing cybersecurity basics like antivirus, antimalware, and firewall solutions is an essential part of keeping data safe. They help you identify malicious software that could leave systems vulnerable and prevent entry by unauthorized outside parties. While those solutions alone aren’t typically sufficient, particularly if you’re subject to data management or privacy regulations, they create a strong security foundation.
Create Policies for Data Handling and Management
Policies allow you to dictate where specific data is stored and how its managed. By establishing clear protocols, you can ensure that sensitive data is kept in the right places and has the proper protections.
In many cases, you’ll need a multi-layer policy, as most companies handle information of varying sensitivity. That allows you to apply the strictest protocols to data that represents a significant risk and more metered ones to information that signifies a lower risk.
Use Strong Encryption
Encrypting sensitive data is essential, reducing the odds that, if the information is accessed by an unauthorized individual, the data is readable. Make sure to use strong encryption and be diligent about key management, as doing so well could render any stolen data generally inaccessible.
Additionally, if you use the cloud, encrypt sensitive data prior to upload. Technically, the cloud is nothing more than a computer that someone else owns and operates; they just give you access to their device as part of the arrangement. As a result, waiting to encrypt poses a risk, as the cloud services company could potentially view, edit, retrieve, or delete that data if it isn’t protected.
Plus, the act of uploading is its own source of risk, potentially leaving data vulnerable. By encrypting before the upload, you’re protecting data in transit, too.
Limit Access
While safeguarding against outside intrusion is essential, it’s also wise to limit internal access to sensitive information. Determine which employees have a legitimate need to view, use, edit, or delete the data. For everyone else, restrict their privileges to prevent their access.
With access restrictions, you reduce the insider threat. Additionally, it makes it harder for hackers to reach that data, as not all employee credentials will secure their access.
Provide Training
In many cases, a company’s employees are the most likely failure point when it comes to the proper handling of data. Make sure to train your workforce in sensitive data management, outlining what it is, why protecting it is essential, and any policies in place that they must follow.
Often, education makes a difference, reducing the odds that an employee will make a mistake simply because they didn’t know it was a misstep. Plus, it can help your workforce view information in a new light, making them more aware of the risks of improper data handling.