How to identify types of sensitive data

Sensitive data is private information that must be protected from unauthorized access. This type of data can come in various forms — from physical to digital, such as written documents, photographs, videos or audio recordings. Most organizations have collected somewhere in their network storage forms of sensitive data and are required to adhere to federal compliance laws and regulations.

There are two broad categories that sensitive data falls under: regulated and unregulated data. When the topic of sensitive data is brought up, most people tend to think of examples of regulated data. Regulated data is always sensitive and always needs to be kept confidential — like social security numbers, bank account numbers or healthcare information.

Oftentimes, though, sensitive data can live within unsuspecting documents or files. This is unregulated data, and the vast majority of data created falls under this category. Keep in mind, unregulated data will almost always contain sensitive information, but not all of it needs to be considered confidential. This is where data discovery and classification can help.

What is the difference between regulated and unregulated sensitive data?

While regulated data is always sensitive information that should be protected, unregulated data also includes all publicly known information, so it is not always considered “sensitive.” This is an incorrect line of thinking, however. Almost all data is sensitive, but how sensitive it is depends on the amount available or the context it’s used in. A first and last name in a public record is harmless, but a first and last name in an organization’s database should be treated as confidential, as it could be tied to payment card data, home addresses, Social Security numbers, and more. So, although unregulated data may contain publicly available information, it should never be overlooked by an organization, as its context can enhance its level of sensitivity.

Some examples of sensitive, unregulated data are customer surveys, job applications or employee contracts. TThese types of data may not always contain confidential information, but they often can. That’s why it is critical to apply a data classification process to all of your data, regardless of whether it’s regulated or unregulated data.

What data privacy laws and regulations cover sensitive data?

In the United States, certain classes of information are always deemed as sensitive with laws and regulations that protect it. Legislative definitions of personal information have broadened over time, led primarily by the state of California. In other countries, such as within the EU, data protection laws tend to be more comprehensive.

One of the most well-known types of sensitive data laws are breach notification laws. Starting with the General Data Protection Regulation (GDPR), and most recently the California Privacy Rights Act (CPRA), the majority of countries and states have enacted data privacy and breach notification laws. These laws require companies to protect customer data, share what data is stored, how data is used, who the data is shared with, and to notify consumers when sensitive personal information is accessed by an unauthorized person. The notification requirement of these laws can often create negative publicity, resulting in loss of general goodwill and, in more severe cases, class action lawsuits.

In addition to notification obligations, breach notification laws often impose additional duties, which vary depending on the storage media. For example, as outlined in the California Civil Code, businesses have a duty to “provide reasonable security” for personal information. Legislative findings in several states emphasize the importance of preserving trust and confidentiality, while others emphasize the need to protect consumers from identity theft.

It’s always advisable to consult with an attorney to become more familiar with data protection laws in your country, state, and industry — especially as they relate to cloud computing and the storage of sensitive information. Each regulation has varying levels of compliance requirements, which can be used as classification levels within your schema. For example, if you classify files as PCI DSS and find files classified as such outside of your Cardholder Data Environment (CDE), you can immediately remediate that data by moving or destroying it, and then investigate how that data leaked from the CDE and implement a process to prevent it from recurring.

Determining the sensitivity of unregulated data

At first glance, many cases of unregulated data may not appear to be sensitive. However, upon closer attention and additional context, that seemingly unimportant piece of data could actually contain sensitive information requiring classification as sensitive, protected data.

For example, take the scenario of an ordinary shopping list. Most of the time, shopping lists contain seemingly harmless information. And while an average 45-year-old balding male probably wouldn’t mind too much if you found out he was purchasing Rogaine, what if his list contained his name and the details of a prescription he was on his way to pick up to treat a specific medical condition? Suddenly, the sensitivity of that list increases, and its owner probably doesn’t want his personal healthcare information to be shared with others.

We can take that scenario and increase the scale to that of a large organization. Perhaps an organization sends out a customer survey that asks what beauty products or brands customers have used within the past six months. While at first the information may seem harmless, there is likely sensitive information within those survey responses that should be kept private.

Here’s another scenario — take an organization’s typical computer log full of IP addresses, pages accessed, and other mundane information. To most, it looks like a bunch of noise. But to an experienced hacker, this log contains enough information to mount an attack and take control of the organization’s website because they see that the organization’s Apache web server hasn’t been updated in three years. That attack could lead to the theft of personal consumer information, including names, addresses and phone numbers — leading to potentially severe legal consequences or even a class action lawsuit.

Sensitive data examples

Organizations today are constantly creating and storing new types of data. Because of this, it can be difficult to apply the proper regulatory requirements to it. Some common types of unregulated sensitive data that has the potential to contain or lead to confidential information include:

  • Intellectual property
  • Information not widely distributed or known to the public
  • Product, process, program, or service information
  • Specifications and requirements
  • Strategy documents
  • Customer requirements
  • Inventions, designs, and formulae
  • Designs
  • Reports
  • Source and object code
  • Databases
  • Trade secrets
  • Supplier lists
  • Customer and prospect lists
  • Marketing techniques
  • Pricing and cost policies
  • Financial information
  • Internal operations documents

While these data types and sources may not be directly subject to legal regulation (yet), if any of it were to fall into unauthorized hands, the consequences could be ruinous. Discovering sensitive data in all its forms, everywhere it exists, allows you to understand what information you possess, create your own internal security policies, classify data appropriately based on its confidentiality, and apply the proper protective measures to mitigate security risks.

Classifying types of sensitive data

Since sensitive data can fall into either the regulated or unregulated categories, the label of “regulated” or “unregulated” is not always the most accurate measure of how to protect and remediate data. That is why it’s important for organizations to determine classification levels for sensitive data.

Classification terms can look unique to each organization, but generally, IT teams will categorize data by these four types:

  • Public: Data with a public classification typically pose little-to-no risk if disclosed, since public data is freely accessible by anyone. Some examples of public data include a public university directory or a business’s consumer pricing.
  • Internal: This is data that isn’t meant for public exposure and while there may be some level of harm if exposed, that potential harm is minimal. This could look like a company’s organizational chart or IT service information.
  • Confidential: As the name indicates, if data is confidential it needs to be kept private. If this data is exposed, the organization responsible can see negative ramifications. Some examples of confidential data include employment contracts or student loan records.
  • Restricted: This is highly sensitive data that if leaked could pose serious financial, legal or regulatory consequences towards an organization. Some examples of restricted data include social security numbers, medical records and bank account numbers.

Once your organization’s classification levels are defined and a process is established for applying those classifications to data based on specific criteria, you are on the right path for strong data lifecycle management.

Ensure regulated and unregulated data are properly secured with Spirion

Spirion offers highly accurate, automated data discovery and persistent classification to help organizations identify sensitive information at its source and classify it appropriately based on its level of sensitivity. Get in touch with us today to learn more about how we can help get your unregulated data in line and properly secured.

Want to dig deeper?

With privacy regulations like the EU’s GDPR and the CCPA, new security risks with a predominantly remote workforce, and almost daily news of cyberattacks, organizations are looking to its IT Security teams for answers on how to keep its sensitive data protected and the organization compliant. Understand what your data protection software needs to do, how it helps enforce new privacy regulations, and questions you should ask before purchasing by downloading our “Buyer’s Guide for purchasing data privacy and compliance software.”

Download now