How to identify types of sensitive data

Sensitive data is private information that must be protected from unauthorized access. This type of data can come in various forms — from physical to digital, such as written documents, photographs, videos or audio recordings. Most organizations hold sensitive data in some form somewhere in their network storage and are required to adhere to federal compliance laws and regulations.

There are two broad categories that sensitive data falls under: regulated and unregulated data. When the topic of sensitive data is brought up, most people tend to think of examples of regulated data. Regulated data is always sensitive and always needs to be kept confidential — like social security numbers, bank account numbers or healthcare information.

Oftentimes, though, sensitive data can live within unsuspecting documents or files. This is unregulated data, and the vast majority of data created falls under this category.

What is the difference between regulated and unregulated sensitive data?

While regulated data is always sensitive information that should be protected, unregulated data also includes all publicly known information, so it is not always classified as sensitive. Although unregulated data may contain publicly available information, it should never be overlooked by an organization, as it can also include highly sensitive information.

Some examples of sensitive, unregulated data are customer surveys, job applications or employee contracts. These types of data may not always contain protected, sensitive information, but they often can. That’s why it is critical to apply a data classification process to all of your data, regardless of whether it’s regulated or unregulated data.

What data privacy laws and regulations cover sensitive data?

In the United States, certain classes of information are always deemed sensitive and are protected by specific laws and regulations. Legislative definitions of personal information have broadened over time, led primarily by the state of California. In other countries, such as within the EU, data protection laws tend to be more comprehensive.

Among the best-known types of sensitive data laws are breach notification laws. Starting with the General Data Protection Regulation (GDPR), and most recently the California Consumer Privacy Protection Act of 2018 (CCPA), the majority of countries and states have enacted data privacy and breach notification laws. These laws require companies to protect customer data, disclose what data is stored, how it is used and with whom it is shared, and notify consumers when sensitive personal information is accessed by an unauthorized person. The notification requirement of these laws can often create negative publicity, resulting in loss of general goodwill and, in more severe cases, class action lawsuits.

In addition to notification obligations, breach notification laws often impose additional duties, which vary depending on the storage media. For example, as outlined in the California Civil Code, businesses have a duty to “provide reasonable security” for personal information. Legislative findings in several states emphasize the importance of preserving trust and confidentiality, while others emphasize the need to protect consumers from identity theft.

It’s always advisable to consult with an attorney to become more familiar with data protection laws in your country, state, and industry — especially as they relate to cloud computing and the storage of sensitive information. Each regulation has varying levels of compliance requirements.

These regulations can be used as classification levels within your schema. For example, if you classify files as PCI DSS and find files classified as such outside of your Cardholder Data Environment (CDE), you can immediately move or destroy that data and then investigate how that data leaked from the CDE and implement a process to prevent it from recurring.

Determining the sensitivity of unregulated data

At first glance, many cases of unregulated data may not appear to be sensitive. However, with closer attention and additional context, that seemingly unimportant piece of data could actually contain sensitive information and be classified as sensitive, protected data.

For example, take the scenario of an ordinary shopping list. Most of the time, shopping lists contain seemingly harmless information. And while an average 45-year-old balding male probably wouldn’t mind too much if you found out he was purchasing Rogaine, what if that list belongs to a 70-year-old grandmother? Suddenly, the sensitivity of that information increases, and if the 70-year-old grandma is your customer, she probably doesn’t want this information to be shared with others.

We can take that scenario and increase the scale to that of a large organization. Perhaps an organization sends out a customer survey that asks what beauty products or brands customers have used within the past six months. While at first the information may seem harmless, there is likely sensitive information within those survey responses that should be kept private.

Here’s another scenario — take an organization’s typical computer log full of IP addresses, pages accessed, and other mundane information. To most, it looks like a bunch of noise. But to an experienced hacker, this log contains enough information to mount an attack and take control of the organization’s website because they see that the organization’s Apache web server hasn’t been updated in three years. That attack could lead to the theft of personal consumer information, including names, addresses and phone numbers — leading to potentially severe legal consequences or even a class action lawsuit.

Examples of unregulated sensitive data

Organizations today are constantly creating and storing new types of data. Some common types of unregulated data that may contain sensitive information include:

  • Intellectual property
  • Information not widely distributed or known to the public
  • Product, process, program, or service information
  • Specifications and requirements
  • Strategy documents
  • Customer requirements
  • Inventions, designs, and formulae
  • Designs
  • Reports
  • Source and object code
  • Databases
  • Trade secrets
  • Supplier lists
  • Customer and prospect lists
  • Marketing techniques
  • Pricing and cost policies
  • Financial information
  • Internal operations documents

Discovering sensitive data in all its forms everywhere it exists allows an organization to classify it appropriately and mitigate security risks.

Classifying types of sensitive data

Since sensitive data can fall into either the regulated or unregulated categories, the label of “regulated” or “unregulated” is not always the most accurate measure of how to protect and remediate data. That is why it’s important for organizations to determine classification levels for sensitive data.

Classification terms vary from one organization to another, but IT teams generally categorize data into these four types:

  • Public: Data with a public classification typically poses little-to-no risk if disclosed, since public data is freely accessible by anyone. Some examples of public data include a public university directory or a business’s consumer pricing.
  • Internal: This is data that isn’t meant for public exposure and while there may be some level of harm if exposed, that potential harm is minimal. This could look like a company’s organizational chart or IT service information.
  • Confidential: As the name indicates, if data is confidential it needs to be kept private. If this data is exposed, the organization responsible can see negative ramifications. Some examples of confidential data include employment contracts or student loan records.
  • Restricted: This is highly sensitive data that, if leaked, could pose serious financial, legal or regulatory consequences for an organization. Some examples of restricted data include social security numbers, medical records and bank account numbers.

Once your organization’s classification levels are defined and a process is established for applying those classifications to data based on specific criteria, you are on the right path for strong data lifecycle management.
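The following script is an added example, not code from this post or from any Spirion product. It ties together two ideas from the post: using a regulation such as PCI DSS as a classification label and flagging labelled files found outside the Cardholder Data Environment (CDE), and assigning each file one of the four tiers (Public, Internal, Confidential, Restricted). The regular expressions, the Luhn check, the keyword hints, the `/cde/` and `/public/` path prefixes and the sample documents are all assumptions constructed for illustration; a real discovery engine uses far broader detectors.

```python
import re
from dataclasses import dataclass

# Four classification tiers from the post, ordered from least to most sensitive.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# Illustrative detectors for regulated data (assumption: simplified patterns,
# not a production-grade discovery engine).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

# Keyword hints for unregulated data that is still sensitive, drawn from the
# post's own examples (employment contracts, pricing, supplier lists, ...).
CONFIDENTIAL_HINTS = ("employment contract", "student loan", "supplier list",
                      "pricing policy", "trade secret", "customer list")
INTERNAL_HINTS = ("org chart", "organizational chart", "it service")

# Assumed storage locations where PCI DSS data is permitted to live (the CDE).
CDE_PREFIXES = ("/cde/",)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_regulated(text: str) -> set[str]:
    """Return the regulated-data labels detected in a document."""
    tags = set()
    if SSN_RE.search(text):
        tags.add("SSN")
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            tags.add("PCI DSS")
            break
    return tags


@dataclass
class Finding:
    path: str
    level: str
    tags: set[str]
    out_of_place: bool  # True when PCI DSS data sits outside the CDE


def classify(path: str, text: str) -> Finding:
    """Assign one of the four tiers and check CDE placement for PCI DSS data."""
    tags = find_regulated(text)
    lowered = text.lower()
    if tags:
        level = "Restricted"            # regulated data is always restricted
    elif any(h in lowered for h in CONFIDENTIAL_HINTS):
        level = "Confidential"
    elif any(h in lowered for h in INTERNAL_HINTS):
        level = "Internal"
    elif path.startswith("/public/"):
        level = "Public"
    else:
        level = "Internal"              # unknown content never defaults to Public
    out_of_place = "PCI DSS" in tags and not path.startswith(CDE_PREFIXES)
    return Finding(path, level, tags, out_of_place)


def scan(store: dict[str, str]) -> list[Finding]:
    return [classify(p, t) for p, t in sorted(store.items())]


def out_of_place_pci(findings: list[Finding]) -> list[str]:
    """Files labelled PCI DSS that leaked outside the CDE and need remediation."""
    return [f.path for f in findings if f.out_of_place]


# Constructed sample documents (not real data; the card number is a test value).
SAMPLE_STORE = {
    "/public/directory.txt": "Campus directory: main office 555-0100",
    "/hr/contract_j_doe.txt": "Employment contract for J. Doe, salary band 4",
    "/hr/onboarding.txt": "New hire: SSN 219-09-9999, start date Monday",
    "/cde/settlement.csv": "4111 1111 1111 1111,2024-05-01,19.99",
    "/shared/survey_export.csv": "card,4111-1111-1111-1111,beauty products used: yes",
    "/it/orgchart.txt": "Organizational chart: CEO > CIO > IT service desk",
    "/shared/notes.txt": "Meeting moved to Thursday; order 9012345678901234",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_STORE):
        flag = "  <-- PCI DSS data outside the CDE" if f.out_of_place else ""
        print(f"{f.level:<12} {f.path} {sorted(f.tags)}{flag}")
```

Two design points are worth noting. First, a 16-digit order number in `/shared/notes.txt` is not flagged because it fails the Luhn check, which keeps the scanner from burying real findings in noise. Second, `/shared/survey_export.csv` is the case the post describes: a seemingly mundane export that carries a card number and therefore belongs in the CDE, so it is reported for removal and investigation.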

Want to dig deeper?

With privacy regulations like the EU’s GDPR and the CCPA, new security risks from a predominantly remote workforce, and almost daily news of cyberattacks, organizations are looking to their IT security teams for answers on how to keep their sensitive data protected and the organization compliant. Understand what your data protection software needs to do, how it helps enforce new privacy regulations, and which questions you should ask before purchasing by downloading our “Buyer’s Guide for purchasing data privacy and compliance software.”

