January 17, 2019
Sensitive data falls into two broad categories: regulated and unregulated data. Regulated data is always sensitive, though to varying degrees, and should always be classified. The vast majority of unregulated data (which includes all publicly known information) is not always sensitive. However, unregulated data can also include highly sensitive information (e.g., company confidential data, intellectual property or sensitive data unique to the organization), so you must apply your data classification process to all of your data.
Regulated Sensitive Data
In the United States, certain classes of information are always deemed sensitive because law and regulation impose liability for improper or unauthorized access. Legislative definitions of personal information have broadened over time, led primarily by the state of California. In other countries, such as within the EU, data protection laws tend to be more comprehensive.
One of the most well‐known types of sensitive data laws are breach notification laws. Starting with the General Data Protection Regulation, and most recently the California Consumer Privacy Protection Act of 2018 (CCPA), the majority of countries and states have enacted data privacy and breach notification laws. These laws require companies to protect customer data, share what data is stored, how it’s used, who it’s shared with, and to notify consumers when sensitive personal information is accessed by an unauthorized person. The notification requirement often creates publicity that results in loss of goodwill and class action lawsuits.
In addition to notification obligations, breach notification laws often impose additional duties, which vary depending on the storage media. For example, as outlined in the California Civil Code, businesses have a duty to “provide reasonable security” for personal information. Legislative findings in several states emphasize the importance of preserving trust and confidentiality. Others emphasize the need to protect consumers from identity theft.
Consult with an attorney specializing in this area of law to become more familiar with data protection laws in your country, state, and industry, especially as they relate to cloud computing and the storage of sensitive information. Each regulation has varying levels of compliance requirements.
The following table shows some examples of sensitive information covered by various regulations; these regulations can be used as classification levels within your schema. For example, if you classify files as PCI DSS and find files classified as such outside of your Cardholder Data Environment (CDE), you can immediately move or destroy that data and then investigate how that data leaked from the CDE and implement a process to prevent it from recurring.
Sensitive Data Unique to an Organization
In many cases, sensitive data that’s unique to an organization is highly sensitive for example when dealing with intellectual property, operational business data, and certain financial information. In other cases, unregulated data may not appear sensitive but when understood within context, can become so. For example, consider the following three datasets:
Here are three examples of very ordinary, mundane data sets. The first is a shopping list. Most of the time, shopping lists contain seemingly harmless information. And while an average 45-year-old balding male probably wouldn’t mind too much if you found out he was purchasing Rogaine, what if I told you that this list belongs to my 70-year-old grandmother? Suddenly, the sensitivity of that information increases, and if the 70-year old grandma is your customer, she probably doesn’t want this information to be shared with others.
The second scenario is a typical computer log, full of IP addresses, pages accessed, and other mundane information. To you or me, it looks like a bunch of noise. But to an experienced hacker, this log contains enough information to mount an attack and take control of your website, because it indicates you have not updated your Apache web server in three years. That attack could lead to the theft of your customer’s personal information including names, addresses and phone numbers.
The third scenario is a list of non-descript financial data and other numbers. But what if I told you that this spreadsheet contains employee social security numbers; or alternatively, fourth quarter sales reports in preparation for your shareholder meeting? With context, a release of this otherwise unremarkable data could create a class action lawsuit or cause your company’s stock to tumble.
Other types of unregulated sensitive data may include:
• Intellectual Property
• Information not widely distributed or known to the public
• Product, process, program, or service information
• Specifications and requirements
• Strategy documents
• Customer requirements
• Inventions, designs, and formulae
• Source and object code
• Trade secrets
• Supplier lists
• Customer and prospect lists
• Marketing techniques
• Pricing and cost policies
• Financial information
• Internal operations documents
Once your classification levels are defined and a process is established for applying those classifications to data based on specific criteria, you are ready to classify your data!