October 13, 2020
Sensitive data is private information that must be protected from unauthorized access. It can take many forms, physical and digital, such as written documents, photographs, videos or audio recordings. Most organizations hold some form of sensitive data somewhere in their network storage and are required to comply with federal laws and regulations that govern it.
There are two broad categories that sensitive data falls under: regulated and unregulated data. When the topic of sensitive data is brought up, most people tend to think of examples of regulated data. Regulated data is always sensitive and always needs to be kept confidential — like social security numbers, bank account numbers or healthcare information.
Oftentimes, though, sensitive data can live within unsuspecting documents or files. This is unregulated data, and the vast majority of data created falls under this category.
What is the difference between regulated and unregulated sensitive data?
While regulated data is always sensitive information that should be protected, unregulated data also includes all publicly known information, so it is not always classified as sensitive. Although unregulated data may contain publicly available information, it should never be overlooked by an organization, as it can also include highly sensitive information.
Some examples of sensitive, unregulated data are customer surveys, job applications or employee contracts. These types of data may not always contain protected, sensitive information, but they often can. That’s why it is critical to apply a data classification process to all of your data, regardless of whether it’s regulated or unregulated data.
What data privacy laws and regulations cover sensitive data?
In the United States, certain classes of information are always deemed sensitive and are protected by specific laws and regulations. Legislative definitions of personal information have broadened over time, led primarily by the state of California. In other countries, such as those within the EU, data protection laws tend to be more comprehensive.
Among the best-known sensitive data laws are breach notification laws. Starting with the General Data Protection Regulation (GDPR), and most recently the California Consumer Privacy Protection Act of 2018 (CCPA), the majority of countries and states have enacted data privacy and breach notification laws. These laws require companies to protect customer data, to disclose what data is stored, how it is used and who it is shared with, and to notify consumers when sensitive personal information is accessed by an unauthorized person. The notification requirement can create negative publicity, resulting in a loss of goodwill and, in more severe cases, class action lawsuits.
In addition to notification obligations, breach notification laws often impose additional duties, which vary depending on the storage media. For example, as outlined in the California Civil Code, businesses have a duty to “provide reasonable security” for personal information. Legislative findings in several states emphasize the importance of preserving trust and confidentiality, while others emphasize the need to protect consumers from identity theft.
It’s always advisable to consult with an attorney to become more familiar with data protection laws in your country, state, and industry — especially as they relate to cloud computing and the storage of sensitive information. Each regulation has varying levels of compliance requirements.
These regulations can double as classification levels within your schema. For example, if you label files as PCI DSS data and then find files carrying that label outside your Cardholder Data Environment (CDE), you can immediately move or destroy that data, investigate how it leaked from the CDE, and put a process in place to prevent a recurrence.
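As an added illustration of using a regulation as a classification label and acting on files found outside the CDE, the Python below is example code written for this article, not a tool or process the article itself describes. It assumes a CDE path prefix of /cde/, its own label names (PCI-DSS, PII, INTERNAL), simple regular expressions for card numbers, SSNs, email addresses and IPv4 addresses, and a constructed set of in-memory files in place of a filesystem walk. Card-number candidates are confirmed with a Luhn checksum so that ticket numbers and other digit runs do not produce false PCI findings, and unregulated operational text such as a web server log line still receives a label rather than being ignored.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Detection patterns are assumptions made for this example; a real scanner
# would use the card-number ranges, formats and exclusions its own policy requires.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digit card number, spaces/hyphens allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN in dashed form
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")  # email address
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")    # internal infrastructure detail


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum.

    Used to drop random digit runs (ticket ids, timestamps) that merely
    look like a card number, which keeps PCI findings actionable.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the set of classification labels that apply to a piece of text.

    Labels are this example's own scheme: a regulated label (PCI-DSS, PII)
    when a protected data type is present, and INTERNAL for unregulated but
    still sensitive operational detail such as log lines with addresses.
    """
    labels: set[str] = set()
    for match in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            labels.add("PCI-DSS")
            break
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        labels.add("PII")
    if IPV4_RE.search(text):
        labels.add("INTERNAL")
    return labels


@dataclass
class Finding:
    path: str
    labels: set[str] = field(default_factory=set)
    outside_cde: bool = False   # PCI-labelled data stored outside the CDE


def scan(files: dict[str, str], cde_prefix: str = "/cde/") -> list[Finding]:
    """Classify every file and flag PCI-labelled files living outside the CDE.

    `files` maps a path to its text content (an in-memory stand-in for a
    filesystem walk). `cde_prefix` is the assumed CDE location.
    """
    findings = []
    for path, content in files.items():
        labels = classify(content)
        if not labels:
            continue   # unclassified: nothing to act on
        outside = "PCI-DSS" in labels and not path.startswith(cde_prefix)
        findings.append(Finding(path, labels, outside))
    return findings


# Constructed sample "files"; paths and contents are invented for this example.
SAMPLE_FILES = {
    "/cde/payments/batch-2020-10.csv": "order,pan\n1001,4111 1111 1111 1111\n",
    "/shared/marketing/survey-results.txt": (
        "Q3: Which beauty products have you used in the last six months?\n"
        "Answer: Rogaine. Contact: jane@example.com\n"
    ),
    "/shared/hr/onboarding.txt": "SSN: 123-45-6789, card on file 4111-1111-1111-1111\n",
    "/shared/it/notes.txt": "ticket 1234567890123456 is unrelated to payments\n",
    "/var/log/httpd/access.log": '10.0.0.7 - - [13/Oct/2020] "GET /admin HTTP/1.1" 200 Apache/2.2.x\n',
}


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        flag = "  <-- PCI data outside the CDE: quarantine, then investigate" if f.outside_cde else ""
        print(f"{f.path}: {sorted(f.labels)}{flag}")
```

Running the block prints each classified path with its labels and flags only the HR file, which holds a card number outside /cde/; the IT notes file is skipped because its 16-digit ticket number fails the Luhn check, and the log line is labelled INTERNAL even though nothing in it is regulated. In practice the flagged path would be quarantined before tracing how the data left the CDE, as the paragraph above describes.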
Determining the sensitivity of unregulated data
At first glance, many cases of unregulated data may not appear to be sensitive. However, upon closer attention and additional context, that seemingly unimportant piece of data could actually contain sensitive information and be classified as sensitive, protected data.
For example, take the scenario of an ordinary shopping list. Most of the time, shopping lists contain seemingly harmless information. And while an average 45-year-old balding male probably wouldn’t mind too much if you found out he was purchasing Rogaine, what if that list belongs to a 70-year-old grandmother? Suddenly, the sensitivity of that information increases, and if the 70-year-old grandma is your customer, she probably doesn’t want this information to be shared with others.
We can take that scenario and increase the scale to that of a large organization. Perhaps an organization sends out a customer survey that asks what beauty products or brands customers have used within the past six months. While at first the information may seem harmless, there is likely sensitive information within those survey responses that should be kept private.
Here’s another scenario — take an organization’s typical computer log full of IP addresses, pages accessed, and other mundane information. To most, it looks like a bunch of noise. But to an experienced hacker, this log contains enough information to mount an attack and take control of the organization’s website because they see that the organization’s Apache web server hasn’t been updated in three years. That attack could lead to the theft of personal consumer information, including names, addresses and phone numbers — leading to potentially severe legal consequences or even a class action lawsuit.
Examples of unregulated sensitive data
Organizations today are constantly creating and storing new types of data. Some common types of unregulated data that may contain sensitive information include:
- Intellectual property
- Information not widely distributed or known to the public
- Product, process, program, or service information
- Specifications and requirements
- Strategy documents
- Customer requirements
- Inventions, designs, and formulae
- Source and object code
- Trade secrets
- Supplier lists
- Customer and prospect lists
- Marketing techniques
- Pricing and cost policies
- Financial information
- Internal operations documents
Discovering sensitive data in all its forms everywhere it exists allows an organization to classify it appropriately and mitigate security risks.
Classifying types of sensitive data
Since sensitive data can fall into either the regulated or unregulated categories, the label of “regulated” or “unregulated” is not always the most accurate measure of how to protect and remediate data. That is why it’s important for organizations to determine classification levels for sensitive data.
Classification terms can look unique to each organization, but generally, IT teams will categorize data by these four types:
Once your organization’s classification levels are defined and a process is established for applying those classifications to data based on specific criteria, you are on the right path for strong data lifecycle management.