Understanding What Makes Data Sensitive? Douglas Ribback 19 May, 2017 Classified data is data that has been tagged with information that identifies that data by specific attributes that allow people and technologies to treat it in a specific way. So, what makes data sensitive and how can you determine how sensitive it is and when and how to classify it? Read on to find out. Understanding What Makes Data Sensitive? Sensitive Data is information which, if accessed by an adversary, would create liability. While this statement may seem self-evident, it is worth analyzing its components: Information: Information of any type may become sensitive data. Personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, and other specifically regulated information are examples of common sensitive data. Intellectual property, trade secrets, and company financial records are also sensitive data. While they may not be governed by regulations, the fact that such data is highly valuable classifies it as sensitive, and thus worthy of Adversary: Adversaries are not just the proverbial bad guys wearing masks. They may be trusted insiders engaged in industrial espionage, hackers, or individuals defined by the company as “unauthorized” people, even if they’re innocent employees in good standing. Access: Adversaries use a variety of methods to access sensitive data, but it doesn’t necessarily mean the data is taken; it may simply be viewed. For example, access methods may include social engineering, theft, hacking, or simple Internet searches for old, forgotten data. Adversaries often take advantage of under‐trained, over‐burdened, or well intentioned but not security minded employees. Liability: Liability takes many forms. Regulated data might carry legal fines for mishandling. Proprietary information in the wrong hands can devastate stock value. Breached client information can spawn lawsuits, tarnish your company’s reputation, and reduce goodwill. And mishandling of sensitive information can result in embarrassment for clients and loss of future revenue. The definition of sensitive information continues to evolve as businesses grow, technologies advance, laws are created, and new uses for information are developed. A good rule of thumb is that the more valuable the data is and the bigger the impact it would have on your business if compromised, the more sensitive it probably is. Download the e-Book Read the “Classification for Dummies” e-book here.