What is sensitive data?
Sensitive data is any data that contains sensitive information. This data must be kept safe without being accessible to anyone unless they have explicit authorization to access the data. Moreover, preventing data breaches and protecting sensitive data has become one of the highest priorities in any organization. This need has been further exemplified by increased regulatory scrutiny over data collection, storage, and security in businesses.
The likelihood of a data breach has increased dramatically with the shift towards a remote workforce, leading to an average cost increase of $1.07 million per breach. Coupled with the explosive growth of IoT devices which is predicted to reach 75 billion devices by 2025, the threat surface of systems has further expanded. In this post, we’ll discuss what sensitive data is and how to protect it.
5 Common Examples of Sensitive Data
As stated above, any type of data that contains sensitive information can be categorized as sensitive data. Here are some common data sets that fall under this category.
1. Personal Data
Any data that can be used to identify an individual can be considered personal information. According to the General Data Protection Act (GDPR, Art. 9 (1), Art. 10) implemented by the European Union, personal data can include the following.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Genetic data
- Biometric data
- Health data
- Sex life or sexual orientation
2. Employee Data
All employee data in a business is sensitive. It can include authentication information like usernames, passwords, private/public keys for internal systems, banking information of individual employees used for payments, and personal data of employees such as their names, addresses, and social security numbers.
3. Intellectual Property and Trade Secret Data
Every business entity has proprietary information that is vital for its business processes. For example, vehicle manufacturers have schematics of their next engine design, software development firms have their source code, and chip makers have chip architecture.
4. Operational Data
Any business entity needs data to operate, including sensitive and non-sensitive data. Sensitive operational data can include product specifications, market research, agreements with other vendors, third parties, product inventories, and sales figures. Besides, if a business collects customer information like emails, telephone numbers, addresses, and payment information, they also come under sensitive information that needs to be protected.
5. Financial Data
Any information relating to financial transactions at both organizational and individual levels can be categorized as sensitive data. This data can range from account details, transaction reports, yearly audits, payments to even login information for banking services.
Potential risks of sensitive data
There is no doubt that exposing sensitive data can harm individuals and business entities. As businesses hold many types of sensitive data, there are a lot of risks when handling it. Even unintentional exposure of relatively low sensitivity data can be a gateway to a full system compromise.
Compromised data will not only expose sensitive information but also bring costly endeavors for businesses to contain and resolve. In some cases, businesses will have to pay compensation to the affected individuals when their personal data is exposed. Regulatory bodies can even impose stricter policies and fines that can cripple the effectiveness of a product or service.
Even if the organization can bear the financial burden, the negative impact on the reputation of the brand can never be fully recovered. Even though the business is proactive in disclosing the breach and has taken preventive measures to mitigate the impact, its reputation will still be somewhat tainted in the eyes of the public. Moreover, it will create a good opportunity for competitors to sway the customer base to their products and services.
Issues companies face when dealing with sensitive data
- Effectively identify and locate sensitive data. There can be different teams, departments, and groups within the organization handling different sets of data. Therefore, the larger the organization, the harder it becomes to identify and locate sensitive data. Besides, storing this data from databases to simple file storage becomes complicated when multiple entities require access to the data. The ability to locate this data is vital to comply with requests such as “The right to be forgotten (RTBF)”.
- With shadow IT practices, there will be new resources to implement proper security measures without the knowledge of the IT department. They can easily create exploitable entry points to the system that lead to data breaches.
- 95% of security breaches occur as a result of human error. A simple mistake can lead to a compromise in the system regardless of the complexity of the security architecture or how well informed the employees are.
- Adhering to data compliance and privacy laws will be complex, especially when providing services across different geographical regions.
Creating a data classification policy
Data classification is the process of identifying different types of data within an organization or a system. It allows users to understand what types of data is stored and where it is located. Some categories used in data classification are as follows;
- Public - Data that can be publicly available and does not cause any ill effects. For instance, the company name, addresses, contact details, marketing materials, social media, etc.
- Confidential - Any data vital for the business process, such as product details and inventory information, comes under this category.
- Sensitive - All data that includes sensitive information like trade secrets, financial data, and employee data that can harm the business comes under this category. In most cases, confidential and sensitive classifications are often used interchangeably.
- Personal - Data that can be used to recognize individuals such as social security numbers, date of birth, ethnicity, and nationality.
Classification must be done by creating a data classification policy that specifies how data should be classified. It should include who owns the data, data users, impact of the data, workflows, and how to handle each type of data. Different types of data should be identified and metadata and tags applied for easy identification. This classification should be an ongoing process as new data is constantly added to a system.