The term Sensitive Data is used to define data assets that must be protected from unauthorized access. This data can be stored in either physical or digital form and generally contains personal, financial, or other types of information whose misuse carries ethical or legal consequences.
Whether information is classified as sensitive is decided case by case and is generally defined during data governance policy design or in the context of data regulation compliance. For companies and organizations, sensitive data can refer to private individual information or property rights.
Common Examples of Sensitive Data
- Personally Identifiable Information (PII): Information that, directly or indirectly, might lead to the identification of an individual. Data protection regulations like GDPR generally regulate this information.
- Personal Health Information (PHI): Information derived in the context of healthcare services that might be used to identify individuals.
- Financial Information: Information that might lead to access to financial assets, such as credit card information, bank account data, and other related information.
Sensitive data can also be classified into three different classes:
- Personal Information: Information from individuals such as PII, PHI, or another type of user personal details.
- Business Information: Commercial, accounting data, trade secrets, financial statements or accounts, and financial information.
- Classified Information: Data whose access is restricted for various reasons.
Sensitive data can be the target of malicious attacks or obtained by unauthorized actors due to data breaches.
The Four Levels of Data Sensitivity
- Low data sensitivity: Little or no risk to individuals, organizations, or other entities. It can be accessed by anyone and can be regarded as public data.
- Moderate data sensitivity: Data subject to contractual agreements between two or more parties. It is information that would cause little or no harm if exposed without restrictions.
- High data sensitivity: Confidential, private or personal data. Exposure to this data can lead to criminal liabilities, malicious attacks, or any other type of harmful outcome.
- Restricted data sensitivity: Data generally protected by agreements such as NDAs that can lead to potential commercial or legal risks if leaked.
The level of sensitivity is generally established by regulations and set by security governance entities such as Information Security departments or industry-specific organizations. Protecting sensitive data means applying security measures that restrict unauthorized access while ensuring proper use by authorized parties. Steps that can be applied are:
- Data encryption methods.
- Access control policies such as password management, two-factor authentication, and security tokens.
- Limiting access to data catalogs of sensitive data assets.
- Limiting the number of times information can be transmitted.
- Storing data on secure servers, disconnected storage devices, and physically restricted devices.
These countermeasures must be complemented by awareness training that provides a general understanding of sensitive data and how it must be handled.