A Guide to Types of Sensitive Information
Mastering Data Protection: A Comprehensive Guide to Safeguarding Sensitive Information
When’s the last time you told a secret? Did you tell someone you could trust not to share it with others or did you tell it with someone who lives for gossip? In today’s technology-driven world, sensitive data is the most important secret. Businesses across diverse industries engage in the collection, processing, storage, and exchange of various forms of information pertaining to customers, vendors, and employees. Embedded within this vast array of data lie critical pieces of sensitive information that demand stringent protection against unauthorized access and misuse.
What is Considered Sensitive Information?
Sensitive information encompasses any data that, if compromised, could lead to harm, loss, or unauthorized access. This includes personally identifiable information (PII), financial data, intellectual property, health records, and other confidential information.
Why is Safeguarding Sensitive Information Important?
The importance of safeguarding sensitive information cannot be overstated, particularly in today’s digital age where data breaches are increasingly common and pose significant risks to individuals and organizations alike. Consider the following:
Protection of Personal Privacy
Sensitive information often includes personal details such as names, addresses, social security numbers, and medical records. Safeguarding this information is crucial to protecting individuals’ privacy and preventing identity theft, fraud, or other forms of exploitation. Organizations have a responsibility to ensure that individuals’ personal data is handled securely and used only for legitimate purposes.
Trust and Reputation
A data breach or mishandling of sensitive information can have severe consequences for an organization’s reputation and trustworthiness. Customers, clients, and stakeholders expect organizations to handle their data with care and integrity. Failure to do so can result in loss of trust, customer defection, and damage to the organization’s brand reputation, leading to long-term financial and reputational repercussions.
Legal and Regulatory Compliance
Numerous laws and regulations govern the collection, storage, and use of sensitive information, including the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and various industry-specific regulations. Compliance with these regulations is mandatory and failure to do so can result in severe penalties, fines, legal action, and reputational damage.
Business Transparency and Accountability
Safeguarding sensitive information promotes transparency and accountability within organizations. By implementing robust data protection measures, organizations demonstrate their commitment to ethical business practices and accountability to stakeholders. Transparent data handling practices also enhance trust and confidence among customers, employees, and partners, fostering stronger relationships and long-term sustainability.
How is Sensitive Data Protected?
No matter what your business’s location or industry is, the safeguarding of sensitive information and adherence to multifaceted regulatory demands begin with comprehensive data discovery. This entails mapping, inventorying, and categorizing all sensitive information into a centralized repository.
Here are the steps organizations should take to effectively safeguard all types of sensitive information:
1. Identify and Classify Sensitive Data
The first step is to conduct a thorough inventory of all data assets and classify them based on their sensitivity. This involves identifying personally identifiable information (PII), financial data, intellectual property, health records, and any other confidential information. Classifying data helps prioritize protection measures based on the level of risk associated with each data category.
2. Implement Access Controls
Limit access to sensitive information by implementing strict access controls. This includes role-based access control (RBAC), where access permissions are granted based on an individual’s role or job function within the organization. Additionally, enforce the principle of least privilege, granting users only the minimum level of access required to perform their duties.
3. Secure Storage and Transmission
Ensure that sensitive data is stored and transmitted securely. Utilize secure data storage solutions, such as encrypted databases and secure file storage systems, to protect data at rest. Employ secure communication protocols, such as HTTPS and VPNs, to encrypt data during transmission over networks, preventing interception or eavesdropping by malicious actors.
4. Regularly Update and Patch Systems
Keep software, applications, and systems up to date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by cyber attackers to gain unauthorized access to sensitive information. Regularly patching systems helps mitigate these risks and strengthens the organization’s security posture.
5. Train Employees on Security Best Practices
Educate employees on security awareness and best practices for handling sensitive information. Provide training on recognizing phishing attempts, using strong passwords, securely storing and transmitting data, and reporting security incidents or suspicious activities. A well-informed workforce is essential in maintaining a strong defense against cyber threats.
6. Monitor and Audit Access
Implement monitoring and auditing mechanisms to track access to sensitive data and detect suspicious or unauthorized activities. Monitor user activity logs, access attempts, and data transfers to identify potential security incidents or breaches. Conduct regular security audits and assessments to ensure compliance with security policies and regulations.
7. Establish Incident Response Procedures
Develop and document incident response procedures to effectively respond to security incidents or data breaches. Define roles and responsibilities, establish communication channels, and outline the steps for containing, investigating, and mitigating security incidents. Prepare incident response plans and conduct regular drills or simulations to test the organization’s readiness to handle security incidents effectively.
8. Regularly Review and Update Security Policies
Review and update security policies, procedures, and controls regularly to adapt to evolving threats and regulatory requirements. Ensure that security policies are comprehensive, clearly communicated to employees, and enforced consistently across the organization. Regularly assess and improve security measures based on emerging threats, industry best practices, and lessons learned from security incidents.
Types of Sensitive Information
To explore the different types of sensitive information that various regulations define and monitor, let’s start with the basics of PII and PI, and then explore more specific iterations — particularly those relevant to certain verticals.
Then we will explore how these regulations overlap — and how to protect sensitive information across the enterprise — no matter what your industry or organization.
PII: Personally Identifiable Information
Personally Identifiable Information (PII) is any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information. This data is critical in various sectors for identifying, contacting, or locating an individual and is subject to stringent legal protections due to its sensitive nature.
Protecting PII is crucial to safeguard individuals from identity theft, fraud, and other privacy invasions. Unauthorized access to PII can lead to significant personal and financial harm.
How Has PII Evolved?
The concept of PII has evolved with advancements in technology and changes in societal norms. Initially focused on straightforward identifiers like names and SSNs, the definition of PII has expanded to encompass digital and biometric data as the digital landscape has grown. Regulatory bodies continue to adapt their frameworks to address emerging privacy challenges and technological developments.
Key Characteristics of PII
Direct PII Identifiers
- Full name
- Social Security number (SSN)
- Driver’s license number
- Passport number
- Email address
- Phone number
Indirect PII Identifiers
Information that can be combined with other data to identify an individual. Examples include:
- Date of birth
- Gender
- Zip code
- IP address
- Biometric data (e.g., fingerprints, facial recognition data)
Regulatory Frameworks Governing PII
- General Data Protection Regulation (GDPR): Applicable in the European Union, GDPR is one of the most comprehensive data protection laws. It defines personal data broadly and includes stringent requirements for handling, processing, and storing PII.
- California Consumer Privacy Act (CCPA): This U.S. state law grants California residents rights over their personal information, including the right to know what data is collected, the right to delete data, and the right to opt-out of data selling.
- Health Insurance Portability and Accountability Act (HIPAA): In the U.S., HIPAA regulates the protection of health-related PII, ensuring that medical information is safeguarded.
- Federal Trade Commission (FTC) Guidelines: The FTC enforces consumer protection laws in the U.S., including those related to data privacy and security.
PI: Personal Information
Personal Information (PI) refers to any data that can be used to identify, contact, or locate an individual, either directly or indirectly. This category is broad and encompasses a wide range of information types, which can vary depending on the context and specific legal definitions applicable in different jurisdictions.
Protecting PI is essential to prevent unauthorized access, which can lead to identity theft, financial fraud, and other privacy violations. Ensuring the confidentiality and security of PI helps maintain individual privacy and trust.
How Has PI Data Evolved?
The definition and scope of personal information have evolved significantly with technological advancements and changes in regulatory landscapes. Initially focused on obvious identifiers like names and SSNs, the concept now includes digital footprints, biometric data, and other emerging identifiers. Regulatory bodies continue to adapt their definitions and protections to address new privacy challenges posed by technological innovation.
Key Characteristics of PI
Direct Identifiers
Information that can directly identify an individual without the need for additional data. Examples include:
- Full name
- Social Security number (SSN)
- Driver’s license number
- Passport number
- Email address
- Phone number
Indirect Identifiers
Information that, when combined with other data, can identify an individual. Examples include:
- Date of birth
- Gender
- Zip code
- IP address
- Device identifiers
- Geolocation data
SPI — Sensitive Personal Information
Sensitive Personal Information (SPI) under the upcoming California Privacy Rights Act (CPRA) is a new defined term covering data that is related to but does not directly identify an individual —and may cause harm if it’s made public. SPI includes personal information that reveals:
- a consumer’s social security, driver’s license, state identification card, or passport number
- account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code,
- password, or credentials allowing access to an account
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email, and text messages — unless the business is the intended recipient of the communication
- genetic data, including
- the processing of biometric information for the purpose of uniquely identifying a consumer;
- personal information collected and analyzed concerning a consumer’s health; or
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation
NPI — Nonpublic Personal Information
Nonpublic Personal Information, or NPI, is a type of sensitive information created and defined by the Gramm-Leach Bliley Act (GLBA), which specifically regulates financial services institutions.
NPI does not include publicly available information, and is defined as “personally identifiable financial information that is:
- provided by a consumer to a financial institution
- resulting from a transaction or service performed for the consumer, or
- otherwise obtained by the financial institution.”
NPI may include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, or any other consumer financial information that:
- a consumer provides to a financial institution
- results from a transaction or service performed for the consumer
- is otherwise obtained by the financial institutions
- NPI does not include information that has been made publicly available or widely distributed in the media or public government records
Relevant regulations for Nonpublic Personal Information include: GLBA, NYDSF / NYCRR 500
MNPI — Material Nonpublic Information
Material Nonpublic Information, or MNPI, is data relating to a company, its holdings, and its subsidiaries, that has not been publicly disseminated or made available to investors in general — and that could impact the company’s share price.
The regulation aims to monitor and prevent illegal types of insider trading by preventing those who hold MNPI from using it to their advantage in the trading of stock or other securities — or sharing it with others who may use it to their advantage. When trading involves the use of MNPI at all, it is considered illegal — regardless of whether or not the person who acts on it is an employee of the company.
The use or knowledge of MNPI determines in part the lawfulness of insider trading. So, while not all insider trading is illegal — as when employees buy or sell shares of their company and adhere to registration and filing requirements from regulating body, the Securities and Exchange Commission (SEC) — any trading that involves MPNI is illegal.
The “material” part of MNPI requires that the information be significant enough to influence the value of the company’s stock. If the information would not reasonably affect the stock price, it is not considered MNPI.
Types of MNPI include — but are not limited to:
- corporate information that comes from either the company affected — or outside regulatory agencies, lawmakers, or financial institutions
- earning reports and other financial records
- upcoming corporate actions or plans, such as initial public offerings (IPO), acquisitions, or stock splits
- outcomes of legal proceedings
- rulings by agencies like the FDA
Relevant regulations for MNPI include the Securities and Exchange Commission’s Securities Act and Exchange Act — Regulation FD (Fair Disclosure)
Private Information
Private Information is the set of sensitive data regulated by the New York’s Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act.
NY SHIELD applies to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York — also referred to as “covered businesses.”
Private information expands upon “personal information,” which was the type of data originally regulated by New York data breach law before SHIELD came on the scene. New York law defined personal information as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
To define private information, the SHIELD Act broadened that definition to include “personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of information not encrypted — or is encrypted with an encryption key that has also been accessed or acquired.”
Those covered data elements are:
- social security number
- driver’s license number or non-driver ID card number
- biometric information — or digital representation of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical measurement that could authenticate an individual’s identity
- account number or credit/debit card number, either in combination with any required security code, access code, or password that would permit access — or without such additional identifying information
Private information does not include publicly available data that is legally available from government records at the federal, state, or local level.
The most important takeaway is that private information incorporates a combination of different types of personal data, like a username or email with a security question or passcode.
PHI / ePHI — Protected Health Information / Electronically Protected Health Information
Protected Health Information, or PHI, is a type of sensitive information regulated by the Health Insurance Portability and Accountability Act (HIPAA) — a US regulation for healthcare providers, health plans and insurers, healthcare clearinghouses, or businesses associated with health care organizations — also collectively called “HIPAA-covered entities” or just “covered entities.”
PHI is any medical information that can identify an individual — or that is created, used, or disclosed in the process of providing health care services. This includes past, current, and future information about individuals’ medical or physical/mental health-related conditions — as contained in physical records, electronic records, and even conversations that take place among patients and clinicians.
Health records, health histories, healthcare services rendered, lab or test results, prescriptions, appointments, patient forms, medical bills, and provider or patient communication records all fall under PHI. Any information at all is considered PHI if it can be related to an individual, even if it would be considered PI under a different regulation (e.g., names, social security numbers, birth dates).
PHI includes 18 identifiers — any one of which is considered PHI if handled by a covered entity:
- names
- dates
- phone numbers
- geographic data
- FAX numbers
- social security numbers
- email addresses
- medical record numbers
- account numbers
- health plan beneficiary numbers
- certificate/license numbers
- vehicle identifiers and serial numbers, including license plates
- web URLs
- device identifiers and serial numbers
- internet protocol addresses
- full-face photos and comparable images
- biometric identifiers
- any unique identifying number or code
PHI in digital files is called electronically Protected Health Information — or ePHI. The HIPAA Security Rule requires covered entities to ensure the sanctity and integrity of PHI with administrative, technical, and physical safeguards.
Regulated, Business, Confidential, and High-Risk Data
Taking a broader view of sensitive data that organizations might possess, companies must consider how they treat regulated data, business data, confidential data, and high-risk data – the crown jewels of an organization.
These categories may include information like intellectual property (IP) – including trade secrets, patents, copyrights, and trademarks. It can include financial or health data that is highly sensitive, personal information that must be kept confidential, and dark data that may lurk in silos, shadow servers, or data streams — and that pose heightened security risk if exposed.
It could be business-specific sensitive data that’s critical to the business, but not traditionally labeled as sensitive or regulated. Or transactional data that’s critical for Anti Money Laundering (AML), customer IDs, and more.
Such types of sensitive data will often overlap PI, PII, SPI, NPI, PHI, and other data definitions — but may need to be classified, mapped, and cataloged according to specific access permissions or reporting requirements, or custom tagged for specific business needs.
Businesses that are empowered with the ability to classify and correlate data not only by regulation — but according to risk categories, confidentiality principles, and other elements that are relevant to how the business runs — can better contextualize, understand, and take action on their data. This visibility allows companies to:
- enable risk scoring
- ensure proper access controls
- operationalize data minimization efforts and retention workflows
- establish data quality standards, and more.
From a business standpoint, enabling full visibility into your data will significantly reduce risk, strengthen safeguards from unauthorized access, lead to meaningful business insight, and ultimately help unleash the value of your data.
What is Sensitive Compartmented Information?
Sensitive Compartmented Information (SCI) is a type of classified information used by the United States government and certain other countries’ intelligence agencies. SCI refers to information that is highly sensitive and requires special handling and protection to prevent unauthorized disclosure.
SCI information is classified at a higher level than Top Secret information, and it is divided into compartments based on the level of sensitivity and the need-to-know basis of the individuals who are authorized to access the information. Each compartment is designated by a codeword that indicates the level of sensitivity and the type of information contained within the compartment.
Access to SCI information is strictly controlled and limited to individuals with the appropriate clearance level and need-to-know basis. Those who are authorized to access SCI information are required to undergo extensive background checks, security clearances, and regular training to ensure the safe handling and protection of sensitive information.
Examples of SCI information include intelligence reports, military plans, and other classified information related to national security or foreign relations
Regulatory Exceptions by Vertical and Location
Depending on an organization’s industry, it may be responsible for complying with multiple regulations — and tracking which of its sensitive data is regulated by which set of rules, and which is subject to multiples sets of rules. Establishing this “Venn diagram” for responsible regulatory practices requires sophisticated data classification functionality.
For example, a mortgage lending company that is subject to both GLBA and CCPA (or the upcoming CPRA) will always need to carefully track its NPI for GLBA compliance and reporting (as well as other regulations geared toward finance) — but will find that its NPI is exempt from CCPA’s requirements. At the same time, data that the mortgage lending company collects, processes, and stores that is not considered NPI may still fall under the CCPA’s requirements for sensitive PI.
On the other hand, a health services company that operates in France, Brazil, and multiple US states including New York and California, will need to determine and categorize which of their data is subject to PHI under HIPAA, PI under GDPR, LGPD, NY SHIELD, and CCPA — and soon, SPI under CPRA — and process it accordingly to meet the various reporting standards required by each. Complicating matters further, companies that operate internationally must also take cross-border transfer requirements into account.
The complications posed by multiple regulations can result in a virtual quagmire for data governance, security, and privacy programs — if the company’s data is not properly mapped, tagged, cataloged, and cleaned up.
Is There Sensitive Data That’s More Vulnerable Than Others?
- Personal Identifying Information (PII): PII is often targeted by cybercriminals because it can be used to commit identity theft, financial fraud, or other forms of malicious activity. In particular, Social Security numbers and credit card numbers are highly sought after by hackers.
- Health Information: Health information is considered sensitive because it can be used to identify and target individuals with specific medical conditions, and can also be used for insurance fraud or other types of financial scams.
- Financial Information: Financial information is a prime target for cybercriminals because it can be used to steal money, open credit accounts, or make fraudulent purchases. Bank account details, credit card numbers, and tax information are all highly valuable to hackers.
- Intellectual Property: Intellectual property such as trade secrets, proprietary software code, and patents are often targeted by corporate espionage or cybercriminals looking to steal valuable information for financial gain.
- Biometric Information: Biometric information such as fingerprints, facial recognition data, and iris scans are considered highly sensitive because they cannot be changed like a password or a credit card number. Once this information is compromised, it can be used for identity theft or other malicious activities.
Sensitive Data Loss – What’s at Stake?
The risk of sensitive data loss is significant and can have serious consequences for both individuals and organizations. Here are some of the potential risks of sensitive data loss:
- Identity theft: Sensitive data such as personal and financial information can be used to steal an individual’s identity, allowing hackers to access bank accounts, open credit accounts, and make fraudulent purchases.
- Reputation damage: If an organization or individual’s sensitive data is lost, it can damage their reputation, leading to a loss of trust among customers, clients, or partners.
- Legal and regulatory consequences: Depending on the type of data lost, organizations and individuals may be subject to legal or regulatory action, fines, or other penalties for not adequately protecting sensitive information.
- Financial losses: Sensitive data loss can result in financial losses for individuals and organizations, including direct costs associated with remediation efforts, legal fees, and damage to intellectual property.
- National security risks: Sensitive data loss can also pose national security risks if the information that is lost is related to government or military operations.
BigID for All Types of Sensitive Data
No matter where your business operates or what industry you’re in, fulfilling a complex array of regulatory requirements starts with deep data discovery that maps, inventories, and categorizes all your sensitive information, all in one place.
BigID’s data discovery & classification goes beyond traditional discovery techniques, which only see one type of data, and targeted data discovery, which only finds data you already know about. Using advanced machine learning, you can protect all of your organization’s PII, PI, SPI, NPI, PHI, and more; know what data is subject to which regulation; maintain accurate reporting standards; and achieve compliance across regulations.
Here are just some ways BigID’s unmatched data intelligence platform can help:
- classify all your sensitive data — of all types — to know its purpose of use, quality, risk impacts, and more
- automatically catalog sensitive data and metadata in structured, unstructured, cloud, Big Data, NoSQL, data lake sources, and everywhere in between
- find, flag, and tag related data
- automatically identify duplicate, derivative, and similar data
Schedule a demo to learn more about what sensitive information your organization needs to protect — and how to get the most out of your data.