Organizations of all sizes and verticals collect, process, store, and share all kinds of customer, vendor, and employee data — and that data often contains sensitive information that must be safeguarded from unauthorized access.
What is considered sensitive information?
PI: Personal Information
Personal Information, or PI, may include personally identifiable information (PII), but is a broader category. In other words, all PII is considered PI, but not all PI is PII.
PI is broadly defined as: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
PI, therefore, can include data that is obviously associated with an identity — like a name or a date of birth, which is often also PII — or be interpreted in an extremely broad legal manner. PI can, and often does, include:
- IP addresses
- employee record information
- location information
- racial or ethnic origin
- political affiliations or opinions
- religious or philosophical beliefs
- trade union membership
- sexual orientation
- criminal record
- health or genetic information
- some biometric information
SPI — Sensitive Personal Information
Sensitive Personal Information (SPI) under the upcoming California Privacy Rights Act (CPRA) is a new defined term covering data that is related to but does not directly identify an individual — and may cause harm if it’s made public. SPI includes personal information that reveals:
- a consumer’s social security, driver’s license, state identification card, or passport number
- account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code, password, or credentials allowing access to an account
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mail, email, and text messages — unless the business is the intended recipient of the communication
- genetic data
- the processing of biometric information for the purpose of uniquely identifying a consumer
- personal information collected and analyzed concerning a consumer’s health
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation
NPI — Nonpublic Personal Information
Nonpublic Personal Information, or NPI, is a type of sensitive information created and defined by the Gramm-Leach-Bliley Act (GLBA), which specifically regulates financial services institutions.
NPI does not include publicly available information, and is defined as “personally identifiable financial information that is:
- provided by a consumer to a financial institution
- resulting from a transaction or service performed for the consumer, or
- otherwise obtained by the financial institution.”
NPI may include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, or any other consumer financial information that:
- a consumer provides to a financial institution
- results from a transaction or service performed for the consumer
- is otherwise obtained by the financial institution
NPI does not include information that has been made publicly available or widely distributed in the media or public government records.
MNPI — Material Nonpublic Information
Material Nonpublic Information, or MNPI, is data relating to a company, its holdings, and its subsidiaries, that has not been publicly disseminated or made available to investors in general — and that could impact the company’s share price.
Securities regulation aims to monitor and prevent illegal insider trading by preventing those who hold MNPI from using it to their advantage in the trading of stock or other securities — or sharing it with others who may use it to their advantage. Any trading that involves the use of MNPI is considered illegal — regardless of whether or not the person who acts on it is an employee of the company.
The use or knowledge of MNPI determines in part the lawfulness of insider trading. So, while not all insider trading is illegal — as when employees buy or sell shares of their company and adhere to the registration and filing requirements of the regulating body, the Securities and Exchange Commission (SEC) — any trading that involves MNPI is illegal.
The “material” part of MNPI requires that the information be significant enough to influence the value of the company’s stock. If the information would not reasonably affect the stock price, it is not considered MNPI.
Types of MNPI include — but are not limited to:
- corporate information that comes from either the company affected — or outside regulatory agencies, lawmakers, or financial institutions
- earnings reports and other financial records
- upcoming corporate actions or plans, such as initial public offerings (IPO), acquisitions, or stock splits
- outcomes of legal proceedings
- rulings by agencies like the FDA
Relevant regulations for MNPI include the Securities and Exchange Commission’s Securities Act and Exchange Act — Regulation FD (Fair Disclosure).
Private Information
Private Information is the set of sensitive data regulated by New York’s Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act.
NY SHIELD applies to “any person or business which owns or licenses computerized data which includes private information” of a resident of New York — also referred to as “covered businesses.”
Private information expands upon “personal information,” which was the type of data originally regulated by New York data breach law before SHIELD came on the scene. New York law defined personal information as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.”
To define private information, the SHIELD Act broadened that definition to include “personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of information is not encrypted — or is encrypted with an encryption key that has also been accessed or acquired.”
Those covered data elements are:
- social security number
- driver’s license number or non-driver ID card number
- biometric information — or digital representation of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical measurement that could authenticate an individual’s identity
- account number or credit/debit card number, either in combination with any required security code, access code, or password that would permit access — or without such additional identifying information
Private information does not include publicly available data that is legally available from government records at the federal, state, or local level.
The most important takeaway is that private information incorporates a combination of different types of personal data, like a username or email with a security question or passcode.
PHI / ePHI — Protected Health Information / Electronically Protected Health Information
Protected Health Information, or PHI, is a type of sensitive information regulated by the Health Insurance Portability and Accountability Act (HIPAA) — a US regulation for healthcare providers, health plans and insurers, healthcare clearinghouses, or businesses associated with health care organizations — also collectively called “HIPAA-covered entities” or just “covered entities.”
PHI is any medical information that can identify an individual — or that is created, used, or disclosed in the process of providing health care services. This includes past, current, and future information about individuals’ medical or physical/mental health-related conditions — as contained in physical records, electronic records, and even conversations that take place among patients and clinicians.
Health records, health histories, healthcare services rendered, lab or test results, prescriptions, appointments, patient forms, medical bills, and provider or patient communication records all fall under PHI. Any information at all is considered PHI if it can be related to an individual, even if it would be considered PI under a different regulation (e.g., names, social security numbers, birth dates).
PHI includes 18 identifiers — any one of which is considered PHI if handled by a covered entity:
- names
- all elements of dates (except year) directly related to an individual
- phone numbers
- geographic data
- FAX numbers
- social security numbers
- email addresses
- medical record numbers
- account numbers
- health plan beneficiary numbers
- certificate/license numbers
- vehicle identifiers and serial numbers, including license plates
- web URLs
- device identifiers and serial numbers
- internet protocol addresses
- full-face photos and comparable images
- biometric identifiers
- any other unique identifying number, characteristic, or code
PHI in digital files is called electronically Protected Health Information — or ePHI. The HIPAA Security Rule requires covered entities to ensure the confidentiality and integrity of ePHI with administrative, technical, and physical safeguards.
Regulated, business, confidential, and high-risk data
Taking a broader view of sensitive data that organizations might possess, companies must consider how they treat regulated data, business data, confidential data, and high-risk data – the crown jewels of an organization.
These categories may include information like intellectual property (IP) – including trade secrets, patents, copyrights, and trademarks. They can include financial or health data that is highly sensitive, personal information that must be kept confidential, and dark data that may lurk in silos, shadow servers, or data streams — and that poses heightened security risk if exposed.
They could also cover business-specific sensitive data that’s critical to the business but not traditionally labeled as sensitive or regulated, or transactional data that’s critical for Anti-Money Laundering (AML) compliance, customer IDs, and more.
Such types of sensitive data will often overlap PI, PII, SPI, NPI, PHI, and other data definitions — but may need to be classified, mapped, and cataloged according to specific access permissions or reporting requirements, or custom tagged for specific business needs.
Businesses that are empowered with the ability to classify and correlate data not only by regulation — but according to risk categories, confidentiality principles, and other elements that are relevant to how the business runs — can better contextualize, understand, and take action on their data. This visibility allows companies to:
- enable risk scoring
- ensure proper access controls
- operationalize data minimization efforts and retention workflows
- establish data quality standards, and more.
From a business standpoint, enabling full visibility into your data will significantly reduce risk, strengthen safeguards from unauthorized access, lead to meaningful business insight, and ultimately help unleash the value of your data.
What is sensitive compartmented information?
Sensitive Compartmented Information (SCI) is a type of classified information used by the United States government and certain other countries’ intelligence agencies. SCI refers to information that is highly sensitive and requires special handling and protection to prevent unauthorized disclosure.
SCI information is classified at a higher level than Top Secret information, and it is divided into compartments based on the level of sensitivity and the need-to-know basis of the individuals who are authorized to access the information. Each compartment is designated by a codeword that indicates the level of sensitivity and the type of information contained within the compartment.
Access to SCI information is strictly controlled and limited to individuals with the appropriate clearance level and need-to-know basis. Those who are authorized to access SCI information are required to undergo extensive background checks, security clearances, and regular training to ensure the safe handling and protection of sensitive information.
Examples of SCI information include intelligence reports, military plans, and other classified information related to national security or foreign relations.
Regulatory exceptions by vertical and location
Depending on an organization’s industry, it may be responsible for complying with multiple regulations — and tracking which of its sensitive data is regulated by which set of rules, and which is subject to multiple sets of rules. Establishing this “Venn diagram” for responsible regulatory practices requires sophisticated data classification functionality.
For example, a mortgage lending company that is subject to both GLBA and CCPA (or the upcoming CPRA) will always need to carefully track its NPI for GLBA compliance and reporting (as well as other regulations geared toward finance) — but will find that its NPI is exempt from CCPA’s requirements. At the same time, data that the mortgage lending company collects, processes, and stores that is not considered NPI may still fall under the CCPA’s requirements for sensitive PI.
On the other hand, a health services company that operates in France, Brazil, and multiple US states including New York and California will need to determine and categorize which of its data is subject to PHI under HIPAA, PI under GDPR, LGPD, NY SHIELD, and CCPA — and soon, SPI under CPRA — and process it accordingly to meet the various reporting standards required by each. Complicating matters further, companies that operate internationally must also take cross-border transfer requirements into account.
The complications posed by multiple regulations can result in a virtual quagmire for data governance, security, and privacy programs — if the company’s data is not properly mapped, tagged, cataloged, and cleaned up.
Is there sensitive data that’s more vulnerable than others?
- Personally Identifiable Information (PII): PII is often targeted by cybercriminals because it can be used to commit identity theft, financial fraud, or other forms of malicious activity. In particular, Social Security numbers and credit card numbers are highly sought after by hackers.
- Health Information: Health information is considered sensitive because it can be used to identify and target individuals with specific medical conditions, and can also be used for insurance fraud or other types of financial scams.
- Financial Information: Financial information is a prime target for cybercriminals because it can be used to steal money, open credit accounts, or make fraudulent purchases. Bank account details, credit card numbers, and tax information are all highly valuable to hackers.
- Intellectual Property: Intellectual property such as trade secrets, proprietary software code, and patents is often targeted by corporate espionage or cybercriminals looking to steal valuable information for financial gain.
- Biometric Information: Biometric information such as fingerprints, facial recognition data, and iris scans is considered highly sensitive because it cannot be changed like a password or a credit card number. Once this information is compromised, it can be used for identity theft or other malicious activities.
Sensitive data loss – what’s at stake?
The risk of sensitive data loss is significant and can have serious consequences for both individuals and organizations. Here are some of the potential risks of sensitive data loss:
- Identity theft: Sensitive data such as personal and financial information can be used to steal an individual’s identity, allowing hackers to access bank accounts, open credit accounts, and make fraudulent purchases.
- Reputation damage: If an organization or individual’s sensitive data is lost, it can damage their reputation, leading to a loss of trust among customers, clients, or partners.
- Legal and regulatory consequences: Depending on the type of data lost, organizations and individuals may be subject to legal or regulatory action, fines, or other penalties for not adequately protecting sensitive information.
- Financial losses: Sensitive data loss can result in financial losses for individuals and organizations, including direct costs associated with remediation efforts, legal fees, and damage to intellectual property.
- National security risks: Sensitive data loss can also pose national security risks if the information that is lost is related to government or military operations.
BigID for All Types of Sensitive Data
No matter where your business operates or what industry you’re in, fulfilling a complex array of regulatory requirements starts with deep data discovery that maps, inventories, and categorizes all your sensitive information, all in one place.
BigID’s data discovery & classification goes beyond traditional discovery techniques, which only see one type of data, and targeted data discovery, which only finds data you already know about. Using advanced machine learning, you can protect all of your organization’s PII, PI, SPI, NPI, PHI, and more; know what data is subject to which regulation; maintain accurate reporting standards; and achieve compliance across regulations.
Here are just some ways BigID’s unmatched data intelligence platform can help:
- classify all your sensitive data — of all types — to know its purpose of use, quality, risk impacts, and more
- automatically catalog sensitive data and metadata in structured, unstructured, cloud, Big Data, NoSQL, data lake sources, and everywhere in between
- find, flag, and tag related data
- automatically identify duplicate, derivative, and similar data
Schedule a demo to learn more about what sensitive information your organization needs to protect — and how to get the most out of your data.