Sensitive data is information that should remain confidential because of the risk associated with its unauthorized access or dissemination. Its breach or unwarranted exposure typically results in financial, emotional, and reputation damage to the affected entity (individual, organization, government agency, or even nation-state).
Sensitive data and the privacy it endangers have become top of mind for organizations due to the increased digital footprint from the explosion of numerous digital endpoints, transactions, and cloud computing platforms. As a result, it has heightened the risk or negative impact of sensitive data exposure.
Hence, the massive volume of data generated by corporate networks means companies need to be more rigorous in understanding what constitutes sensitive data and what doesn’t.
The Difference Between Sensitive Data and Personal Data
Sensitive data exists at both the individual and corporate level. When it comes to personal data, it is focused on individual attributes that distinguish one person from another.
In general, sensitive data tends to include personally identifiable information (PII) but not all personal data. This is because not all personal information is confidential, as there is no risk associated with its exposure. For instance, publicly available information like a person’s name is insufficient on its own for criminals to perpetrate identity theft fraud.
Sensitive and non-sensitive PII
Understanding the difference between sensitive and non-sensitive PII is a convenient way to recognize sensitive data. As a rule of thumb, non-sensitive PII is information you can discover about someone from public sources.
Examples of non-sensitive PII typically include an individual’s full name, birthday, email address, mailing address, work history, and business contact information, such as their work phone number.
However, the low risk associated with non-sensitive PII doesn’t mean organizations should use it without discretion. Someone can string together several pieces of non-sensitive PII to unmask an anonymized individual and infer their identity. This is prohibited in scientific surveys and research methods, which are meant to use anonymized information given by respondents.
Examples of Sensitive Data
A useful test for sensitive data is to ask whether it includes information that can be used to build a profile of an individual’s finances or health. The former includes sensitive PII like the following:
- Social security numbers
- Credit cards
- Bank account information
- Tax filings
Personal health and healthcare information
An individual’s health information is highly personal, and its unauthorized release jeopardizes that individual’s privacy. That is why it is afforded one of the highest levels of privacy protection.
It includes patient and healthcare information, especially those contained in electronic health records (EHR), in the form of digital files like the following:
- Medical and lab test results
- X-ray scans
- Fingerprints
- Biometric profiles
- DNA samples
- Database records
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States to establish how personal health information (PHI) must be handled and protected. HIPAA protects sensitive data related to an individual’s health status, including their condition, treatments, care received, and health insurance.
Trade Secrets
Trade secrets are sensitive data vital to an organization's operations that confer a competitive advantage on its business activities. Trade secrets typically include the following:
- Architectural drawings and ornamental designs
- Engineering methods, manufacturing processes, and technical know-how
- Algorithms (computer source code), formulas, ingredients, recipes
- Business budgets and financial plans
- Unpublished patent applications
- Institutional knowledge, patterns, and internal devices
Customer information and credential data
Apart from trade secrets, another category of sensitive data organizations store is customer data. This type of sensitive data reveals information about a customer or client that ought to remain confidential. In addition to PHI and sensitive PII, customers’ web browsing habits, location data, and personal phone numbers fall under this category.
It also includes authentication credentials such as username/password combinations, PINs, keycards, and biometric data that can be used to access privileged resources.
Some extend the definition of sensitive data to include personal information like sexual orientation, religious or philosophical beliefs, political opinions, and racial or ethnic origin. However, these are no longer high-risk factors in most modern societies. They are sensitive in the sense that you can’t use them to discriminate against someone in employment, education, housing, and so on.
How Do You Determine the Sensitivity of Data?
Sensitive data is determined by the level of risk associated with its malicious or unintended breach, data leakage, or unauthorized dissemination. The higher the risk or fallout in terms of potential fraud, national security compromise, damaged reputations, and even public embarrassment, the higher the sensitivity of the data.
Consequently, organizations tend to classify data according to its degree of sensitivity. That way, they can prioritize security controls according to each data category's risk. Moreover, this classification serves as an easily discernible nomenclature, or shorthand, for data sensitivity.
- Sensitive: Sensitive data is accorded the highest protection because it could cause the most damage to the organization and the individuals involved if compromised. This typically includes trade secrets, PHI, and sensitive PII such as credit card numbers.
- Restricted: This is often the highest classification in government agencies, signaling government-classified data of significant importance.
- Confidential: Closely related to sensitive data, confidential data doesn’t typically include sensitive PII and is of moderate risk to an organization.
- Internal: This is internal corporate data not meant for public consumption, with low security requirements. It often deals with corporate processes, sales playbooks, and communications to employees and contractors.
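To make the tiering above concrete, here is a small classification scanner, added as an illustration and not part of the original article or of any Fortra product. It assigns a record the page's Sensitive, Confidential, or Internal tier (Restricted is left out because the page describes it as a government classification), flagging sensitive PII by field name and by content pattern (an SSN layout and Luhn-checked payment-card numbers, so random digit runs are not flagged), and escalating records that combine several pieces of non-sensitive PII, the re-identification risk described earlier. The field names, regexes, quasi-identifier threshold, and sample records are all constructed assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed heuristic: a U.S. SSN in the conventional nnn-nn-nnnn layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Constructed heuristic: a candidate payment-card number, 13-19 digits with
# optional single spaces or dashes between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed field-name policy for this example: names an organization might
# declare as sensitive PII / PHI / credentials, and the quasi-identifiers the
# article lists as non-sensitive on their own.
SENSITIVE_FIELDS = {"ssn", "bank_account", "tax_id", "password", "pin",
                    "diagnosis", "lab_result"}
QUASI_IDENTIFIERS = {"full_name", "birthday", "email", "mailing_address",
                     "work_phone"}
# Assumed threshold: this many combined quasi-identifiers raises
# re-identification risk enough to treat the record as Confidential.
QUASI_THRESHOLD = 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Classification:
    tier: str            # "Sensitive", "Confidential", or "Internal"
    reasons: list[str]   # why the tier was assigned, for audit/review


def classify_record(record: dict[str, str]) -> Classification:
    reasons: list[str] = []

    # 1. Field names the organization has declared sensitive.
    for key in record:
        if key.lower() in SENSITIVE_FIELDS:
            reasons.append(f"sensitive field: {key}")

    # 2. Content patterns, regardless of which field they appear in.
    for key, value in record.items():
        text = str(value)
        if SSN_RE.search(text):
            reasons.append(f"SSN pattern in {key}")
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                reasons.append(f"Luhn-valid card number in {key}")

    if reasons:
        return Classification("Sensitive", reasons)

    # 3. No sensitive PII, but several quasi-identifiers combined can still
    #    identify a person, so the record is not merely Internal.
    quasi = sorted(k for k in record if k.lower() in QUASI_IDENTIFIERS)
    if len(quasi) >= QUASI_THRESHOLD:
        return Classification(
            "Confidential",
            [f"{len(quasi)} quasi-identifiers combined: {', '.join(quasi)}"])

    return Classification("Internal", ["no sensitive or combined identifying fields"])


# Constructed sample records; the card number is the well-known Luhn-valid
# test value and the SSN is a made-up placeholder, not real data.
SAMPLE_RECORDS = {
    "r1": {"full_name": "Ann Example", "ssn": "123-45-6789"},
    "r2": {"notes": "card 4111 1111 1111 1111 kept on file"},
    "r3": {"full_name": "Bo Example", "birthday": "1990-01-01",
           "mailing_address": "1 Sample St"},
    "r4": {"full_name": "Cy Example", "email": "cy@example.invalid",
           "notes": "ticket ref 1234 5678 9012 3456"},
}


def scan_records(records: dict[str, dict[str, str]]) -> dict[str, str]:
    """Map record id -> tier, the shorthand an organization would label with."""
    return {rid: classify_record(rec).tier for rid, rec in records.items()}


if __name__ == "__main__":
    for rid, rec in SAMPLE_RECORDS.items():
        c = classify_record(rec)
        print(f"{rid}: {c.tier:12s} {'; '.join(c.reasons)}")
```

Record r4 stays Internal even though it contains a 16-digit number, because the Luhn check fails; r3 contains nothing the page calls sensitive PII, yet three combined quasi-identifiers push it to Confidential, which is the point made earlier about stringing non-sensitive PII together.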
The Risks and Negative Impacts of Sensitive Data Exposure for Organizations
Sensitive data is like a honeycomb that attracts a rogue’s gallery of criminal activity. As a result, the deleterious effects of sensitive data exposure reverberate through financial, reputational, and compliance fallout for an organization.
Financial
According to research by IBM, the average cost of a data breach to an organization in 2023 is $4.45 million.
Organizations that are victims of a data breach take financial hits by paying compensation to customers and legal fees, on top of other costs such as investigating the breach and standing up incident response efforts.
Reputational
Unfortunately, identity theft remains lucrative, with credit card and financial information being sold to eager buyers on the Dark Web. Moreover, customers and the general public aren’t happy when their financial information and privacy are violated.
This results in a negative public perception of the affected organization. The public becomes convinced that the organization is lax with security and data loss prevention methods. This reputational harm could dissuade customers and contractors from engaging with the company because they fear compromising their sensitive data.
Compliance
Sensitive data breaches can be a result of non-compliance with data privacy laws such as the GDPR, CCPA, and HIPAA. These violations often result in stiff fines and penalties for the offending company.
How Fortra Can Help Protect Your Sensitive Data
Organizations need to be well-prepared in this age of sophisticated hacking, advanced persistent threats, and corporate espionage aimed at stealing trade secrets.
Fortra has both the technology and the know-how to prevent data loss, whether through accidental data exposure or malicious data breaches. You can lock down sensitive files both at rest and in transit. Fortra's data classification solutions go beyond basic labeling to enhance your data-centric security as well.