Guide to External Collaboration

What is Sensitive Data?

June 28, 2024

Sensitive data and files are information that organizations prefer to keep confidential due to the potential harm their unauthorized disclosure could cause. These can range from personal identification details to proprietary business information. The focus on personal privacy regulations like the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) has expanded the definition to encompass a wide array of information. Sensitive data goes beyond personal data, including any documents or files that either party in an external collaboration would prefer to keep private.

How do regulators define "sensitive data"?

Different regulatory bodies have specific definitions for various types of sensitive data:

Personally Identifiable Information (PII):

  • GDPR (EU): Information relating to an identifiable person, directly or indirectly.
  • NIST (USA): Information that can trace an individual's identity, such as a name or biometric records.

Protected Health Information (PHI):

  • HIPAA (USA): Health information that can identify an individual.

Financial Information:

  • GLBA (USA): Non-public personal information related to financial transactions.

Intellectual Property (IP):

  • WIPO: Creations of the mind, such as inventions and literary works.

Corporate Information:

  • OECD: Data on a company's operations, strategies, and confidential matters.

Customer Information:

  • CCPA (USA): Information linked to a particular consumer or household.

Legal Information:

  • ABA: Documents protected under attorney-client privilege.

Operational Data:

  • ISO 9001: Information for planning and controlling quality management systems.

Trade Secrets:

  • WIPO: Confidential business information that provides a competitive edge.

Proprietary Business Information:

  • OECD: Information owned by a business that provides a competitive advantage.

Sensitive Security Information (SSI):

  • DHS (USA): Information related to security measures and protocols.

Where does this sensitive data show up?

Understanding where sensitive data resides within your organization is crucial for effective data protection. There are a variety of frameworks or mental models we can use to think about sensitive data. Here are a couple.

Simple categorizations

One of the most basic ways is to think about sensitive data in three big buckets:

What categories of sensitive data exist in your organization

  • Data about people - All information relating to individuals (what the GDPR calls natural persons), both employees and customers.
  • Data about things (i.e., your products or services) - Information relating to the products or services the organization offers.
  • Data about your organization - Information that pertains to the organization's internal operations.

Data classification schemes

The ISO 27001 classification scheme provides a useful framework for thinking about data. Data can be classified as public, internal-use only, customer-confidential, or company-confidential. We classify all those various types of sensitive data (as defined by regulators) into the

Public

Information that is intended for public consumption. This category includes data that can be freely shared without any risk to the organization or individuals. No sensitive files should exist here.

Internal-Use Only

Information intended for internal use within the organization. This category includes data that is not for public dissemination but does not pose a significant risk if disclosed within the company.

  • PII: Employee HR files.
  • PHI: Employee health records.
  • Financial Information: Internal financial reports.
  • IP: Confidential R&D information.
  • Corporate Information: Strategic plans.
  • Legal Information: NDAs, legal documents.
  • Operational Data: Strategy documents.
  • Trade Secrets: Proprietary formulas.
  • Proprietary Business Information: Marketing strategies.
  • Sensitive Security Information (SSI): Security plans.

Customer Confidential

Sensitive information related to customers that must be protected to maintain confidentiality and trust. Unauthorized disclosure of this information could harm customer relationships and violate privacy regulations. It's worth pointing out that certain typied

  • PII: Customer service agreements.
  • PHI: Health information shared with services.
  • Financial Information: Customer financial data.
  • Customer Information: Feedback, complaints.

Company Confidential

Sensitive information related to the organization that requires protection to maintain competitive advantage, legal compliance, and operational integrity. Unauthorized disclosure of this information could harm the organization's competitive position and legal standing.

  • Financial Information: Financial performance data.
  • IP: Trade secrets.
  • Corporate Information: Compliance documents.
  • Legal Information: Contracts.
  • Operational Data: Supply chain logistics.
  • Trade Secrets: Manufacturing processes.
  • Proprietary Business Information: Customer analytics.
  • Sensitive Security Information (SSI): IT security audits, security policies and procedures.

Functional view of sensitive data

A slightly different way of thinking about sensitive data is to consider which business functions handle it:

  • Human Resources (HR): Employee PII, PHI
  • Information Technology (IT): Employee PII, SSI
  • Legal: Employee PII, PHI, Financial Information, IP, Corporate Information, Customer Information, Legal Information, Trade Secrets, Proprietary Business Information, SSI
  • Finance/Accounting: Financial Information, Customer Financial Data
  • Marketing: Customer PII, Customer Information, Proprietary Business Information
  • Sales: Customer PII, Customer Financial Data, Customer Information
  • Customer Support: Customer PII, Customer Information, PHI
  • R&D (Research and Development): IP, Trade Secrets
  • Operations: IP, Trade Secrets, Operational Data
  • Executive Management: Corporate Information
  • Compliance: Corporate Information, Legal Information
  • Health Services/Insurance: PHI
  • Security: SSI

Getting a comprehensive view by combining all three points of view

If we put all three points of view together, we can end up with a pretty comprehensive framework for thinking about sensitive data, where it resides, and what it impacts.

People - category, classifications, and functional areas affected

Where does sensitive data about people show up in your organization?

Things - category, classifications, and functional areas affected

Where does sensitive data about things show up in your organization?

Your organization - category, classifications, and functional areas affected

Where does sensitive data about your org show up in your organization?

Costs of losing sensitive data

A breach of sensitive data can result in various costs for an organization:

  1. Regulatory Fines and Penalties: Financial penalties imposed by regulatory bodies for non-compliance with data protection laws and regulations. Examples: Fines under the GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), and GLBA (Gramm-Leach-Bliley Act).
  2. Legal Costs: Expenses associated with legal actions taken against the organization, including litigation, settlements, and legal fees. Examples: Costs of defending against class-action lawsuits, settlements with affected parties, and attorney fees.
  3. Remediation Costs: Costs of addressing and mitigating the breach, including technical and operational responses. Examples: Incident response, forensic investigations, and system repairs or upgrades to prevent future breaches.
  4. Notification Costs: Expenses incurred in notifying affected individuals and regulatory bodies about the breach. Examples: Sending letters, emails, or other communications to inform individuals about the breach and any resulting risks.
  5. Reputational Damage: The loss of trust and credibility with customers, partners, and the general public, which can affect the organization's brand and market position. Examples: Negative publicity, loss of customers, and reduced market value.
  6. Business Interruption Costs: Financial losses due to disruptions in business operations caused by the breach. Examples: System downtime, lost productivity, and revenue lost while operations are halted.
  7. Loss of Competitive Advantage: The strategic disadvantage that occurs when sensitive information, such as trade secrets or proprietary data, is exposed. Examples: Competitors gaining access to confidential R&D data, strategic plans, or marketing strategies, leading to diminished market leadership.
  8. Regulatory Compliance Costs: Expenses associated with enhancing or implementing new compliance measures to meet regulatory standards after a breach. Examples: Investing in new security technologies, hiring compliance experts, and updating policies and procedures.
  9. Customer Redress Costs: Costs of compensating customers for losses or inconvenience caused by the breach. Examples: Providing credit monitoring services, compensating for financial losses, and offering discounts or refunds.
  10. Operational Costs: Increased operating expenses due to additional security measures, staff training, and enhanced monitoring. Examples: Hiring additional security personnel, running employee training programs, and continuously monitoring IT systems.

These costs can significantly impact an organization both financially and strategically, underscoring the importance of robust data protection measures and effective breach response plans.

Email and sensitive files

One of the most common ways sensitive files are exposed is through email. Sending sensitive files to external stakeholders via email poses several risks, including accidental sending to the wrong recipient, lack of encryption, and susceptibility to phishing attacks. Organizations need to adopt secure methods for sharing sensitive information, such as secure collaboration platforms that offer encryption, access controls, and detailed activity tracking. For more information on managing these risks, see this guide on Top Email Risks When Sending Sensitive Files to External Stakeholders.

Final thoughts

Understanding sensitive data and the associated risks is crucial for protecting your organization from potential breaches. By adhering to regulatory definitions, recognizing where sensitive data resides, and understanding the potential costs of a breach, organizations can implement effective data protection strategies. Secure methods for sharing sensitive files, particularly when collaborating with external stakeholders, are essential for maintaining data integrity and avoiding significant financial and reputational damage.
