What is Sensitive Data? Sensitive Data Definitions, Types & Examples

What is Sensitive Data?

Sensitive data is information that must be protected against unauthorized disclosure.  It can be in physical or electronic form and includes PII (Personally identifiable information), PHI (Protected health information), and more. There are three main types of sensitive data that hackers and malicious insiders tend to exploit: personal, business, and classified information. If sensitive data falls into the wrong hands, it could be a fatal blow to the parties concerned, regardless of who they are: individuals, companies, and government entities.

Implementing strict measures when granting access to personal or confidential data, particularly when it involves individual privacy and intellectual property rights, is essential to prevent a data breach. For example, a security breach in a government agency could expose classified information to foreign powers. Similarly, unauthorized access to individual or company data could lead to severe issues such as corporate espionage, insurance risks, cyber threats, or customer or employee data privacy violations.

Why Sensitive Data is Important

The value of protecting sensitive data goes far beyond any immediate privacy concerns, with substantial social, economic, and technological implications. Information is the most valuable resource in a modern-day digital economy, pushing forward innovation and affecting strategic business decisions. Businesses that cannot protect sensitive information risk both immediate financial losses and long-term strategic disadvantages.

The value of sensitive data as a whole has been dramatically expanded with the rise of big data analytics and artificial intelligence, with even the most innocuous data points providing vast amounts of information about market trends, organizations, or individuals (with the help of complex analysis techniques). 

At the same time, maintaining the security of sensitive data plays a substantial part in maintaining end users’ trust in modern digital ecosystems. Maintaining customer loyalty, as well as partner networks and business relationships, becomes much more difficult without proper attention to sensitive data security in the modern world of IoT devices, cloud services, digital transformation initiatives, etc. A single data breach has the potential to disrupt multiple supply chains and established business networks and affect multiple stakeholders at the same time.

Proper sensitive information handling from a compliance perspective is mandatory for participating in modern global markets. The proliferation of data protection regulations worldwide forces companies to demonstrate their sensitive data protection capabilities as a prerequisite to operating in different jurisdictions. The complexity of the regulatory landscape is challenging because it regularly evolves, forcing companies to make data governance an ongoing strategic goal instead of taking a one-time action to pass compliance checks, which can quickly become obsolete.

Levels of Sensitive Data

Data is generally categorized by its sensitivity. A combination of federal or industry-specific regulations and organizational policies typically determines the categories or classifications. This article focuses on business information, as governments and defense agencies have their own data classification systems.

Sensitive data can be classified into four main types:

• Public – Low data sensitivity or public classification
• Internal – Moderate data sensitivity or internal classification
• Confidential – High data sensitivity or confidential classification
• Restricted – Extremely sensitive data or restricted classification

Public: Low data sensitivity

This class of data poses little to no risk to an organization. Data in this group can be accessed by anyone, as there are no restrictions on its accessibility. Examples include press releases, website information, social media posts, published research, research proposals, and information already available in the public domain.

Internal: Moderate data sensitivity

Moderate sensitivity covers data whose leakage would only cause minimal harm to the organization or an individual. Examples of moderately sensitive data include building plans, corporate policies, organizational charts, and IT service information.

Confidential: High data sensitivity

Highly sensitive and confidential data must be protected by law or corporate policies that apply to it. If the data is breached, it could cause significant harm to the organization or an individual. This includes personal data such as PII, PHI, and financial information, as well as confidential company information such as employee contracts, M&A, financial information, board documents, etc.

Restricted: Extreme Sensitivity

If leaked, extremely sensitive data could pose serious financial, legal, or regulatory consequences for the organization. This information needs to be restricted to only individuals who are authorized to handle it. Examples include social security numbers, identifiable human subject research, bank accounts, trade secrets, intellectual property, patents, investor information, etc.

Sensitive Data Types

There are many different approaches to sensitive data classification. As such, many different versions and varieties of sensitive information exist. One version uses several data categories to separate them from one another in terms of importance and potential harm they could bring if they fall into the wrong hands:

• Personally Identifiable Information (PII) – A relatively broad category of sensitive information that covers practically everything that could be associated with a specific person and used in a harmful way.
• Protected Health Information (PHI) – Data regulated by HIPAA covers all health information that could be used to identify a patient.
• Nonpublic Personal Information (NPI) – Refers to personally identifiable financial information provided by a financial institution or resulting from consumer transactions or services performed unless otherwise publicly available.
• Material Non-Public Information (MNPI) – Any company data that has not been released to the public but could impact a company’s share price.
• Attorney-Client Privileged Information (ACPI) – Refers to everything that could be considered communication between attorneys and their clients, implying that all such communication must be confidential and protected.

 

Sensitive Data Categories

Customer Information

Customer information is sensitive data that contains a client’s personal information (PII), such as transaction records, phone numbers, email addresses, home addresses, names, digital fingerprints, and pictures. If it gets into the wrong hands, it could cause severe personal harm to your customers and cause distrust between customers and the company.

Employee Data

Just like customer information, your employees’ data is also sensitive and must be handled with great care. If it leaks, it could cause cyber or physical assaults on your employees. The data could include the employee’s banking details, home address, and login details.

Industry-Specific Data

Sensitive industry data needs to be protected at all costs. For example, patient medical reports must be protected under HIPAA and HITECH in the medical sector. In the retail industry, the transaction details of all customers must be protected under various state and government Privacy Acts, as well as PCI DSS.

Personal Data

Personally identifiable information (PII) is any data that could potentially identify a specific individual, distinguish one person from another or be used to deanonymize previously anonymous data. PII management is governed by multiple domestic and international guidelines such as the Privacy Act, HIPPA, GLBA, CCPA, CPRA, GDPR, etc., each with different requirements.

Personal vs Sensitive Personal Data

It’s important to distinguish between personal data and sensitive personal data.

Sensitive personal data generally falls into specific categories, such as race and ethnicity, health information, financial data, biometrics, genetics, trade union or association memberships, and political or philosophical beliefs. Its disclosure could cause potential personal harm, discrimination, an impact on an individual’s rights, financial fraud, identity theft, or reputational damage.

It should also be noted that the definition of sensitive data can differ slightly based on the location of the company and several other factors. For example, the European Union’s understanding of personal sensitive data defines it as the following:

“The following personal data is considered ‘sensitive’ and is subject to specific processing conditions:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs

• trade-union membership

• genetic data, biometric data processed solely to identify a human being

• health-related data

• data concerning a person’s sex life or sexual orientation”

Personal data, on the other hand, identifies an individual but is not confidential by nature or poses a risk. For example, disclosing a person’s name on its own would not be enough to facilitate identity theft.

LAWS that Govern Sensitive Data

 

Australian Data Protection Framework

 

Australia’s approach to protecting sensitive data is governed by a combination of the Privacy Act 1988 (Cth) and its amendment from 2014 that introduces the Australian Privacy Principles. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 has strengthened this framework significantly, increasing the significance of penalties for repeated or serious privacy breaches.

Sensitive information under Australian law has special protection and covers a wide range of data categories – political opinions, religious beliefs, sexual orientation, criminal record, genetic information, philosophical beliefs, biometric information, health information, and many others.

Important Elements of Australia’s Privacy Framework

The Australian Privacy Principles act as the cornerstone of privacy protection in the region, applying a combination of 13 principles that both private sector organizations and government agencies have to work under. The principles govern the following topics:

• Access and correction rights
• Use and disclosure of personal information
• Direct marketing limitations
• Collection and handling of personal information
• Cross-border data flows
• Data quality and security
• Direct marketing limitations

The Notable Data Breaches scheme that was introduced in 2018 forces companies to notify all affected individuals (as well as the Office of the Australian Information Commissioner) when a data breach is likely to affect a substantial volume of clients’ information. This scheme outlines penalties for non-compliance, notification timeframes, assessment of suspected data breaches, and remediation steps. 

The 2022 amendment dramatically increased penaltiesm for repeated or substantial data breaches to 30% of adjusted turnover during the breach period, 3x the value of any benefit obtained due to misuse of information, or $50 million AUD, whichever is higher. At the same time, this amendment has significantly enhanced the enforcement and investigative powers of the OAIC while leveraging new information sharing provisions with both domestic and international regulators.

Sector-Specific Requirements in the Australian Privacy Framework

Austrlaian sensitive data protection t rules and regulations slightly differ by industry , including:

• The Healthcare sector is controlled using:
  • Healthcare Identifiers Act 2010
  • My Health Records Act 2012
  • State-specific health records legislation
• Financial services are regulated by:
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006
  • APRA Prudential Standards (CPS 234 on Information Security)
  • Consumer Data Right regime
• Telecommunications are governed by:
  • Telecommunications (Interception and Access) Act 1979
  • Telecommunications Act 1997

Australian organizations are also expected to take reasonable steps to ensure that overseas recipients of personal data still comply with the APPs using ongoing monitoring obligations, specific consent requirements, due diligence requirements and contractual safeguards.

The Australian government has recently indicated its intention to align closer with international standards, such as GDPR, while maintaining its own risk-based approach to privacy protection. Additionally, several of the existing Privacy Acts are expected to go through a review process in the future, reforming potentially outdated or vague segments when applicable.

General Data Protection Regulation (GDPR) Definition Of PII

Organizations that collect, store, and process the data of any European Union individuals must adhere to the General Data Protection Regulation (GDPR). GDPR’s definition of personal data is not that much different from the regular definition of PII. It is data that either contains information that directly identifies the person or data that can be used to identify an individual indirectly. GDPR defines personal data as:

• Name
• ID Number
• Location Data
• Physical characteristics
• Political opinion or party affiliation
• Individual religious beliefs
• Trade union membership
• Sexual preferences
• Race or ethnicity
• Genetic data
• Biometric data such as fingerprints and pictures

GDPR also uses the topic of consent relatively frequently, because consent is necessary for data processing under GDPR to commence in the first place. However, seeking consent to process personal data is a common misconception about GDPR, because the regulation itself makes consent the least preferable option. 

The rules suggest that processing might not be strictly necessary if it is not a contractual or legal obligation. Because GDPR attempts to give individuals more control over their own data, opting out of processing must always be an option.

GDPR includes several different approaches to data security, including data separation, data encryption, and pseudonymization measures. The last two options are mandatory for storing sensitive information on portable devices such as laptops, as well.

Pseudonymization is a type of data processing that changes the original information in a way that prevents the identification of specific people (such as clients), but the original information can still be re-identified if the pseudonymized data is combined with other separately stored information. 

Encryption  is a common form of cryptography that encodes information using a secret value in the form of a “key” that prevents any other user from reading it without a decryption key.

One of the most definitive ways to prove compliance with GDPR requirements is the Europrivacy certification: a practical way to demonstrate compliance in the form of a data protection seal, making it possible to demonstrate a company’s data processing efforts as GDPR-compliant. This certification scheme serves as a detailed framework for data security measures that are sufficient for GDPR compliance from both organizational and technical standpoints, thus making them a valuable source of information when it comes to protecting PII.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) definitions of PII and SPI

The California Consumer Privacy Act (CCPA) protects consumers from mismanagement of their personal data and gives individuals control over what personal data is collected, processed, shared, or sold. The California Privacy Rights Act (CPRA) amends the CCPA to add new consumer rights to correct inaccurate personal information and limit the use and disclosure of their sensitive information. It also includes additional regulations for companies that purchase, sell, or exchange personal data of more than 100,000 households or customers in California.

CCPA Personal Information Definition

CCPA defines personal information as any information that identifies, relates to, or could reasonably be linked with you or your household. It does not include publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records. Some information is exempted from privacy regulations, including information that a business believes is lawfully available to the general public or disclosed by the consumer to a specific audience. Certain data types, such as medical and consumer credit reporting information, are exempted.

CCPA uses four main “characteristics” to define whether a specific piece of information is considered personal, such as:

• Descriptive information covers anything describing a consumer, including personal address, phone number, and drug prescription.
• Reasonably linkable information gathered from an operating system or other software may not be intended to track an individual. Still, if taken from the system in question, it could lead to one.
• Identifying information that can be used to describe a person or persons.
• Information that can be related to a person through its purpose – such as data received from various online tracking methods such as cookies.

CPRA Sensitive Personal Information (SPI) Definition

The California Privacy Rights Act (CPRA) has introduced a new category called Sensitive Personal Information (SPI), which applies stricter disclosure and purpose limitation regulations. As per the law, the security measures for this category of data should be appropriate to its type, indicating that SPI needs additional protection.

SPI includes the following data:

• Social Security Number
• Driver’s license
• State identification card
• Passport Number
• Financial account information and log-in credentials
• Debit Card or Credit Card number along with access codes
• Precise geolocation data
• Religious or philosophical beliefs
• Citizenship or immigration status
• Ethnic origin
• Contents of communication
• Genetic data
• Biometric information for the purposes of identification
• Health information
• Information about sex or sexual orientation

European Data Protection Board (EDPB) Initiatives

The EDPB is an incredibly important initiative that will directly shape the future of protecting sensitive information across the European Union. It uses Binding Decisions and Guidelines to refine and improve the implementation of data protection principles previously established under GDPR.

One of the key aspects of EDPB is its development of comprehensive guidelines for dark patterns in social media, addressing the way deceptive design practices can lead to the unauthorized collection of sensitive or personal data. The guidelines in question both identify and eliminate interface designs that can compromise users’ privacy and data protection rights.

The introduction of comprehensive frameworks for cross-border data transfers has also been a substantial advancement of EDPB, focusing on assessing supplementary measures that are necessary to create and maintain international data flows. Detailed recommendations for pseudonymization techniques, encryption protocols, and contractual safeguards for information transferred outside of the European Economic Area are just a few examples of the new and powerful requirements introduced by EDPB.

One response to emerging technologies has been the development of specialized guidance on protecting sensitive data in artificial intelligence systems and IoT environments. This specialized guidance emphasizes the principle of privacy by design, while also introducing a number of new requirements for automated decision-making systems that work with sensitive personal information.

EDPB has recently introduced certification mechanisms and standardization criteria for data protection seals, creating a harmonized approach to demonstrating compliance with sensitive data protection requirements. The certificates in question serve as indicators of trust and commitment to protecting sensitive and personal data across the entire European Union.

Other Key Data Protection Regulations Around the World

A substantial number of regional and national regulations have emerged to address sensitive data protection concerns. Many of these frameworks offer a diverse approach to data sovereignty and privacy for different regions, while also employing common data protection principles.

China’s Personal Information Protection Law

PIPL is one of the most complex sensitive data protection laws in all of Asia, introducing both strict cross-border data transfer requirements and a separate consent mechanism for processing sensitive personal information. Each organization must conduct impact assessments before processing sensitive data, and they must also appoint dedicated protection officers to provide constant oversight.

Saudi Arabia’s Personal Data Protection Law

PDPL has established a new benchmark for sensitive data handling in the Middle East, introducing data localization requirements that apply to sensitive information, along with explicit consent mechanisms applicable to biometric or health-related information. Companies must maintain detailed processing records and implement several technical measures to protect sensitive information to comply with PDPL.

Brazil’s Lei Geral de Proteção de Dados

LGPD uses an unusual categorization system for sensitive information that covers biometric and genetic data, among others. This law emphasizes transparency in data processing, requiring enhanced security measures when handling sensitive data. The law also establishes specific provisions for processing sensitive data related to children and adolescents.

India’s Digital Personal Data Protection Act

DPDPA has introduced its own comprehensive requirements when it comes to processing sensitive personal information. DPDPA establishes data fiduciary responsibilities, introduces specific provisions for cross-border transfer of sensitive information, and requires that all entities that handle large volumes of sensitive data on a regular basis register with the state.

Singapore’s Personal Data Protection Act

PDPA, on the other hand, uses active reinforcement and mandatory notifications of breaches as its primary requirements for handling sensitive data. The law uses accountability measures that require appropriate security arrangements for the protection of sensitive data, especially in emerging technology fields.

Japan’s Act on Protection of Personal Information

APPI has evolved from its more traditional form to include strong protections for handling sensitive data, including mandatory impact assessments for high-risk processing activities, as well as a number of specific criteria for cross-border sensitive data transfer and the necessity to implement robust security measures for all companies that deal with sensitive information.

 

Sensitive Data That Hackers or Malicious Insiders Would Look For

You need to protect sensitive data from two types of threats: external threats, such as hackers, and insider threats, that stem from malicious or negligent employees and contractors.

While there are a lot of different sensitive data types, hackers and malicious insiders consider the following the most valuable:

1. Customer information.  Sensitive customer data such as payment cards, emails, names, addresses, etc., that can be used as is or combined with other stolen information to create a more complete profile of your customers.
2. Employee data. While there is overlap with customer data details, this is a separate category because of the extra sensitive employee data your store, like banking info used to pay wages, username and password combos, etc.
3. Trade Secrets or Intellectual Property. Anything that is proprietary to your organization and offers competitive advantages, such as code, schematics, and product specifications, can be sold to competitors or nation states.
4. Digital Infrastructure. Bad actors want to access sensitive data and look for a free ride. They want access to your infrastructure to store their own data and applications so they don’t have to pay for the applications and storage themselves.

Sensitive Data Protection and Exposure Prevention

To effectively protect sensitive data, you need to take the following steps:

1. Identify and Classify all sensitive data

The first step is to identify and categorize all of your organization’s data based on its sensitivity, known as data classification. This task may seem simple, but it’s often complicated due to the vast amount of data organizations generate and store daily. The process of identifying sensitive data is constant and ever-changing. A document may start out with low sensitivity but may become more sensitive if certain information is added. Organizations must be able to identify data that is regulated by privacy acts such as GDPR and organizationally sensitive.

2. Assess data risks

Data theft and leakage are recurring problems. It is not just an IT problem; sensitive data governance affects all other departments in an organization. Insider threats and cyberattacks pose the most significant risks. Risks that must be assessed include the liability costs of the sensitive data breached, the location of data, the movement of these data from one source or domain to another, the volume of the sensitive data stored, etc.

3. Design Information Security Policies Using the CIA Triad

Several industries have agreed on a universal standard to guide information security policies to address risks. Commonly referred to as the CIA triad, the evaluation elements include Confidentiality, Integrity, and Availability.

• Confidentiality is essentially related to privacy. It is about preventing unauthorized access to sensitive information without limiting access for people who are authorized to use it. There are a substantial number of countermeasures, and they vary in difficulty and effectiveness. The measures include passwords, soft tokens, data encryption, hard copy storage, limiting information destinations, transmission extensiveness, and so on.
• Integrity is about long-term data consistency and accuracy over a specific period of time. The list of integrity measures includes file permissions, user access controls, cryptography, audit logs, backups, and more.
• Availability focuses on data being consistently available when authorized parties need it. Availability-specific measures include frequent software patching, safeguards against data losses due to natural disasters, hardware maintenance, bandwidth provision, etc.

All three of these parameters are used to determine the security measures that have to be applied to the information piece based on its sensitivity. The framework is a common way to measure data sensitivity and is provided in the Federal Information Processing Standards by the National Institute of Standards and Technology (FIPS and NIST, respectively).

4. Implement adequate security measures and monitoring

Next, you must implement security measures to enforce your information security policies and safeguard against theft of sensitive data. This includes deploying access management and data loss prevention tools. You must also monitor these measures and log access to sensitive data to ensure there are no vulnerabilities in the process. There are a lot of technologies available to assist with these measures. It is vital to employ data-centric methodologies that apply access and security controls at the data level in addition to network security, identity management and firewall tools for effective data security.

5. Follow Best Practices for Sensitive Data Security

Implementing other best practices for securing sensitive information is a noteworthy step in improving the overall security stance of the environment, including the following measures:

• Deploying Attribute-Based Access Control measures. ABAC is a relatively new data-centric approach to protecting sensitive information that uses a dynamic system of access rights based on environmental conditions, user attributes, and even the data itself, to provide a much more granular access environment with more context to any decision than in any legacy system.
• Enhancing employee information privacy. Protecting employee information is just as important as any other data category when it comes to maintaining both trust and compliance. Limiting data access to authorized personnel, regularly training employees on the topic of data security, and implementing strong security controls are just a few examples of measures that can assist with the privacy of employee information.

Securing data in specialized collaboration environments, such as Microsoft 365. The increased usage of cloud-based collaboration platforms necessitates additional security measures to be taken in these unusual environments. Data security in M365 and similar environments can be improved by using advanced data protection capabilities, including real-time monitoring, obfuscation, access controls, and more.

Sensitive Data Exposure and its Consequences

The extent of harm caused by sensitive data exposure solely depends on the type of data that has been exposed. There are three general categories of potential damage caused by a breach or exposure:

• Reputational damage. Data breach events alter the perception of the business in the eyes of the public, customers and potential customers. Aside from reputation loss and diminished goodwill, there are also costs associated with losing and acquiring new customers.
• Regulatory fines. Data breaches involving government and industry regulations can be incredibly harmful to organizations. Such incidents typically result in hefty penalties and fines imposed by data privacy laws such as the CCPA, GDPR, and other associated costs.
• Financial consequences are significant for companies that experience a data breach, with the average cost of a data breach reaching an all-time high of USD 4.45 million in 2023. Costs can include forensic and investigative activities, assessment and audit services, crisis management and communications, post-breach notifications, business downtime or disruption, and legal activities, which can all negatively impact a company’s bottom line.

It’s essential for organizations to prioritize data security measures to avoid such incidents and safeguard their reputation and finances.

Common Causes of Sensitive Data Exposure

There are multiple critical pathways for the exposure of sensitive data that can be treated as common causes of issues and data breaches. We can segregate most of the potential causes into three major categories:

1. Technical Infrastructure Vulnerabilities

These vulnerabilities include a wide range of situations, such as inadequate encryption implementations, unpatched systems, misconfigured cloud services, and so on. Many of these vulnerabilities arise during rapid digital transformations or cloud migration initiatives, where security is often overlooked in favor of greater speed or functionality. Companies tend to struggle with securing sensitive information in hybrid environments that often make traditional security measures somewhat useless if they cannot be scaled up to cloud-based environments.

2. Third-Party Risk Management Failures

Risk management failures as a whole continue to be significant, as organizations share sensitive information with a wide variety of partners, vendors, and service providers. If the organization lacks visibility into its partners’ security practices, failure to maintain proper oversight of data handling procedures may result in a data breach or another kind of incident involving sensitive data. 

The risk in question is further compounded by the sheer scope of the issue, with the potential for multiple third parties to gain access to sensitive data, creating a massive number of potential exposure points that are difficult to manage and monitor at once.

3. Human Factors and Access Control Issues

The Human Factor has been a persistent challenge in many industries and situations, and sensitive data handling is no exception. Poor access management practices make the issue even worse, leaving many potential backdoors that can be explored using social engineering vulnerabilities or through other means. 

Excessive access privileges, successful phishing attacks, and delayed revocation of the access rights of departed employees are some of the most common situations in which sensitive information can be threatened. Companies often struggle to find the right balance between operational efficiency and security requirements, which produces compromises over access controls that dramatically increase the possibility of sensitive data exposure to unauthorized users.