Sensitive data is a term we hear often these days, especially in connection with the many data privacy laws introduced over the past several years. On its face the definition is simple: sensitive data is any information that needs to be protected. What that actually covers, though, depends on the nature of an organization's business and, even more, on the governing body it answers to.
The categories of sensitive data vary with the privacy laws that apply to an organization. For example, a healthcare organization must adhere to the HIPAA Privacy Rule, which provides federal protections for Protected Health Information (PHI), while a financial institution must adhere to the definitions set forth by other regulations such as the Gramm-Leach-Bliley Act (GLBA).
In general, though, sensitive data encompasses any information pertaining to:
Personal data, also known as Personally Identifiable Information (PII), is any information that can be used to identify a specific individual. The protection of personal data has become increasingly important due to regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which aim to protect individuals with regard to the processing of their personal data. While both regulations share the same general goal, their definitions differ: the GDPR defines "personal data" as any information relating to an identified or identifiable natural person, whereas the CCPA's "personal information" also extends to information reasonably capable of being associated with a particular household.
In any case, organizations are being held responsible for the manner in which they process and secure sensitive data, in order to prevent unauthorized access and protect against data exposure and its associated risk.
Sensitive data can be found lurking in a variety of applications and storage systems, in both structured and unstructured formats. While the movement of data is fairly limited within structured repositories like a SQL Server database, files stored in unstructured repositories such as file shares and SharePoint sites tend to move much more freely, leaving organizations scrambling to pinpoint exactly where the data exists. Compounding this is the drastic overprovisioning of access that accumulates over time, and the lack of controls most organizations have over their data in general.
With more than 80 countries having enacted data privacy laws governing the handling of personal data, organizations are being forced to get a handle on their sensitive data: they need to know where it exists and confirm that appropriate security measures are in place to reduce its exposure.
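Pinpointing where sensitive data lives in unstructured repositories usually starts with a content scan. The following is an added example, not code from the original post or from Stealthbits, of the core of such a scan: it walks a directory tree, looks for two common PII shapes (US Social Security numbers and payment card numbers), and applies sanity checks (SSA area/group/serial rules, the Luhn check digit) so that random digit runs are not reported. The regular expressions, the sample file contents and the file names are constructed for this example; a real classification engine would carry many more patterns and context rules.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Illustrative patterns constructed for this example. SSN_RE requires the
# dashed 3-2-4 form; CARD_RE accepts 13-16 digits with optional space or
# dash separators, starting and ending on a digit.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "ssn" or "card"
    value: str  # matched text as it appeared in the file


def scan_text(path: str, text: str) -> list:
    """Return the validated PII findings in one file's text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding(path, "ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append(Finding(path, "card", m.group(0)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree and scan every readable file as text.
    Binary files are read with errors ignored; unreadable files are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    # Constructed sample share: one file with real-looking PII, one with
    # digit runs that fail the sanity checks.
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "hr_memo.txt"), "w") as fh:
            fh.write("Employee SSN 123-45-6789, corporate card 4111 1111 1111 1111\n")
        with open(os.path.join(share, "notes.txt"), "w") as fh:
            fh.write("ticket 000-12-3456, ref 1234 5678 9012 3456\n")
        for f in scan_tree(share):
            print(f"{f.kind}\t{os.path.basename(f.path)}\t{f.value}")
```

Only hr_memo.txt produces findings: 000-12-3456 is rejected because area 000 is never issued, and 1234 5678 9012 3456 fails the Luhn check. In practice the scan output feeds the next questions the post raises: who has access to each flagged file, and whether that access is still justified.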
The consequences of a breach of sensitive data can be severe for organizations, depending on the scope of the breach. Under the GDPR, for example, fines for non-compliance can reach €20 million (roughly $22 million) or 4% of annual global turnover, whichever is greater. The largest proposed fine to date was for British Airways, which faced a $228 million (£183 million) penalty for a data breach disclosed in September 2018; the UK ICO later finalized that fine at £20 million in October 2020.
Organizations need to get a handle on their sensitive data regardless of where it lives. In order to do so they will need to:
Leveraging cybersecurity software such as that offered by Stealthbits can streamline some of these necessary functions by providing the means to:
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.
© 2022 Stealthbits Technologies, Inc.