Sensitive data is a term that we hear quite often these days, especially as it relates to the plethora of data privacy laws that have been introduced over the past several years. Seemingly, the definition is simple: sensitive data is any information that needs to be protected. What that really means though is often dependent on the nature of the business conducted by an organization and even more so, the responsible governing body.
What is considered Sensitive Data?
The categories of sensitive data will vary based on the privacy laws that are applicable to an organization. For example, a healthcare organization will need to adhere to HIPAA privacy rules, which provide federal protections for Protected Health Information (PHI), while a financial institution will have to adhere to the definitions set forth by other regulations such as the Gramm-Leach-Bliley Act.
In general though, sensitive data encompasses any information pertaining to:
- Personal Data, or data that can be used to identify an individual. For most organizations, this includes not only their customers’ data but their employees’ data as well. The definition of this alone varies between compliance standards, as we’ll examine in a later section.
- Financial Data such as bank account or credit card information
- Intellectual property or proprietary information such as software code or product specifications
Personal data, also known as Personally Identifiable Information (PII), is any information that can be used to identify a specific individual. The protection of personal data has become increasingly important due to regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which aim to protect individuals with regard to the processing of their personal data. While both regulations have the same general goal, their definitions of personal data vary.
- The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’) either directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- The CCPA has a much broader definition of personal data, which it defines as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.
In any case, organizations are being held responsible for the manner in which they process and secure sensitive data, in order to prevent unauthorized access and protect against data exposure and risk.
Sensitive Data at Risk
Sensitive data can be found lurking in a variety of applications and storage systems, in both structured and unstructured data formats. While the movement of data is fairly limited within structured data repositories like a SQL Server database, files stored in unstructured repositories such as file shares and SharePoint sites tend to move more freely, which leaves organizations scrambling when trying to pinpoint exactly where this data exists. Compounding this issue are the drastic overprovisioning of access that accumulates over time and the lack of controls most organizations have over their data in general.
With over 80 countries having released data privacy laws pertaining to the handling of personal data, organizations are being forced to get a handle on their sensitive data: they need to know where it exists and that the appropriate security measures have been put in place to reduce sensitive data exposure.
The consequences of a breach of sensitive data can be severe for organizations, depending on the scope of the breach. For example, under the GDPR, the fine for failing to comply with the regulation can be up to $22 million or 4% of annual global turnover, whichever value is greater. The largest fine to date (while yet to be finalized) was for British Airways, which is facing a $228 million fine for a data breach that was disclosed in September 2018.
Securing Sensitive Data
Organizations need to get a handle on their sensitive data regardless of where it lives. In order to do so, they will need to:
- Know where personal information exists: Not only should organizations have an understanding of where their most critical data assets exist, but they should also understand which of that data is personally identifiable.
- Employ strong Data Access Governance controls: While knowing where this type of information exists is the first step, ensuring that the right controls are in place to prevent unauthorized access, and controlling data growth by removing unnecessary data, will be key to ensuring consumer data privacy.
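The two steps above (find the sensitive data, then check who can reach it) can be illustrated with a small discovery-and-access-review scan. The following is an added example written for this article, not Stealthbits product code. It runs over a constructed in-memory "file share": the file contents, paths, ACL entries and group names are all made up, and the card number is a well-known test value. It classifies matches as PII (email, SSN) or Financial (payment card), uses a Luhn check so that ordinary numbers that merely look like card numbers do not become false positives, masks every value it reports so the findings report does not itself become a new copy of the data, and then flags any file holding a finding that is readable by a broad principal such as Everyone or Domain Users.

```python
"""
Added example: sensitive-data discovery plus access review over a constructed
in-memory file share. Not Stealthbits code; all paths, contents, ACLs and
group names below are synthetic.
"""
import re
from dataclasses import dataclass

# Constructed sample documents standing in for files on an unstructured share.
# "4111 1111 1111 1111" is a standard test card number; the hyphenated number
# in the release notes is deliberately NOT a valid card (fails Luhn).
SAMPLE_FILES = {
    "/shares/hr/onboarding.txt": "New hire: Jane Doe, jane.doe@example.com, SSN 123-45-6789",
    "/shares/finance/expenses.csv": "employee,card,amount\nJ. Doe,4111 1111 1111 1111,42.50\n",
    "/shares/eng/release-notes.md": "Build 1234 fixed issue 5678; ref 4111-2222-3333-4444 is a ticket id",
    "/shares/public/lunch-menu.txt": "Tuesday: tacos",
}

# Constructed ACLs: principal -> set of rights. Broad groups on files that hold
# sensitive data are the over-provisioning the article describes.
SAMPLE_ACLS = {
    "/shares/hr/onboarding.txt": {"HR-Staff": {"read", "write"}, "Everyone": {"read"}},
    "/shares/finance/expenses.csv": {"Finance": {"read", "write"}, "Domain Users": {"read"}},
    "/shares/eng/release-notes.md": {"Domain Users": {"read"}},
    "/shares/public/lunch-menu.txt": {"Everyone": {"read"}},
}

# Principals that effectively mean "anyone in the directory" (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}

# kind -> (category, compiled pattern). Card pattern only finds *candidates*;
# luhn_ok() decides whether a candidate is kept.
PATTERNS = {
    "email": ("PII", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    "ssn": ("PII", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    "card": ("Financial", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
}


@dataclass
class Finding:
    path: str
    category: str  # "PII" or "Financial"
    kind: str      # "email", "ssn" or "card"
    masked: str    # value with everything but the last 4 characters masked


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last 4 characters so reports do not re-expose the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_files(files: dict) -> list:
    """Discovery step: locate and classify sensitive values in each file."""
    findings = []
    for path, text in files.items():
        for kind, (category, pattern) in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group(0)
                if kind == "card" and not luhn_ok(value):
                    continue  # looks like a card number but is not one
                findings.append(Finding(path, category, kind, mask(value)))
    return findings


def review_access(findings: list, acls: dict) -> list:
    """Governance step: flag sensitive files readable by broad principals."""
    sensitive_paths = {f.path for f in findings}
    issues = []
    for path in sorted(sensitive_paths):
        for principal, rights in acls.get(path, {}).items():
            if principal in BROAD_PRINCIPALS and rights:
                issues.append((path, principal, sorted(rights)))
    return issues


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}: {f.category}/{f.kind} {f.masked}")
    for path, principal, rights in review_access(found, SAMPLE_ACLS):
        print(f"OVERPROVISIONED: {path} grants {rights} to {principal}")
```

On the constructed input this yields three findings (an email and an SSN in the HR file, a card number in the finance export) and two access issues (the HR file readable by Everyone, the finance export readable by Domain Users). The release notes contain a card-like number that fails the Luhn check and a broad ACL, but with no confirmed sensitive data the file is not flagged, which is the point of pairing discovery with the access review rather than alarming on every broad ACL.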
Leveraging cybersecurity software such as that offered by Stealthbits can streamline some of these necessary functions by providing the means to:
- Discover the repositories that contain data assets
- Determine which of this data is personally identifiable
- Ensure that the proper data controls are in place by providing an understanding of who has access to what, and how they are leveraging that access
- Monitor for real-time threats
- Deploy policies to prevent unauthorized access to critical or sensitive information.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits Technologies. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.