What is sensitive data? What are the various types of sensitive data?
Sensitive data is any data that could incur some kind of cost to the organization holding it if it were exposed to the general public. These costs may include breach notification costs (which include alerting consumers and regulatory agencies), loss of revenue due to system downtime, regulatory fines, loss of customers from reputational damage, and even lawsuits and reparation. According to the Ponemon Institute’s “Cost of a Data Breach Report 2021,” the average cost of a data breach rose from $3.86 million to $4.24 million, the highest in the report’s 17-year history.
There are many different types of sensitive data and determining what data is important to your organization is crucial. That said, sensitive data can generally be grouped into a few broad categories:
- Business information: Any data central to an organization’s operations, including financial accounts and statements, employee information, intellectual property, trade secrets, and more.
- Personal data: Any information associated with an individual that can be used to identify them directly or when used in combination with other information. This type of data includes name, birth date, address, Social Security number, race, sexual orientation, religion, political views, and more.
- Health data: Information relating to an individual’s health, including their medical history, disability data, medical diagnoses, data from fitness apps, etc.
- Financial data: An individual’s bank information, credit card details, and security codes and PINs.
- Biometric data: Human body data, such as facial features, fingerprints, iris scans, voiceprints, and other data used for biometric identification.
- Genetic data: An individual’s genetic characteristics acquired through DNA and RNA analysis, such as chromosomal information.
Identifying which sensitive data needs to be protected isn’t always straightforward. That’s because sensitive data falls into two categories: regulated and unregulated.
- Regulated data is always deemed sensitive by the data privacy laws and regulations that protect it. The Health Insurance Portability and Accountability Act (HIPAA), for example, standardizes rules for accessing more than a dozen types of information in an individual’s medical records, including contact details, Social Security number, financial data, diagnostic results, and treatments. These types of data are always designated as sensitive, making it easy for healthcare organizations to understand what information needs to be kept confidential.
- Unregulated data comprises all publicly known information. Most data created falls into this category. While not directly covered by data-privacy laws and regulations, some files and documents in this category, such as employee contracts and customer surveys, may contain information that could be classified as sensitive data. This underscores the need for organizations to understand what data they are storing in order to adequately protect it.
How can sensitive data be misused? What are the risks of a sensitive data breach?
When most people hear the term “data breach,” they probably think of stolen credit card information. That’s because hacks exposing troves of credit card details have increasingly made headlines over the past decade.
One of the biggest was the 2013 Target data breach. Hackers used a sophisticated phishing campaign to steal the login credentials of one of the company’s third-party vendors. They used these credentials to work their way into Target’s internal network and ultimately access its point of sale (POS) systems.
They then installed malware on those systems to steal credit and debit card information from the memory of the POS devices as customers swiped their cards.
The hackers then collected and sold the stolen data on the digital black market. Target estimated that information for up to 110 million customers was stolen, making it one of the largest data breaches in history. In its data breach settlement, the company paid $18.5 million to 47 states and the District of Columbia (in addition to the $202 million it spent on legal fees and other costs in the wake of the breach).
Although credit card data breaches grab most of the headlines, they aren’t the only example of data misuse. Compromised sensitive data can be used in all sorts of ways that weren’t intended, which can have serious repercussions for the company entrusted with that data.
One of the most infamous recent examples of data misuse involved the social media giant Facebook and the British consulting firm Cambridge Analytica. The developers of an app called This Is Your Digital Life (TIYDL) collected up to 87 million Facebook profiles.
The app was designed as a personality quiz and used to build psychological profiles on users and collect the personal data of the users’ Facebook friends. The app’s developers then sold that data to Cambridge Analytica, which used it to help target voters for the political campaigns of Donald Trump and Ted Cruz. Ultimately, Facebook paid a $5 billion penalty for the exposure and subsequent misuse of its users’ data.
Incidents like the Facebook-Cambridge breach have brought greater scrutiny to how AdTech companies use data. This has led to the creation of stronger regulations around the collection and use of data, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
What regulations exist around sensitive data?
There are many regulatory requirements that govern how companies conduct business, and most mandate how sensitive data should be handled. Some regulations target specific industries. HIPAA, for example, covers the healthcare industry, and PCI DSS covers payment card processing. Others, like CCPA and GDPR, apply to all industries within a geographic region.
Regulations can also vary from one location to another, so that requirements for handling data, even within a single industry, can differ between Europe and the U.S. and even from state to state. But virtually all regulations and standards impact IT and data security. The most common of these include:
GDPR (General Data Protection Regulation). Adopted by the European Union in 2016, it’s the primary law governing the protection and privacy of citizen data. GDPR introduced several mandates for all transactions taking place within EU member states, including:
- Customers must give consent for data processing.
- Any personally identifiable information must be anonymized or pseudonymized (the consumer’s identity replaced with a pseudonym).
- Consumers must be notified of a data breach within 72 hours.
- Data transferred outside the EU must receive the same degree of protection by the receiving party that the EU provides.
- Some companies must appoint a data protection officer (DPO) to oversee GDPR compliance.
All organizations within the EU are subject to GDPR, as are those based abroad that have operations or customers in the EU.
CCPA (California Consumer Privacy Act), enacted in 2018, grants several rights to California residents, including:
- The right to know what personal information is collected, used, shared, or sold.
- The right to delete personal information held by businesses and their service providers.
- The right to opt out of the sale of personal information.
- The right to nondiscrimination via price or service when a consumer exercises a privacy right under CCPA.
CCPA also created several new obligations for businesses. Most importantly, businesses subject to CCPA must provide notice to consumers at or before data collection. They must also create procedures to respond to consumers who want to opt out of data collection, know what data is collected, or have their collected data deleted, and must respond to those requests within certain time frames.
CCPA applies to any for-profit business that serves California residents and meets one of the following criteria:
- Generates more than $25 million in gross annual revenues.
- Annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of annual revenues from selling consumers’ personal information.
PCI DSS (Payment Card Industry Data Security Standard). Since its introduction in 2004, it has been regularly updated to improve the security standards of payment processing. It specifies a dozen primary requirements to protect cardholder data, including firewall requirements and password rules, the encryption of data in transit, network access monitoring, and more. PCI DSS applies to any organization that accepts, transmits, or stores cardholder data.
HIPAA (Health Insurance Portability and Accountability Act) sets standards for how protected health information (PHI) is handled by healthcare providers. PHI includes a range of patient data, including personal identifiers such as name, birth date, and gender, as well as health information like diagnoses, treatment information, and medical test results. HIPAA mandates how PHI is accessed and sets physical, administrative, and technical safeguards that healthcare organizations must implement in order to secure it. It also addresses how healthcare facilities should respond in the event of a data breach. Healthcare facilities, including hospitals, doctor’s offices, nursing homes, and any other party that does healthcare business with clients or patients, must be HIPAA compliant.
FERPA (Family Educational Rights and Privacy Act) is a federal law protecting the privacy of student education records. These records can exist in any medium and typically include both personal identifiers (SSN, date of birth, gender, ethnicity) and academic information (test scores, GPA, transcripts, financial-aid information). The law grants several rights to parents, including the right to inspect their child’s education records and amend any inaccuracies. It also gives them control over the disclosure of personally identifiable information from their child’s records. These rights transfer directly to the student once they turn 18 or attend college. FERPA applies to all schools that receive federal funding.
NIST (National Institute of Standards and Technology), a nonregulatory federal agency, sets standards for the science and technology industries to help federal agencies and contractors meet the requirements of the Federal Information Security Management Act (FISMA). However, NIST standards can help any organization improve its security, prevent breaches, and meet regulatory requirements such as PCI DSS and HIPAA. Organizations around the world use the NIST Cybersecurity Framework (CSF) to reduce cyber risk and protect their networks and data. NIST Federal Information Processing Standards (FIPS) are used by government agencies, contractors, and vendors. FIPS standards establish requirements for circumstances not covered by broader industry standards, providing a framework for a range of security processes.
CMMC (Cybersecurity Maturity Model Certification) is a Department of Defense program that establishes standards and best practices for Defense Industrial Base (DIB) contractors. DIB contractors handle sensitive government data, and CMMC ensures they secure it the same way as government and military agencies do. In particular, CMMC addresses the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Other security compliance standards that organizations need to be aware of include COPPA (Children’s Online Privacy Protection Act), CIS Controls (Center for Internet Security Controls), and FedRAMP (Federal Risk and Authorization Management Program). And more regulatory requirements go into effect every year. Organizations need to understand which standards and regulations apply to their business, as any compliance missteps can result in significant penalties and costs.
How do attackers retrieve sensitive data?
There are myriad ways for attackers to steal sensitive data, and enterprising hackers are developing more sophisticated methods all the time. Some of the most popular methods include:
- Malware (“malicious software”) broadly refers to any script or code designed to exploit a device. Attackers exploit a vulnerability to insert malware—which a user unwittingly downloads from an email attachment or a web link—into the system, where it can perform a variety of malicious acts, such as monitoring your keystrokes, transmitting sensitive data to the attacker’s computer, or capturing your passwords. Malware is particularly popular because it’s easy to distribute and highly effective.
- Phishing is a type of social engineering attack in which the attacker uses emails, texts, or phone calls that appear to be from a legitimate institution to trick the target into sharing sensitive data, such as login credentials and credit card information. Phishing has been on the rise in the age of COVID, constituting 36% of data breaches in 2021, an 11% increase over the previous year.
- Device theft: Opportunistic criminals can retrieve sensitive data simply by gaining physical access to a user’s device. One common cause of data compromise is an unattended device—a laptop left in the car or on a café table. Once someone has it in their hands, they have access to a potential treasure trove of sensitive data, particularly if the device isn’t password-protected or encrypted.
Where is sensitive data typically located?
Sensitive data can be anywhere and everywhere. Data travels between a multitude of devices, users, apps, and services every day. That can make it exceedingly difficult to secure, particularly once it leaves your network. A file located on a secure centralized server, for example, can become compromised when an employee downloads a copy to their personal laptop—which almost certainly does not have the same level of security—and then forgets to delete it when they’re done working on it. Sensitive data can also be found on backup servers and hard drives.
Why is securing sensitive data difficult?
Again, one of the major problems with securing sensitive data is that it resides in so many places, which means it is difficult to even find, much less secure. Some of these locations may be frequently disconnected from the network—as is the case with an employee’s laptop or a USB thumb drive—which limits the enterprise’s visibility into the data. Securing sensitive data also requires a fine balance between security and usability. Users need access to certain documents, but getting that access may require permissions further upstream. To mitigate this, an enterprise should require tight processes around both giving permissions and terminating sessions, and must ensure that any residual data is deleted from the device. A sensitive data monitoring tool can help with many of these challenges.
How do sensitive data monitoring tools work?
Sensitive data monitoring tools can take two approaches. One is network-based, in which centralized software reaches out from a server to scan all network devices for sensitive data. However, this method is slow, consumes network bandwidth, and can leave gaps because it can’t reach devices outside the corporate network.
The alternate approach uses a client-centric architecture to search for sensitive data across all your endpoints. It has a much lighter impact on network performance, and once it performs an initial scan for sensitive data, it continues to index your endpoints in real time to keep scans up-to-date. And because software is installed directly on the endpoint, you can scan for sensitive data even when the device isn’t connected to the corporate network.
What are the key features of a sensitive data monitoring tool?
As with any new tool, ease of use and compatibility with your current technologies are primary considerations. Some other features to look for include:
- Agent-based scanning: Agent-based monitoring tools install a software package (“agent”) on each device you want to scan. Each agent collects relevant security data from its host machine and sends it back to a collection server. This allows it to scan devices even if they’re offline or outside the organization network. Agent-based monitoring tools are also lighter weight than network-based tools, easing the burden on your network.
- Multiple file-format and operating system support: A sensitive data monitoring tool should be able to retrieve data in a wide variety of common file formats (Word, Excel, PDF, etc.) on Windows, Mac, and Linux endpoints.
- Out-of-the-box regulatory content: The tool should provide deep visibility into GDPR, PCI DSS, HIPAA, CCPA, and other regulatory use cases, allowing you to quickly report on and respond to data-privacy requirements as legal mandates change.
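The core of the client-side scan described under “How do sensitive data monitoring tools work?” and in the agent-based and regulatory-content features above can be sketched in a few dozen lines. This is added illustration code, not Tanium’s or the page’s own; the scanned file suffixes, the two data types (payment card numbers for PCI DSS and US Social Security numbers as personal data) and the sample text are assumptions made for the example.

```python
"""Minimal endpoint-side sensitive-data scan, added as an illustration (not the
page's or Tanium's code). Findings are reported masked so the report itself does
not become another copy of the sensitive data."""
import re
from pathlib import Path

# 13-19 digit runs, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN shape with never-issued area/group/serial values excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most random digit runs (invoice IDs etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters of a matched value."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per match: data type, source, line number, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append({"type": "PAN", "source": source, "line": lineno, "value": mask(digits)})
        for m in SSN_RE.finditer(line):
            findings.append({"type": "SSN", "source": source, "line": lineno, "value": mask(m.group())})
    return findings

def scan_path(root: Path, suffixes=(".txt", ".csv", ".log")) -> list[dict]:
    """Walk a directory tree the way an agent would, skipping files it cannot read."""
    results = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                results.extend(scan_text(p.read_text(errors="ignore"), str(p)))
            except OSError:
                continue
    return results

# Constructed sample (not real data): a Luhn-valid test PAN, a random digit run, an SSN-shaped value
SAMPLE = "order 4111 1111 1111 1111 shipped\nref 1234567890123456\nemployee ssn 123-45-6789\n"
```

Running `scan_text(SAMPLE, "sample.txt")` reports the card number on line 1 and the SSN on line 3 but not the 16-digit reference on line 2, which fails the Luhn check; the same logic runs unchanged whether or not the endpoint is on the corporate network.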