by Ramona Carr

What is Sensitive Information?

With large amounts of sensitive data being produced and exchanged every second, it’s more important than ever that businesses take steps to protect that data. This article will provide a comprehensive introduction to sensitive information so that you know how best to protect your organization.

Definition of Sensitive Information

Sensitive information is data that must be guarded from unauthorized access and unwarranted disclosure in order to maintain the information security of an individual or organization.

Unlike public information, sensitive information is not collected from unrestricted directories, and does not include any information made lawfully available to the general public from government records. This means that exposure of sensitive data can potentially cause financial or personal harm.

There are three main types of sensitive information:

Personal Information

Also called PII (personally identifiable information), personal information is any data that can be linked to a specific individual and used to facilitate identity theft. For example, knowing a person’s Social Security number and mother’s maiden name makes it easier to apply for a credit card in their name, and knowing the person’s passport and visa number makes it easier to create a false document.

Most people have personal information distributed across a variety of organizations and industries, and it takes several forms, such as:

  • Protected health information (PHI) such as medical records, laboratory tests, and insurance information
  • Educational information such as enrollment records and transcripts
  • Financial information such as credit card numbers, banking information, tax forms, and credit reports

Business Information

Sensitive business information is any data that would pose a risk to the company if released to a competitor or the general public. For example, information such as intellectual property, trade secrets, or plans for a merger could all be harmful to the business if it fell into a rival’s hands.

In addition, a breach of sensitive business information such as customer and supplier records or cardholder data would carry substantial financial penalties. The company would have to spend money on responding to and recovering from the breach, and its reputation would fall among its stakeholders and customers.

Classified Information

Classified information is data that has been intentionally kept secret at a governmental level. It typically belongs to a certain tier of sensitivity (restricted, confidential, secret, or top secret) that limits the people who have access to the information.

Just as the release of sensitive personal and business information could cause personal or organizational harm, the breach of classified information has the potential to seriously endanger a government’s objectives and international standing.

What Happens If Sensitive Information Is Breached?

For the organization, the consequences of a data breach of sensitive information can range from minor to disastrous. In particularly devastating cases, such as the 2014 Home Depot breach, companies may be required to pay tens of millions of dollars in damage compensation to customers and financial institutions.

If PII is accessed by cyberattackers, the information can be used for a number of nefarious purposes. For example, cybercriminals can open up a line of credit in a victim’s name or gain access to their bank accounts. PII can also be used to create more targeted phishing attacks toward specific people (known as “spear phishing”), further compounding the financial damage.

What’s more, the likelihood of a data breach is higher than you might think. According to a 2017 Ponemon Institute study of 419 organizations worldwide, the likelihood that an organization in the study will experience a data breach in the next two years is more than one in four.

How Is Sensitive Information Protected?

Fortunately, there are regulations in place to protect the sensitive information of individuals and businesses. The following are a few of the most important ones:

  • Gramm–Leach–Bliley Act (GLBA): U.S. financial institutions must disclose how they share customers’ information.
  • Health Insurance Portability and Accountability Act (HIPAA): U.S. health providers must take adequate steps to protect patients’ PHI.
  • Family Educational Rights and Privacy Act (FERPA): U.S. educational institutions must have the consent of students over 18 years old to release records such as schedules, transcripts, and disciplinary information.
  • General Data Protection Regulation (GDPR): Businesses that process the personal data of European Union citizens and residents must adequately protect this data and notify affected parties in the event of a breach.
  • Health Information Technology for Economic and Clinical Health (HITECH): Organizations regulated by HIPAA must report data breaches affecting more than 500 people to the affected individuals, the U.S. Department of Health and Human Services, and the media.
  • Payment Card Industry Data Security Standard (PCI DSS): Companies that process credit card information must protect this data and conduct transactions within a secure network.

Final Thoughts

Due to the massive volumes of data generated and processed by today’s IT systems, it’s imperative that organizations properly handle security and privacy. However, issues such as large-scale cloud infrastructures, the diversity and volume of data sources and formats, and the streaming nature of data acquisition further complicate data protection.

Owing to these problems, traditional legacy encryption mechanisms are inadequate for all but small-scale, static organizations. Zettaset’s XCrypt line of data encryption products is optimized for performance and scalability. With XCrypt, companies can meet data protection requirements in high-volume distributed computing environments, in the cloud, and on-premises.