Every time you sign up for a new service, buy something online or even apply for a job, you automatically share your personal information. Looking back over the hundreds of online interactions you’ve had over the years gives you an inkling of how many businesses have processed information about you.
Then, if you think of your own company, you’ll realize the exact same applies in reverse. From customer credit card information to employee payroll to supplier information, your company likely collects, processes and stores a wealth of personal information.
Sharing this data is part of living in today’s Western society. After all, data makes the world go round – particularly in the age of remote working. But what happens when organizations fail to look after it?
In the last year alone, hundreds of millions of individual records have been exposed in incidents of data loss, theft or accidental sharing. These include the credentials of over 500,000 Zoom teleconferencing accounts, the names, addresses, license plate numbers and vehicle identification numbers of California residents and the personal information of over 10.6 million hotel guests who stayed at MGM Resorts.
These incidents made the headlines because personal information is big business for cyber-attackers today. They can use it for fraud, to steal money, compromise identities, or trade it on the dark web.
This is why understanding and safeguarding sensitive data is so important.
Definition
Sensitive data is, in essence, individuals’ personal information. It’s either data that reveals personally identifiable information (PII), protected health information (PHI), or confidential information.
In the business world, sensitive data also refers to trade secrets, research and development assets, and financial plans.
Because this type of information is classified and high-risk, it is labelled as ‘sensitive’ and should only be available to authorized users. Its unintended disclosure constitutes a serious breach of privacy, security and confidentiality.
Examples of sensitive data include:
Sensitive data and compliance
If your organization processes sensitive data, it is your responsibility to safeguard it, in line with national and global compliance regulations.
Sensitive data vs personal data (GDPR)
If you operate in the European Union (EU), you may see sensitive data classed under another name: personal data. This is what sensitive data is called in the General Data Protection Regulation (GDPR). This data includes:
- Genetic and biometric data that can identify a human being
- Racial or ethnic origin
- Sexual orientation and sex life
- Personal political opinions
- Religious and philosophical beliefs
- Health-related data
- Trade-union membership
Sensitive data policy: US vs EU
One of the biggest differences between the US and EU is that, where the latter has one all-encompassing regulation in the form of the GDPR, the US has a patchwork of different data protection laws that apply to different territories, industries or sectors.
These include:
- The Health Insurance Portability and Accountability Act (HIPAA), a set of standards that aim to secure protected health information (PHI) among healthcare providers.
- The Payment Card Industry Data Security Standard (PCI DSS), which is more of an IT security standard for protecting credit card holder information.
- The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, designed to protect customer data in financial institutions.
- The Federal Information Security Management Act (FISMA), which requires federal agencies to possess an information security and protection program.
Impact of sensitive data loss, theft or unintentional disclosure
In today’s digital world, companies are processing more sensitive data than ever before. In turn, this is leading to more and more high-profile data breaches, accidental data loss, and data misuse incidents – all of which have hefty consequences.
Compliance violations – All organizations in the US fall under one or more of several data privacy regulations. These can be state, industry or sector-specific laws. Companies that inadvertently lose or disclose sensitive data face stiff fines, usually from the regulatory agencies that govern their industry.
For example, one healthcare provider was recently fined $1,040,000 for a HIPAA violation, after a company laptop was stolen. The device was unencrypted and stored patient medical records.
Lawsuits and settlements – Depending on the size of the compromised data, the organization can face individual lawsuits all the way to class-action suits. Plaintiffs can be victims whose data was compromised, or investors, employees, whistleblowers, and other parties affected by the incident.
This was a hard-earned lesson by the credit rating agency, Equifax. The company suffered a data breach in 2017 that compromised the personal details of 147 million people. In addition to regulatory fines, it had to establish a $300 million settlement fund to satisfy claims from millions of customers who were affected by the breach.
Damage to brand equity and negative PR – If all that weren’t enough, there are future costs incurred through lost business, loss of trust, and negative publicity. Consumers are more in tune with their digital privacy rights than ever before, and they do not look kindly on organizations that are complacent or negligent with their data. The effects are especially damaging to smaller businesses. According to one study of 1,000 organizations with fewer than 500 people, 10% went out of business after suffering a data breach, while a quarter had to file for bankruptcy.
How to determine data sensitivity
The National Institute of Standards and Technology (NIST) recommends using the CIA triad to measure how data should be classified in terms of sensitivity. CIA stands for confidentiality, integrity, and availability.
Confidentiality
This generally refers to the level of secrecy or privacy the data should be accorded, and the measures taken to preserve that confidentiality.
These measures include:
- Passwords
- Data encryption
- Two-factor authentication
- Security tokens
- Best practices like hard-copy only storage and using disconnected storage media
Integrity
Integrity is concerned with ensuring the data remains accurate and consistent, and monitoring alterations throughout its lifecycle.
Some of the integrity measures are:
- Using audit logs
- Enacting user access controls and file permissions – including for databases
- Maintaining file backups and storage redundancies
Availability
This area aims to make sure the data is available for access when required. Some of the measures involved include:
- Proper hardware maintenance
- Keeping on top of software updates and security patches
- Having a disaster recovery plan
- Guarding against data loss in case of natural or man-made calamities
How to protect sensitive data
The continued rise of data breaches and compliance fines is putting the pressure on organizations to ensure the privacy and security of sensitive data they are entrusted with.
To effectively protect it, businesses must first understand the risks. These include:
- The insider threat: Be it malicious or unintentional, employees are a huge risk to data security. For example, a disgruntled employee may download and steal trade secrets. Then there are those employees who are simply innocently going about their jobs, but accidentally share or lose sensitive data. Examples of this include losing USB sticks with company information or uploading confidential data to an unsecured cloud application.
- Remote working vulnerabilities: Hackers work 24/7 to find vulnerabilities in organizations’ networks and applications. In the remote working world, employees are outside the safety of the corporate office. Phishing emails, unsecured WiFi networks, use of unverified third-party applications and weak passwords are key vectors that attackers exploit.
- Ransomware: Ransomware is a type of malware that uses encryption to hold company information for ransom. The company will not be able to access their data until they pay up. Once ransomware gets into the network, it quickly spreads and targets critical databases and servers, hindering business output by creating a state of paralysis.
All of these threats mean that companies must take a stance of constant vigilance and be proactive about safeguarding sensitive data. Here is an overview of how to do so:
- Classify your sensitive information: To protect sensitive data, you have to know what and where it is. This is where data classification comes in. It’s a process of organizing data according to its type, sensitivity, and metadata, as well as its perceived value to the organization.
- Deploy cloud-based data loss prevention: Next-generation cloud access security brokers (CASBs) support organizations in discovering, classifying and securing sensitive information across cloud applications and unmanaged devices.
- Nudge your employees in the right direction: As mentioned above, human error is a big cybersecurity risk. Effective training is therefore critical to preventing accidental data loss. However, a one-off training program won’t do. What’s needed are nudges and warnings that are integrated into the daily flow – you can
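As an added illustration of the classification step (example code written for this article, not taken from the original or from any vendor product), the scanner below tags each record with the categories of sensitive data named on this page (PCI card data, PII, GDPR special-category / PHI) and derives a single sensitivity label from the strictest category found. The regular expressions, the keyword list and the sample records are constructed assumptions that would need tuning against real data.

```python
import re
from typing import Dict, List

# Constructed patterns for the kinds of sensitive data the article names.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # 13-19 digit card-like numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")    # e-mail addresses (PII)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # US SSN layout (PII)
# Illustrative terms for GDPR special categories / PHI (assumption, not exhaustive).
SPECIAL_TERMS = ("diagnosis", "religion", "trade union", "ethnicity", "biometric")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps arbitrary long numbers from being flagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_record(text: str) -> Dict[str, object]:
    """Return the sensitive-data categories found and a sensitivity label."""
    categories: List[str] = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            categories.append("PCI card data")
            break
    if EMAIL_RE.search(text) or SSN_RE.search(text):
        categories.append("PII")
    if any(term in text.lower() for term in SPECIAL_TERMS):
        categories.append("GDPR special category / PHI")
    # Strictest category wins: card data and special categories are restricted,
    # other PII is confidential, everything else stays internal.
    if "PCI card data" in categories or "GDPR special category / PHI" in categories:
        sensitivity = "restricted"
    elif categories:
        sensitivity = "confidential"
    else:
        sensitivity = "internal"
    return {"sensitivity": sensitivity, "categories": categories}


# Constructed sample records; the last number fails the Luhn check on purpose.
SAMPLE_RECORDS = [
    "Order 1042: card 4111 1111 1111 1111, ship to jane@example.com",
    "Patient intake: diagnosis asthma, contact john@example.com",
    "Q3 cafeteria menu: tacos on Tuesday",
    "Invoice ref 4111111111111112 (not a card number)",
]


def classify_all(records: List[str]) -> List[Dict[str, object]]:
    return [classify_record(r) for r in records]
```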