What Is Classified as Sensitive Data

What is Sensitive Data?

When it comes to unstructured data in an organization, sensitive data is the most important type of data to identify. Sensitive data falls into several classifications, but broadly refers to data that must be protected from unauthorized access to prevent harm to businesses and individuals alike. These classifications include personal information, private information, health information, and high-risk data, among others.

This blog discusses the categories of data that fall under such classifications, their variants, and how Congruity360 can help to classify and protect sensitive data.

Classifications of Sensitive Data

The different classifications of sensitive data require protection from unauthorized access for varying degrees of risk. Exposure of personal information, private information, health information, and their variants has the most vulnerability for individuals both inside and outside an organization. However, exposure or illegal destruction of high-risk data such as regulated, business, and confidential information poses the greatest threat to an organization itself, especially in reputation, trust, and legal compliance.

The following describes each classification of sensitive data:

Personal Information

The broadest classification, this includes personal data that can identify or relate to a person or household, whether inside or outside an organization. Because of this broad classification, several categories such as private information, personally identifiable information, and sensitive personal information can fall under this classification. However, distinct classifications of personal information should be used when identifying unstructured data to denote higher risk or to comply with regulations more effectively.

Private Information

This classification is a specific kind of personal information that includes encrypted or unencrypted data that poses higher exposure risk for an individual when combined with other personal information. In New York, the SHIELD Act regulates private information owned by a person or business, and considers the following data covered under its rules:

• Social security number
• Driver’s license number or non-driver ID card number
• Identifying biometric information
• Account number or credit/debit card number

Personally Identifiable Information

A type of personal information, this data refers to information that can be used to identify a person. In the wrong hands, this data is used to commit identity theft, forge documents, and target individuals with malicious intent. This includes not only names, legal addresses, and SSNs but also location data, IP addresses, and email addresses.

Sensitive Personal Information

This classification refers to sensitive personal data with higher security standards due to greater risk and differing regulations. For example, GDPR regulations define the following as sensitive personal information:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Sexual orientation and related data
• Identifying Biometric data

Aside from higher security standards, the storage of sensitive personal information also falls under regulations such as GDPR, for which lawful grounds for storage such as explicit consent is expected.

Nonpublic Personal Information

This classification refers to personally identifiable financial information handled by financial institutions to perform services and transactions for their consumers, and often falls under regulations such as the GLBA. Examples include information as public as names and phone numbers and as high-risk as SSNs, bank account numbers, and credit card numbers.

Protected Health Information

Healthcare providers, insurers, and other organizations covered by regulations such as the HIPAA would use this classification. Protected health information refers to medical information disclosed when providing health care services that can identify an individual. This classification covers a very wide range of personal information as well as unique medical data, such as:

• Names
• Dates
• Phone numbers
• Geographic data
• FAX numbers
• Social security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plates
• Web URLs
• Device identifiers and serial numbers
• Internet protocol addresses
• Full-face photos and comparable images
• Biometric identifiers
• Any unique identifying number or code

Protected health information mandates a high standard of physical and digital security to meet regulatory compliance.

Material Nonpublic Personal Information

A publicly traded company’s information and holdings that has not been made public or available to investors can fall under this classification when it can have significant impact on the share price. Possession, knowledge, and sharing such data to conduct trades with an advantage is an illegal type of insider trading, whether the trader is an employee of said company or not. Financial records, upcoming corporate actions, and rulings of regulatory agencies can fall under this classification.

Regulated, Business, Confidential, and High-Risk Data

Organizations must especially consider unstructured data that may be regulated, business, confidential, or otherwise high-risk to ensure sensitive data does not end up in the wrong hands. Identifying this important classification and enacting access controls, retention workflows, and data quality standards to match protects the organization and related individuals from harm and helps maintain good standing with both the public and with regulators. This includes:

• Regulated, business, confidential, and high-risk data in the prior classifications
• Business IP
• Classified information
• Unstructured data with unknown information
• Any business-specific data critical to the organization’s operations not traditionally considered sensitive data

How Congruity360 Helps Classify and Protect Your Sensitive Data

Congruity360 can help an organization classify and protect their unstructured data with the Classify360 solution. Classify360 works as a secure, powerful, cloud-based data governance tool that empowers a client to classify their sensitive data and take action to enforce data quality standards. With Classify360, clients can do the following:

• Organize unstructured data into secure, virtual repositories, without removing or copying files from the source
• Search repositories for sensitive data
• Run models in the repositories for duplicates, categorization, and risk analysis
• Use models and searches in drill-down analysis to classify sensitive data
• Run manual or automated policies to perform actions on sensitive data, right at the source

The actions Classify360 can manually or automatically perform on sensitive data include:

• Inject entries into files at the source, such as missing info or data tags
• Copy files to another location, for migration to better storage
• Secure files as read-only at the source
• Delete files from the source, to avoid duplicates post-migration and enforce data retention standards

Congruity360 will be happy to demonstrate how we can help you with your sensitive data needs. To request a custom demo of Classify360, click here. 

*Available actions can differ based on your data source. Contact Congruity360 or request a custom demo to ask for details.