Sensitive information
What is sensitive information?
Sensitive information covers a broad range of data, but what all of it has in common is that its exposure poses risks to people and organizations. Types of sensitive information include:
- Business-related data—accounting, financial, and planning information, and trade secrets
- Governmental data—confidential, restricted, secret, and top-secret information
- Personal data—email addresses, phone numbers, physical addresses, and medical history
- Transactional data—bank account information, credit card numbers, and Social Security Numbers
Most sensitive information is protected by a mesh of domestic and international laws and regulations created and enforced by governments and organizations. These protections require that sensitive information be safeguarded from unauthorized access.
Whether it is present in physical or digital formats, sensitive information must be protected at rest (i.e., where it is stored) and in motion (i.e., when it is sent through physical channels, such as mail, or digital channels, such as email, or shared between applications).
Following are details about several of the various categories of sensitive information.
Personal information
Personal information, often referred to as personally identifiable information (PII), is a large segment of sensitive information that can be traced directly to an individual and, if disclosed, could cause harm to the person. Because this type of sensitive information can distinguish one person from another, it could be used to deanonymize anonymous data.
It is important to note that, singularly, personal data is not sensitive information. However, when multiple pieces of personal data are connected, the aggregate can become PII. Therefore, organizations are encouraged to apply the same protections to personal and sensitive information to avoid noncompliance penalties and other negative impacts.
Examples of sensitive information that falls under personal information include:
- Alien registration number
- Biometric data (e.g., fingerprint, voice print, retina or iris image, or other unique physical measurement)
- Criminal record
- Date of birth
- Driver’s license number
- Genetic data
- Internet protocol (IP) addresses
- Location information
- Mother’s maiden name
- Name
- Non-driver identification card number
- Passport number
- Phone number
- Photograph
- Place of birth
- Political affiliation or opinion
- Racial or ethnic origin
- Religious or philosophical belief
- Sexual orientation
- Social Security Number
- Trade union membership
- Veteran and disability data
Business and customer information
Sensitive business information includes anything that poses a risk to an organization if it is exposed. Examples of business and customer information that can be considered sensitive information include:
- Bank account information
- Cardholder data
- Court records from a consumer report
- Credit or debit card purchases
- Credit scores
- Customer data
- Federal tax identification numbers
- Financial data
- Intellectual property data
- Inventory information
- Marketing plans
- Operational information
- Payment card information
- Pending corporate actions or plans, such as an initial public offering (IPO), mergers, acquisitions, or stock splits
- Sales figures
- Supplier information
- Trade secrets
- Unreleased earning reports
Classified government information
Classified information refers to government information that has restricted access based on the level of sensitivity—top secret, secret, and confidential.
Top secret
This type of governmental sensitive information refers to national security information that requires the highest level of protection. There is a high bar for sensitive information to achieve this designation.
According to the Code of Federal Regulations, if this information were accessed without authorization, there is a reasonable expectation that the result would be “exceptionally grave damage to the national security.”
Examples of “exceptionally grave damage” listed in the Code of Federal Regulations include:
- Armed hostilities against the United States or its allies
- Disruption of foreign relations vitally affecting national security
- The compromise of vital national defense plans
- The revelation of sensitive intelligence operations
- The disclosure of scientific developments vital to national security
Secret
The second highest classification for governmental information is applied to sensitive information that requires “a substantial degree of protection” according to the Code of Federal Regulations, as unauthorized access to it could be reasonably expected to cause “serious damage to national security.”
Examples of “serious damage” given in the Code of Federal Regulations include:
- Disruption of foreign relations significantly affecting the national security
- Significant impairment of a program or policy directly related to national security
- Revelation of significant military plans or intelligence operations
- Compromise of significant scientific or technological developments relating to national security
Confidential
Governmental information that is classified as confidential can reasonably be expected to cause “damage to national security” in the event of unauthorized access. This information requires protection but not to the same level as secret and top-secret information.
Examples of confidential information include:
- The compromise of information that indicates the strength of ground, air, and naval forces in the United States and overseas areas
- Operational and battle reports which contain information of value to the enemy
- Intelligence reports
- Documents and manuals containing technical information used for training, maintenance, and inspection of classified munitions of war
- Research, development, production, and procurement of munitions of war
- Performance characteristics, test data, design, and production data on munitions of war
- Mobilization plans
- Documents showing the meaning of code names or symbols used to refer to confidential information
- Documents relating to special investigations, clearance, or assignment of personnel who will have knowledge of, or access to, classified information
- Details pertaining to features of special shipping containers, routes, and schedules of shipments of confidential materials
Protected Health Information (PHI) or Electronically Protected Health Information (ePHI)
PHI, or ePHI, is a type of sensitive information regulated by the US Health Insurance Portability and Accountability Act (HIPAA). It includes any medical information that can identify an individual or that is created, used, or disclosed while providing health care services. This includes any information related to a person’s medical, physical, or mental health that is recorded and stored in physical or digital records.
Examples of PHI and ePHI include:
- Appointments
- Device identifiers and serial numbers
- Health histories
- Healthcare services provided
- Lab or test results
- Medical records
- Medical bills
- Patient forms
- Prescriptions
- Provider or patient communication records
Education records
Educational information and records are considered sensitive information, and access by potential employers, publicly funded educational institutions, and foreign governments is strictly regulated.
Examples of education records include:
- Academic specializations and activities
- Advising records
- Awards conferred
- Courses taken
- Date and place of birth
- Degrees earned
- Disciplinary records
- Documentation of attendance
- Educational services received
- Emergency contact information for parent and/or guardian
- Grades and/or grade point average
- Medical and health records that the school creates or collects and maintains
- Number of course units in which the student is enrolled
- Official letters regarding a student’s status in school
- Parent and/or guardian addresses
- Schedule
- Schools attended
- Special education records
- Student email
- Student’s identification code
- Test scores
Sensitive information vs personal information
Laws and regulations for sensitive information
Following are several laws and regulations that reference sensitive information and require protections for it.
National laws
United States (U.S.)
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- U.S. Privacy Act of 1974
International
- Australian Federal Privacy Act
- Australian Privacy Act and Sensitive Information
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Chile’s Law No. 19.628 Protection of Private Life
- China’s data protection law, the Personal Information Protection Law (PIPL)
- Egypt’s Personal Data Protection Law (PDPL)
- European Union’s General Data Protection Regulation (GDPR)
- Japan’s Act on Protection of Personal Information
- Nigeria’s Data Protection Regulation (NDPR)
- Thailand’s Personal Data Protection Act (PDPA)
- UK’s Data Protection Act
U.S. state laws that govern sensitive information
- California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Personal Data Privacy and Online Monitoring Act
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act (ICDPA)
- Maryland Online Consumer Protection Act
- Massachusetts Data Privacy Law
- Montana’s Consumer Data Privacy Act
- New York Privacy Act
- New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
- Oregon Consumer Privacy Act (OCPA)
- Tennessee Information Protection Act
- Texas Data Privacy and Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act
Key sensitive information-related categories included in laws and regulations
Following are specific items included in various U.S. laws and regulations that specify aspects of sensitive information handling.
Biometrics
- Allowing a consumer to opt out of the sale of biometric information
- Developing a written policy regarding the collection or retention of biometric identifiers
- Implementing a specific type of biometric (e.g., fingerprints, facial, voice, iris, and palm)
Children’s online privacy
- Prohibiting the collection of information about minor users for marketing purposes
- Requiring operators of websites, online services, or applications to erase personal information about a minor if it has already been collected
Connected devices (e.g., speakers, mobile phones, cameras, and video surveillance)
May prohibit the following actions related to data captured with connected devices without an individual’s consent:
- Collecting
- Storing
- Using
Consumer rights
Providing specific consumer rights related to their sensitive information and personal data, such as the right to:
- Access—see any information about them that is stored
- Delete—request that any information about them be deleted
- Correct—request that inaccurate information be updated
Location privacy
- Prohibiting the transfer or sale of consumer geolocation or global positioning system (GPS) data without permission
Website privacy
- Requiring an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information-sharing practices
- Requiring consent before sharing internet browser information
Ensure protection of sensitive information with privacy by design
The protection of sensitive information is of paramount importance for the enterprise. Increasingly, organizations are adopting a Privacy by Design approach to protect sensitive information. This security approach integrates privacy into the implementation and deployment of all policies, systems, and devices.
Privacy by Design helps organizations ensure the protection of sensitive information with seven core principles:
- Proactive, not reactive; preventive, not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security—full lifecycle protection
- Visibility and transparency—keep it open
- Respect for user privacy—keep it user-centric
Regardless of the approach, organizations must protect sensitive information to adhere to multiple regulations and laws and meet expectations for sensitive data protection.