If you’ve done any work with data, you’ve likely heard the term “sensitive data.” Data compliance regulations like the GDPR, HIPAA, CCPA, and more make repeated mentions of “sensitive personal data” and “sensitive personal information,” and many privacy statements include similar language. A quick search of the term “sensitive data” returns more than 1 billion search results.
“Data privacy regulations are growing increasingly numerous and complex, and cyber security threats abound,” says Bart Koek, Field CTO at Immuta. “As a result, organizations must find a way to secure their sensitive data without completely locking it down, so that they can continue to effectively leverage it for business purposes.”
But what do we actually mean when we refer to sensitive data? When we provide our names, addresses, credit card and phone numbers to third parties, how much of it is considered sensitive?
In this blog, we’ll define sensitive data, describe the difference between sensitive and personal data, and give you pointers for securing it without inhibiting its value.
Sensitive data is information that, if exposed, could jeopardize the security, privacy, and/or integrity of the individual(s) or organization(s) at hand. If this data were to be accessed by unauthorized users or bad actors, it would almost certainly have a detrimental effect on the person or group to which it belongs.
Examples of sensitive data include:
If exposed, these types of information could lead to dangerous repercussions for the individuals to whom they are attributed. This is why sensitive data necessitates a higher bar of data security and privacy than other types of information.
We know that sensitive data can reveal information about an individual that they would likely not want publicly available. How, then, does it differ from personal data? Where is the line between information that is simply “personal” and that which is vulnerable enough to be deemed “sensitive?”
NIST defines personal data as “Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
Similarly, the GDPR’s definition is “any information which are related to an identified or identifiable natural person.”
In each case, we see that personal data is a broader category of information about an individual that could be used to identify them.
Sensitive data is a more refined categorization of personal information. Think of it this way: geometrically speaking, every square also technically fits the definition of a rectangle. However, not every rectangle can be categorized as a square. In the same way, sensitive data can fall under the broader umbrella of personal data, but not all personal data is going to be delicate enough to be called sensitive.
| Sensitive Data | Personal Data |
|---|---|
| Information that, if exposed, could jeopardize the security, privacy, and/or integrity of the individuals or organizations to which it belongs. | Information that can be used to identify an individual, whether on its own or when combined with other information. |
With the delineation between sensitive data and personal data in mind, how should data governance teams identify their most sensitive data? Besides the various legal definitions of the term, there are standard qualifiers that organizations use to determine which of their data is sensitive. NIST’s CIA Triad outlines these qualifiers:
With these various qualifiers in mind, you can more effectively determine which of your data is the most sensitive – and therefore, the most crucial to protect.
Given the impact that its leakage could have on an individual’s safety and security, protecting sensitive data is at the core of virtually all modern data security initiatives. You need to know that the sensitive data you collect is not at risk, both to preserve data subjects’ safety, and avoid the penalties and reputational damage associated with a security incident. To identify and proactively protect sensitive data, you should take the following steps:
You cannot effectively protect that which you don’t know about. When data is collected and ingested into a modern data stack, it should be reviewed as soon as possible to determine its level of sensitivity. Sensitive data discovery automatically scans, tags, and classifies data to provide a comprehensive view of an organization’s assets. This is crucial to protecting sensitive data.
“Instead of defining access controls based on the data, teams should leverage data classification, which is the process of identifying the types of data and then applying metadata tags or attributes accordingly,” says Koek. “This creates an enhanced model that can scale with your data while also complying with regulations.”
Identifying and tracking sensitive data with consistent classifiers will set a baseline level of knowledge on which to build measures to secure it.
Once sensitive data is properly identified and classified, you can build systems to ensure its long-term security, confidentiality, and integrity. Writing and enforcing dynamic attribute-based access controls will help keep your sensitive data secured against unauthorized access.
“Data teams can leverage attributes, which automatically give users appropriate access to the data based on their business needs as they move through the organization,” says Koek. “To remain agile, secure, and compliant, companies must scale their access controls proportionately to their expanding data demands.”
To bolster access controls, privacy enhancing technologies (PETs) like data masking and k-anonymization further protect data against external and internal threats.
Even with controls in place, sensitive data needs to be consistently monitored for suspicious activity and compliance. Continuous data monitoring and unified auditing helps track and log all data activity within your environment.
“In order to meet evolving regulations for sensitive data and remain compliant, organizations must maintain continuous visibility into their data activities, including the type of data, where it is being accessed, and specific requirements or rules that apply to it,” says Koek. “This requires seamless collaboration between legal teams (from a regulatory perspective) and the data platform team (on the data management side).”
Monitored activity includes user queries, access behaviors, and configuration and classification changes, providing insight into who is doing what with which sensitive data. With detection capabilities, any sort of anomalous behavior can be identified and shared with security and governance teams in order to execute a timely and effective response.
A guide for teams of any data management maturity.
