Article

Sensitive information

ComplianceSecurity
Time to read: 10 minutes

What is sensitive information?

Sensitive information covers a broad range of data, but what it holds in common is that its exposure poses risks to people and organizations. Types of sensitive information include:

  1. Business-related data— accounting information, financial, planning, and trade secrets
  2. Governmental data—confidential, restricted, secret, and top-secret information
  3. Personal data—email addresses, phone numbers, physical addresses, and medical history
  4. Transactional data—bank account information, credit card numbers, and Social Security Numbers

Most sensitive information is protected by a mesh of domestic and international laws and regulations created and enforced by governments and organizations. These protections require that sensitive information be safeguarded from unauthorized access.

Whether it is present in physical or digital formats, sensitive information must be protected at rest (i.e., where it is stored) and in motion (i.e., when it is sent through physical channels, such as mail, or digital channels, such as email or shared between applications).

Following are details about several of the various categories of sensitive information.

Personal information

Personal information, often referred to as personally identifiable information (PII), is a large segment of sensitive information that can be traced directly to an individual and, if disclosed, could cause harm to the person. Because this type of sensitive information can distinguish one person from another, it could be used to deanonymize anonymous data.

It is important to note that, singularly, personal data is not sensitive information. However, when multiple pieces of personal data are connected, the aggregate can become PII. Therefore, organizations are encouraged to apply the same protections to personal and sensitive information to avoid noncompliance penalties and other negative impacts.

Examples of types of sensitive information included in personal information include:

  1. Alien registration number
  2. Biometric data (e.g., fingerprint, voice print, retina or iris image, or other unique physical measurement)
  3. Criminal record
  4. Date of birth
  5. Driver’s license number
  6. Genetic data
  7. Internet protocol (IP) addresses
  8. Location information
  9. Mother’s maiden name
  10. Name
  11. Non-driver identification card number
  12. Passport number
  13. Phone number
  14. Photograph
  15. Place of birth
  16. Political affiliation or opinion
  17. Racial or ethnic origin
  18. Religious or philosophical belief
  19. Sexual orientation
  20. Social Security Number
  21. Trade union membership
  22. Veteran and disability data

Business and customer information

Sensitive business information includes anything that poses a risk to an organization if it is exposed. Examples of business and customer information that can be considered sensitive information include:

  1. Bank account information
  2. Cardholder data
  3. Court records from a consumer report
  4. Credit or debit card purchases
  5. Credit scores
  6. Customer data
  7. Federal tax identification numbers
  8. Financial data
  9. Intellectual property data
  10. Inventory information
  11. Marketing plans
  12. Operational information
  13. Payment card information
  14. Pending corporate actions or plans, such as an initial public offering (IPO), mergers, acquisitions, or stock splits
  15. Sales figures
  16. Supplier information
  17. Trade secrets
  18. Unreleased earning reports

Classified government information

Classified information refers to government information that has restricted access based on the level of sensitivity—top secret, secret, and confidential.

Top secret
This type of governmental sensitive information refers to national security information that requires the highest level of protection. There is a high bar for sensitive information to achieve this designation.

According to the Code of Federal Regulations, if this information was accessed without authorization, there is a reasonable expectation that the result would be “exceptionally grave damage to the national security.”

Examples of “exceptionally grave damage” listed in the Code of Federal Regulations include:

  1. Armed hostilities against the United States or its allies
  2. Disruption of foreign relations vitally affecting national security
  3. The compromise of vital national defense plans
  4. The revelation of sensitive intelligence operations
  5. The disclosure of scientific developments vital to national security

Secret
The second highest classification for governmental information is applied to sensitive information that requires “a substantial degree of protection” according to the Code of Federal Regulations, as unauthorized access to it could be reasonably expected to cause “serious damage to national security.”

Examples of “serious damage” given in the Code of Federal Regulations include:

  1. Disruption of foreign relations significantly affecting the national security
  2. Significant impairment of a program or policy directly related to national security
  3. Revelation of significant military plans or intelligence operations
  4. Compromise of significant scientific or technological developments relating to national security

Confidential
Governmental information that is classified as confidential can reasonably expected to cause “damage to national security” in the event of unauthorized access. This information requires protection but not to the same level as secret and top-secret information.

Examples of confidential information include:

  1. The compromise of information that indicates the strength of ground, air, and naval forces in the United States and overseas areas
  2. Operational and battle reports which contain information of value to the enemy
  3. Intelligence reports
  4. Documents and manuals containing technical information used for training, maintenance, and inspection of classified munitions of war
  5. Research, development, production, and procurement of munitions of war
  6. Performance characteristics, test data, design, and production data on munitions of war
  7. Mobilization plans
  8. Documents showing the meaning of code names or symbols used to refer to confidential information
  9. Documents relating to special investigations, clearance, or assignment of personnel who will have knowledge of, or access to, classified information
  10. Details pertaining to features of special shipping containers, routes, and schedules of shipments of confidential materials

Protected Health Information (PHI) or Electronically Protected Health Information (ePHI)

PHI, or ePHI, is a type of sensitive information regulated by the US Health Insurance Portability and Accountability Act (HIPAA). It includes any medical information that can identify an individual or that is created, used, or disclosed while providing health care services. This includes any information related to a person’s medical, physical, or mental health that is recorded and stored in physical or digital records.

Examples of PHI and ePHI include:

  1. Appointments
  2. Device identifiers and serial numbers
  3. Health histories
  4. Healthcare services provided
  5. Lab or test results
  6. Medical records
  7. Medical bills
  8. Patient forms
  9. Prescriptions
  10. Provider or patient communication records

Education records

Educational information and records are considered sensitive information, and access by potential employers, publicly funded educational institutions, and foreign governments is strictly regulated.

Examples of education records include:

  1. Academic specializations and activities
  2. Advising records
  3. Awards conferred
  4. Courses taken
  5. Date and place of birth
  6. Degrees earned
  7. Disciplinary records
  8. Documentation of attendance
  9. Educational services received
  10. Emergency contact information for parent and/or guardian
  11. Grades and/or grade point average
  12. Medical and health records that the school creates or collects and maintains
  13. Number of course units in which the student is enrolled
  14. Official letters regarding a student’s status in school
  15. Parent and/or guardian addresses
  16. Schedule
  17. Schools attended
  18. Special education records
  19. Student email
  20. Student’s identification code
  21. Test scores

Sensitive information vs personal information

Laws and regulations for sensitive information

Following are several laws and regulations that reference sensitive information and require protections for it.

National laws

United States (U.S.)

  1. Children’s Online Privacy Protection Act (COPPA)
  2. Family Educational Rights and Privacy Act (FERPA)
  3. Gramm-Leach-Bliley Act (GLBA)
  4. Health Insurance Portability and Accountability Act (HIPAA)
  5. U.S. Privacy Act of 1974

International

  1. Australian Federal Privacy Act
  2. Australian Privacy Act and Sensitive Information
  3. Brazil’s Lei Geral de Proteçao de Dados (LGPD)
  4. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  5. Chile’s Law No. 19.628 Protection of Private Life
  6. China’s data protection law, the Personal Information Protection Law (PIPL)
  7. Egypt’s Personal Data Protection Law (PDPL)
  8. European Union’s General Data Protection Regulation (GDPR)
  9. Japan’s Act on Protection of Personal Information
  10. Nigeria’s Data Protection Regulation (NDPR)
  11. Thailand’s Personal Data Protection Act (PDPA)
  12. UK’s Data Protection Act

U.S. state laws that govern sensitive information

  1. California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA)
  2. Colorado Privacy Act (CPA)
  3. Connecticut Personal Data Privacy and Online Monitoring Act
  4. Indiana Consumer Data Protection Act
  5. Iowa Consumer Data Protection Act (ICDPA)
  6. Maryland Online Consumer Protection Act
  7. Massachusetts Data Privacy Law
  8. Montana’s Consumer Data Privacy Act
  9. New York Privacy Act
  10. New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
  11. Oregon Consumer Privacy Act (OCPA)
  12. Tennessee Information Protection Act
  13. Texas Data Privacy and Security Act (TDPSA)
  14. Utah Consumer Privacy Act (UCPA)
  15. Virginia Consumer Data Protection Act

Key sensitive information-related categories included in laws and regulations

Following are specific items included in various U.S. laws and regulations that specify aspects of sensitive information handling.

Biometrics

  1. Allowing a consumer to opt out of the sale of biometric information
  2. Developing a written policy regarding the collection or retention of biometric identifiers
  3. Implementing a specific type of biometric (e.g., fingerprints, facial, voice, iris, and palm)

Children’s online privacy

  1. Prohibiting the collection of information about minor users for marketing purposes
  2. Requiring operators of websites, online services, or applications to erase personal information about a minor if it has already been collected

Connected devices (e.g., speakers, mobile phones, cameras, and video surveillance)
May prohibit the following actions related to data captured with connected devices without an individual’s consent:

  1. Collecting
  2. Storing
  3. Using

Consumer rights
Providing specific consumer rights related to their sensitive information and personal data, such as the right to:

  1. Access—see any information about them that is stored
  2. Delete—request that any information about them be deleted
  3. Correct—request that inaccurate information be updated

Location privacy

  1. Prohibiting the transfer or sale of consumer geolocation or global positioning system (GPS) data without permission

Website privacy

  1. Requiring an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information-sharing practices
  2. Requiring consent before sharing internet browser information

Ensure protection of sensitive information with privacy by design

The protection of sensitive information is of paramount importance for the enterprise. Increasingly, organizations are adopting a Privacy by Design approach to protect sensitive information. This security approach integrates privacy into the implementation and deployment of all policies, systems, and devices.

Privacy by Design helps organizations ensure the protection of sensitive information with seven core principles:

  1. Proactive, not reactive; preventive, not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security—full lifecycle protection
  6. Visibility and transparency—keep it open
  7. Respect for user privacy—keep it user-centric

Regardless of the approach, organizations must protect sensitive information to adhere to multiple regulations and laws and meet expectations for sensitive data protection.

Unleash the power of unified identity security.

Centralized control. Enterprise scale.

Get started

See what SailPoint Identity Security can do for your organization

Discover how our solutions enable modern enterprises today to meet the challenge of ensuring secure access to resources without compromising productivity or innovation.