Categorizing and Handling Sensitive Data

Neha Sharma
Author: Neha Sharma, CISA, CIA, CPA, Assistant City Auditor, City of Austin
Date Published: 24 January 2023

Given the well-publicized level of security breaches and threats we currently face, it is increasingly important for organizations to have a handle on their most sensitive data. In today’s digital world, keeping sensitive data secure is not as easy as putting a lock on the file cabinet.

For protecting sensitive data, organizations need to establish a process. The first step is to define what they deem to be sensitive information. Identifying what makes data sensitive, and therefore worthy of time and effort to secure it, is a real challenge for cybersecurity teams. Sensitive data can come in various forms—from physical to digital, and including written documents, photographs, videos, audio recordings and more.

There are two broad categories of sensitive data: regulated data and unregulated data. Regulated data include information such as social security numbers, bank account information, healthcare history, etc. Unregulated data contain publicly known information which may or may not be mixed with sensitive information. Some examples of sensitive, unregulated data are customer surveys, job applications or employee contracts. These data may not always contain confidential information, but they often can. It is incorrect thinking to assume that since unregulated data includes publicly known information, it should not be considered sensitive.

Most of the data collected by organizations are unregulated data, and this presents the greatest challenge to security teams. Since sensitive data can fall into either regulated or unregulated categories, this is not the most efficient method of classifying sensitive data for the organization. The IT team generally categories their data into four groups:

Public: This type of data is freely accessible to the public. It can be freely used, reused and redistributed. An example might be job descriptions or press releases.

Internal: This type of data is strictly accessible to internal employees who are granted access. This might include business plans, organization charts, internal staff contact list, etc.

Confidential: As the name indicates, confidential data need to be kept private. If these data are exposed, the organization can have negative ramifications. Some examples of confidential data include social security numbers and cardholder data. Usually, confidential data are protected by data privacy and security laws like HIPAA and PCI DSS.

Restricted: This is highly sensitive data that if leaked could lead to criminal charges and massive legal fines. Examples of restricted data might include proprietary information or research and data protected by state and federal regulations.

Identifying and classifying sensitive data provides insight into the value of the organization’s various data assets. It is critical for effective risk management to prioritize data protection efforts, which will also lead to improved data security and regulatory compliance.