Data Security

Information Sensitivity

Information sensitivity refers to the need to protect specific data that, if not secured, can have negative consequences for an individual or organization if it is disclosed to unauthorized parties. Sensitive information can pertain to an individual, business or government.

Why is it Important to Protect Confidential Information?

The need for entities to protect sensitive data that pertain to personal, financial or medical conditions is becoming the subject of government legislation in many countries. Regulations such as the General Data Protection Regulation (GDPR) protect an individual’s right to privacy. Inadequate controls can lead to data loss and potential fines of up to 10% of a company’s profits.

Businesses that store personal data about customers, such as Banks and Credit Card processors, must comply with specific regulations regarding the financial information they hold. Compliance audit failures resulting from weak controls will lead to fines from regulatory bodies such as the Financial Conduct Authority (FCA) and the Consumer Financial Protection Bureau (CFPB).

Conceptual Illustration of files and gears protected with a lock and representing information sensitivity.

In healthcare, providers must ensure that no one without the correct authority accesses protected health information (PHI) which cannot be passed across borders and can only be viewed in the country the patient is a resident.

For pharmaceutical research and drug development, the loss of formulas can cost billions of dollars in lost revenue. Research and innovations must be kept secret at a company level until a patent is filed to protect them from illegal use.

The consequences of poor control of information sensitivity are not just financial. Data leaks are embarrassing, hurting the corporate brand and customer confidence.

Government secrets protect countries by limiting foreign arms development, guarding intelligence gathering and preventing terrorism.

Conceptual image of a person working besides a file and key and lock representing sensitive data.

Examples of Information Sensitivity

One of the most effective ways to appreciate the need for information sensitivity is to consider some high-profile examples of data loss:

In May 2023, a German newspaper received 23,000 leaked files containing sensitive information about Tesla accidents. Despite the data being protected by internal controls, an insider leaked the files to embarrass their employer.
Yahoo exposed 3 billion user accounts to cyber attackers who used account information such as security questions and plaintext passwords to gain access.
Approximately 90% of LinkedIn users’ details were exposed, including email addresses, phone numbers, geolocation records and gender. These were discovered for sale on the dark web after being scraped using a weakness in the LinkedIn API. Today, such organizations control data volumes through API access.
In 2019 Facebook discovered 533 million of their user details were available for sale on the dark web after being stolen.
Marriott (Starwood) was fined $18.4 million after the theft of sensitive information from their customer reservation system in 2018. This breach exposed names, email addresses, and credit card information.
In 2015, over 190 million US voters had their names, addresses, contact information and affiliations from the national voter database. The database was misconfigured, exposing sensitive information to the open internet.
In 2017 an unencrypted USB storage device containing complete security information for Heathrow Airport, including badges, maps, and CCTV camera locations. An unemployed man found the drive on the street, which he sold to the UK press.

Protecting Sensitive Information

One of the best ways to protect sensitive information is to evaluate who proactively has access to sensitive information and whether they need access. Those with the necessary privilege should only gain access to sensitive data access. Access should be role-based and include an expiry time to limit exposure.

Data needs to be protected at rest and in motion. The appropriate access to Sensitive data should limit the ability of an individual to share it. Data can be labeled so security mechanisms can double-check that the access is from an entity with the appropriate clearance level. Clearance levels classify government data to control access.

The most basic way to protect data is with a password. Password management can be used to ensure they are frequently changed and contain a specified number of characters and symbols. This makes them harder to guess and takes a long time to break using brute force approaches. Biometric security adds another level of security that is user-friendly. Multi-factor authentication further protects sensitive information.

The encryption of data at rest and in motion provides an additional safeguard. Longer advanced encryption standard (AES) keys can make decoding data take hundreds of years.

Physical security should never be overlooked. Keeping sensitive data in a safe or bunker works for banks and governments. Backup media must be protected at least as well as the original data.

When the business needs to share portions of sensitive data for verification, masking the value effectively allows limited access with low risk. Credit card issuers often need to verify the identity of a caller for online app users using only the last four digits of their Social Security number. Printed statements usually obscure most credit card numbers to protect from dumpster divers.

When creating test data, sensitive information can be jumbled or obfuscated so actual customer data can be protected, and the test data is representative of the original values in the test dataset.