The 10 Types of Sensitive Data Companies Must Protect

Keeping sensitive data secure from theft and vulnerabilities can be incredibly challenging. With limited budget and bandwidth, IT and Security teams are expected to protect sensitive information while introducing strong security solutions.

To protect sensitive data from getting into the wrong hands, companies first must understand what counts as sensitive data.

This guide explores the 10 types of sensitive data your company must protect and what you can do to keep them as secure as possible.

What Is Sensitive Data Anyway?

Sensitive data, also known as private data or information, is any information that must be protected and kept inaccessible to the public and other parties unless specifically granted permission.

The legal definition describes it as information that must be protected against unauthorized disclosure, including personally identifiable information (PII), protected health information (PHI), and more.

It’s crucial to impose tougher restrictions when dealing with this type of data, especially when it pertains to individual privacy and property rights, for ethical or legal reasons. A data breach can expose a company to grave risks such as reputational damage, litigation, and privacy violations affecting its customers and employees.

Similarly, a data breach in a government commission could give foreign powers access to national secrets.

The 10 Types of Sensitive Data Your Company Must Protect

Companies must be aware of the types of data they should safeguard to keep their customers, employees, and themselves secure.

Sensitive Data Example 1: Personally Identifiable Information

When working with people, whether it be your customers, vendors, or other employees, personally identifiable information (PII) can suddenly feel like it lives everywhere – in emails, databases, documents, and more. This is information used to identify an individual, including their names, contact details, or social security numbers. 

Many recent breaches, such as T-Mobile’s (compromised twice in 2023), have leaked this type of sensitive data, including addresses and government IDs.

Loss of PII not only leads to a loss of trust in the company, it can also cause costly cleanups and a lack of business opportunities. 

Take the case of Atlassian in 2023, when the hacking group SiegedSec leaked the PII of nearly 13,200 Atlassian employees. Or genetics testing company 23andMe’s October breach that led to the exposure of more than 20 million pieces of personal user data. 

When it comes to corporate security incidents, PII is often exposed first, and companies end up paying the price.

Sensitive Data Example 2: Intellectual Property and Trade Secrets

Nearly all companies store proprietary information, whether it’s in their network, within a document management system, or entrusted to a third party. For a hardware developer, this can be schematics or manufacturing process details, while for a software developer, this could be code or architecture details.

Trade secrets and intellectual property can also include product specifications, competitive research, ad creative, designs, or even the in-development footage of a forthcoming video game, like Rockstar Games’s infamous Grand Theft Auto 6 leak in 2022. 

When company IP is stolen, it can compromise other organizations as well. Consider the 2023 incident involving Micro Star International (MSI), in which MSI’s source code was exposed along with Intel Boot Guard signing keys, posing a threat to vendors including Intel and Lenovo.

Companies must ensure that their valuable IP is protected, as well as the property of their partners and clients, to safeguard trust and their organization’s reputation.

Sensitive Data Example 3: Employee Data and Customer Information

Employee data and customer information overlap heavily: both include PII, banking information, usernames, and passwords. Customer information may also cover a customer’s own confidential business details, such as company strategies, upcoming product launches, advertising campaigns, and data about their own customers.

Several departments handle this type of data, including Human Resources, Customer Success, and Sales. For instance, the Sales team can access customer contracts or notes from client calls that may contain confidential data.

Losing customer or employee data can have detrimental effects, from erosion of customer or employee trust to even legal consequences. For example, Northwell Health and Perry Johnson & Associates faced a class action lawsuit after a major breach impacted customer PII and PHI in 2023. 

Organizations must take measures to safeguard their customer and employee data to maintain trust and credibility.

Sensitive Data Example 4: Protected Health Information (PHI)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines PHI as any information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity (or a third-party business associate) and that can be linked to a specific individual.

There is no way to predict how a malicious actor may use such confidential information, and the rate at which PHI is compromised continues to rise.

According to IBM, healthcare breaches have been the most costly out of all industries for 13 years, and there is no indication that this trend is shifting.

Approximately 89 million individuals in the US experienced a breach of their sensitive health information in 2023, marking a significant increase from the 43.5 million reported during the same period in 2022. 

The number of legal actions arising from healthcare breaches is also increasing, with various entities including providers, payers, and vendors reporting incidents.

For example, HCA Healthcare’s 2023 security incident affected more than 11 million people and led to a class action lawsuit against the company. Community Health Systems, a major Tennessee provider network, likewise faced litigation following a breach that exposed the data of approximately one million patients.

Sensitive Data Example 5: Financial and Operational Information

Financial information is data related to money transactions, credit card information, bank account details, and other sensitive financial statements. This data can relate to the company, its customers, and other third parties.

Operational information belongs in the same category and includes business operations data and inventory figures. For example, businesses wouldn’t want the details of their sales figures disclosed publicly or accessed by their rivals.

Departments like Finance and Accounting have access to this information, and it’s vital to keep it protected and stay compliant with laws and regulations such as the Fair Credit Reporting Act (FCRA) and the Sarbanes-Oxley Act (SOX).

This type of data is extremely valuable and can have huge consequences for companies and consumers if leaked. For instance, Equifax’s 2017 breach affected 40% of the US population and led to a $700 million global settlement with the FTC, CFPB, and 50 US states and territories.

Protecting financial and operational data is crucial to avoid data breaches, massive fines, and company infamy.

Sensitive Data Example 6: Legal and Compliance Data

Legal and compliance data is any information necessary to comply with industry-specific regulations and data protection laws as well as legal documents and information. Examples of this could be a SOC 2 report, data that is protected under GDPR requirements, or confidential legal agreements or records related to litigation proceedings. 

For example, in 2023, sensitive data linked to law firm Proskauer Rose remained vulnerable for more than six months, as an unsecured Microsoft Azure cloud server exposed the information. 

The sensitive data consisted of 184,000 files, encompassing private and privileged legal documents, non-disclosure agreements, contracts, and files related to high-profile acquisitions. 

Keeping sensitive information secure is key to staying in good standing with various frameworks and legal statutes including the Gramm-Leach-Bliley Act and the Federal Trade Commission Act.

Sensitive Data Example 7: Backup and Recovery Data

Ensuring the security of data backups is crucial for business continuity and disaster recovery. It ensures the availability and integrity of critical information in the event of a cyberattack, hardware failure, or accidental deletion. 

Ransomware attacks are nothing new, but organizations must stay prepared as threat actors persist in their efforts. The Clop ransomware gang’s successful compromise of the MOVEit Transfer software, which led to the largest hack of 2023, is a case in point.

With ransomware risks rising, having secure and isolated backup data is a key defense mechanism. If systems are compromised, organizations can restore their data from clean backups rather than succumbing to ransom demands.

Sensitive Data Example 8: Industry-Specific Data

Depending on your industry, you must protect specific types of sensitive data.

For instance, those working in the healthcare sector should take proper measures to protect digitally stored medical records and medical research data, while those in retail should focus on safeguarding the payment information of their customers.

Whatever your industry, you’re likely to have sensitive data that goes along with it. For example, if your company is in the Research and Development sector, you’ll need to protect experiment results and prototypes. If your industry is the Education sector, protecting student records and financial aid details would be key.

Losing this type of information hurts your reputation within your specific industry and can lead to massive fines from the regulatory bodies that oversee it. For example, if you’re in the Financial Services sector, your company could be penalized by the Federal Reserve Board (FRB) or the Securities and Exchange Commission (SEC).

Keeping industry data safe is paramount to protect your company’s customers, partners, and organization’s good name.

Sensitive Data Example 9: Confidential Business Plans and Strategies

IT and Security teams should be aware of information about future business plans, product roadmaps, and strategic initiatives that can impact the company’s success. Although this type of data can slip through the cracks, it should be protected just as much as financial or legal information. 

Take the case of Sony in December 2023, when the company’s video game roadmap, budgets, and corporate strategy were among the 1.3 million files leaked by threat actors in a massive breach. Details about almost everything the studio is currently developing are now publicly accessible, leading to massive damage control for Sony and its partners.

Sensitive Data Example 10: Mergers and Acquisitions (M&A) Data

When a company is buying another company, two companies are merging, or a company is selling off a part of its business, lots of confidential information gets exchanged during the process. 

Protecting this sensitive data is typically contractually required. It also facilitates a smooth negotiation process, increasing the likelihood of a successful deal. And if an acquisition does not go through, companies are typically still required to protect the M&A data, and in many cases, delete it.

It’s vital to understand that when your company acquires another company, you must now protect any sensitive information from that company and be aware of data protection vulnerabilities it may have. 

For example, the Marriott data breach in 2018 involved the exposure of personal information, including passport numbers, of millions of guests. Marriott had acquired Starwood Hotels in 2016, and the breach involved data from the Starwood guest reservation system.

To mitigate potential risks, companies need to implement robust security measures, access controls, and regular audits, especially when acquiring or merging with new companies.

How to Protect Your Company’s Sensitive Data from Exposure

What can you do to identify and protect your company’s sensitive data?

Here are three steps to help IT and Security teams protect sensitive data and prevent it from being exposed.

Step 1: Identify and Classify All Sensitive Data

You must take the necessary measures to identify and group all company data based on its sensitivity. Think of this step as classifying sensitive data.

This may look like an easy task, but it often isn’t.

System complexity grows over time, and new data appears almost every day. As a result, finding sensitive data is not a one-off project but a constant and highly dynamic process. Know what types of data your company holds and how sensitive each is according to your classification scheme.
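One way to make this classification step concrete is to scan records for the markers of the data types listed above (PII, financial data, PHI) and assign a sensitivity tier. The scanner below is an added example, not Nira’s product or code; the patterns, the PHI keyword list, and the tier policy are this example’s own assumptions, and the sample records are constructed.

```python
import re

# Detectors for three of the sensitive-data categories in the guide.
# These regexes and the tier policy are illustrative assumptions, not a standard.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate card numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHI_TERMS = ("diagnosis", "prescription", "patient id")  # assumed keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_categories(text: str) -> set[str]:
    """Return the sensitive-data categories detected in one record."""
    found = set()
    if SSN_RE.search(text) or EMAIL_RE.search(text):
        found.add("PII")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("Financial")
            break
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        found.add("PHI")
    return found


def classify(text: str) -> tuple[str, list[str]]:
    """Map detected categories to a sensitivity tier (example policy)."""
    cats = find_categories(text)
    if cats & {"PHI", "Financial"}:
        tier = "restricted"
    elif "PII" in cats:
        tier = "confidential"
    else:
        tier = "internal"
    return tier, sorted(cats)


if __name__ == "__main__":
    # Constructed sample records; the card number is a well-known test value.
    for rec in ("Patient ID 4471, diagnosis: asthma",
                "Card 4111 1111 1111 1111 exp 12/27",
                "Contact jane.doe@example.com, SSN 123-45-6789",
                "Ref 1234 5678 9012 3456"):
        print(classify(rec), "<-", rec)
```

The Luhn check is what keeps an arbitrary 16-digit reference number from being flagged as a card number, which is the kind of false positive that makes classification tooling noisy in practice.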

Step 2: Respond To and Assess Data Risks ASAP

Data theft and data leakage are never-ending issues. Because they affect every part of an organization or government unit, they cannot be treated solely as an IT problem.

Risk assessment is an incredibly crucial aspect of protecting sensitive data. You must first identify all the users, devices, networks, and applications, and then categorize them based on how a data leak would impact the organization.

The last step is to assess these potential attack vectors and decide whether you want to accept, transfer, mitigate, or refuse the risk.

Factors that drive these risks include the liability cost of the sensitive data, where you plan to store it, how it moves from one source or domain to another, the volume of sensitive data involved, and so on.

Step 3: Monitor and Implement Strong Security Measures

Security measures should be designed with care so that IT and Security teams can effectively safeguard the company’s sensitive data against theft.

You should continuously monitor these steps, ensuring there are no vulnerabilities or security gaps in the process. You must assign all of the protection measures to the sensitive data you’ve found beforehand, as well as the newer types of sensitive data.

Here are a few security measures you can use to protect company information:

Educate Employees

1. Educate employees on the importance of following security protocols and best practices.
2. Remind employees to avoid leaving sensitive papers out when they’re away from their workstations, to use laptop privacy screens to obscure their work, and to keep their computers locked when not in use.
3. Make it mandatory for employees to use strong passwords and enable secure multi-factor authentication (MFA) methods through authentication apps or passkeys.
4. Create a “culture of security” by implementing a regular schedule of employee training. Keep updating employees as you find out about new risks and vulnerabilities.
5. Provide employees with visibility and control over who their cloud-based sensitive documents are shared with.

Secure Company Networks and Systems

6. Encrypt all sensitive information sent to third parties over public networks. You can also encrypt email transmissions within the business if they contain PII.
7. Identify all connections to the networks where sensitive information is stored, and assess the vulnerability of every connection to commonly known or reasonably foreseeable attacks.
8. Run up-to-date antivirus and anti-spyware programs on individual computers and network servers regularly.
9. Use a firewall to protect company computers from cyberattacks when they are connected to the internet.
10. Use a Cloud Document Security system to secure company documents while reducing data theft risks. This proactively protects company files from unauthorized access when using cloud collaboration tools like Google Workspace, Microsoft OneDrive, and SharePoint.
11. If wireless devices like inventory scanners are used to connect to the computer network or to transmit sensitive information, consider limiting the number of users who can use a wireless connection to access the computer network. You can also limit the number of wireless devices that can connect to the network.

Safeguarding sensitive data is paramount to stop unauthorized access and potential misuse. 

Through effective security measures, companies keep sensitive information secure and mitigate the risks associated with breaches. 

This proactive approach is essential for maintaining the trust of customers, partners, and employees while ensuring compliance with data protection regulations. For more information on keeping confidential data safe with Nira, visit here.
