What is sensitive data, and how can you protect it?

What is sensitive data?

Sensitive data is information that is confidential and needs strong protection from unauthorized access to keep individuals and organizations safe and private. If exposed, this data could seriously harm the people and organizations it directly relates to.

Organizations usually limit access to this information to people with the right permissions. This rule covers both paper and digital forms of information.

Sensitive data vs. personal data

Not all sensitive data is personal data, but all personal data is sensitive. Personal data includes any information that can identify an individual, such as their name or email address. Sensitive data covers both personal data and a broader range of information that, if disclosed, could harm the individual concerned.

Personal and sensitive data examples include:

Types of sensitive data

We can organize sensitive data into several main types:

Personally identifiable information (PII)

Personal identifiable information (PII) includes any data that can identify a specific person. This category includes names, addresses, phone numbers, social security numbers, and digital identifiers such as IP addresses or cookie IDs. Misusing this information can lead to identity theft, fraud, or other cybercrimes.

Business information

Sensitive business information includes any data that could harm an organization if competitors or the public were to access it. Examples include trade secrets, plans for buying other companies, financial details, information about suppliers and customers, and intellectual property.

Classified information

Government agencies classify information to protect national security and safeguard sensitive details about organizations or individuals. They use four levels of classification to restrict access based on the information’s sensitivity:

• Restricted: Includes details like government facility operations, which could cause undesirable effects if disclosed. Unauthorized disclosure of restricted information could jeopardize the security of the facility and the safety of individuals associated with it.
• Confidential: Protects information such as diplomatic contacts to prevent damage to national interests.
• Secret: Covers information such as detailed military plans that could seriously harm national security if exposed.
• Top secret: Reserved for highly sensitive data, like real-time intelligence reports.

Financial information

Financial information, often classified together with nonpublic personal information (NPI), includes data related to an individual’s or organization’s financial status. It encompasses names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchase details, court records from consumer reports, and other consumer financial data. Due to its sensitive nature, safeguarding this data is essential to prevent cybercrimes, such as identity theft and credit card fraud.

Protected health information (PHI)

Protected health information (PHI) includes any medical information that can identify an individual and relate to their health status, healthcare provision, or payment for healthcare services. Examples include data from medical records, lab results, insurance details, and conversations between healthcare providers and patients. PHI also covers health histories, test results, prescriptions, and communications about medical services in both physical and electronic forms.

Access credentials

Access credentials, including usernames, passwords, PINs, and biometric data, are essential for securing your data, systems, and physical locations. You must safeguard these credentials to prevent unauthorized access to critical systems and sensitive data. If access credentials are compromised, consequences can include data breaches, financial losses, identity theft, reputational damage, legal penalties, and operational disruptions.

Education records

The Family Educational Rights and Privacy Act of 1974 (FERPA) regulates access to educational records, which contain sensitive and personal data about minors and young adults. Accessible under specific conditions to potential employers, academic institutions, and foreign governments, these records include admission applications, disciplinary records, enrollment details, financial aid information, grades, student identification numbers, and transcripts. FERPA protects this sensitive information to ensure student privacy.

Employment records

Employment records contain sensitive personal data that, if misused, can lead to workplace discrimination or harassment and potentially damage personal and professional reputations and relationships. These records include background checks, disciplinary actions, employment histories, performance evaluations, personal documents for HR purposes, salary and payroll details, and workplace incident reports.

What can someone do with sensitive data?

If sensitive data gets in the wrong hands, they can exploit it in various harmful ways, putting both individuals and businesses at risk.

Personal risks

When sensitive personal information falls into the wrong hands, it can lead to identity theft, financial loss, privacy violations, and reputational damage. The primary beneficiaries of a data breach are criminals, competitors, adversaries, and data brokers, each with distinct motives for using sensitive data.

Criminals often profit financially through theft and fraud. Competitors and adversaries exploit this information to launch personal attacks or gain a competitive edge. Additionally, data brokers may collect and sell personal data, whether legally or illegally, for profiling or advertising purposes. Cyberstalkers might even use personal information to follow or even physically assault someone.

Organizational risks

Organizations can face significant threats if they fail to protect sensitive information such as customer and employee details, trade secrets, and intellectual property. This failure can lead to loss of trust, reputational damage, financial losses, and penalties for non-compliance with regulations.

Given the high value of sensitive data, various actors may exploit a data breach for their own gains. Competitors may use stolen data to gain a market edge or disrupt business operations. Hackers profit by selling access to compromised systems or deploying ransomware, while industrial spies conduct corporate espionage to advance their company’s or country’s interests.

NordVPN conducted a case study on the cost of stolen data on the dark web and found that payment card data was the most commonly found item on the darknet markets. The increasing rate of data theft and data breaches underscores the need for enhanced security measures. Dark Web Monitor by NordVPN can help protect your accounts before criminals can act. It immediately alerts you if it finds your credentials on a dark web page.

Data protection laws

While you should do your best to protect your data, laws also exist to help shield you from snoopers.

GDPR (Europe)

The General Data Protection Regulation (GDPR) is an EU law that requires companies to collect personal information only with a lawful basis, which can include your consent. It applies to any entity, regardless of location, that processes the personal data of individuals within the European Union. Non-compliance with the General Data Protection Regulation can lead to substantial fines — up to 4% of the company’s global annual turnover or €20 million, whichever is bigger.

CCPA (California, USA)

Enacted in 2018, the California Consumer Privacy Act (CCPA) gives California residents more control over their personal information. It allows them to know what data organizations collect about them, why it’s collected, and who it’s shared with. Additionally, the CCPA provides the right to opt out of the sale of their personal data and guarantees that they won’t be mistreated for using their CCPA rights.

CPRA (California, USA)

The California Privacy Rights Act (CPRA) builds on the CCPA by adding more protections and responsibilities to better protect consumer privacy. Key features of the CPRA include allowing consumers to correct incorrect personal information, setting limits on how sensitive personal information can be used, and creating the California Privacy Protection Agency (CPPA) to enforce these rules.

GLBA (USA)

The Gramm-Leach-Bliley Act (GLBA) focuses on financial institutions and companies that provide financial products or services like loans, financial advice, or insurance. It requires these organizations to clearly explain how they share customer information and to protect sensitive data.

DTSA (USA)

The Defend Trade Secrets Act (DTSA), passed in 2016 in the US, sets up federal rules to protect trade secrets. Trade secrets are important business details like formulas, methods, and designs that companies keep secret to stay ahead of competitors. This information must be kept away from the public and protected carefully to count as a trade secret under this law.

Directive (EU) 2016/943 (Europe)

The European Union’s Trade Secrets Directive, officially Directive (EU) 2016/943, was adopted in 2016 to standardize trade secret protection across all EU member states. Before this directive, trade secret laws varied widely across Europe, leading to inconsistent protection and challenges for businesses operating in multiple countries. The directive establishes a unified framework to ensure consistent and effective protection of trade secrets across the EU.

HIPAA (USA)

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets national standards for protecting sensitive patient health information. It covers health plans, healthcare providers, healthcare clearinghouses, and their business associates. HIPAA’s Privacy Rule mandates the protection of protected health information (PHI), while its Security Rule requires physical, technical, and administrative measures to safeguard electronic PHI. These measures ensure patient data security and privacy across various healthcare settings.

Other data protection laws around the world:

• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
• The Protection of Personal Information Act (POPIA) (South Africa)
• Federal Data Protection Act (BDSG) (Germany)
• Lei Geral de Proteção de Dados (LGPD) (Brazil)
• Personal Data Protection Act (PDPA) (Singapore)

How to protect sensitive data

Learn how to protect sensitive data by following the steps below.

• Use strong passwords. Use tools like NordPass to generate and store complex passwords. If any of your data ends up in a data breach, change passwords immediately.
• Encrypt your files. Protect your files from data breaches with top-notch data encryption using the NordLocker vault. Encrypted files remain inaccessible even if someone gains possession of them.
• Exercise common sense when surfing online. Do not click on suspicious links or ads, and avoid opening suspicious messages or dodgy websites. Don’t give out your personal data to people you don’t know.
• Keep your social media accounts private. Make your social media pages visible only to people you know and trust.
• Don’t share your identifiable personal information. Keep details like your phone number or home address out of the public eye.
• Use a VPN. Keep your browsing secure with a VPN. NordVPN encrypts your traffic and includes a Threat Protection Pro feature, which helps identify malware, block harmful websites, and stop websites from using trackers to follow you around the web. Moreover, a VPN helps stay secure on public Wi-Fi.
• Opt out of data brokering. Use a service like Incogni to stop brokers from exploiting your personal information.
• Identify data sensitivity. Implement data classification to provide users and IT professionals with clear usage and protection guidelines. Correct data classification can help manage sensitive data more efficiently.
• Educate and stay informed. Promote cybersecurity awareness by educating yourself and others on data security and reporting suspicious activity.
• Secure your network. Improve your network security with firewalls, intrusion detection systems, and encrypted communications to safeguard data in transit.
• Keep systems updated. Regularly update and patch your software, operating systems, and security systems to reduce vulnerabilities and improve protection against new threats and data breaches.