With the rise of digital transformation, driven by the pandemic-fueled surge in remote work, businesses now store most of their data digitally. The move to digital data storage is incredibly convenient and fosters collaboration and efficiency, but it has also opened the door to an unprecedented number of cyberattacks and data breaches.
In the past few years, different countries, states, and industries have passed increasingly strict data protection regulations that govern how companies handle sensitive data.
Defining Sensitive Data
People often use the terms sensitive data, personal data and confidential data interchangeably. In everyday usage, sensitive data is any information you would not want made public. When it comes to legal obligations, however, the definition of sensitive data is more precise.
Sensitive data is a special category of data that needs additional protection because of the consequences of its disclosure. If sensitive data is exposed, there is a high likelihood of financial, personal or reputational harm should it fall into the wrong hands. Understanding what sensitive data means is essential for organizations to ensure they adequately protect personal and confidential information against unauthorized access.
Personal Data vs. Sensitive Data
Personal data is any information that can be used to identify a person. Information such as names, addresses or phone numbers is personal data. In some cases, your email address can be considered personal data, for example if it is yourname@yourcompany.com. Personal data can also include information someone can use to confirm that you were at a particular location, such as your fingerprints or footage of you on a security camera.
Sensitive information is a subset of personal data that can be used to harm a person in some way. Your name is personal data, but your Social Security number is sensitive data, because a malicious actor could use it to steal your identity. Not all personal data is sensitive.
Types of Sensitive Data
Generally, sensitive data isn’t publicly available and belongs in one of several high-stakes categories. Some sensitive personal data examples include:
Financial Data
Information related to a person or entity’s financial status is considered sensitive data. This includes:
- Bank account numbers
- Credit and debit card information
- Credit history
- Tax filings
Businesses that accept, process, transmit, or store payment card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). It mandates strong security management practices to protect cardholder data.
Personal Data
Personal data, also known as Personally Identifiable Information (PII), is any information that can be used to identify a specific individual. Regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) protect personal data. While both regulations protect personal data, they define it slightly differently.
- The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’). Personal data can be direct, such as a name, an identification number, location data, or an online identifier. It can also be indirect, such as physical characteristics, health information, or cultural or social identity markers.
- The CCPA has a much broader definition of personal data. It includes any information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The GDPR applies to businesses that handle the personal data of any EU citizen, while the CCPA applies to businesses that handle the data of any resident of the state of California. Both regulations prescribe extensive data protection measures that organizations must follow to prevent unauthorized access or breaches.
Protected Health Information (PHI)
Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) refers to any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual. It includes a broad range of personal identifiers as well as information about a person’s past, present, or future physical or mental health condition.
Healthcare providers, insurance providers, health clearinghouses, and their business entities must follow HIPAA guidelines when handling patient data. HIPAA includes strict measures about how PHI can be used and disclosed.
Sensitive Data at Risk
Sensitive data occurs in structured and unstructured data types across various applications and storage systems. Data movement is fairly limited within structured repositories such as a SQL Server database, giving you more control over how it is transmitted and secured. However, files stored in unstructured repositories such as file shares and SharePoint sites tend to move more freely, making it harder to pinpoint exactly where they exist. This hidden data is harder to control and secure.
Although the GDPR is the most widely discussed data privacy law, over 70% of countries have enacted data privacy regulations. Most of these regulations share a common goal of protecting sensitive personal data, but the specifics vary. This patchwork of regulations is forcing companies to take control of their sensitive data. To do this, they need to know where it is and what security measures have been implemented to reduce sensitive data exposure.
Businesses can face severe consequences for failing to secure sensitive data. Under the GDPR, especially egregious failure to comply can result in penalties of over $20 million or 4% of annual global turnover, whichever value is greater. To date, the largest fine issued was to Meta, Facebook’s parent company. It was fined $1.3 billion for not adequately protecting data on EU citizens that was transmitted to the US.
Securing Sensitive Data
To avoid fines associated with noncompliance, you need to find and secure your sensitive data regardless of where it lives. A data classification inventory will help you identify and classify data based on its sensitivity and importance. Once this is done, you’ll need to maintain a comprehensive inventory of all your data assets, including where they’re stored, who has access to them, and how they are used.
Knowing where your data is stored is the first step in compliance, but you also need to make sure the right controls are in place to prevent unauthorized access. Businesses should also avoid collecting more data than necessary and limit data growth by removing data they no longer need. You don't have to secure data you don't collect.
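The discovery step described above (finding sensitive data wherever it lives, including unstructured file shares, and recording it in a classification inventory) can be illustrated with a small scanner. It also shows the point from the Financial Data section that a payment card number is more than a 13 to 19 digit string: a Luhn check separates real card numbers from ticket or phone numbers of the same length. This is an added example and is not Netwrix code or part of the original article; the sample file names and contents, the pattern set and the three classification levels (public, internal, restricted) are constructed assumptions.

```python
"""Added example (not Netwrix code): a minimal sensitive-data discovery scan
over a file tree that produces a classification inventory.

Patterns, sample files and classification levels are constructed assumptions.
"""
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or hyphens, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security number in the common 3-2-4 layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed sample files: one PCI hit, one SSN plus email, two clean files.
SAMPLE_FILES = {
    "finance/refunds.csv": "customer,card\nA. Example,4111 1111 1111 1111\n",
    "hr/onboarding.txt": "SSN: 123-45-6789 for new hire, contact jane.doe@example.com\n",
    "marketing/press.txt": "Q3 launch announcement, call 555-0100 for details.\n",
    "shared/notes.txt": "Ticket 1234567890123 is not a card number.\n",
}


def luhn_valid(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn mod-10 check.

    This is what separates a payment card number from a ticket or phone
    number that merely has the right length.
    """
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count matches per sensitive-data category in a piece of text."""
    findings = {}
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_valid(m.group())]
    if cards:
        findings["PCI"] = len(cards)
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["PII-SSN"] = len(ssns)
    emails = EMAIL_RE.findall(text)
    if emails:
        findings["PII-email"] = len(emails)
    return findings


def classification_level(findings: dict) -> str:
    """Map findings to an assumed three-tier scheme (constructed for this example)."""
    if "PCI" in findings or "PII-SSN" in findings:
        return "restricted"
    if findings:
        return "internal"
    return "public"


def scan_tree(root: str) -> list:
    """Walk root and return one inventory entry per readable text file."""
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not silently classified
            findings = classify_text(text)
            inventory.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "findings": findings,
                "level": classification_level(findings),
            })
    inventory.sort(key=lambda entry: entry["path"])
    return inventory


def build_sample_tree() -> str:
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sdscan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for entry in scan_tree(build_sample_tree()):
        print(f"{entry['level']:<10} {entry['path']:<22} {entry['findings']}")
```

Pattern matching of this kind is only the starting point of an inventory: it produces false positives (any Luhn-valid digit string) and false negatives (card numbers split across lines, PHI that is recognisable only from context), so results need review, and a usable inventory also records the owner of each file and who has access to it, as the section above describes.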
How Netwrix Can Help
Netwrix provides one powerful platform to help you govern access to all of your sensitive data, applications, and systems. With over 40 built-in data collection modules that identify data on both cloud-based and on-premise systems, you can stay in control of your data assets no matter where they’re stored. You don’t have to worry about overlooking sensitive data in unstructured formats.
Netwrix’s Access Analyzer can help you reduce the risk of data breaches and easily pass compliance audits. You can proactively spot gaps in your security posture such as excessive user permissions and disabled accounts that bad actors could exploit. The Access Analyzer will automatically remediate threats by deleting inactive accounts and withdrawing excessive permissions.
By following the principle of least privilege, you can monitor who is accessing your data and for what purposes. Quickly revoke unnecessary privileges to tighten your data security. Reach out today to request a free trial.
FAQ
What is considered sensitive data?
Sensitive data includes a range of information that requires extra protection due to its potential for misuse. Examples of sensitive personal data include health records or financial information such as bank account details, credit card numbers, and Social Security numbers. It also includes biometric data, such as fingerprints and facial recognition, personal identification numbers from driver’s licenses and passports, and confidential business information. Information about racial or ethnic origin, political opinions, religious or philosophical beliefs, and sexual orientation and behavior is also considered sensitive data. Protecting this data is crucial to prevent misuse, identity theft, and discrimination.
What is not considered sensitive data?
Non-sensitive data includes publicly available information, such as names without additional identifying details, generic job titles, business contact information, and anonymized data where personal identifiers have been removed. This type of data poses minimal risk if exposed and typically doesn’t need special protective measures.
What information is considered sensitive?
Sensitive data is characterized by its potential to cause significant harm if exposed, including identity theft, financial loss, or discrimination. It typically includes personally identifiable information that can directly or indirectly identify an individual. This data often pertains to personal health, financial status, biometric identifiers, or confidential business operations. This data needs to be secured to protect privacy and security and to comply with data protection regulations. Sensitive data also often requires explicit consent for collection and processing due to its inherently private nature.
What are the three types of sensitive data?
The three main types of sensitive data are Personally Identifiable Information (PII), Protected Health Information (PHI), and financial information. PII includes data that can identify an individual, such as names and Social Security numbers. PHI encompasses medical and health-related data. Financial information involves bank details, credit card numbers, and financial transactions.
About the author
Farrah Gamboa
Senior Director of Product Management
Senior Director of Product Management at Netwrix. Farrah is responsible for developing and executing the roadmap for Netwrix products and solutions in the areas of data security and audit & compliance. Farrah has over 10 years of experience working with enterprise-wide data security solutions and joined Netwrix from Stealthbits Technologies, where she served as Technical Product Manager and QC Manager. Farrah holds a BS in Industrial Engineering from Rutgers University.