How to Measure Data Sensitivity?
When measuring how sensitive or how data should be classified, think about the privacy, security, and accessibility of that information and how it might affect your organization or its clients if it were disclosed.
Privacy and security elements mandate businesses to introduce data encryption, enabling two factors to authenticate, using biometrics to confirm the identity of the user, restricting the locations where information can be found and restricting the number of times information can be used, keeping sensitive information in unconnected storage systems, etc.
Suppose an organization processes racial, ethnic, political, religious, philosophical, genetic, biometric, health, or sexual orientation data. In that case, it's no science that such data is classified as sensitive under many laws and requires a great deal of protection since it's sensitive in nature.
Impact of Unauthorized Disclosure of Sensitive Data?
Unauthorized disclosure of sensitive data may result in fines, legal action, reputational damage, economic losses, and other consequences. Losing customers' trust may very well be the primary long-term effect of an authorized disclosure resulting in a data leak.
A company's most treasured asset is frequently its reputation because it takes ongoing effort to develop and protect a brand's integrity. However, even the strongest reputations can be ruined by a single scandalous incident like a data leak/unauthorized disclosure.
Furthermore, unauthorized disclosure results in obtaining access to systems where the attackers can snoop around in locations unnoticed and can do a great deal of harm and jeopardize an organization's integrity.
Data under CCPA
Under the CCPA, personal information means “any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Under the CCPA, Personally Identifiable Information includes identifiers, biometric information, geolocation information, internet or other electronic network activity information, professional or employment-related information, etc. Personal Information does not include publicly available information (made public by federal or state authorities) or de-identified consumer information.
Sensitive Data under CCPA
CCPA does not separately define the special categories or sensitive personal information. However, personal characteristics, behavior, religious or political convictions, sexual orientation, and financial and medical information are considered sensitive in nature. The following are four subdivisions that need to be fulfilled for information to be deemed personal under the CCPA.
Information that Identifies:
This refers to information that clearly identifies a consumer or a household. Names of individuals, an image of the person, and a social security number will all be personal information under the CCPA.
Information that Relates:
This refers to information that does not identify such a person or household by virtue of its content but by virtue of its purpose. For example, it is debated that information gathered through cookies or alternate tracking methods can be classified as personal information that relates to a consumer and becomes a part of a consumer’s personal information.
Information that Describes:
Information such as drug prescriptions, dosage, drug identification number, phone number, and other information can be used to describe a consumer and falls under the category of personal information under the CCPA.
Information that can be Reasonably Linked:
Certain tracking is embedded in the system. Although this tracking may not be intended for tracking an individual if the person is linked to the system, any information taken from the system about the individual will be classed as personal information under the CCPA.
Data under GDPR
Under the GDPR, personal data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data under GDPR
Sensitive personal data is a specific set of “special categories of personal data'' that require extra security. Sensitive personal data under the GDPR include the following:
- Ethnic or Racial origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data; and
- Biometric data (where processed to uniquely identify someone).
How to protect sensitive data?
Protecting data from any breaches is never a guarantee, but there are a number of steps that can be taken to minimize the effect and sprawl of sensitive data.
Build a catalog of all shadow & managed data assets
Discover data and build a centralized catalog of all data assets, including all sanctioned & shadow data assets in on-premises & multicloud environments. The ability to keep track of the data is the first step toward protecting it from malicious intent and minimizing the “blast zone”.
Enrich Sensitive Data Catalog
Every data asset has various metadata associated with it that are classified into business, technical, and security. Organizations can use this metadata to determine how their PII and PHI data is protected and governed.
There are 3 types of metadata:
- Business metadata.
- Technical metadata.
- Security metadata.
Detect & identify sensitive and personal data in all assets
Once cloud-based or on-premise assets are discovered, security administrators need to know what sensitive data is stored in these assets. There are a few important categories of sensitive environment that impacts most businesses:
- Health information.
- Financial information.
- Educational information.
- Trade or business secrets.
- Personal information.
- Biological Information.
Sensitive data catalog with automated classification & tagging
A sensitive data catalog provides insights into sensitive data attributes as well as security and privacy metadata such as security controls, the purpose of processing, etc.
Configure & customize data risk posture
Implement comprehensive data risk assessments that include data sensitivity, data concentration, and instances of cross-border transfers. All these parameters can be used together to assess the overall data risk score, which can be used to prioritize risk mitigation activities.
Build a relationship map between data and its owners
Fulfilling DSR Requests are a requirement under global privacy regulations, and failure to do so can result in heavy fines. To fulfill DSR requests in a timely manner, organizations should ensure that they can not only discover personal data but also link discovered data with users' identities automatically.
Generate real-time security & privacy compliance reports
For organizations, up-to-date security, privacy, and compliance reports are required for business and legal reasons. Organizations need to build a centralized catalog of their data assets as well as discover sensitive data stored in them. Organizations can use automated discovery mechanisms to ensure their data maps and Article 30 (GDPR) reports are up to date.
