Securiti Named a 2022 Cool Vendor in Data Security by Gartner

Download Now

Organizations collect data from consumers every day. This data can range widely from a person's first and last name to confidential information such as bank account details. Such sensitive data needs to be protected at all times. As sensitive data continues its movement to the cloud, the ease with which it can be accessed expands. While it enables teams to work on and off-premises from a multitude of devices, it also expands the risks that come with ubiquitous access and a larger surface area that malicious actors can exploit.

This article will talk about sensitive data, the types of sensitive data, and how organizations can protect their sensitive data from breaches.

sensitive data

What is Sensitive Data?

Sensitive data is information that a person or organization wants to keep from being publicly available because the release of that information can lead to harm such as identity theft or other crimes. In some cases, sensitive data is related to individuals, such as payment information or birth date, etc. In other cases, sensitive data can be proprietary corporate information.

Sensitive and special categories of personal data need extra security because the consequences of a personal data breach are more detrimental for individuals. For example, most modern smartphones store their owner’s biometric data for security. If this biometric data is compromised in a data breach, it could help criminals steal identities, create fake documents, and commit crimes.

Types of Sensitive Data

    1. Attorney-Client Privileged Information: This refers to the confidential communications between an attorney and his/her client for the purpose of legal advice.
    2. Controlled Unclassified Information (CUI): As defined by Section 2 of Executive Order 13556 (2010), CUI is non-classified, federal information that must be protected by implementing a set of requirements and security controls directed at securing sensitive government information.
    3. Payment Card Industry Information: It includes information related to debit, credit, or other payment cards.
    4. Export Controlled Research: Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.
    5. Federal Information Security Management Act (FISMA) Data: This includes data related to federal agencies providing services to document, develop and implement security programs for IT systems and store the data on U.S. soil.
    6. Personally Identifiable Information (PII): This refers to a category of sensitive information that is associated with a person, such as an employee, student, or donor. PII also includes any data that could potentially be used to identify a particular person.
    7. Protected Health Information (PHI): Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI includes all individually identifiable health information that may range from medical tests, results, history, and any other information that could potentially be used to identify a particular patient.

Here are some examples of sensitive data:

    • Social security number
    • Birthdate/place
    • Biometric Data
    • Genetic Data
    • Data about an individual’s sex life
    • Sexual Orientation
    • Home phone number
    • Home address
    • Health records
    • Passwords
    • Gender
    • Ethnicity
    • Religious or ideological convictions
    • Political opinions or political organization membership
    • Citizenship
    • Citizen visa code
    • Veteran and disability status
sensitive data intelligence

Data under CCPA

Under the CCPA, personal information means “any information that  identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under the CCPA, Personally Identifiable Information includes identifiers, biometric information, geolocation information, internet or other electronic network activity information, professional or employment-related information, etc. Personal Information does not include publicly available information (made public by federal or state authorities) or de-identified consumer information.

CCPA does not separately define the special categories or sensitive personal information.  However, personal characteristics, behavior, religious or political convictions, sexual orientation, financial and medical information are considered sensitive in nature. Following are four subdivisions that need to be fulfilled for information to be deemed personal under the CCPA.

    • Information that Identifies:

This refers to information that clearly identifies a consumer or a household. Names of individuals, an image of the person, a  social security number will all be personal information  under the CCPA.

    • Information that Relates:

This refers to information that does not identify such a person or household by virtue of its content but by virtue of its purpose. For example, it is debated that information gathered through cookies or alternate tracking methods can be classified as personal information that relates to a consumer and becomes a part of a consumers’ personal information.

    • Information that Describes:

Information such as drug prescriptions, dosage, drug identification number, phone number, and other information can be used to describe a consumer and falls under the category of personal information under the CCPA.

    • Information that can be Reasonably Linked:

Certain tracking is embedded in the system and although this tracking may not be intended for the purpose of tracking an individual, if the person is linked to the system, any information taken from the system about the individual will be classed as personal information under the CCPA.

Data under GDPR

Under the GDPR, personal data means any information relating to an identified or identifiable natural person.  Sensitive personal data is a specific set of “special categories of personal data'' that require extra security. Sensitive personal data under the GDPR includes the following:

    • Ethnic or Racial origin;
    • Political opinions;
    • Religious or philosophical beliefs;
    • Trade union membership;
    • Genetic data; and
    • Biometric data (where processed to uniquely identify someone).

How to protect sensitive data?

Protecting data from any and all breaches is never a guarantee, but there are a number of steps that can be taken in order to minimize the effect and sprawl of sensitive data.

    • Build a catalog of all shadow & managed data assets

Discover data and build a centralized catalog of all data assets including all sanctioned & shadow data assets in on-premises & multicloud environments. The ability to keep track of the data is the first step towards protecting it from malicious intent and minimizing the “blast zone”.

    • Enrich sensitive data catalogs

Every data asset has various metadata associated with it that are classified into business, technical, and security. With this metadata, organizations can determine how their PII and PHI data is protected and governed.

There are 3 types of metadata:

  1. Business metadata
  2. Technical metadata
  3. Security metadata
    • Detect & identify sensitive and personal data in all assets

Once cloud-based or on-premise assets are discovered, security administrators need to know what sensitive data is stored in these assets. There are few important categories of sensitive environment that impacts most businesses:

  1. Health information
  2. Financial information
  3. Educational information
  4. Trade or business secrets
  5. Personal information
  6. Biological Information
    • Sensitive data catalog with automated classification & tagging

A sensitive data catalog provides insights into sensitive data attributes as well as security and privacy metadata such as security controls, purpose of processing, etc.

    • Configure & customize data risk posture

Implement comprehensive data risk assessments that include data sensitivity, data concentration and instances of cross-border transfers. All these parameters can be used together to assess the overall data risk score which can be used to prioritize risk mitigation activities.

    • Build a relationship map between data and its owners

Fulfilling DSR Requests are a requirement under global privacy regulations, and failure to do so can result in heavy fines. To fulfil DSR requests in a timely manner, organizations should ensure that they can not only discover personal data but also link discovered data with users' identities automatically.

    • Generate real-time security & privacy compliance reports

For organizations, up to date security, privacy, and compliance reports are required for business as well as for legal reasons. Organizations need to build a centralized catalog of their data assets as well as discover sensitive data stored in them. Using automated discovery mechanisms, organizations can ensure their data maps and Article 30 (GDPR) reports are up to date.

sensitive data


Due to the exponential growth of data and potential leakage of sensitive information in the cloud, the use of Sensitive Data Intelligence solutions is needed in order to maintain visibility over data that has gone beyond the reach of on-premises tools. Securiti enables organizations to maintain complete visibility of their data stores through one portal and offers control over all data activity.

Bedrock of your Privacy & Security

A Comprehensive Platform

Share this

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Related Content




Users love Securiti on G2 G2 leader spring 2022 G2 leader summer 2022 G2 leader easiest business 2022 ISO certification RSAC Leader Forrester Badge IAPP Innovation award 2020 Sinet Innovator Award Gartner Cool Vendor Award

Securiti PrivacyOps Named a Leader in The Forrester WaveTM