Protecting sensitive data requires an expenditure of money, time, and effort. We want to protect all of our client’s sensitive data, but we don’t want to waste resources on data that is not sensitive. In addition, some kinds of data require more protection than others. We need a way to identify and classify sensitive data.
The most familiar data classification system is that used by many government and military organizations: Top Secret, Secret, Confidential, Restricted, and Unclassified. This is not the best fit for most businesses. A more appropriate classification is Confidential, Private, Sensitive, and Public. The first three are different types of “sensitive” data, and the fourth is data which is not “sensitive”.
Confidential data includes proprietary information that the organization owns – company financial records, customer or client lists, formulas, recipes, processes, and any other data that could harm the company directly if improperly disclosed.
Private data is data for which the company serves as custodian, but does not necessarily own. In other words, it is data about other individuals or organizations. This includes employee records, patient records, and the financial records of others. Improper disclosure could harm those individuals or organizations. This data is typically subject to legal or regulatory requirements, such as PIPEDA in Canada, HIPAA or GLBA in the US, or the PCI DSS, which applies to vendors in all countries.
Sensitive data is not specifically subject to legal or regulatory requirements, but its disclosure could cause harm to others. An example is medical records maintained by an attorney in the US. Only medical providers are subject to HIPAA regulations. However, non-medical providers can still be held liable for any harm caused by unauthorized disclosure of information. As data custodians, they have a legal obligation to exercise due diligence in protecting the property of others, including data.
Public data is everything else – data that would cause no appreciable harm if publicly disclosed.
Any data that your business client would not want posted on a bulletin board in the lobby falls into one of the first three categories.
The legal requirements are different for each country, and there may be additional state or provincial laws. You have to be familiar with the laws that apply to your client’s business.
Next: Where does (or should) your client’s sensitive data live?
Dennis H in West Virginia, US
December 7, 2009