Classifying Sensitive Data in Your Database
Data classification is a common task when designing a database. It will help you prioritize security issues and stay in compliance with regulations. Understanding the sensitivity of your data is important, as you want to make sure that stored information does not get into the wrong hands (i.e., competitors, users with malicious intent, disgruntled employees etc.). You may also need to be aware of data classification issues to comply with regulatory mandates, like SOX, HIPPA, GDPR, CCPA and PCI DSS. These types of issues are especially important today when a lot of people work remotely, and your confidential data may be accessed by employees and members of your organization world-wide.
In fact, over 80 countries have privacy laws that govern the storage and protection of data that is collected by private and public organizations. If you are in violation of these laws, you leave yourself open to legal liability (both civil and criminal) and fines. Your own business may also be directly damaged if your trade secrets are revealed.
Sensitive information can come in a variety of formats including documents, photographs and recordings. While a lot of sensitive information is regulated, other information may be unregulated. For example, information that you get from surveys or employee resumes may not be regulated by any government authority. However, these types of data sources may still contain sensitive information that you need to protect. Intentionally, negligently or accidently revealing this type of information can result in serious ramifications.
Examples of Sensitive Data
If you track any of the following types of information, you need to properly manage the security of your data:
- Personal data that reveals a person’s race, sexual orientation, criminal record, philosophical beliefs, and religion.
- Biometric data that can be used to identify an individual.
- Membership in organizations like Trade Unions and political party affiliation.
- Health data, genetic profiles or health history.
- Trade secrets, formulas, designs or classified information.
- Financial information like credit card numbers, bank account numbers, stock portfolios, income history, tax return information, real estate holdings, account balances etc.
- Sales and inventory information for a business or organization.
- Addresses and contact information.
- Birthplace, citizenship, birthdate, drivers license number, social security number and age.
- People’s photographs and related images.
- Customer or member purchase history and contact information.
- Student grades, schedules, ids, courses and other educational records.
- Employee salaries and schedules.
- Automobile vehicle identification numbers (VINS) and license plates.
- User IP addresses that can be used to reveal their location.
Please note this list is not all encompassing. If you have a gut feeling that the data your tracking is sensitive, it probably is. In any case, if you track any of the above types of information in your database, you definitely need to take special care to protect the data, and make sure that only authorized people have access to the information. Also, important to note is that you may need the explicit consent of your users or customers to keep track of this type of information in your database.
Regulatory Requirements for Data Classification
Some common regulations and standards that you should be aware of when you are classifying your data are:
- HIPAA – health records.
- SOX – data integrity for financial transactions and financial disclosures.
- PCI DSS – data security for credit card information.
- GDPR – European Union regulations for the protection of people’s personal information.
- ISO 27001 – standards for classifying information to prevent modification and unauthorized disclosure.
- NIST SP 800-53 Federal agency standards for classify data.
Individual sates also may have data privacy regulations. For example, Nevada, California and Virginia have enhance digital privacy laws. California’s Consumer Privacy Protection Act of 2018 (CCPA) is perhaps the biggest example. Even if you are not located in California, if you have customers in California you may need to be aware of these regulations.
Data Security Classification Levels
Data can be classified in a number of ways. Classifying data using security levels restricts who can view and edit data. Data may be restricted, public, internal or confidential. Restricted data is available to select group of people. Public data is available to anyone. Internal data is available to people inside an organization. Confidential data is limited to people with a certain security clearance.
A good rule of them is that you should only classify information as public if it is already a matter of public record or in the public domain, or if its your own information that you routinely share with others. All other information is likely subject to some sort of restriction.
Any information that can be used to steal a person’s identity or financial information requires special care and attention.
Data Reclassification
Even after you have classified your data, it’s important to keep in mind that you may need to reclassify information as laws and regulations change, or you enter into new contractual agreements with other companies. Always be on the lookout for new regulatory mandates and business relationships that may have an impact on your data classification.
Practices to Ensure Confidentiality of Information
There are several tools and techniques you can use to ensure data security in your database:
- Encrypt your data
- Use passwords to protect your data
- Limit the duplication of data in your database
- Store information on systems that are not connected to the internet or on-air gapped systems.
- Use tokens
- Use Biometric Verification like fingerprint scans
- Implement two factor authentications
- Restrict data access times and data access locations.
Data Integrity Best Practices for Your Database
Data integrity is important to ensure that your data is always accurate, consistent and trustworthy. The main principle is to ensure that your data does not change when its transmitted or copied. You can ensure data integrity by carefully managing user access, file permissions and redundancies. You also want to ensure that you maintain regular data backups, that keep track of data versions. Finally, whenever possible you should maintain an audit trail, so when data does change you know who changed it and why.
Tracker Ten and Data Classification
Our Tracker Ten database supports password protection so you can restrict who can view data. Tracker Ten also stores all information on your computer, so you have full control over your data. If you are dealing with sensitive information that you not want on the internet, Tracker Ten might be the right solution for you.