Classifying Data: Why It’s Important and How To Do It

by Sarah Harvey / March 18th, 2020

Why is Classifying Data Necessary?

Knowing how to classify data is critical given today’s advancing cyber threats. With well over 5,000 data breaches occurring in 2019 alone, including more than 8 billion pieces of data compromised, classifying your data is essential if you want to know how to secure it and prevent security incidents at your organization.

How to Classify Data

Determining how to classify your data will depend on your industry and the type of data your organization collects, uses, stores, processes, and transmits. For healthcare organizations, this could be PHI such as patient names, dates of birth, Social Security numbers, medical data and histories, or prescription information. For financial services organizations, this could be CHD, PINs, credit scores, payment history, or loan information. Regardless of the type of data, though there are a few key considerations to make when classifying data, including:

  1. What data does your organization collect from customers and vendors?
  2. What data does your organization create?
  3. What is the level of sensitivity of the data?
  4. Who needs access to the data?

4 Ways to Classify Data

Depending on the sensitivity of the data an organization holds, there needs to be different levels of classification, which determines a number of things, including who has access to that data and how long the data needs to be retained. Typically, there are four classifications for data: public, internal-only, confidential, and restricted. Let’s look at examples for each of those.

  • Public data: This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases.
  • Internal-only data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.
  • Confidential data: Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential data is protected by laws like HIPAA and the PCI DSS.
  • Restricted data: Restricted data includes data that, if compromised or accessed without authorization, which could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Examples of restricted data might include proprietary information or research and data protected by state and federal regulations.

Common Requirements for Classifying Data

Many frameworks and legal regulations have specific requirements that encourage organizations to classify data. While this isn’t an exhaustive list of the requirements and laws, these are quite common. It should be noted that these requirements vary depending on the types of data your organization collects, uses, stores, processes, or transmits.

  • SOC 2: The SOC 2 Trust Services Criteria requires that service organizations who include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.
  • HIPAA: PHI is considered high-risk data. As such, HIPAA Security Rule requires that all covered entities and business associates implement administrative safeguards that ensure the confidentiality, integrity, and availability of PHI. In addition, the HIPAA Privacy Rule limits the uses and disclosures of PHI, forcing covered entities and business associates alike to establish procedures for classifying the data they collect, use, store, or transmit.
  • PCI: In order to comply with PCI DSS Requirement 9.6.1, entities must “classify data so that sensitivity of the data can be determined.”
  • GDPR: Organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categorizes certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore it is subject to additional protection. This not only means that organizations need to know what types of data they hold, but they also need to be able to label that data such as public, proprietary, or confidential.

What processes does your organization have in place for classifying data? Do you need help determining which types of data you collect, use, store, process, or transmit? If compliance is on your radar this year, make sure you’ve done your due diligence to classify data. Interested in learning more about how we can help you establish data classification procedures? Let’s find some time to talk.

More Resources

Best Practices for Data Retention

How to Build an IT Asset Management Plan

How Much is Your Data Worth to Hackers?