What data should I protect?
When improving your data security practices, it's sometimes difficult to know what data is important enough to protect. This page outlines the common types of sensitive data that you should protect with controls such as encryption.
Personally identifiable information
Personally identifiable information (PII) is any data that could potentially identify a specific individual. An individual is ‘identified’ when, within a group of persons, they are ‘distinguished’ from all other members of a group.
Examples of this data include:
- Names
- Phone numbers
- Dates of birth
- Addresses
- Emails
- IP addresses
- Genders
- Nationalities
- Social security numbers
- License numbers
- Passport numbers
- Latitude/longitude coordinates
When in doubt, err on the side of caution, and treat information about people as personal information. PII is valuable to adversaries because it can be used to establish accounts in someone else's name and steal identities. It only takes a few pieces of information to create false accounts.
These regulations and compliance frameworks can apply to this type of data:
Name | Type | Region |
---|---|---|
General Data Protection Regulation (GDPR) | Regulation | European Union |
California Consumer Privacy Act (CCPA) | Regulation | California, USA |
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA |
Australian Privacy Principles (APP) | Regulation | Australia |
Consumer Data Right (CDR) | Regulation | Australia |
System and Organization Controls 2 (SOC2) | Compliance | International |
System and Organization Controls 3 (SOC3) | Compliance | International |
ISO27001 | Compliance | International |
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International |
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA |
Protected Health Information
Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked back to an individual.
Examples of this data include:
- Names
- Dates of birth
- Phone numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Biometric identifiers
- Genetic identifiers
- Full face photos
- Medicare numbers
- Medical conditions
- Medication prescription histories
- Medical payment histories
When in doubt, if you are working with data in a medical domain, you should err on the side of caution, and treat information about people as health information. PHI is valuable to adversaries because they can monetize it with methods like:
- Extortion: threatening an identified individual for money, access, and influence.
- Fraud: gaining access to medication, equipment, or supplies by impersonating an individual.
- Identity theft: creating accounts and gaining access to services by impersonating an individual.
These regulations and compliance frameworks can apply to this type of data:
Name | Type | Region |
---|---|---|
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA |
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA |
General Data Protection Regulation (GDPR) | Regulation | European Union |
Australian Privacy Principles (APP) | Regulation | Australia |
Financial information
Financial information is data about money, accounts, and transactions. Financial information can be used to physically locate individuals, and build up a profile of behaviour.
Examples of this data include:
- Account data
- Account numbers, names and postal addresses
- Account types
- Account balances
- Interest rates, fees and discounts
- Tax File Numbers (TFN)
- Individual Taxpayer Identification Number (ITIN)
- Transaction data
- Incoming and outgoing transactions and the amounts
- Dates
- Descriptions of transactions
- Location of transactions
- Who you may have sent money to and received money from
- Direct debits and scheduled payments
- Saved payees
- The names and details of saved accounts.
Financial information is valuable to adversaries because they can monetize it with methods like:
- Extortion: threatening an identified individual for money, access, and influence.
- Fraud: gaining access to medication, equipment, or supplies by impersonating an individual.
- Identity theft: creating accounts and gaining access to services by impersonating an individual.
- Re-identification: identifying any individual from the data, either on its own or in combination with other available data, to physically locate them and build up a profile of behaviour.
These regulations and compliance frameworks can apply to this type of data:
Name | Type | Region |
---|---|---|
General Data Protection Regulation (GDPR) | Regulation | European Union |
California Consumer Privacy Act (CCPA) | Regulation | California, USA |
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA |
Australian Privacy Principles (APP) | Regulation | Australia |
Consumer Data Right (CDR) | Regulation | Australia |
System and Organization Controls 2 (SOC2) | Compliance | International |
System and Organization Controls 3 (SOC3) | Compliance | International |
ISO27001 | Compliance | International |
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International |
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA |
Authentication information
Authentication information consists of the credentials used to gain access to accounts and services. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
Examples of this data include:
- Usernames
- Passwords (both plaintext and hashed)
- OAuth tokens
- Session cookies
Authentication information is valuable to adversaries because they can use it to:
- Gain access to systems: using techniques like password spraying, credential stuffing, and session impersonation.
- Lateral movement: entering and exploring a system.
- Extortion: threatening an identified individual for money, access, and influence.
- Identity theft: creating accounts and gaining access to services by impersonating an individual.
These regulations and compliance frameworks can apply to this type of data:
Name | Type | Region |
---|---|---|
System and Organization Controls 2 (SOC2) | Compliance | International |
System and Organization Controls 3 (SOC3) | Compliance | International |
ISO27001 | Compliance | International |
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International |