Concepts

What data should I protect?

When improving your data security practices, it's sometimes difficult to know what data is important enough to protect. This page outlines the common types of sensitive data you should protect with controls such as encryption.

Personally identifiable information

Personally identifiable information (PII) is any data that could potentially identify a specific individual. An individual is ‘identified’ when, within a group of persons, they are ‘distinguished’ from all other members of a group.

Examples of this data include:

  • Names
  • Phone numbers
  • Dates of birth
  • Addresses
  • Emails
  • IP addresses
  • Genders
  • Nationalities
  • Social security numbers
  • License numbers
  • Passport numbers
  • Latitude/longitude coordinates

When in doubt, err on the side of caution, and treat information about people as personal information. PII is valuable to adversaries because it can be used to establish accounts in someone else's name and steal identities. It only takes a few pieces of information to create false accounts.

These regulations and compliance frameworks can apply to this type of data:

Name | Type | Region
General Data Protection Regulation (GDPR) | Regulation | European Union
California Consumer Privacy Act (CCPA) | Regulation | California, USA
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA
Australian Privacy Principles (APP) | Regulation | Australia
Consumer Data Right (CDR) | Regulation | Australia
System and Organization Controls 2 (SOC2) | Compliance | International
System and Organization Controls 3 (SOC3) | Compliance | International
ISO27001 | Compliance | International
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA

Protected Health Information

Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked back to an individual.

Examples of this data include:

  • Names
  • Dates of birth
  • Phone numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Biometric identifiers
  • Genetic identifiers
  • Full face photos
  • Medicare numbers
  • Medical conditions
  • Medication prescription histories
  • Medical payment histories

When in doubt, if you are working with data in a medical domain, you should err on the side of caution, and treat information about people as health information. PHI is valuable to adversaries because they can monetize it with methods like:

  • Extortion: threatening an identified individual for money, access, and influence.
  • Fraud: gaining access to medication, equipment, or supplies by impersonating an individual.
  • Identity theft: creating accounts and gaining access to services by impersonating an individual.

These regulations and compliance frameworks can apply to this type of data:

Name | Type | Region
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA
General Data Protection Regulation (GDPR) | Regulation | European Union
Australian Privacy Principles (APP) | Regulation | Australia

Financial information

Financial information is data about money, accounts, and transactions. Financial information can be used to physically locate individuals, and build up a profile of behaviour.

Examples of this data include:

  • Account data
    • Account numbers, names and postal addresses
    • Account types
    • Account balances
    • Interest rates, fees and discounts
    • Tax File Numbers (TFN)
    • Individual Taxpayer Identification Number (ITIN)
  • Transaction data
    • Incoming and outgoing transactions and the amounts
    • Dates
    • Descriptions of transactions
    • Location of transactions
    • Who you may have sent money to and received money from
    • Direct debits and scheduled payments
  • Saved payees
    • The names and details of saved accounts.

Financial information is valuable to adversaries because they can monetize it with methods like:

  • Extortion: threatening an identified individual for money, access, and influence.
  • Fraud: gaining access to medication, equipment, or supplies by impersonating an individual.
  • Identity theft: creating accounts and gaining access to services by impersonating an individual.
  • Re-identification: identifying any individual from the data, either on its own, or in combination with other available data, to physically locate them, and build up a profile of behaviour.

These regulations and compliance frameworks can apply to this type of data:

Name | Type | Region
General Data Protection Regulation (GDPR) | Regulation | European Union
California Consumer Privacy Act (CCPA) | Regulation | California, USA
Confidentiality of Medical Information Act (CMIA) | Regulation | California, USA
Australian Privacy Principles (APP) | Regulation | Australia
Consumer Data Right (CDR) | Regulation | Australia
System and Organization Controls 2 (SOC2) | Compliance | International
System and Organization Controls 3 (SOC3) | Compliance | International
ISO27001 | Compliance | International
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International
Health Insurance Portability and Accountability Act (HIPAA) | Regulation | USA

Authentication information

Authentication information consists of the credentials used to gain access to accounts and services. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Examples of this data include:

  • Usernames
  • Passwords (both plaintext and hashed)
  • OAuth tokens
  • Session cookies

Authentication information is valuable to adversaries because they can use it to:

  • Gain access to systems: using techniques like password spraying, credential stuffing, and session impersonation.
  • Lateral movement: entering and exploring a system.
  • Extortion: threatening an identified individual for money, access, and influence.
  • Identity theft: creating accounts and gaining access to services by impersonating an individual.

These regulations and compliance frameworks can apply to this type of data:

Name | Type | Region
System and Organization Controls 2 (SOC2) | Compliance | International
System and Organization Controls 3 (SOC3) | Compliance | International
ISO27001 | Compliance | International
Payment Card Industry Data Security Standard (PCI-DSS) | Compliance | International
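
A first-pass inventory of a record against the four categories above can be sketched as follows. This is an added example, not part of the original page: it checks field names first and then value patterns, so that badly named fields holding hashed passwords, emails or IP addresses are still flagged. The hint words, patterns and sample record are assumptions constructed for illustration.

```python
import ipaddress
import re

# Categories come from the page; hint words and patterns are assumptions for this example.
NAME_HINTS = [  # checked in order, so "username" is matched before the PII hint "name"
    ("authentication", {"username", "password", "passwd", "token", "session", "cookie"}),
    ("phi", {"medical", "medicare", "prescription", "diagnosis", "biometric", "genetic"}),
    ("financial", {"account", "balance", "transaction", "payee", "tfn", "itin"}),
    ("pii", {"name", "phone", "dob", "birth", "address", "email", "ip", "gender",
             "nationality", "ssn", "passport", "license", "latitude", "longitude"}),
]
VALUE_PATTERNS = [
    ("authentication", re.compile(r"^\$(2[aby]|argon2(id|i|d)|5|6)\$")),  # hashed passwords
    ("pii", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),                  # email address
    ("pii", re.compile(r"^\d{3}-\d{2}-\d{4}$")),                          # US SSN layout
]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify_field(name, value):
    """Return the page's category for one field, or None if nothing matched."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    for category, hints in NAME_HINTS:
        if tokens & hints:
            return category
    text = str(value)
    for category, pattern in VALUE_PATTERNS:
        if pattern.search(text):
            return category
    return "pii" if _is_ip(text) else None

def classify_record(record):
    return {field: classify_field(field, value) for field, value in record.items()}

# Constructed sample record; none of these values are real.
SAMPLE = {
    "username": "jdoe",
    "pw": "$2b$12$constructedconstructedconstructedconstructedconstru",
    "contact": "jdoe@example.com",
    "last_seen_from": "203.0.113.7",
    "medicare_number": "0000 00000 0",
    "account_balance": "1024.50",
    "favourite_colour": "green",
}
```

Fields that come back as None still need a manual review; following the page's advice, anything about a person should be treated as sensitive when in doubt.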