On the surface, the question of whether or not a database contains sensitive data may seem like a rather simple one to answer. Most people recognize that a Federal identification number or a credit card number is and should be recognized as sensitive data. While these pieces of data get a tremendous amount of attention by the media when data loss is reported there are other pieces of data that are not as easily recognized as being considered as sensitive.
The following categories of data are considered to be sensitive and should be protected:
Government Assigned Personal Identification data
This type of data includes Social Security numbers, tax identification numbers for businesses, driver license numbers and other data that the Federal, State or Local Governments have assigned to an individual or business for the purpose of identification.
Biometric data
As biometrics become utilized more often for the purpose of identification verification the importance of protecting this information becomes more critical. This type includes items such as retinal scan images, facial images, fingerprints and signatures.
Medical data
The Health Insurance Portability and Accountability Act (HIPAA) protects data in regard to medical and insurance information for patients. This includes notations in regard to conversations with your health care professional, physical and mental medical history as well as payment history of medical care. Unauthorized disclosure could result in civil and criminal penalties.
Student Education data
The Federal Educational Rights and Privacy Act (FERPA) protects data in regard to students and their educational records. This includes the student’s name, address, telephone number as well as information specifically regarding their education history. Unauthorized disclosure could affect a school’s Federal funding… not to mention compromising a student’s privacy.
Employment data
Items such as salary information, performance reviews, worker’s compensation claims, benefit information and pension plan details fall into this category. Any HR Professional will tell you that the unauthorized disclosure of such information could result in severe consequences.
Communication data
E-mail messages, telephone records and recordings, fax documents, text messages are all carriers of information that may contain data that would fall into any of these categories; Therefore, this information should be considered sensitive data.
Financial data
Financial data not only discloses information regarding an individual or business’ financial status it also often contains data that is used to gain access to assets. For example: bank account numbers, personal identification numbers and beneficiary information.
Intellectual Property data
Items that fall into this category are source code, schematics, details regarding a new product and also creative works such as images and written documents. The unauthorized disclosure of such information could destroy the competitive edge of a business or compromise the copyright claim by an author or artist.
As the DBA and Developer, we are typically the ones that implement encryption and other security measures in the database. We are often requested to provide extracts of data for use by external systems. We are also often requested to produce printed reports that present data for the use of Business Analysts to review. We are also a target for phishing or social engineering efforts to gain access to sensitive data.
Once data leaves the protected environment of the database the control of its dissemination becomes nearly impossible. The printed report could be passed around and end up in the hands of a person who will use the information for fraudulent activities. The spreadsheet that is generated by a SSIS Package or query could be stored on a laptop that is not password protected or encrypted which is stolen from the person’s automobile. The information could be attached or typed in an e-mail that was accidentally sent to a mailing list that contains hundreds of people.
While you cannot control the further disclosure of the data once it is in the requestor's possession the understanding of the data that is being stored in your database will go a long way in protecting your client's privacy, your employer's reputation and ultimately your job.