Data classification is a vital process for every company that wants to protect its sensitive data. Treating all data as though it's public data and poses no risk to your organization opens your business up to significant consequences if sensitive data that should be protected gets into the wrong hands.
Treating all data as though it's highly sensitive may seem like a simple solution, but doing so will lead to an abundance of alerts from your data loss prevention tools and cybersecurity solutions when public data or private data is accessed, shared, downloaded, or transferred. Your cybersecurity team will need to investigate every alert to ensure that it doesn't actually pose a risk to your organization, wasting valuable time and resources. Or worse, once your team has developed cyber alert fatigue, they may ignore alerts for issues that involve restricted data and potentially pose serious security risks to your company and its customers.
Data classification enables you to differentiate various types of data that have different levels of sensitivity and require different levels of protection. It forms the foundation for effective data loss prevention.
What is Data Classification?
Data classification is the process of organizing data into different categories according to their sensitivity. It is mandatory for several regulatory compliance standards such as HIPAA, SOX, and GDPR.
The four major data classification types are public, private, confidential, and restricted. However, an organization can define other classification levels depending on its requirements.
- Public data: This data is available to the public and doesn’t need protection. It can be distributed openly and is not sensitive in nature.
- Private data: Internal data that’s only available to the employees of the organization, and is not open to the general public.
- Confidential data: Data that’s only available to authorized officials within the organization.
- Restricted data: This data is highly sensitive and can lead to a huge loss for the company if stolen, altered, or destroyed. It is often protected by regulatory compliance standards such as PCI DSS and HIPAA.
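To make the point above concrete (a tiered scheme lets a DLP rule surface only the transfers that matter, instead of alerting on everything), here is an added example that is not from the original page: a small content classifier that labels a record with the highest tier it detects, honours an explicit "Classification:" label, and applies a per-tier transfer policy. The detection patterns, the tier assigned to each data type, the policy table and the sample records are constructed assumptions for illustration; the data types detected (email addresses, IP addresses, SSNs, card numbers) are ones this page's examples discuss.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The page's four tiers, ordered from least to most sensitive (assumed ranking).
TIERS = ["public", "private", "confidential", "restricted"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary 16-digit numbers (invoice ids) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Content detectors: (label, tier, pattern, optional validator). Tier mapping is an assumption.
DETECTORS: List[Tuple[str, str, re.Pattern, Optional[Callable[[str], bool]]]] = [
    ("email_address", "private", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    ("ip_address", "private", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), None),
    ("ssn", "confidential", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("credit_card", "confidential", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
     lambda m: luhn_ok(re.sub(r"\D", "", m))),
]

# Explicit label a document owner can put in the text; it may only raise the inferred tier.
LABEL_RX = re.compile(r"(?im)^classification:\s*(public|private|confidential|restricted)\s*$")

# Transfer policy keyed by (tier, leaves the company?). Assumed policy for illustration.
POLICY = {
    ("public", False): "allow", ("public", True): "allow",
    ("private", False): "allow", ("private", True): "alert",
    ("confidential", False): "alert", ("confidential", True): "block",
    ("restricted", False): "alert", ("restricted", True): "block",
}


@dataclass
class Decision:
    tier: str
    findings: List[str]
    action: str  # "allow", "alert" or "block"


def classify(text: str) -> Tuple[str, List[str]]:
    """Return the highest tier found in the text plus the detector labels that fired."""
    tier, findings = "public", []
    for label, det_tier, rx, validator in DETECTORS:
        for m in rx.finditer(text):
            if validator is not None and not validator(m.group(0)):
                continue
            findings.append(label)
            if TIERS.index(det_tier) > TIERS.index(tier):
                tier = det_tier
    m = LABEL_RX.search(text)
    if m and TIERS.index(m.group(1).lower()) > TIERS.index(tier):
        tier = m.group(1).lower()
    return tier, findings


def dlp_decision(text: str, external: bool) -> Decision:
    """Classify the content, then look up what the DLP policy does with that transfer."""
    tier, findings = classify(text)
    return Decision(tier, findings, POLICY[(tier, external)])


# Constructed sample transfer events: (description, content, sent outside the company?)
SAMPLE_EVENTS = [
    ("marketing brochure", "Visit us at https://example.com for our spring catalogue.", True),
    ("internal memo", "Questions? Contact the security officer at security@example.com.", False),
    ("HR export", "Jane Doe, SSN 123-45-6789, hire date 2021-03-01", False),
    ("payments sheet", "Card on file: 4111 1111 1111 1111 exp 12/27", True),
    ("tax document", "Classification: restricted\nForm W-2 summary for 2023", True),
    ("invoice", "Invoice number 1234 5678 9012 3456 is due in 30 days.", True),
]


def count_alerts(events, tiered: bool = True) -> int:
    """Events an analyst would have to look at: tiered policy vs. treating everything as confidential."""
    n = 0
    for _, text, external in events:
        tier = classify(text)[0] if tiered else "confidential"
        if POLICY[(tier, external)] != "allow":
            n += 1
    return n


if __name__ == "__main__":
    for name, text, external in SAMPLE_EVENTS:
        d = dlp_decision(text, external)
        print(f"{name:18} tier={d.tier:12} action={d.action:5} findings={d.findings}")
    print("alerts, tiered:", count_alerts(SAMPLE_EVENTS), " flat:", count_alerts(SAMPLE_EVENTS, False))
```

On the six constructed events the tiered policy surfaces three transfers, while the flat "everything is confidential" policy surfaces all six, which is the alert-fatigue effect described above.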
Here are some examples to help companies classify their data into the right category.
What are Some Examples of Data Classification?
There are many examples of data classification, such as:
- Company URL: A company’s URL and social media profiles are available to the public. They help people learn more about the organization and hence they fall within the public domain.
- Marketing materials: Company flyers and brochures are often handed out to people to attract more customers. Digital marketing campaigns such as social media advertisements are also accessible to everyone, making them public in nature.
- Job postings: External job postings are often posted in public forums or on the company website. They can be viewed by everyone and are in the public domain.
- Employee details: Although primarily private data, there may be some information that is available internally to other employees. For example, the phone number of the security officer might be available to all employees, but not to anyone outside the company.
- Internal memos: Office memos are private data as they can only be seen by employees of the company.
- Company intranet: Since only employees can use the company intranet, it’s private data.
- Employee records: Employee records may contain sensitive information about employees and are thus considered confidential data.
- Federal tax information: Federal tax information (FTI) about employees is protected by law and comes under restricted data.
- Trade secrets: The mechanics or trade secrets of a company are restricted data and could cause a huge loss if stolen.
- Financial records: Information about all tangible and intangible assets of a company is restricted in nature and open only to top officials within the company.
Below, we'll review these and other data classification examples in more detail to help you develop an effective data classification policy.
50 Data Classification Examples to Help You Develop Your Data Classification Policies & Procedures
1. First and last names. Public records such as first and last names are openly accessible information. The name of a person is the basic unit of their identity. This information is requested while applying for a job (for example, as part of a criminal background check), getting admission to a college, and many other cases. Twitter: @ValidityScreen
2. Company name and founder or executive information. Public company filings are openly accessible to everyone, and the main database to find public company filings is Electronic Data Gathering, Analysis, and Retrieval (EDGAR). It is publicly searchable, shows filing documents for US-based companies and aims at increasing transparency in the market by making filing information available to investors. The EDGAR database gives you access to company details such as state location, business address, category, and former names of the company (if its name was changed), etc. It also shows the latest filings by the company. Twitter: @CFI_education
3. Date of incorporation. The date of incorporation of the company is public knowledge, is available in official documents, and can also be mentioned on the company website. If the Whois information of the website itself is openly available, it might also mention the date when the website was registered. Twitter: @UpCounsel
4. Address, phone number, and email address. The contact details of a company, such as its email address, phone number, and headquarters location, may be available to everyone and are therefore in the public domain. This information also helps potential leads or suppliers contact the company. Twitter: @Nature
5. Job descriptions and position postings. External job postings can be posted on public job portals or the company website, where interested candidates can apply for an open position. Jobs can also be posted in newspapers that are available to the general public. As such, they are in the public domain and anyone can view them. Twitter: @SmartRecruiters
6. Company URL or social media profiles. The URL of a company and its social media profiles are public data. The social media profiles are typically openly available on the company website and its URL (aka, its domain name or web address) can also be viewed by anyone in the general public. By entering the URL into a browser, visitors can see the public information about the company, which may contain the nature of the business along with the services or products it offers. Twitter: @webdotcom
7. Press releases. A press release is a short news story often released by the company to media houses. It could be an announcement, a product launch or anything of interest relating to that organization, and typically also contains the contact details of the company, such as its email address, physical address, and/or phone number. Since the press release and the provided contact details are freely available to anyone, they all lie in the public domain. Twitter: @HowStuffWorks
8. Marketing materials. Marketing materials include any element or piece of content that promotes a product, service, or the brand as a whole. They can be brochures, flyers, or cards, as well as digital content such as online advertisements or social media campaigns. Since most marketing campaigns aim to reach as many people as they can, they are available to everyone and are considered public. Twitter: @vistaprint
9. Content of public websites. A public website is openly accessible to everyone, and much of the content - whether it’s textual, audio, or visual - may be freely available to anyone who can view it. The website of an organization typically contains information about the company and the services or products it offers, but it might also contain details about its founder, or the teams who work behind the scenes. All this information lies in the public domain. Twitter: @techopedia
10. Organizational charts. An organizational chart is a visual representation of the company’s structure. It lies in the public domain and specifies the roles and responsibilities of the company’s employees. Also known as org charts, they can be broad (depicting the entire company) or department-based (for a specific department). The organizational chart might include the board of directors, board members, and chief executive officer at the top levels. Other job titles in the chart could include managers, assistant managers, full-time employees, part-time employees, and contract employees. Twitter: @Investopedia
11. License plate numbers. License plate numbers can be used to track drivers. These fall in the public domain, and when a car is seen on the road or parked somewhere, some of its information is open to everyone. For example, its registration number, registration state, registration status, etc. are all visible to the public. Depending on the country or state, it can also reflect the name of the vehicle owner and insurance details. An online DMV search can reveal the name of the vehicle owner and address, although there might be a fee for searching the database. Twitter: @encyclopediacom
12. Personal contact information (e.g., email addresses and phone numbers). Email addresses have personally identifiable information and are therefore regarded as private data, while phone numbers and physical addresses are also considered private. According to CCPA and GDPR, companies that collect such personally identifiable information must first obtain consent from their users. While an email address may or may not be personally identifiable on its own, if used with other records such as name and phone number, it could reveal the private data of an individual. Twitter: @Termly_io
13. Research data or online browsing history. The web browsing history of an employee consists of the websites they have visited in the past. The web history of individuals is 99% unique to them. This means that if someone links the history to an individual, they can re-identify that person from their browsing patterns. Since browsing history can reveal a lot about a person, including their location, this data is considered private. Twitter: @lukOlejnik
14. Email inboxes or cellphone content. The email inbox details of an employee are private to them, and so is their cellphone content. When an email inbox is encrypted, it reduces the chances of its details being leaked. Most companies use secure technology for their emails so that the employee inbox stays private. Apart from email content, it’s also important to keep their cellphone content safe, especially if there’s a BYOD policy in the office. Twitter: @zapier
15. Family information. Family data is often kept by companies and government organizations. It’s private and could include the number of dependents and their details. It may also include emergency contacts and their phone numbers and email addresses. This additional data is also considered to be private and should not be available to anyone outside the company. Twitter: @ProcareSoftware
16. Employee authentication data. Employee authentication data is used by an employee to log into their company portal. It could be a combination of username and password, biometric data, or other forms of authentication. Companies often ask their employees to use strong passwords that are difficult to crack, while some organizations will also use biometric authentication such as fingerprints to log into the system. Multifactor authentication is another way to securely validate an employee. As these details are not to be shared with others, they are considered to be private. Twitter: @HIDGlobal
17. Employee or student identification card numbers. Employee identification cards are issued by a company to its employees, while, similarly, student identification numbers are assigned to students by their university or college. These numbers can reveal private details about the employee or student, and are therefore considered private data. An employee may be able to use their employee number to gain special privileges offered by the company, while a student can use their code to gain access to the university portal or get special student discounts. Twitter: @lawinsider
18. Customer personal data. When a customer visits a website or an e-commerce store, the website might want to send cookies to their device to keep track of their browsing/buying behavior. This data is private and requires consent from the visitor/customer. The General Data Protection Regulation (GDPR) is formed to keep customers' personal data private, and aims to protect the personally identifiable data of an individual. Twitter: Not available
19. Marriage records. Marriage records contain the full names, and other details, of the couple, and are used to certify that the two individuals are married to each other. These records are private and only the spouse can obtain them; others will need a judicial document and specify the purpose for obtaining them. If the authorities are not satisfied with the reason given, the records will not be released. Twitter: @HealthNYGov
20. Internal correspondence not including confidential data. Internal correspondence in a company can include promotion letters or a memorandum. Such data is considered private, as long as it’s not confidential (only for authorized officials). Office meetings between a manager and their subordinates can be considered private. Other forms of correspondence (such as emails or official chatrooms) are also considered private. Twitter: @vedantu_learn
21. Privileged credentials for IT systems. Privileged credentials are the accounts that have access to sensitive information such as health or monetary data, and are therefore considered to be private. A privileged account can be the account of a specific employee who can access the sensitive details of other individuals, and an organization can decide which accounts are more privileged than others. For example, in IT systems, admins may only have access to servers and hosts, as these computers hold sensitive data that needs to be protected. Twitter: @CoreSecurity
22. Real estate investments. Private real estate investments are not publicly traded and are thus classified as private data. These investments need analytic techniques different from those for publicly traded assets. Private real estate investments involve the use of an individual’s money and are generally meant for commercial applications. Since the market value of a particular property depends largely on its valuation, it’s different from trading in other assets. Twitter: @CFAinstitute
23. IT service management (ITSM) information. IT service management (ITSM) delivers IT as a service. ITSM information is considered private data, and ITSM encompasses more than just IT support, as it focuses on customer requirements. It is end-to-end, and describes the processes used by IT teams to manage the technologies in an organization. Twitter: @Atlassian
24. Supplier contacts. It’s important to organize supplier contacts for better management of procurement activities, and the suppliers or supply network used by a corporation is private data that shouldn’t be available to people outside the company. Supplier contacts and other supplier information cannot be accessed by outside entities without the permission of the organization. Twitter: @HarvardBiz
25. Internal emails. Office memos and internal emails are regularly used for communication within an organization. They’re printed on paper or sent digitally in order to share information, such as a change in policy or a new hiring. It could also be used to address a problem. There can be feedback memos where employee feedback is requested. No matter what the memo is for, it can be classified as private data when it’s intended for all employees. Twitter: @chron
26. Company intranet platforms. The company intranet is typically used to share company news or other updates, and may also include an employee directory. Since the intranet contains the company’s internal information, it is considered private data. Employees can use the intranet platform to research more on the company’s policies or to find relevant forms, as well as digital assets and information about the brand. Twitter: @simpplr
27. Budget spreadsheets and revenue projections. Revenue projections are important tools that help organizations make decisions. The forecasting team uses existing data (such as previous monthly expenses and sales data) to create a long-term projection, with the company’s financial planning dependent upon this forecast. Both the data and the projections are private and may only be accessible to the teams working on the forecast. Twitter: @indeed
28. Telecommunication systems information. Telecommunication systems consist of emails, texts, downloads, phone calls, and all forms of communication that use electrical signals. No matter which mode of communication is used, the data travels on the company network and belongs to the organization. It is therefore considered private data. Twitter: @lawinsider
29. Email and messenger platforms. Emails or messenger platforms can contain private information about an individual, and are classified as private data. Identity thieves can use email addresses to access the financial information of an individual and to reset passwords. Twitter: @ABC
30. Archived files. Archived files are usually stored in a compressed format that makes them portable, and therefore easier to transfer from one medium to another. File archives are directories on a company’s server that hold archived files. These backed-up files are internal to a company and thus classified as private data. Twitter: @lifewiretech
31. Internet protocol (IP) addresses. An IP address is private data and is used to identify a device on the internet or intranet. When someone goes online, they have a unique IP address that’s visible to the servers they access. The IP address of an individual or an employee gives away some important information about them, such as their ISP and location. Twitter: @kaspersky
32. Social Security numbers. Social Security numbers (SSNs) are 9-digit numbers used to track earnings and credit reports. SSNs are used to open bank accounts, get credit, obtain government benefits, enroll in Medicare, etc. Identity thieves can use SSNs to commit fraud, and this is why SSNs are considered confidential data. If your SSN is lost, an identity thief can obtain credit in your name. Twitter: @Investopedia
33. Business plans and strategies. Every organization has certain plans and strategies. Most businesses like to keep their cards close to their chest, and for good reasons. The leadership at an organization will come up with an action plan, with this plan considered confidential data and only available to authorized officials. Not all employees have access to it and it is available on a need-to-know basis. Twitter: @TalkBusinessMag
34. State-issued identification card numbers or driver's license numbers. A state-issued identification card asserts the identity of an individual, is issued by a US state or territory, and holds important information such as a person’s name and address. If someone’s driver’s license or state-issued identification card is lost, it could lead to identity theft, as these cards can be used to impersonate an individual at banks or to access online services. They can also be sold on the dark web. For these reasons, driver’s licenses and state-issued identification cards are classified as confidential. Twitter: @EVerify
35. Vehicle identification numbers (VINs). A VIN is a 17-digit number that identifies a particular vehicle and contains unique information about the automobile, such as its manufacture and specifications. The VIN is confidential data, and can be used to register illegal or stolen vehicles, to file claims on crashed cars, and to obtain duplicate keys to your car. Twitter: @VTDMV
36. Medical and health records, protected health information (HIPAA). The Health Insurance Portability & Accountability Act (HIPAA) mandates that sensitive patient information should be kept confidential and not be disclosed without the knowledge or consent of the patient. This makes medical and health records confidential data. To comply with HIPAA, all entities holding patient information must ensure its confidentiality. If someone gains access and changes a patient’s records, this could lead to the wrong treatment and can be life-threatening. Twitter: @HIPAAJournal
37. Insurance provider information. An individual has to reveal confidential health information while filing a claim, and it’s the ethical obligation of insurance providers to maintain the privacy of the insured. Finding efficient data security solutions has become even more important as more people opt for health policies. This is why states have started to adopt regulatory approaches to maintain the privacy of patients. Twitter: @JournalofEthics
38. Credit card numbers, PINs, and expiration dates. When you make an online purchase, you need the credit card number, CVV/PIN, and expiration date. If someone else has these details, they can make an online purchase from your bank or credit card account, and as such, these numbers are considered confidential data. If someone has access to these numbers, they can commit credit card fraud and make purchases under your name. Twitter: @ForbesAdvisor
39. Information on a credit card's magnetic strip. Although many banks are phasing them out, many issuers still use magnetic strips on the back of their credit and debit cards. The strip contains information about the cardholder, and is classified as confidential data. Theft of this data can lead to financial fraud, which is why it’s important to keep credit cards secure. Twitter: @Investopedia
40. FISMA protected information. The Federal Information Security Management Act (FISMA) maintains security standards for electronic government processes. To be FISMA compliant, an organization needs to have an information inventory, risk categorization, and a system security plan. FISMA plans and strategies are considered confidential and should be kept protected. There are penalties for non-compliance, such as a decrease in federal funding. Twitter: @DigitalGuardian
41. Bank account information. If anyone wants to send you money, they’ll need the correct bank account information, such as your account number and routing number. However, these two numbers can also be used to commit Automated Clearing House (ACH) fraud, which can result in a scammer setting up ACH transfers for bill payments. Bank account information is confidential and it’s important to keep it protected. Twitter: @TechTarget
42. Certification or employment license numbers. Occupational licensing laws are used to signify that an employee has a specific skill set. There are state-mandated licenses for particular types of employment, especially the ones that might involve health and safety risks. If an unauthorized person gains access to an employment license number, they can impersonate a skilled worker and create health and safety hazards for themselves and others. This is why certification or employment license numbers are confidential. Twitter: @NCSLorg
43. Student education records (FERPA). Student records are maintained by a university, college, or other educational institution. These records contain course schedules, classes, grades, health records, disciplinary action details, financial information, etc. Since they contain sensitive information about the student, they are considered confidential. The Family Educational Rights and Privacy Act (FERPA) ensures they are kept secure. Twitter: @EdNCES
44. Employee records. It’s legally mandatory to keep employee records and to maintain and update them regularly. Employee records could contain personal details (such as name, date of birth, marital status, etc.), contact details (such as phone number, email address, physical address, etc.), employment details (such as employment type, hire date, previous employment details), payroll details (bank account number, basic salary, increments, etc.), and other information. Since these details reveal a lot about an employee, they are confidential. Twitter: @TechAmoeba
45. Biometric identifiers, like fingerprints. Biometric identifiers make logging in much easier. There’s no need to enter the username and password separately, as you can just touch the fingerprint scanner and the system will authenticate you. However, stolen biometric data is a huge security concern. If authentication credentials such as voice recordings or fingerprint scans are stolen from a device, they can help unauthorized parties enter the company network. This makes biometric identifiers confidential. Twitter: @CSOonline
46. Confidentiality agreements. Companies often sign confidentiality agreements with vendors, customers, employees, or other parties. These agreements will mention who will have what kind of access to what type of information. They are legally binding and any breach of contract will lead to penalties. The data protected by such agreements is restricted in nature and is protected by legal terms. Twitter: @ContrctsCounsel
47. Federal tax information. Federal Tax Information (FTI) consists of the financial and personal information of taxpayers and is protected by law. It is classified as restricted data, and should only be accessed by the individual taxpayer. The FTI of an employee can be disclosed to the employer, and it’s the legal obligation of the employer to protect this information. Twitter: @lawinsider
48. Protected health information (PHI). Protected Health Information, under HIPAA, consists of restricted data about a patient. It could be any information about the past or present condition of a patient and is individually identifiable, which means it is possible to find the particular individual to whom it belongs. Twitter: @HIPAAJournal
49. Intellectual property. Intellectual property refers to intangible assets that belong to an organization or a company and is restricted in nature. It could be almost anything, such as a mechanical design, a song, an art form, or even an idea. There are several legal ways in which a company can protect its intellectual property. For example, a company can file for patents, copyrights, trademarks, or other licenses to make sure nobody else can use its idea. A company’s trade secrets and digital assets are also its intellectual property. Twitter: @Wipo
50. Financial records. All tangible and intangible assets of a business come under its financial records. The company’s liabilities are also a part of its financial information. If someone has these details, they can harm the reputation of the company and thus lower the value of its stock or cause other types of financial distress. This is why financial records are restricted in nature and must be kept private. Twitter: @oxylabs
The main benefit of data classification is to help companies answer some questions about their data – What do they have? How sensitive is it? What will happen if it is stolen, altered, or deleted? This helps them safeguard important data and mitigate risks based on its confidentiality or sensitivity.