Skip to content
Sensitive Data

Handling sensitive data at work? Here’s some advice.

Employees that have access to sensitive data, or who’s devices could facilitate access to sensitive data storage, are constant targets of malicious entities that can directly profit from stealing that data. It’s important to identify what sensitive data you possessor have access to, and what kinds of data those entities are searching for.

“According to a Kaspersky Lab report, more than 46 percent of cybersecurity incidents are due to human error and enterprises suffer multi million-dollar losses recovering from staff-related disasters. For example, uninformed workers can harm a secure network by responding to phishing emails, visiting web pages infected with a malware program or storing their confidential information in an insecure storage location.”

“In the United States, certain classes of information are always deemed sensitive because law and regulation impose liability for improper or unauthorized access. Legislative definitions of personal information have broadened over time, led primarily by the state of California. In other countries, such as within the EU, data protection laws tend to be more comprehensive. One of the most well‐known types of sensitive data laws are breach notification laws. Starting with the General Data Protection Regulation, and most recently the California Consumer Privacy Protection Act of 2018 (CCPA), the majority of countries and states have enacted data privacy and breach notification laws. These laws require companies to protect customer data, share what data is stored, how it’s used, who it’s shared with, and to notify consumers when sensitive personal information is accessed by an unauthorized person.” Spirion

It isn’t just the company you work for that can be penalized if (or when) sensitive data is leaked or stolen – you as an employee could also be in some very hot water if your personal error or negligence facilitated a breach. Ensure that you’re adhering to your company’s privacy policies and information security protocols by keeping up-to-date on what they are, and what they say.
If your data has any information that would cause confidentiality concerns, or has any information that could aid in identity theft or financial fraud, it should be stored securely, and only accessed by accounts that have multi-factor authentication enabled. Even just a contact list of clients with no other information than their names and e-mail addresses is a welcome sight to an info-thief – ensure that you securely store all of your files that include customer or personal data of any kind.

“In addition to notification obligations, breach notification laws often impose additional duties, which vary depending on the storage media. For example, as outlined in the California Civil Code, businesses have a duty to “provide reasonable security” for personal information. Legislative findings in several states emphasize the importance of preserving trust and confidentiality. Others emphasize the need to protect consumers from identity theft.” Spirion

Data that you might consider innocuous may actually be sensitive – if you’re unaware of the data policies of software & apps that you use, you may even be sharing sensitive information over international networks without realizing it. Ask yourself these questions when saving, downloading, moving, or accessing work related data:

Would unauthorized access to this data violate confidentiality?
Is there information included that, if in the “wrong hands”, would violate privacy laws, client confidentiality laws, company regulations, or similar types of violations? Data like this should be stored securely, and only accessed by secure company devices.

Does it include legal names or contact information?
Consider how easy it is to use a full name, birthday, e-mail, or phone number to authenticate sign-in information. Having one or more of those types of information stored together is sensitive information. (Think supplier lists, or client contact spreadsheets.)

Does it contain customer or client-specific pricing or policy?
Is the data about, for, or from a customer or client, with the assumption and implication that you would not be negligent with it, and use it only for it’s expressed business purpose? Misuse of this type of data violates most privacy policies and could cause client retention issues as well as liability issues.

Is the data meant for a small subset of people?
Restricted access data is almost always sensitive. Although a “leak” of these types of information to employees outside the intended group might not seem like a severe infraction, it could actually violate internal and external policies and land the negligent parties in quite a bit of trouble.

There are some simple and basic steps you can take with personal devices that may help secure some of your personal private data, and even restrict access to company data by limiting bad actor’s access to your unique, identifying information. 

Review & Update App Permissions
The applications on your smart devices all have different permissions, so they can access certain parts of your data and modify it to make their programs function. You may find that some of your apps request access to data that isn’t truly necessary for them to perform their basic functions. You should also check that your application activity is not connected to any of your personal accounts that you may use for official purposes – like your Google or iCloud accounts.

Be Secure with your Network Information
It’s possible and common for bad actors to clone your network information and credentials, effectively spoofing them so they can connect to any saved networks or servers your device has ever connected to. Be sure to perform security checks on all devices, even personal ones, to ensure that network information & credentials are protected.

Add Extra Credentials Checks to Secure Storage
Your personal information is worth protecting, even if it isn’t directly related to clients, customers, or financial details. If you have a place on your device that you save your sensitive data to, ensure that it’s backed up regularly to a secondary, multi-factor enabled location. You should also ensure to use unique passwords, innocuous filenames structures, and failsafe procedures for all sensitive data, whether personal or work related.

JULY 14 2020
Authored here @ hello internet