Sensitive information 

Sensitive information is any data your business has access to that needs to be protected from theft by unauthorized parties.

Quick tips

Protecting your business’s sensitive data and information requires you to carefully review your business and prepare a cohesive plan for both you and your employees to follow.

Here are some quick tips to get you started.

Identify

  • Know the value of your information
  • Know where high-value information is stored
  • Identify employees who have access to high-value information
  • Identify your organization’s vulnerabilities and possible threats

Protect

  • Limit access to sensitive systems and information
  • Encrypt sensitive information
  • Install software updates and patches when available
  • Use web and email filters
  • Wipe all sensitive data from hardware before you dispose of it

Detect

  • Use anti-virus and anti-malware software
  • Enable, maintain, and monitor activity logs to identify issues or incidents

Respond

  • Develop a response plan for incidents
  • Train employees on their role and responsibilities

Recover

  • Back up information regularly
  • Consider if cyber insurance is right for you


Examples of sensitive information

  • Passwords
  • Health card numbers
  • Banking information
  • Medical records
  • Credit and loan records
  • Home addresses
  • Tax identification numbers
  • Intellectual property and trade secrets

Remember, you’re not only safeguarding your employees’ sensitive information. You’re protecting your customers’ sensitive information as well.

Create a classification system for your sensitive data 

An important aspect of protecting sensitive data in your business is to have a standardized system for data classification.

By having a classification system, you and your employees can quickly and effectively determine how to handle a specific set of data based on its classification level.

This allows you to properly allocate your time and resources to protecting highly sensitive data over low-priority information.

How to determine which information is sensitive:

  • Locate where your business’s data is stored: server, cloud, physical, etc.
  • Determine the severity of harm your business would face for each group of information you’ve identified if it were stolen or lost. You can use a rating scale from 1–5, where 1 is "insignificant" and 5 is "catastrophic."
  • Information that’s rated higher is more "sensitive" and should be given higher priority. For example, if a software company had its source code stolen, that would be considered a catastrophic loss of intellectual property.

Here’s an example of a simple classification model:

Public information is any information related to your business that can be accessed by everyone and anyone, inside and outside your business. The transparency and wide availability of this information pose no threat to your business. This type of information doesn’t require any special handling. An example of public information is an update posted to your business website.

Restricted information requires a level of protection and is often limited to a select group of people, such as employees, specific clients, and vendors/service providers. An example of restricted information is payroll documentation that’s being accessed by your business’s accountant.

Confidential information is only accessible by a select few individuals. Loss or theft of confidential information would cause great damage to your business, so this information must be handled carefully. An example of confidential information is sensitive client data, such as private medical records or banking information.


Remember, it’s important that you play an active role in educating your employees on how to handle and work with sensitive information.

We’ve created a list of do’s and don’ts that you and your employees can reference to better secure your business’s sensitive information.
