When it comes to data, not all information is created equal. In the case of a security incident, some datasets will need to be treated differently than others.
From an incident response planning perspective, it’s essential to identify the types of business data held by the company so the proper measures can be put in place. Incident response planners can effectively develop plans to protect each type of information in the event of a security breach or attack. It also equips them to take the correct remediation steps, such as meeting legal obligations by informing certain stakeholders.
In this blog post, we take a look at what organizational data is and the different data types that might be relevant to your organization, particularly those that become a liability once exposed.
What is Organizational Data?
In broad terms, organizational data refers to any information that is collected and stored by an organization. This can include everything from financial records and customer surveys to employee performance data and social media analytics. Information may be stored in hardcopy format, for example, in files, folders and cabinets, or in the form of digital data.
To be truly useful, data must be accurate, up to date, and relevant to the organization's goals. With the right tools and processes in place, data can be a powerful asset for any business. However, in the case of a breach, data can be detrimental to an organization.
Organizational data exposure incidents can cause privacy and safety concerns and lead to financial losses, lowered competitive advantage and a damaged reputation.
Organizational Data Overview and Examples
Wondering what types of data are relevant to your organization? We outline the various classes below, along with examples.
Company Information
Company information refers to any and all data and details pertaining to a specific organization or business. This can include the company's size, history, employees, contact information, financial records, public profile and more. Company information is important for incident response planning because it helps responders understand the context of an incident, identify key stakeholders, and develop an appropriate response.
Confidential Business Information
Confidential business information is any information that could potentially give a rival company an unfair competitive advantage. This business data could include things like trade secrets, customer lists or confidential financial information.
Exposure of confidential business information could cause reputational damage, increased customer acquisition costs, loss of intellectual property value, or even third-party litigation.
During incident response planning, it’s important to identify this information, prioritize its protection, and devise remediation plans in case of a breach or exposure.
Consumer Credit Information
Consumer credit information is a type of business data that includes information about an individual's credit history and borrowing habits. It is frequently linked to highly sensitive identifiers such as Social Security numbers (SSNs). Consumer credit information is typically protected under the Fair Credit Reporting Act (FCRA), which governs access to and use of consumer credit report records.
It’s vital for the IR team to be aware of the collection of such information, whether it’s in relation to employees, vendors, or customers so that it may be properly protected and parties can be notified in case a data leak does occur.
Information Subject to Banking Regulations
Information subject to banking regulations refers to any information that is regulated by banking laws and regulations. This includes information about financial transactions, customer accounts, and other sensitive data.
Banking and financial institution regulations are designed to protect consumers and ensure the stability of the financial system. Incident response planning must take into account the potential for data breaches and other security threats to this type of information.
Federal banking regulators require companies to protect individuals' financial information. The primary agencies include the Office of the Comptroller of the Currency (OCC), the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB); the Federal Trade Commission (FTC) enforces these requirements for non-bank financial institutions. The federal laws that apply include the Bank Secrecy Act and the Gramm-Leach-Bliley Act, among others. State banking regulators and laws apply to certain banking entities as well.
Intellectual Property
Intellectual property is a category of property that covers intangible assets such as ideas, creations and knowledge. Some intellectual property is protected by registered rights such as patents, copyrights and trademarks, which survive disclosure. Trade secrets, by contrast, derive their value and their legal protection from remaining secret, so an exposure can permanently destroy them. Incident responders need to distinguish between the two so that they can gauge the severity of a data breach and prioritize containment and recovery operations accordingly.
Material Nonpublic Information (MNPI) / Market Moving Information
Material nonpublic information is any information that has not been publicly disclosed and that a reasonable investor would consider important, i.e., information that could move the company's stock price. This could include quarterly financial results, upcoming product launches, mergers and acquisitions, significant news about the company, economic data or even political events. For incident response planning, awareness of MNPI lets you take steps to minimize losses and to meet SEC disclosure requirements, including the rules on when and how a material cybersecurity incident itself must be disclosed. If material nonpublic information is leaked in a data breach, it could have a significant impact on the company's stock price and expose the company to insider-trading concerns. This is why it's important to know what MNPI the organization holds and where it is stored, to have a plan for responding to a breach involving it, and to make sure all employees understand the importance of keeping material nonpublic information confidential.
Nonpublic (Financial) Information (NPI)
Nonpublic (financial) information is a defined term for personally identifiable information that a financial institution holds about a consumer. The Gramm-Leach-Bliley Act’s Privacy Rule requires financial institutions to safeguard NPI and is enforced by the FTC. NPI is personally identifiable financial information that isn’t publicly available and that a financial institution receives in connection with a financial product or service either directly from a consumer or in connection with a transaction with the consumer.
Examples include: information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service; account balance information, payment history, overdraft history, and credit or debit card purchase information; the fact that an individual is or has been a customer or has obtained a financial product or service; and information collected through an Internet "cookie."
This type of information can be used to commit identity theft or fraud if it falls into the wrong hands and needs to be on the radar during incident response planning to ensure proper measures are in place and proper reporting obligations are met under various banking-sector laws.
Payment Card Information (PCI)
Payment card information, one of the critical data types, refers to the data stored on the chip or magnetic stripe of a credit or debit card and printed on its face: the primary account number (PAN), cardholder name, expiration date and service code, together with sensitive authentication data such as the full track data, the card verification code (CVV2/CVC2/CID) and PIN data. Under the PCI Data Security Standard (PCI DSS), sensitive authentication data must not be retained after authorization, and the PAN must be rendered unreadable wherever it is stored. In the wrong hands, this information can be used to make unauthorized purchases or withdrawals.
If this information is compromised, it is important to alert consumers so they can take steps to prevent further damage, such as canceling the card and changing the account number. Businesses that accept payment cards may be responsible for notifying credit reporting agencies, payment card brands (e.g., MasterCard, VISA, American Express, Discover), payment processors, acquiring banks, and state AGs in addition to consumers, depending on the extent of the exposure.
Personal Data (GDPR)
Personal data is the term defined under the European Union's General Data Protection Regulation (GDPR) and the UK GDPR, and it generally refers to any information relating to an identified or identifiable individual. This includes, but is not limited to, name, address, phone number, email address, national identification number, online identifiers and date of birth. For businesses that are subject to the GDPR, the full definition will need to be outlined in the IR plan. The GDPR also sets out response obligations when this type of data is involved in a breach, including notifying the supervisory authority within 72 hours of becoming aware of the breach where feasible, and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them.
Personal Information (PI)
Similar to personal data, personal information is the term used in most U.S. laws regarding personally identifiable information. Most state data breach notification laws define personal information as a first and last name (or first initial and last name) combined with a data element that is not typically publicly available, e.g., an SSN, bank account number, username and password, or health insurance ID number. Increasingly, however, as states pass comprehensive privacy legislation, the definition of "personal information" has expanded to cover a much broader set of information, similar to personal data: i.e., any information related to an identifiable individual.
The definition of personal information should be included in the IR plan, but note that this differs depending on the location of the organization and its customers. Associated legal obligations may also differ.
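Knowing which of the above categories an organization holds starts with finding the data. The following is an added example, not code from ZeroDay Law or the original post, of a small data-discovery scanner covering two of the categories discussed above: it flags candidate payment card numbers (PCI) only when they pass the Luhn check that all major card brands use, flags SSN-shaped values (PI) only when they fall in a range the Social Security Administration actually issues, and masks every hit to its last four digits so the scan output does not itself become a new store of cardholder data. The sample records and their values are constructed for this example (the card numbers are the publicly documented brand test numbers); the regexes are deliberately simple and tuned to reduce false positives, not to replace a commercial DLP tool.

```python
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN in its canonical AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> list[tuple[str, str]]:
    """Return (category, masked value) for each sensitive value found in text."""
    findings: list[tuple[str, str]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("PCI", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("PI", mask("".join(m.groups()))))
    return findings


# Constructed sample records for this example; not real customer data.
SAMPLE_RECORDS = [
    "ticket 48213: customer paid with card 4111 1111 1111 1111 exp 12/27",
    "payroll onboarding: SSN 123-45-6789, start date 2024-03-01",
    "shipment ref 1234567890123456 delivered; callback 555-123-4567",
    "test fixture: ssn 666-12-3456 card 4111-1111-1111-1112",
]


def scan(records: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map record index to its findings, omitting records with none."""
    results = {}
    for idx, record in enumerate(records):
        found = classify(record)
        if found:
            results[idx] = found
    return results


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_RECORDS).items():
        print(f"record {idx}: {found}")
```

Record 2 shows why the Luhn check matters: a 16-digit shipment reference looks exactly like a PAN to a regex but fails mod-10, and record 3 shows an SSN in an unissued range and a card number with a bad check digit both being dropped. Real scans should run over the systems identified in the IR plan (databases, file shares, ticketing and mail), and the masked output should feed the data inventory rather than being stored alongside the raw records.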
Protected Health Information (PHI)
Protected health information (PHI) is defined as any personally identifiable information relating to an individual's past, present or future physical or mental health; provision of healthcare; or past, present or future payment for healthcare. To be considered PHI, the information must have been created or received by a health care provider, health plan, employer, or health care clearinghouse. This includes, but is not limited to, information such as prescription records, diagnosis, treatment and related records, or insurance claims.
Incidents that expose PHI can have a significant impact on an individual's privacy, payment obligations and their ability to access healthcare. When planning for incident response, it is important to consider how PHI will be protected and what steps will be taken to ensure that it is not compromised.
PHI is protected by a number of federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires covered entities and their business associates to protect the confidentiality, integrity and availability of PHI by implementing administrative, physical and technical safeguards. Covered entities must also have incident response procedures in place that address how they will respond to incidents involving PHI. The HIPAA Breach Notification Rule lays out a specific risk assessment a company must perform to determine whether an incident is a reportable breach, and requires notification of affected individuals without unreasonable delay and no later than 60 calendar days after discovery, with additional notice to regulators and, for larger breaches, the media.
Third Parties’ Confidential Information
Third parties' confidential information refers to any non-public information regarding a third-party entity, or data received from a third-party entity, that is held by a company or organization and that, if disclosed, could harm that entity. This external data can include trade secrets, financial data, sensitive customer information, planned business changes, customer lists, or any information the third party is required to protect against disclosure under law or contract.
Incident response plans should identify these categories of information and have protocols in place for alerting appropriate parties in the company (e.g., legal) so the company can make sure to meet any legal notification requirements and/or to remediate the cause of any unauthorized disclosures. Failure to handle this properly could lead to legal action by the third party against the organization suffering the breach.
Incident response planning involves developing business processes that reduce data breach recovery time and costs, minimize collateral damage and keep normal business operations running. Understanding the types of data your organization holds plays a pivotal role in effective IR planning.
Incident response planning is not a set-it-and-forget-it process. When was the last time you reviewed your organizational data and internal security processes?
The fast-paced digital landscape demands a deep understanding of privacy regulations, especially regarding integrating artificial intelligence within basic organizational operations. To equip your organization with the necessary knowledge and tools, we invite you to explore our comprehensive blog post, Privacy Regulations and AI for Organizations.
Learn more about the IR planning process and why it's critical to protect your organization and your customers with our Incident Response Planning Guide. ZeroDay Law can help you outline and implement an effective incident response plan and prepare your team to respond to threat actors. Keep in mind that the written plan is only part of the equation: deciding the IR strategy and building the process the organization will actually follow is the critical work, and a trusted partner can walk you through executing those steps. Learn more about our cyber law and privacy expertise or get in touch with our team to get started today.