Chapter 68 Β· Concepts

Data Types and Classifications β€” Concept Reference

Data type taxonomy, PII vs. PHI comparison, all five classification levels with security controls, format types, and a classification selection guide in structured reference form.

Data Type Taxonomy β€” Full Reference

Data TypeDefinitionExamplesPrimary Protection GoalRegulatory Framework
RegulatedHandling requirements set by an external authorityCredit card data, health records, EU personal dataCompliance with external mandatesPCI DSS, HIPAA, GDPR, and others
Trade SecretConfidential org asset; value comes from remaining unknownFormulas, processes, pricing models, algorithmsConfidentiality β€” permanent loss on disclosureTrade secret law; no registration mechanism
Intellectual PropertyLegally protected creation; may be publicly visibleSoftware code, logos, inventions, published worksLegal rights enforcement against unauthorized useCopyright, trademark, patent law
Legal InformationCourt records, case files, attorney communicationsJudicial decisions, sealed records, attorney-client commsDual: transparency for public records + privacy for sensitive detailsCourt rules, attorney-client privilege statutes
Financial InformationInternal company financials + customer/individual financial dataBank accounts, credit cards, internal budgets, M&A targetsConfidentiality; compliance; prevent direct monetary theftPCI DSS, banking regulations, securities law

Data Format Types β€” Human-Readable vs. Non-Human-Readable

AttributeHuman-ReadableNon-Human-ReadableHybrid
DefinitionDirectly understandable by a person with no toolsRequires specialized tools or systems to interpretInterpretable by both humans and machines; requires format knowledge
ExamplesPlain text, emails, Word docs, printed reportsBarcodes, QR codes, binary files, encrypted ciphertext, raw imagesCSV, XML, JSON, HTML, YAML
Immediate exposure riskHigh β€” anyone who sees it understands itLower β€” requires tool to read, but data still presentModerate β€” readable in any text editor by anyone familiar with format
Security reliance on formatNone β€” no security benefit from the formatNone β€” format β‰  security; data still requires protectionNone β€” readable in any text editor; not an obscurity control
Common security incidentsExposed documents, misdelivered emails, printed records left unsecuredUnprotected database binaries, exposed backup files, unencrypted encoded dataCSV/JSON exports containing bulk PII; API responses with tokens/credentials
Exam noteNon-human-readable is NOT inherently more secureA barcode still encodes data; encrypted data still needs the key protectedJSON/XML/CSV are "both" β€” common in data breach scenarios

PII vs. PHI β€” Side-by-Side Comparison

AttributePII β€” Personally Identifiable InformationPHI β€” Protected Health Information
DefinitionAny data that can identify a specific individual β€” alone or combined with other dataHealth information associated with an identifiable individual β€” created, received, or maintained by a HIPAA-covered entity
ScopeBroad β€” applies to any sector, any organization collecting individual dataNarrow β€” specific to healthcare context (covered entities and business associates)
RelationshipBroader category β€” includes PHISubset of PII β€” PHI is always PII, but PII is not always PHI
Regulatory frameworkGDPR, CCPA, COPPA, and many sector-specific laws globallyHIPAA (U.S.) β€” specific penalties, breach notification requirements, Business Associate Agreements
Direct identifier examplesName, SSN, passport, driver's license, biometrics, email, phoneName + any of: diagnosis, treatment records, lab results, prescriptions, mental health records
Indirect identifiersDOB + gender + ZIP code identifies most individuals (aggregation risk)Appointment record (indicates healthcare was sought), payment for healthcare services
Key exam trapPII by itself β€” even a name + address β€” triggers privacy regulationsA payment record for healthcare services IS PHI β€” it becomes health-related when linked to healthcare
Breach notificationRequired under GDPR (72 hrs), CCPA, and many national lawsHIPAA: notify individuals within 60 days, notify HHS; major breaches (500+) notified to HHS immediately

Data Classification Levels β€” Full Spectrum

Classification LevelWho Can AccessTypical ContentsPrimary Security FocusCommon Controls
Public / UnclassifiedAnyone β€” no restrictionsMarketing materials, press releases, public websites, job postingsIntegrity (prevent unauthorized modification)Web application controls; no confidentiality controls needed
SensitiveEmployees with need-to-knowIP, PII, PHI, internal business dataConfidentiality β€” prevent external disclosureEncryption in transit and at rest; access logging; DLP policies; no sharing outside org without auth
ConfidentialExplicitly authorized individuals onlyExecutive comms, M&A plans, legal negotiations, unreleased financialsConfidentiality β€” strict access control; higher bar than sensitiveIndividual authorization per access grant; strong encryption; granular audit logs; physical controls possible
Private / Classified / RestrictedFormally vetted and authorized individuals; may require NDAGovernment classified intel, corporate trade secrets, sealed legal records, sensitive researchConfidentiality β€” formal access vetting; legal agreementsSecurity clearances (govt); NDA requirements; network segmentation; need-to-know enforcement within authorized group
CriticalAuthorized operational users β€” focus is on ensuring they can always access itOperational databases, authentication systems, emergency comms, medical systemsAvailability β€” data must always be accessibleRedundancy; backups; clustering; failover; disaster recovery testing; SLA monitoring

Trade Secret vs. Intellectual Property β€” Key Distinctions

AttributeTrade SecretIntellectual Property (IP)
VisibilityMust remain secret β€” value is entirely from confidentialityCan be publicly visible while still protected (a published novel, a registered logo)
Protection mechanismSecrecy β€” no registration, no public disclosureLegal rights β€” copyright, trademark, patent (all involve government registration or automatic legal protection)
DurationIndefinite β€” as long as secrecy is maintainedLimited β€” copyright (life + 70 years), patent (~20 years), trademark (renewable)
Protection lost whenSecret is disclosed β€” cannot be restored once publicTerm expires, or rights not enforced β€” legal remedies still apply during term
ExamplesCoca-Cola formula, Google's search algorithm, internal pricing modelSoftware code (copyright), Nike swoosh (trademark), pharmaceutical compound (patent)
Security control emphasisAccess controls, insider threat prevention, DLP β€” prevent any disclosureCopy protection, DRM, watermarking, legal enforcement β€” prevent unauthorized reproduction/use

Classification Selection Guide

ScenarioClassificationReason
A patient's name, diagnosis, and prescription history in a hospital databasePHI (and Sensitive)Health information associated with an identifiable individual held by a HIPAA-covered entity β€” highest regulated data protection requirements
A company's public-facing product brochure available for download from the websitePublic / UnclassifiedIntentionally distributed to anyone β€” no confidentiality requirement; integrity controls still apply
The authentication server that all employees use to log in β€” must never be unavailableCriticalAvailability is the primary concern β€” downtime immediately affects all users; drives redundancy and failover investment
The secret formula for a company's flagship product, known only to three executivesTrade Secret (and Confidential/Restricted)Entire value depends on remaining secret; loss of secrecy permanently destroys competitive advantage
A customer CSV export containing names, email addresses, and purchase historiesPII (and Sensitive)Names + email addresses + purchase behavior can identify individuals; privacy regulations apply; CSV format is easily readable β€” requires strong access controls
Preliminary merger acquisition plans not yet announced to the marketConfidential (and Restricted)Premature disclosure could violate securities law; limited to executives and legal team; requires explicit authorization per person
A government intelligence report requiring security clearance to access, with criminal penalties for unauthorized disclosureClassified (government)Formal government classification system; legal clearance requirements; criminal penalties define the restricted category in government context
A JSON API response containing session tokens and user account IDsSensitive (PII component)Hybrid format readable in any text editor; contains both PII (account IDs) and authentication credentials β€” high-risk data format in integration scenarios