Data Type Taxonomy β Full Reference
| Data Type | Definition | Examples | Primary Protection Goal | Regulatory Framework |
|---|---|---|---|---|
| Regulated | Handling requirements set by an external authority | Credit card data, health records, EU personal data | Compliance with external mandates | PCI DSS, HIPAA, GDPR, and others |
| Trade Secret | Confidential org asset; value comes from remaining unknown | Formulas, processes, pricing models, algorithms | Confidentiality β permanent loss on disclosure | Trade secret law; no registration mechanism |
| Intellectual Property | Legally protected creation; may be publicly visible | Software code, logos, inventions, published works | Legal rights enforcement against unauthorized use | Copyright, trademark, patent law |
| Legal Information | Court records, case files, attorney communications | Judicial decisions, sealed records, attorney-client comms | Dual: transparency for public records + privacy for sensitive details | Court rules, attorney-client privilege statutes |
| Financial Information | Internal company financials + customer/individual financial data | Bank accounts, credit cards, internal budgets, M&A targets | Confidentiality; compliance; prevent direct monetary theft | PCI DSS, banking regulations, securities law |
Data Format Types β Human-Readable vs. Non-Human-Readable
| Attribute | Human-Readable | Non-Human-Readable | Hybrid |
|---|---|---|---|
| Definition | Directly understandable by a person with no tools | Requires specialized tools or systems to interpret | Interpretable by both humans and machines; requires format knowledge |
| Examples | Plain text, emails, Word docs, printed reports | Barcodes, QR codes, binary files, encrypted ciphertext, raw images | CSV, XML, JSON, HTML, YAML |
| Immediate exposure risk | High β anyone who sees it understands it | Lower β requires tool to read, but data still present | Moderate β readable in any text editor by anyone familiar with format |
| Security reliance on format | None β no security benefit from the format | None β format β security; data still requires protection | None β readable in any text editor; not an obscurity control |
| Common security incidents | Exposed documents, misdelivered emails, printed records left unsecured | Unprotected database binaries, exposed backup files, unencrypted encoded data | CSV/JSON exports containing bulk PII; API responses with tokens/credentials |
| Exam note | Non-human-readable is NOT inherently more secure | A barcode still encodes data; encrypted data still needs the key protected | JSON/XML/CSV are "both" β common in data breach scenarios |
PII vs. PHI β Side-by-Side Comparison
| Attribute | PII β Personally Identifiable Information | PHI β Protected Health Information |
|---|---|---|
| Definition | Any data that can identify a specific individual β alone or combined with other data | Health information associated with an identifiable individual β created, received, or maintained by a HIPAA-covered entity |
| Scope | Broad β applies to any sector, any organization collecting individual data | Narrow β specific to healthcare context (covered entities and business associates) |
| Relationship | Broader category β includes PHI | Subset of PII β PHI is always PII, but PII is not always PHI |
| Regulatory framework | GDPR, CCPA, COPPA, and many sector-specific laws globally | HIPAA (U.S.) β specific penalties, breach notification requirements, Business Associate Agreements |
| Direct identifier examples | Name, SSN, passport, driver's license, biometrics, email, phone | Name + any of: diagnosis, treatment records, lab results, prescriptions, mental health records |
| Indirect identifiers | DOB + gender + ZIP code identifies most individuals (aggregation risk) | Appointment record (indicates healthcare was sought), payment for healthcare services |
| Key exam trap | PII by itself β even a name + address β triggers privacy regulations | A payment record for healthcare services IS PHI β it becomes health-related when linked to healthcare |
| Breach notification | Required under GDPR (72 hrs), CCPA, and many national laws | HIPAA: notify individuals within 60 days, notify HHS; major breaches (500+) notified to HHS immediately |
Data Classification Levels β Full Spectrum
| Classification Level | Who Can Access | Typical Contents | Primary Security Focus | Common Controls |
|---|---|---|---|---|
| Public / Unclassified | Anyone β no restrictions | Marketing materials, press releases, public websites, job postings | Integrity (prevent unauthorized modification) | Web application controls; no confidentiality controls needed |
| Sensitive | Employees with need-to-know | IP, PII, PHI, internal business data | Confidentiality β prevent external disclosure | Encryption in transit and at rest; access logging; DLP policies; no sharing outside org without auth |
| Confidential | Explicitly authorized individuals only | Executive comms, M&A plans, legal negotiations, unreleased financials | Confidentiality β strict access control; higher bar than sensitive | Individual authorization per access grant; strong encryption; granular audit logs; physical controls possible |
| Private / Classified / Restricted | Formally vetted and authorized individuals; may require NDA | Government classified intel, corporate trade secrets, sealed legal records, sensitive research | Confidentiality β formal access vetting; legal agreements | Security clearances (govt); NDA requirements; network segmentation; need-to-know enforcement within authorized group |
| Critical | Authorized operational users β focus is on ensuring they can always access it | Operational databases, authentication systems, emergency comms, medical systems | Availability β data must always be accessible | Redundancy; backups; clustering; failover; disaster recovery testing; SLA monitoring |
Trade Secret vs. Intellectual Property β Key Distinctions
| Attribute | Trade Secret | Intellectual Property (IP) |
|---|---|---|
| Visibility | Must remain secret β value is entirely from confidentiality | Can be publicly visible while still protected (a published novel, a registered logo) |
| Protection mechanism | Secrecy β no registration, no public disclosure | Legal rights β copyright, trademark, patent (all involve government registration or automatic legal protection) |
| Duration | Indefinite β as long as secrecy is maintained | Limited β copyright (life + 70 years), patent (~20 years), trademark (renewable) |
| Protection lost when | Secret is disclosed β cannot be restored once public | Term expires, or rights not enforced β legal remedies still apply during term |
| Examples | Coca-Cola formula, Google's search algorithm, internal pricing model | Software code (copyright), Nike swoosh (trademark), pharmaceutical compound (patent) |
| Security control emphasis | Access controls, insider threat prevention, DLP β prevent any disclosure | Copy protection, DRM, watermarking, legal enforcement β prevent unauthorized reproduction/use |
Classification Selection Guide
| Scenario | Classification | Reason |
|---|---|---|
| A patient's name, diagnosis, and prescription history in a hospital database | PHI (and Sensitive) | Health information associated with an identifiable individual held by a HIPAA-covered entity β highest regulated data protection requirements |
| A company's public-facing product brochure available for download from the website | Public / Unclassified | Intentionally distributed to anyone β no confidentiality requirement; integrity controls still apply |
| The authentication server that all employees use to log in β must never be unavailable | Critical | Availability is the primary concern β downtime immediately affects all users; drives redundancy and failover investment |
| The secret formula for a company's flagship product, known only to three executives | Trade Secret (and Confidential/Restricted) | Entire value depends on remaining secret; loss of secrecy permanently destroys competitive advantage |
| A customer CSV export containing names, email addresses, and purchase histories | PII (and Sensitive) | Names + email addresses + purchase behavior can identify individuals; privacy regulations apply; CSV format is easily readable β requires strong access controls |
| Preliminary merger acquisition plans not yet announced to the market | Confidential (and Restricted) | Premature disclosure could violate securities law; limited to executives and legal team; requires explicit authorization per person |
| A government intelligence report requiring security clearance to access, with criminal penalties for unauthorized disclosure | Classified (government) | Formal government classification system; legal clearance requirements; criminal penalties define the restricted category in government context |
| A JSON API response containing session tokens and user account IDs | Sensitive (PII component) | Hybrid format readable in any text editor; contains both PII (account IDs) and authentication credentials β high-risk data format in integration scenarios |