Chapter 68 Β· Examples

Data Types and Classifications β€” Real-World Examples

Hospital data inventory, CSV export breach, classification level selection, and a multi-part data governance scenario.

Example 1

Hospital Data Inventory β€” Identifying Types and Classifications

A regional hospital is conducting a data classification audit. The security team must identify the data type and appropriate classification for each dataset they find. Here is their inventory:

Dataset FoundData TypeClassificationWhy
Patient medical records: name, DOB, diagnosis, treatment notes, prescriptionsPHI (and Regulated)Sensitive / RestrictedHIPAA-regulated health information linked to identifiable individuals. Contains both PII (name, DOB) and medical information. HIPAA mandates specific technical, administrative, and physical safeguards.
Billing records: patient name, insurance ID, procedure codes, amount paidPHI (and Financial/Regulated)Sensitive / RestrictedPayment for healthcare services is PHI under HIPAA β€” the financial record becomes health-related when linked to medical procedures. Also governed by financial privacy regulations.
Employee personnel files: SSNs, home addresses, bank account numbers for payrollPII (and Financial)ConfidentialContains direct PII identifiers (SSN) and financial data. Not PHI because it is employee data, not patient health data. Access should be limited to HR and payroll personnel only.
Patient appointment scheduling system: names, phone numbers, appointment datesPHISensitiveEven a scheduling record is PHI because it indicates the individual sought healthcare at a specific facility. The appointment date + hospital name = health information under HIPAA.
Hospital's publicly accessible website with general health information articlesPublic informationPublic / UnclassifiedIntentionally published for anyone to read. No confidentiality requirement. Integrity controls needed to prevent defacement or injection of false health information.
Hospital's proprietary care protocol documents β€” internal clinical procedures developed over 20 yearsProprietary / Trade SecretConfidentialRepresents the hospital's unique clinical expertise and operational IP. Not publicly available; provides competitive advantage. Access limited to clinical staff on need-to-know basis.
The patient master database that every clinical system queries in real time for patient lookupsPHI + CriticalSensitive + CriticalContains PHI (confidentiality requirement) AND is operationally critical β€” unavailability would halt clinical operations and potentially harm patients (availability requirement). Dual classification drives both access controls and redundancy investment.

Key lesson: Data can carry multiple classifications simultaneously. The patient master database is both PHI (triggering HIPAA confidentiality controls) and Critical (triggering high-availability architecture). The billing records are both PHI and financial data. Classification is additive β€” the most stringent applicable controls apply.

Example 2

The CSV Export Incident β€” Why Hybrid Formats Are High-Risk

A data analyst at a financial services company needs to analyze customer purchase patterns. They run a database query and export the results as a CSV file to their laptop for offline analysis. The CSV contains:

customer_id,first_name,last_name,email,date_of_birth,ssn,account_balance,last_transaction_date
10024,Jane,Doe,jane.doe@email.com,1985-03-14,555-12-3456,14250.00,2024-01-15
10025,John,Smith,john.smith@email.com,1979-07-22,444-98-7654,8300.00,2024-01-14
...

The analyst accidentally shares this file to a collaboration platform with incorrect permissions. The file is accessible to all employees for 3 hours before the mistake is discovered.

What went wrong β€” the hybrid format problem:

What should have been in place:

Breach notification implication: Because SSNs were exposed, this incident likely triggers mandatory breach notification under applicable state laws (most U.S. states require notification when SSNs are exposed). The organization must inventory how many customers are affected, notify them within the statutory timeframe, and potentially notify the state attorney general.

Example 3

Trade Secret vs. Intellectual Property β€” A Technology Company's Assets

A technology company needs to classify its key assets. The security team must distinguish trade secrets from intellectual property and apply appropriate controls to each.

AssetTrade Secret or IP?WhySecurity Approach
The company's software product (published, sold to customers)Intellectual Property (copyright)Publicly visible β€” customers use and see the software. Protected by copyright law, not by secrecy. Customers cannot legally copy or redistribute it, but they can see and use it.Licensing enforcement, DRM, DMCA takedown process. Technical controls: code obfuscation, license key enforcement. Legal: copyright registration, terms of service.
The source code for that same software productTrade Secret (and IP)The compiled product is public IP; the source code is a trade secret β€” it reveals the implementation details, algorithms, and architecture that competitors would find valuable. Not publicly distributed. Dual classification.Source code repository access controls; code signing; strict employee access limits; NDA for contractors; DLP monitoring for code repository exfiltration.
The company logo and product nameIntellectual Property (trademark)Publicly visible β€” displayed on all products and marketing. Protected from imitation by competitors through trademark registration. Not a trade secret because it is intentionally public.Trademark registration; monitoring for counterfeit products; legal enforcement against infringers. No secrecy control needed.
The algorithm that powers the product's AI recommendation engineTrade SecretNot publicly disclosed. The competitive value of the algorithm depends entirely on competitors not knowing it. Even if a patent could protect it, the company may prefer trade secret protection to avoid the public disclosure required by patent registration.Maximum confidentiality controls: need-to-know access, no external sharing, NDA for all who access it, insider threat monitoring, DLP policies.
A research paper the company published describing a new encryption techniqueIntellectual Property (copyright + potentially patent)Intentionally made public. Protected by copyright (the writing) and potentially patent (the invention). The public disclosure may preclude future trade secret protection of the same technique.Copyright notice, publication tracking, patent filing if appropriate. The publication itself is the intended use β€” no confidentiality control needed.

Key lesson: The same company can have both trade secrets and intellectual property. The distinction turns on whether the asset's value comes from secrecy (trade secret) or from publicly enforceable legal rights (IP). Source code and compiled software are a common example where the same work is simultaneously IP (the published product) and a trade secret (the unpublished source).

Example 4

Critical vs. Confidential β€” Same Data, Different Focus

A financial services company has two databases that both contain highly sensitive information. The security team must decide which classification drives the primary security investment for each.

Database A: Customer PII and account details

Contains: names, SSNs, addresses, account numbers, credit scores, transaction histories for 2 million customers. This data is heavily regulated (bank privacy laws, PCI DSS for card data). Exposure would trigger mandatory breach notification, regulatory penalties, and severe reputational damage. Customers would be at risk for identity theft and financial fraud.

Primary classification: Confidential / Sensitive (PII + Financial + Regulated)

The primary security concern is confidentiality β€” preventing unauthorized access and disclosure. Security investment: strong encryption at rest and in transit, strict role-based access control, access audit logging, DLP to prevent export, network segmentation, penetration testing.

Availability matters too β€” but a few minutes of downtime is not a crisis. The database can have a maintenance window.

Database B: The real-time transaction authorization database

Contains: the same customer data plus real-time transaction processing state. Every credit card swipe at every merchant queries this database. Response time must be under 200ms. If this database is unavailable for even 60 seconds, every card transaction at every merchant fails. Revenue loss: thousands of dollars per second. Customer and merchant experience: catastrophic. This database processes $50 million in transactions per day.

Primary classification: Critical (in addition to Confidential/Sensitive)

The additional Critical classification drives a fundamentally different investment: multi-region active-active clustering, zero-downtime failover, sub-second replication, automated health monitoring with immediate alerting, disaster recovery tests with recovery time objectives measured in seconds, not hours. The 99.999% uptime target (5 nines = <5 minutes downtime per year) requires architecture that confidentiality controls alone do not address.

Key lesson: Database A and Database B may contain similar data types, but their operational roles are different. The Critical classification does not replace the Confidential classification β€” both apply. The Critical classification adds an availability requirement on top of the existing confidentiality requirement. Security architecture must address both dimensions.

Exam Scenario β€” Multi-Part

Regional Law Firm Data Governance Assessment

You have been hired as a security consultant to assess a regional law firm's data governance posture. The firm handles corporate litigation, employment law, and criminal defense. You discover the following during your assessment:

Part 1: The firm stores client case files on a file server with a single shared folder that all attorneys and paralegals can access. The files include: client names and contact information, case strategies and confidential legal theories, financial settlement figures under negotiation, medical records provided as case evidence, and sealed court documents marked confidential by court order. The IT director says "everyone who works here has signed an NDA, so sharing between staff is fine." Identify the data classification problems and recommend corrective actions.

Show Answer

The problems:

The firm has at least four distinct data classification tiers co-mingled in one shared folder with uniform access:

1. Client PII (names, contact info) β€” Sensitive classification. Appropriate for attorneys working the case; not appropriate for all attorneys and paralegals on unrelated cases. Attorney-client privilege requires limiting access to the specific legal team.

2. Case strategies and confidential legal theories β€” Confidential / Restricted (attorney work product doctrine). This is attorney work product β€” protected from disclosure to opposing counsel and others. Should be accessible only to the specific case team, not firm-wide. The NDA only covers external disclosure β€” it does not justify exposing one client's strategy to attorneys working for opposing clients in other matters (conflict of interest risk).

3. Medical records provided as evidence β€” PHI. The firm is handling medical records as part of litigation β€” they are acting as a business associate receiving PHI from a covered entity. HIPAA Business Associate Agreement (BAA) obligations apply. PHI must be stored in a system with access controls, audit logging, and encryption, not in a general shared folder accessible to all staff.

4. Sealed court documents β€” Restricted (court order). Court-ordered sealing has legal force. Access must be limited to authorized parties as specified in the sealing order. Making these accessible to all staff potentially violates the court order and could result in sanctions.

Corrective actions: (1) Implement folder-level access control: separate folders per classification level with RBAC limiting access to specific case teams. (2) Create a separate, HIPAA-compliant storage system or folder with audit logging for PHI evidence. (3) Implement a sealed documents vault with access controlled by the case partner and monitored by the records manager. (4) Deploy DLP rules to prevent distribution of sealed documents via email or external file transfer. (5) The NDA argument is a red herring β€” NDAs address external disclosure, not internal access compartmentalization.

Part 2: The firm's client intake form collects: full name, home address, date of birth, employer, annual income, criminal history, and the legal matter they are seeking help with (e.g., "charged with DUI," "being sued by former employer for discrimination"). The form data is stored in a cloud CRM accessible via web browser. What data type is this, and what are the security implications?

Show Answer

Data type and classification:

The intake form contains multiple overlapping data types:

PII: Name, address, DOB, and employer are all PII. Together, they form a complete identity profile that enables identity theft and is subject to privacy regulations. The combination of DOB + address + employer is sufficient to uniquely identify most individuals.

Financial PII: Annual income is sensitive financial information. Combined with the other identifiers, it creates a financial profile.

Sensitive legal information: The legal matter description ("charged with DUI," "being sued for discrimination") is highly sensitive. It reveals criminal justice involvement, employment disputes, or other personal circumstances the individual likely considers private. In many jurisdictions, pending charges that are not yet convictions carry specific privacy protections.

Potentially regulated data: Depending on jurisdiction, criminal history information may be subject to specific privacy statutes limiting its collection and retention.

Security implications:

1. Cloud storage of sensitive PII: The CRM vendor must be assessed for compliance with applicable data protection laws. A cloud vendor processing this data on the firm's behalf may require a data processing agreement (DPA under GDPR) or Business Associate Agreement (if any PHI is collected).

2. Web browser access: Browser-accessible CRM means the data is accessible from any device β€” including personal devices and unsecured networks. The firm should enforce MFA, TLS for all browser sessions, and may want to restrict access to managed devices via a ZTNA or MDM policy.

3. Retention and minimization: If a potential client does not become an actual client, what happens to their intake form? Data minimization principles (collect only what is needed, retain only as long as needed) apply. The legal matter description may not need to be retained after intake is complete.

4. Attorney-client privilege: The legal matter description may be protected by attorney-client privilege as soon as a client relationship is contemplated β€” meaning unauthorized disclosure could violate professional conduct rules, not just data protection law.

Part 3: The firm's case management system goes offline for 4 hours due to a hardware failure. Attorneys cannot access case files, deadlines, or court schedules. A hearing is missed because the attorney could not access the case information. How does this relate to data classification, and what controls should have been in place?

Show Answer

Classification relevance:

The case management system should have been classified as Critical β€” data that must remain continuously available because unavailability causes immediate operational harm. The missed hearing is a concrete example of that harm: a professional obligation was violated because of data unavailability.

The failure mode here is not a confidentiality breach β€” no data was exposed. It is an availability failure. The Critical classification is specifically designed to drive investment in availability controls that prevent this scenario. If the system had been classified as Critical, the security and IT teams would have implemented availability controls as a priority.

Controls that should have been in place:

1. RAID storage: At minimum, the server should have used RAID redundancy so a single disk failure does not cause data unavailability. RAID protects against hardware failure at the storage layer.

2. Tested backup and recovery: Regular backups with a documented and tested recovery procedure. If the hardware failed, how quickly can the system be restored? Recovery Time Objective (RTO) should be defined and tested β€” "4 hours of downtime" suggests either no backup restoration process, or one that was never practiced.

3. High availability architecture: For a Critical system, a single server is a single point of failure. A standby server with automatic failover, or a clustered architecture, would have maintained availability during the hardware failure.

4. Deadline and calendar synchronization: Critical court dates and deadlines should also be maintained in a separate calendar system (email calendar, mobile device) as a backup. Relying on a single system for hearing dates is a procedural vulnerability independent of the technical failure.

5. Classification-driven risk assessment: If the firm had a formal data classification process that labeled the case management system as Critical, the risk assessment for that system would have identified the single-server architecture as a gap requiring remediation before a failure occurred.

Part 4: A paralegal exports the firm's entire client list as a JSON file to send to a marketing vendor for a client newsletter campaign. The JSON contains: client full names, email addresses, and the practice area they used (e.g., "criminal defense," "employment litigation"). What classification issue does this scenario represent, and what policy or control failure enabled it?

Show Answer

Classification issue:

The JSON file contains PII (names + email addresses) combined with legal matter information (practice area). The practice area field transforms this from a simple contact list into sensitive legal PII:

β€” "John Smith, john@email.com, criminal defense" discloses that John Smith has been a criminal defense client β€” information he likely considers highly private.

β€” "Jane Doe, jane@email.com, employment litigation" reveals that Jane Doe has been involved in employment litigation β€” which could affect her professional reputation.

The data is classified as Sensitive PII with legal confidentiality implications. Attorney-client privilege may apply to the practice area field β€” disclosing which legal services a client used could breach confidentiality obligations. This is not just a data classification issue; it may constitute a professional conduct violation in most jurisdictions.

Policy and control failures:

1. Data classification failure: The client list was not labeled with its sensitivity level. A properly labeled "Sensitive / Confidential β€” Client PII" classification on the data would have triggered handling procedures before export.

2. No DLP on external data transfer: A DLP system scanning for PII patterns (email addresses in bulk JSON exports) going to external parties would have flagged or blocked this transfer.

3. No vendor review process: Sending client data to a marketing vendor requires a data processing agreement β€” the vendor must meet privacy and confidentiality standards. The paralegal apparently sent this without any vendor review or contractual agreement in place.

4. No need-to-know check: The marketing campaign may only need email addresses β€” not names or practice areas. Data minimization: send only what the vendor needs for the task. The practice area field has no legitimate use in a general newsletter campaign and should not have been included.

5. JSON format risk: The JSON format is a hybrid β€” any text editor opens it. It is not encrypted. Sending unencrypted client PII to a vendor via JSON file transfer is a controls gap regardless of classification β€” encrypted transfer with access-controlled delivery should be standard for any PII transfer.