Chapter 68 Β· Glossary

Data Types and Classifications β€” Term Reference

Key terms for data categories, PII, PHI, proprietary data, and the full sensitivity classification spectrum.

Regulated Data
Data whose handling, storage, transmission, and protection requirements are defined by an external authority β€” a government, regulatory body, or industry standards organization β€” rather than solely by the organization that holds it. The organization must comply with externally imposed rules regardless of its own preferences. Examples include credit card data governed by PCI DSS, health information governed by HIPAA, and personal data of EU residents governed by GDPR. Non-compliance with regulated data requirements can result in legal penalties, financial fines, mandatory breach notifications, and loss of operating authority. Regulated data is the category where external compliance obligations intersect most directly with information security controls.
Trade Secret
Confidential organizational information that provides competitive advantage and derives its entire value from remaining secret. Unlike patents (which require public disclosure) or copyrights (which protect publicly visible works), trade secrets have no registration mechanism β€” protection depends on maintaining confidentiality. A trade secret can be any information that gives a business a competitive edge and is kept secret through reasonable measures: a formula, manufacturing process, pricing model, customer acquisition strategy, algorithm, or internal methodology. Once a trade secret is disclosed β€” whether through a breach, an employee departure, or reverse engineering β€” the competitive advantage is permanently lost. Security focus: confidentiality and insider threat prevention.
Intellectual Property (IP)
Creations of the mind that are protected by legal rights β€” copyright, trademark, patent, or trade secret law. Unlike trade secrets, intellectual property can be publicly visible while still being legally protected against unauthorized use. Copyright protects original works of authorship (software code, written content, artistic works) automatically upon creation. Trademark protects brand identifiers (names, logos, slogans) through registration with government offices. Patents protect inventions through a formal registration process that requires public disclosure of the invention in exchange for exclusive rights for a defined period. The security challenge with IP: protection is primarily through legal enforcement rather than access controls, but organizations must also implement technical controls to prevent unauthorized copying and distribution.
Legal Information
Data associated with legal proceedings and professional legal activities, including court records, case filings, attorney communications, judicial decisions, and case management information. Legal information has a dual nature: much of it is intentionally public (court decisions, docketed cases) to maintain transparency in the justice system, while other components contain highly sensitive personal information (victim identities, financial disclosures, medical evidence, attorney-client privileged communications). Legal systems typically store records across multiple systems with different access tiers β€” public dockets, restricted court systems, sealed records, and attorney work product repositories β€” requiring coordinated access controls across potentially legacy infrastructure.
Financial Information
Data encompassing both internal organizational financial details and customer/individual financial data. Internal financial data includes revenue figures, profit margins, budget plans, acquisition targets, and financial projections β€” sensitive for competitive and regulatory reasons (securities law). Customer financial data includes bank account numbers, credit card information, payment records, and purchase histories β€” regulated by PCI DSS, banking laws, and financial privacy regulations, and a primary target for attackers because of its direct monetary value. Financial data breaches are among the most costly and frequent, combining regulatory liability, direct monetary risk, and long-term reputational damage.
Human-Readable Data
Data that can be directly understood by a person without specialized tools or additional processing. Plain text files, emails, standard documents, spreadsheets, and printed records are all human-readable. The security implication: exposure of human-readable data is immediately impactful β€” anyone who views it understands its content without any technical skill. A plain-text file containing passwords, SSNs, or medical records is fully compromised the moment an unauthorized person sees it. Human-readable sensitive data requires strict access controls and cannot rely on obscurity of format for any protection.
Non-Human-Readable Data
Data that is encoded, compressed, or structured in ways that cannot be directly understood by a person without specialized tools, software, or systems. Examples include barcodes and QR codes (encode data visually), binary executable files, encrypted ciphertext, machine-generated data streams, and raw database binary formats. Non-human-readable data is not inherently more secure than human-readable data β€” it still contains the original information and requires the same protection. The format changes how the data must be accessed and processed, but does not eliminate the security requirement. A barcode still encodes specific values; encrypted data still contains the original plaintext accessible with the key.
Hybrid Data Formats
Data formats that are interpretable by both humans and machines β€” structured enough for automated processing but readable enough for a person with format knowledge to understand directly. Primary examples: CSV (Comma-Separated Values), XML (Extensible Markup Language), and JSON (JavaScript Object Notation). These formats are extensively used for system integration, API communication, and data exchange between applications. From a security perspective, hybrid formats are high-risk because they are commonly used to export sensitive bulk data (HR records, customer lists, transaction logs) and can be opened and read by anyone with basic tools. A CSV export from an HR system opens in any text editor or spreadsheet application β€” no special decoding required.
Proprietary Data
Data that belongs exclusively to an organization β€” created by the organization, owned by the organization, and not available to the public. As a classification label, "Proprietary" means this information should not be disclosed outside the organization. It includes trade secrets (the most sensitive subset), internal business processes, proprietary software and algorithms, research and development findings, customer lists, pricing models, and internal methodologies. The value of proprietary data lies in its exclusivity β€” once disclosed externally, competitive advantage is reduced or lost. Security focus: confidentiality controls to prevent unauthorized external disclosure, with insider threat prevention as a primary concern.
PII β€” Personally Identifiable Information
Any data that can identify a specific individual, either alone (direct identifiers) or in combination with other data (indirect identifiers). Direct identifiers: full name, SSN, passport number, driver's license number, biometric data, email address. Indirect identifiers: date of birth, home address, mother's maiden name, IP address, device identifiers. The combination problem: individually innocuous data points can become PII when aggregated β€” date of birth + gender + ZIP code alone identifies most individuals. PII is the primary subject of global privacy regulations (GDPR, CCPA, HIPAA, and many sector-specific laws). Organizations that collect, store, or process PII must comply with applicable privacy laws governing consent, access rights, retention limits, and breach notification.
PHI β€” Protected Health Information
A legally defined category under HIPAA (Health Insurance Portability and Accountability Act) β€” health information associated with an identifiable individual that is created, received, maintained, or transmitted by a covered entity (healthcare provider, health plan, or healthcare clearinghouse) or their business associates. PHI includes medical diagnoses, treatment records, prescription histories, lab results, mental health records, health insurance information, and payments for healthcare services. PHI is a subset of PII β€” it is personally identifiable health-related information. The healthcare payment record is PHI even though it looks like financial data. HIPAA requires access controls, audit logs, transmission encryption, and breach notification for PHI. Unauthorized PHI disclosure triggers mandatory reporting to HHS and affected individuals.
Critical Data Classification
A sensitivity classification that identifies data which must remain continuously available for organizational operations β€” the primary security concern is availability, not confidentiality. Loss of access to critical data, even temporarily, causes immediate operational disruption. Examples: real-time operational databases, authentication systems, emergency communication platforms, medical systems, financial trading infrastructure. Unlike other classification levels (which focus on restricting access), the critical classification drives investment in redundancy, backup systems, high availability architecture, and disaster recovery. Security controls for critical data include RAID storage, database clustering, geographically distributed backups, tested failover procedures, and SLA monitoring. The exam distinguishes critical from other levels by this availability-first focus.