4.3.1. Data Types and Classifications

💡 First Principle: Not all data requires the same level of protection. Classification identifies data sensitivity so protection levels match the risk. Treating all data identically either over-spends on low-value data or under-protects high-value data.

Data types to protect:

• Regulated data — subject to legal requirements: PII (Personally Identifiable Information), PHI (Protected Health Information), financial data. Legal consequences for mishandling.
• Trade secrets — proprietary information providing competitive advantage. Loss may not trigger compliance penalties but can devastate the business.
• Intellectual property — patents, designs, source code, research. Must be protected from theft and unauthorized disclosure.
• Legal information — attorney-client privilege, litigation holds, compliance documentation. Improper disclosure can waive legal protections.
• Financial information — earnings, transactions, forecasts. Subject to regulations (SOX, PCI DSS) and insider trading laws.
• Human-readable vs. non-human-readable — data classification and protection apply regardless of format. Encrypted data and machine-readable data still require classification.

Classification levels (government: Top Secret → Secret → Confidential → Unclassified; corporate: Restricted → Confidential → Internal → Public). The classification determines handling requirements: who can access it, how it's stored, how it's transmitted, and how it's destroyed.

Classification process: The data owner (a business role, not IT) determines the classification based on sensitivity and regulatory requirements. IT implements the technical controls that match the classification. This separation ensures classification decisions are driven by business risk, not technical convenience. Data should be classified at creation and reclassified when its sensitivity changes — for example, a confidential product roadmap becomes public after the product launches.

Data labeling makes classification visible and enforceable. Labels can be applied as document headers/footers, file metadata tags, email sensitivity markers, or database field attributes. Tools like Microsoft Information Protection automatically apply and enforce labels, preventing users from sharing a "Restricted" document via unencrypted email.

⚠️ Exam Trap: PII is any information that can identify a specific individual — name, SSN, email, IP address, biometric data. PHI is PII combined with health information. PHI has stricter protections under HIPAA. If data includes both identity and health info, it's PHI.