Protecting Sensitive Data and the Importance of an Incident Response Plan

With cyber incidents and breaches on the rise, it is important to discuss the responsibility of businesses to protect consumer and employee data, to be aware of cyber and data privacy legislation, and to cover emerging issues such as biometric privacy. With technology advancing at an unprecedented rate, it is more important than ever for businesses to ensure they are doing the right things to protect their customers' and employees' sensitive information and data. In this post, we will explore why this is so critical and introduce a few measures businesses can implement to safeguard sensitive data.


First, let's talk about health data. Health data is one of the most sensitive types of information a business can hold for its customers and employees. It can reveal a great deal about a person, including their medical history, diagnoses, prescribed medications, and any treatments they may be undergoing. Health data became legally protected to prevent discrimination, stigmatization, and the loss of employment or insurance coverage. Personal health information (PHI) is also commonly used to perpetrate identity theft, financial fraud, profiling, and other criminal activities.

To address these concerns, governments around the world have enacted legislation to protect personal health information (PHI). For example, in 1996 the US passed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA established a national standard to ensure the privacy and security of individually identifiable health information, including electronic records (ePHI), in order to safeguard individual privacy and prevent the misuse of that information for harmful purposes. HIPAA defines two categories of entities responsible for personal health information: covered entities and business associates. Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while a business associate is a third-party person or organization that works with or for a covered entity. Under HIPAA, both are responsible for protecting the privacy and security of PHI. The HIPAA Security Rule outlines specific security requirements to ensure the confidentiality, integrity, and availability of PHI. These include administrative, physical, and technical safeguards, as well as organizational requirements, to prevent, detect, contain, and correct security violations, incidents, breaches, and other failures.

A covered entity is required to have written policies and procedures in place to comply with the Privacy Rule, have a designated security officer, and conduct regular security awareness training for all members of its workforce. On the other hand, a business associate must have a written agreement with the covered entity that outlines the specific requirements for safeguarding PHI.


Next up is biometric data. Biometric data is derived from a person's unique physical or behavioral characteristics and is used to identify them, typically to grant access to a secure area, unlock a device, or verify their identity. Examples are fingerprints, retinal scans, facial recognition, and voice recognition.

Biometric data is considered personal data because it is unique to an individual. As a result, biometric data collection, storage, and use are subject to specific laws and regulations.

As the new kid on the block, biometric data is only beginning to be addressed by laws and regulations. In the US, specific state laws include the Illinois Biometric Information Privacy Act (BIPA), the Texas Biometric Privacy Act (TBPA), the Washington State Biometric Privacy Act (SBPA), and the California Consumer Privacy Act (CCPA). These laws all require reasonable security measures to protect biometric data from unauthorized access, use, and disclosure, and they require the secure retention and destruction of the data.


Sensitive information is any information that, if disclosed, could harm or negatively affect an individual or organization. This information includes personal information (PI) such as financial, medical, biometric data, and other types of personally identifiable information (PII).

Sensitive information can also include confidential or proprietary information. Examples include trade secrets, intellectual property (IP), client lists, business plans, classified national security information, military secrets, and other government information.

Sensitive information is subject to specific laws and regulations that govern its collection, storage, and use, and it requires special protections and security measures to prevent unauthorized access, use, or disclosure. Examples are HIPAA for medical information, the General Data Protection Regulation (GDPR) for personal data in the European Union (EU), and various state-level data breach notification laws in the US that require companies to notify affected individuals or entities of a security breach involving sensitive information.


As you can see, cybersecurity and data privacy are not for the faint of heart. Companies must comply with legal and regulatory requirements to ensure their systems and data are reasonably protected. Data privacy and cybersecurity are closely aligned and sometimes overlapping fields, both concerned with protecting information from unauthorized access, use, and disclosure. There are several areas of overlap between them:

  1. Information protection: specific security measures required to protect personal information, such as encryption, access controls, and data retention policies.
  2. Risk management: several key steps to identify, assess, and prioritize risks to an organization's operations, assets, and information, and then to implement strategies to mitigate or manage those risks.
  3. Risk prioritization: ranking risks based on their likelihood and potential impact.
  4. Risk mitigation: strategies to reduce or manage identified risks. This includes implementing security controls, developing an incident response plan, and transferring risk through insurance.
  5. Risk monitoring and review: regularly reviewing the effectiveness of risk management strategies and making adjustments based on changes in the risk landscape or in the organization's operations.

In summary, you can see that data and information are protected and highly regulated. While there are different types of data – personal information (PI), personally identifiable information (PII), personal health information (PHI), and sensitive data – governments around the world have determined that data which can be used to identify a person and potentially cause harm, as well as the systems that store it, must be reasonably protected. And when security measures fail, you must have an incident response plan to remediate the incident or breach, harden your security, and notify the people involved.

Get breach assistance now.

After a cyber breach, you need a team ready to hit the ground running. We’re here for you 24/7/365. That’s our promise.

Our incident response project managers, data analytics experts, and review specialists are seasoned professionals who understand the magnitude of the situation your company is facing and the related expenses. We are here to ensure timely, accurate notification of affected parties.

CyTrex Cyber - Incident Response Service

CyTrex Cyber helps entities that need assistance managing a cybersecurity incident or that want to learn more about cyber breach management. Insurance carriers, law firms, businesses, government agencies, and educational institutions depend on us for cyber incident response support.

© 2023 CyTrex Cyber, Inc