🔐 Sensitive Data Types
A Data Loss Prevention (DLP) program is only as effective as the data it protects. To secure your systems and stay compliant with regulations, you must first identify what qualifies as "sensitive data."
This section covers the most common types of sensitive data that organizations need to protect — from personal records to source code.
📦 1. Personally Identifiable Information (PII)
📝 What It Is:
PII includes any information that can be used to identify an individual.
✅ Examples:
- Full name
- Address
- Phone number
- Date of birth
- Social Security Number (SSN) / Aadhaar number
- Passport/driver’s license number
- Email address (especially a work and a personal address in combination)
📌 Regulations:
- GDPR (EU)
- CCPA (California)
- India’s DPDP Act
🛡️ DLP Role:
- Detects PII patterns (e.g., regex for SSNs)
- Prevents sending files with PII to unauthorized destinations
- Encrypts or redacts sensitive personal info
❤️🩹 2. Protected Health Information (PHI)
📝 What It Is:
PHI refers to medical and health-related data tied to an individual. It’s especially critical in healthcare and insurance industries.
✅ Examples:
- Medical history
- Lab reports
- Prescription details
- Insurance claims
- Doctor’s notes
- Electronic Health Records (EHR)
📌 Regulations and Standards:
- HIPAA (USA)
- HL7 Standards
🛡️ DLP Role:
- Blocks the sharing of medical reports via unsecured channels
- Alerts when unencrypted PHI leaves the organization
- Helps healthcare providers remain HIPAA-compliant
🧠 3. Intellectual Property (IP)
📝 What It Is:
Intellectual Property includes confidential business knowledge and proprietary content that gives a company its competitive edge.
✅ Examples:
- Product designs
- Engineering diagrams
- Proprietary algorithms
- Research data
- Formulas and trade secrets
📌 Risk:
Losing IP can result in huge losses — especially in R&D, manufacturing, and software industries.
🛡️ DLP Role:
- Prevents copying or uploading of proprietary blueprints or documents
- Tags and tracks usage of sensitive internal files
- Prevents email exfiltration or printing of confidential IP
💰 4. Financial and Payment Data
📝 What It Is:
This category includes sensitive financial records and payment information — crucial for both individuals and businesses.
✅ Examples:
- Credit/Debit card numbers
- Bank account numbers
- Tax identification numbers
- Invoices and financial reports
- Payroll data
📌 Regulations:
- PCI-DSS
- SOX (Sarbanes-Oxley Act)
🛡️ DLP Role:
- Detects credit card number formats and validates candidates with the Luhn check
- Blocks spreadsheets or PDFs with bank data
- Monitors finance team communication for data leaks
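The two detection techniques named on this page, regex matching for SSNs (under PII) and the Luhn check for card numbers (here), combined in one small Python scanner that masks what it finds. This is an added example, not code from the original page or from any DLP product; the SSN and card patterns, the masking format, and the sample message are assumptions.

```python
import re

# Constructed sample outbound message; every identifier in it is made up.
SAMPLE_MESSAGE = """\
Hi team, the applicant's SSN is 123-45-6789 and the card on file is 4539 1488 0343 6467.
Please ignore the placeholder 000-12-3456 and the typo'd card 4539 1488 0343 6468.
"""

# US SSN in AAA-GG-SSSS form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str):
    """Mask SSNs and Luhn-valid card numbers; return (redacted_text, findings).

    findings is a list of (data_type, original_value) tuples, the kind of
    record a DLP policy would log or alert on before blocking the message.
    """
    findings = []

    def _mask_ssn(m):
        findings.append(("SSN", m.group()))
        return "***-**-" + m.group()[-4:]

    def _mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # fails the checksum: treat as an ordinary number
        findings.append(("CARD", m.group()))
        return "*" * (len(digits) - 4) + digits[-4:]

    text = SSN_RE.sub(_mask_ssn, text)
    text = CARD_RE.sub(_mask_card, text)
    return text, findings


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE_MESSAGE)
    for kind, value in hits:
        print(f"{kind} detected: {value}")
    print(redacted)
```

The regex alone flags both card-like strings in the sample; the Luhn check is what separates the real-looking number from the mistyped one and keeps the false-positive rate down. A production engine would additionally test Luhn on sub-windows of a long digit run and apply the same validate-then-mask pattern to other identifiers (for example IBANs), but the structure stays the same: a broad pattern to find candidates, a checksum or lookup to confirm, then a policy action on the confirmed hit.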
💻 5. Source Code and Technical Assets
📝 What It Is:
Modern businesses are built on digital products and custom code — often stored in internal repositories or developer laptops.
✅ Examples:
- Source code files (.cpp, .js, .py, etc.)
- Configuration files
- Internal APIs and access keys
- Build pipelines (CI/CD YAMLs)
📌 Risks:
- Code leaks can expose security flaws
- Competitors may replicate the product
- API keys can be exploited to attack infrastructure
🛡️ DLP Role:
- Fingerprints and monitors source code repositories
- Prevents uploads to GitHub/GitLab
- Alerts on file transfers or clipboard use involving code
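The "configuration files" and "access keys" items above are the ones a DLP agent usually catches with a secrets scan rather than a fixed pattern, because an API key has no checksum to validate. Below is an added example of such a scan in Python; it is not code from the original page or from any DLP product. It combines two heuristics, a credential-like key name and a high-entropy value, and the sample config, the key-name list, and the entropy threshold of 4.0 bits per character are assumptions.

```python
import math
import re

# Constructed sample config file; every value here is invented, none is a real credential.
SAMPLE_CONFIG = """\
# constructed sample config; every value below is invented
db_host = db.internal.example
db_port = 5432
db_password = "hunter2"
api_key = "Zk9vP3qL8xR2mT7wN4bH6cJ1yF5dA0sG"
banner = "WelcomeToTheInternalBuildServer"
log_level = DEBUG
"""

# key = value / key: value lines (INI, .env, simple YAML); comment lines do not match
ASSIGNMENT_RE = re.compile(r"""^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*["']?([^"'\s#]+)""")
# key names that usually hold credentials (heuristic; no word boundary so db_password matches)
SECRET_KEY_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token|private[_-]?key)")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_config(text: str, entropy_threshold: float = 4.0, min_len: int = 20):
    """Return [(line_no, key, reasons)] for assignments that look like secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        reasons = []
        if SECRET_KEY_RE.search(key):
            reasons.append("secret-like key name")
        if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            reasons.append("high-entropy value")
        if reasons:
            findings.append((line_no, key, reasons))
    return findings


if __name__ == "__main__":
    for line_no, key, reasons in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} -> {', '.join(reasons)}")
```

Each heuristic covers the other's blind spot: `db_password = "hunter2"` is low-entropy and is caught only by its key name, while a random 32-character value under an innocuous key would be caught only by entropy. The `banner` line shows why a length and entropy threshold is needed; a long readable string stays below 4 bits per character. In a real deployment the same scan runs at the point of transfer (upload, email attachment, clipboard) and the finding feeds the alert or block decision rather than just a printout.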
Summary Table
| Data Type | Examples | Related Regulation | DLP Actions |
|---|---|---|---|
| PII | Name, ID, Email, SSN | GDPR, CCPA | Mask, block, encrypt |
| PHI | Medical records, prescriptions | HIPAA | Prevent, audit, encrypt |
| IP | Designs, trade secrets, formulas | Trade Secret Laws | Restrict, fingerprint |
| Financial | Bank details, payroll, tax data | PCI-DSS, SOX | Block, monitor, redact |
| Source Code | .cpp, .py, API keys, YAMLs | Internal Controls | Alert, block, scan for secrets |
🎯 Why It Matters
Before you can protect data, you must know:
- What you’re protecting
- Where it’s stored
- How it moves inside and outside your network
This foundational step helps tailor your DLP strategy to what matters most in your organization.