Data Classification Levels (2024)

Every business has at least one thing in common—a lot of data. No matter what industry you are in, the fact of the matter is that you handle information on a daily basis, accumulating records and files of many different types. One of the trickier categories of data to deal with is unstructured data. Unlike structured data, information that is formatted and contained in tools like databases, unstructured data is information that is often found in individual files, stored in a variety of locations. Due to this, unstructured data is difficult to search, organize, and analyze. For example, unstructured data can look like:

• Live chat records
• Customer-generated content
• Ebooks and whitepapers
• Email correspondence
• Internal communications
• Media and multimedia (images, audio, video)
• Medical records
• Mobile data
• Social media content
• Text files
• Web server logs
• Website content

Unstructured data encompasses many different important types of information that are often very valuable and prone to security risks. The process of sensitive data discovery, where you search and identify information that should be restricted from unauthorized access, is vital. Without it, your business could run afoul of governmental regulations as well as compromising the privacy and security of your stakeholders. And then, once identified, how do you sort and organize the unstructured data in order to continue to know what is sensitive data and what is not?

Data classification levels are the answer to this question. Using these practices, you can establish an appropriate system and mitigate much of the risk of storing unstructured data.

Data classification is a way of defining and categorizing unstructured data for a business. Rather than storing files haphazardly in an unsecured way, data classification gives you the framework to sort, organize, and store unstructured data into an appropriate system.

Imagine that you have just moved from one apartment to another. When packing, you didn’t label or organize any of the boxes. Once you’ve arrived at your new apartment, it’s time to unpack. But how do you know which boxes to put in which room? Not only that, but how can you delegate the appropriate boxes to the right person? After all, setting up your kitchen to work for you is important—if everyone is pitching and helping to unpack, your brother might end up with a box full of cooking utensils that he won’t know how to put in a new space to suit your workflow.

There are two problems that surface when you start looking at data classification:

1. How should you “pack” or store data? What data should be organized together?
2. Who should be allowed to access each “box” or be able to use which pieces of data?

Data classification can help answer these questions, giving greater access to and control over unstructured data.

When data is classified with three levels, typically this is organized into:

1. Low sensitivity data: This is information that is meant for anyone to access and use. For example, your business’ social media pages are filled with low sensitivity data. The public is welcome to engage and consume this level of information as there is nothing being shared that is a security threat.
2. Medium sensitivity data: Data that falls into this category should be considered for internal use only. While it doesn’t include highly confidential information, it still encompasses data that could be potentially harmful for unauthorized people to access. For example, inter-office emails or memos could fall into this category.
3. High sensitivity data: This classification level encompasses business-critical data and customer-specific details. If this data were compromised, it could have serious business impacts. High sensitivity data could include:
   1. • Personal Identifiable Information (PII) – any data that identifies an individual. For example, their name, address, social security number, or phone number.
      • Protected Health Information (PHI) – any data that contains identifiable health information. For example, your medical records or billing information between you and your physician.
      • Nonpublic Personal Information (NPI) – any data with personally identifiable financial information. For example, a bank account number or how much someone’s house is worth.
      • Material Non-Public Information (MNPI) – any company data that has not been released to the public. For example, information like upcoming acquisitions or mergers that could also influence share price.
4. Confidential, Regulated, and High-Risk Business Information: Any data that is particularly sensitive to a business. For example, a patent or other proprietary intellectual property. This can overlap with the other categories, as it includes similar data.

Get a free unstructured data assessment

Another way to establish data classification standards is to use four levels of classification:

1. Public data: Just like low sensitivity data, this classification level is used for information that can be viewed, accessed and used by anyone.
2. Internal data: This data level is specifically for all the information that is used internally. It correlates to the medium sensitivity level.
3. Confidential data: Typically, this data is meant for internal use and is often limited to specific teams, individuals, or departments due to the confidential nature. This classification level can contain either medium or high sensitivity data.
4. Restricted data: This is the highest level of sensitivity, and this info is carefully controlled. Access is only given to individuals who need the data to do their jobs.

An excellent example of data classification levels, the U.S. government uses a three level method. The three levels are:

1. Confidential – the lowest level of sensitivity, although this is still defined as information that would “damage” national security if the public were made aware of these details.
2. Secret – the second highest classification, the unauthorized release of these details would cause “serious damage” to national security.
3. Top secret – the highest level of sensitive information that would cause “exceptionally grave danger” if unauthorized parties accessed and used this data.
   As you can see, these levels correlate to the three data classification levels discussed above, however, the sensitivity level of the data is higher overall.

The most important reason to have a data classification policy is to ensure data security and privacy. After all, these aspects will suffer if time and attention is not dedicated to getting your classification levels right. If you don’t know where your data lives or how it needs to be protected, these are major risks. These issues lead to risks like:

• Data being lost in data silos
• Mishandling and accessing of data by unauthorized people
• Incurring fines and penalties for improper data handling and storage
• Potential lawsuits due to breached customer data

The best place to start when creating a data classification policy is by asking a few questions:

• What types of data are you collecting, processing, and storing?
  Every industry has specific regulations around the data that is used. It’s important to take stock of which regulations you will have to comply with in order to set a data classification policy that is right for you.
• What data do you already have and who will be conducting the data discovery process?
  Before you start setting up your policy, you need to know what information is already held by your company and who will be in charge of discovering your current data situation.
• Who should be able to access specific information?
  Think through how sensitive your data is and use the categories listed above to guide your process. Remember to consider whether each piece of data is intended for public, internal, confidential, or restricted access.

With these questions answered, it’s time to start developing rules for consistent and reliable data classification. Luckily, there are data classification tools that can assist you with this process.