What is it?
The safeguarding of data from unauthorized access or disclosure.
Why is it important?
Confidentiality is part of the confidentiality, integrity, and availability (CIA) security triad. In the CIA security model, the objective of confidentiality is to prevent the disclosure of information to unauthorized entities.
Why does a business professional need to know this?
Confidentiality is a fundamental concept of information security that business professionals, as well as cybersecurity professionals, must understand. After information is collected or generated, it must be evaluated and assigned a level of security appropriate to company policy and other regulatory controls. Maintaining confidentiality in accordance with the security level assigned by the organization is a responsibility of all business professionals.
Data confidentiality drew wide media attention in 2013 when Edward Snowden disclosed NSA documents revealing data collected by the U.S. government's internet and phone surveillance program (Snowden, Edward) (House of Representatives report 2016). The dispute in that case was whether Snowden was acting as a whistleblower when he disclosed the documents and, if so, whether that justified releasing material classified at that level.
Regulatory legislation and standards to protect personal information exist at all levels from international standards to local laws. Examples include the following:
- US: Health Insurance Portability and Accountability Act (HIPAA)(HIPAA)
- EU: General Data Protection Regulation (GDPR)(GDPR)
- Industry: Payment Card Industry Data Security Standard (PCI DSS)(PCI-DSS)
- US: Children's Online Privacy Protection Act (COPPA) (COPPA)
- California: Shine the Light Law (CA 2003)
Once information is classified, organizations protect its confidentiality with employee education (for example, password handling guidelines and awareness training) and with technical controls. Technical controls include access control that ties each user's permissions to the classification of the data they handle, encryption of data at rest and in transit, secure network protocols such as TLS, firewalls, and anti-malware. These controls should default to deny: a user is granted access to a record only when their role and clearance cover its classification, and every grant or refusal should be logged so that misuse can be detected.
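The classification-then-enforcement practice described above, as an added example that is not part of the original article: each record carries a sensitivity label (a level plus need-to-know compartments), each user holds a clearance, and a deny-by-default check allows a read only when the clearance dominates the label (the "no read up" rule). Every decision, allowed or denied, is written to an audit log. The levels, compartments, users and records below are constructed for illustration and are not drawn from any real organization.

```python
"""Classification-aware access control for confidentiality.

Added example, not from the original article. Models the practice of
labelling each record with a sensitivity level, giving each user a
clearance, and enforcing "no read up" with a deny-by-default check.
All names, levels, compartments and records are constructed samples.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List


class Level(IntEnum):
    """Sensitivity levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Label:
    """A classification: a level plus need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` on both axes:
        level is greater or equal, and every compartment `other` requires
        is held here."""
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass(frozen=True)
class Record:
    name: str
    label: Label
    content: str


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label


@dataclass
class AuditLog:
    """Append-only record of every access decision (constructed format)."""
    entries: List[str] = field(default_factory=list)

    def add(self, decision: str, subject: Subject, record: Record) -> None:
        self.entries.append(
            f"{decision} user={subject.user} record={record.name} "
            f"level={record.label.level.name}"
        )


def can_read(subject: Subject, record: Record) -> bool:
    """Deny by default: a read is allowed only if the clearance dominates
    the record's label ("no read up")."""
    return subject.clearance.dominates(record.label)


def read(subject: Subject, record: Record, log: AuditLog) -> str:
    """Return the content, or raise PermissionError; log either outcome."""
    if not can_read(subject, record):
        log.add("DENY", subject, record)
        raise PermissionError(f"{subject.user} may not read {record.name}")
    log.add("ALLOW", subject, record)
    return record.content


def visible_records(subject: Subject, records: List[Record]) -> List[str]:
    """Names of the records a subject may see; others are not even listed,
    since the existence of a record can itself be confidential."""
    return [r.name for r in records if can_read(subject, r)]


# Constructed sample records and users (hypothetical).
RECORDS = [
    Record("press-release", Label(Level.PUBLIC), "Q3 product launch announced"),
    Record("employee-handbook", Label(Level.INTERNAL), "Remote-work policy"),
    Record("payroll", Label(Level.CONFIDENTIAL, frozenset({"HR"})), "Salary table"),
    Record("merger-memo", Label(Level.RESTRICTED, frozenset({"EXEC"})), "Acquisition target"),
]

ANALYST = Subject("analyst", Label(Level.CONFIDENTIAL))
HR_LEAD = Subject("hr-lead", Label(Level.CONFIDENTIAL, frozenset({"HR"})))
CFO = Subject("cfo", Label(Level.RESTRICTED, frozenset({"HR", "EXEC"})))

if __name__ == "__main__":
    log = AuditLog()
    for subj in (ANALYST, HR_LEAD, CFO):
        print(subj.user, "sees:", visible_records(subj, RECORDS))
    try:
        # The analyst holds CONFIDENTIAL but lacks the HR compartment.
        read(ANALYST, RECORDS[2], log)
    except PermissionError as exc:
        print("blocked:", exc)
    print(read(CFO, RECORDS[3], log))
    print("\n".join(log.entries))
```

Running the file lists what each constructed user can see and shows the analyst being refused the HR payroll record despite holding a CONFIDENTIAL clearance, because the compartment check fails. In a real deployment the same check sits in front of every read path (API, database view, file share), and the audit log feeds security monitoring, since repeated DENY entries for one account are an early sign of an account probing for data it should not reach.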
To design a secure infrastructure, companies must provide safeguards against unauthorized access and maintain the confidentiality of information assets as mandated by both the relevant regulatory bodies and business policy.
- (GDPR) General Data Protection Regulation (EU GDPR): European Commission (2016). Summary of the EU General Data Protection Regulation, including the obligations of non-European organizations that receive personal data of EU residents.
- (COPPA) Children's Online Privacy Protection Act (COPPA): US law, with the implementing rule at 16 CFR Part 312. Covers how websites and other online services must handle the collection of information from, and tracking of interactions with, children under 13 years old.
- (CA 2003) Personal Information Protection Rules: California Civil Code section 1798.83. California rules governing privacy policies and the handling of residents' personal information, to prevent unauthorized disclosure of personally identifiable information to third parties.
- (House of Representatives report 2016) Executive Summary of Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden: US House of Representatives (2016). PDF. Unclassified congressional report on the Snowden disclosures.
- (McCallister 2010) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): McCallister, Erika, et al. (2010). NIST SP 800-122. PDF. Guidelines for a risk-based approach to protecting the confidentiality of PII.
- (Snowden, Edward) Edward Snowden: Wikipedia. Biography and brief history of Edward Snowden.