Data classification, handling requirements, and regulatory compliance
Protected data refers to information that requires special handling due to its sensitivity, regulatory requirements, or business value. SOC analysts must understand data classifications to properly prioritize alerts and respond to potential data breaches.
- PII (Personally Identifiable Information): data that can identify an individual, such as SSN, driver's license, biometric data, or full name + address.
- PHI (Protected Health Information): medical records, diagnoses, treatment information. Governed by HIPAA.
- PCI (Payment Card Data): credit card numbers, CVV codes, cardholder data. Governed by PCI DSS.
- IP (Intellectual Property): trade secrets, source code, patents, proprietary business processes.
When a DLP alert fires, you need to instantly assess what type of data is at risk. The response escalation depends on the data type:
| Data Type | Examples of Identifiers | DLP Detection Pattern | Breach Impact |
|---|---|---|---|
| PII | SSN (XXX-XX-XXXX), passport numbers, biometric templates | Regex: \d{3}-\d{2}-\d{4}, keyword: "social security" | Identity theft, regulatory fines, class-action lawsuits |
| PHI | Medical record numbers, diagnoses (ICD codes), prescription data | Keyword lists, document fingerprinting of medical forms | HIPAA violation ($100-$50,000 per record), criminal penalties |
| PCI | Primary Account Number (PAN), track data, CVV | Luhn algorithm validation, BIN matching, regex for 16-digit patterns | Card brand fines ($5K-$100K/month), loss of processing ability |
| IP | Source code, design documents, customer lists, trade secrets | Document classification labels, bulk transfer detection | Competitive advantage loss, potentially billions in value |
Most data breaches involving protected data come from inside the organization — employees with legitimate access who exfiltrate data before leaving (see the SOC Triage Simulator scenario 4 for a hands-on example). DLP alerts for departing employees should always receive elevated scrutiny, especially during notice periods.
This topic extends the Data Lifecycle Visualizer from Shield House, adding SOC-specific data protection monitoring perspectives.
| Level | Description | Examples | Handling |
|---|---|---|---|
| Public | Information freely available | Marketing materials, public website | No restrictions |
| Internal | For employees only | Org charts, internal procedures | Don't share externally |
| Confidential | Limited business access | Financial reports, contracts | Encryption, access controls |
| Restricted | Highest sensitivity | PII, PHI, trade secrets, PCI | Strict encryption, audit logging, DLP |
- GDPR: 72-hour breach notification, right to erasure, data portability, consent requirements.
- CCPA: consumer rights to know, delete, and opt out of sale. Applies to large businesses.
- HIPAA: privacy and security rules for PHI. Breach notification within 60 days.
- PCI DSS: 12 requirements for cardholder data protection. Quarterly scans, annual audits.
Different regulations have different notification requirements. GDPR: 72 hours. HIPAA: 60 days. PCI: Varies by contract. Know your organization's obligations!
| Alert Type | Data Type | Priority | Action |
|---|---|---|---|
| Email with SSN pattern | PII | High | Verify intent, check recipient, escalate if external |
| Large file upload to cloud storage | Unknown | Medium | Check file type, user role, destination service |
| Credit card pattern in logs | PCI | Critical | Immediate investigation - should never appear in logs |
| Medical record access off-hours | PHI | High | Verify user role, check if patient is assigned |
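The detection patterns from the data-type table and the priority rules from the alert table above, combined into one small triage routine. This is an added example written for this page, not code from the original course or from any DLP product; the sample events, the PHI keyword list, the tiny BIN-prefix subset, the channel names and the "bump one level for a departing employee" rule are all assumptions made for illustration.

```python
"""Added example (not part of the original training page): classify DLP
events by the protected-data type they contain, then assign the triage
priority from the alert table.  All sample events, keyword lists and BIN
prefixes below are constructed for illustration."""
import re
from dataclasses import dataclass

# Detection patterns from the table: SSN regex, keyword hits for PHI, and a
# Luhn-validated card-number candidate.  The BIN prefixes are a deliberately
# tiny, constructed subset (real BIN tables are large and licensed).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits
PHI_KEYWORDS = ("diagnosis", "medical record", "icd-10", "prescription")
KNOWN_BIN_PREFIXES = ("4", "51", "52", "53", "54", "55")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if >9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so a finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    data_type: str   # "PII", "PHI" or "PCI"
    evidence: str    # masked match, never the raw value


def detect_protected_data(text: str) -> list[Finding]:
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("PII", mask(m.group())))
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn plus BIN matching cuts false positives from order numbers,
        # timestamps and other long digit strings.
        if luhn_valid(digits) and digits.startswith(KNOWN_BIN_PREFIXES):
            findings.append(Finding("PCI", mask(digits)))
    lowered = text.lower()
    if any(k in lowered for k in PHI_KEYWORDS):
        findings.append(Finding("PHI", "keyword match"))
    return findings


@dataclass
class DlpEvent:
    channel: str                    # "email", "log", "cloud_upload", "db_access"
    content: str
    external_recipient: bool = False
    user_departing: bool = False    # user in notice period (insider risk note)
    after_hours: bool = False


PRIORITY_ORDER = ["Low", "Medium", "High", "Critical"]


def triage(event: DlpEvent) -> tuple[str, str]:
    """Return (priority, action) following the alert table rows."""
    types = {f.data_type for f in detect_protected_data(event.content)}
    if "PCI" in types and event.channel == "log":
        priority, action = "Critical", "Immediate investigation - PAN should never appear in logs"
    elif "PII" in types and event.channel == "email":
        priority, action = "High", "Verify intent, check recipient"
        if event.external_recipient:
            action += ", escalate (external recipient)"
    elif "PHI" in types and event.channel == "db_access" and event.after_hours:
        priority, action = "High", "Verify user role, check if patient is assigned"
    elif event.channel == "cloud_upload" and not types:
        priority, action = "Medium", "Check file type, user role, destination service"
    else:
        priority, action = "Low", "Record and monitor"
    # Departing employees get elevated scrutiny: raise one level, capped at Critical.
    if event.user_departing and priority != "Critical":
        priority = PRIORITY_ORDER[PRIORITY_ORDER.index(priority) + 1]
    return priority, action


if __name__ == "__main__":
    samples = [  # constructed events, not real data
        DlpEvent("log", "checkout ok pan=4111111111111111 amount=12.50"),
        DlpEvent("email", "HR file: SSN 123-45-6789", external_recipient=True, user_departing=True),
        DlpEvent("cloud_upload", "quarterly.zip 2 GB to personal storage"),
    ]
    for ev in samples:
        print(ev.channel, triage(ev))
```

Findings carry only masked values, so the analyst's own triage log does not become a second copy of the cardholder data; the Luhn-plus-BIN step is what keeps a 16-digit order number or timestamp from paging someone at 3 a.m.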
- Exfiltration indicators: large outbound transfers, uploads to personal cloud, encrypted archives, unusual USB activity.
- Unusual access patterns: after-hours database queries, bulk record access, printing sensitive documents.
- External sharing indicators: email to competitors, file shares with external parties, VPN from unusual locations.
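The indicators above turned into detection logic run over a constructed audit log, as an added example for this page (not code from the original course or from any SIEM or DLP product). The pipe-delimited log format, the business-hours window, the byte and record thresholds, the personal-cloud domain list and the organisation domain are all assumptions; a real deployment would pull these from the data-governance inventory the page recommends building.

```python
"""Added example (not part of the original page): flag insider-risk
indicators over a constructed audit log and rank users by hit count.
Log format, thresholds and domain lists are assumptions."""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp|user|action|detail|bytes
SAMPLE_LOG = """\
2024-03-01T02:15:00|jdoe|db_query|table=patients|0
2024-03-01T02:16:10|jdoe|db_query|table=patients;where=id<50000|0
2024-03-01T02:20:00|jdoe|export|records=48000|0
2024-03-01T09:05:00|asmith|email|to=bob@partner-corp.com;file=q1.pdf|120000
2024-03-01T17:40:00|jdoe|upload|dest=drive.google.com;file=patients.7z|2500000000
2024-03-01T18:10:00|jdoe|usb_write|device=removable;file=patients.7z|2500000000
2024-03-01T11:00:00|mlee|print|doc=contract.pdf;label=confidential;pages=3|0
"""

BUSINESS_HOURS = (8, 18)                # 08:00-17:59 local time (assumption)
BULK_RECORD_THRESHOLD = 10_000
LARGE_TRANSFER_BYTES = 1_000_000_000    # 1 GB (assumption)
PERSONAL_CLOUD_DOMAINS = ("drive.google.com", "dropbox.com", "mega.nz")
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")
SENSITIVE_LABELS = ("confidential", "restricted")
ORG_DOMAIN = "example.com"              # constructed organisation domain
TRANSFER_ACTIONS = ("upload", "email", "usb_write")


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, user, action, detail, size = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail, "bytes": int(size)})
    return events


def detail_field(detail: str, key: str) -> str:
    """Read one key=value item out of the semicolon-separated detail column."""
    for part in detail.split(";"):
        k, _, v = part.partition("=")
        if k == key:
            return v
    return ""


def is_after_hours(ts: datetime) -> bool:
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def find_indicators(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (user, indicator, detail) for every indicator an event triggers."""
    hits = []
    for e in events:
        d, user, action = e["detail"], e["user"], e["action"]
        if action == "db_query" and is_after_hours(e["ts"]):
            hits.append((user, "after_hours_query", d))
        if action == "export" and int(detail_field(d, "records") or 0) >= BULK_RECORD_THRESHOLD:
            hits.append((user, "bulk_record_access", d))
        if action in TRANSFER_ACTIONS and e["bytes"] >= LARGE_TRANSFER_BYTES:
            hits.append((user, "large_outbound_transfer", d))
        if action == "upload" and detail_field(d, "dest").endswith(PERSONAL_CLOUD_DOMAINS):
            hits.append((user, "personal_cloud_upload", d))
        if action in TRANSFER_ACTIONS and detail_field(d, "file").endswith(ARCHIVE_EXTENSIONS):
            hits.append((user, "archive_transfer", d))
        if action == "usb_write":
            hits.append((user, "usb_activity", d))
        if action == "print" and detail_field(d, "label") in SENSITIVE_LABELS:
            hits.append((user, "sensitive_print", d))
        if action == "email" and not detail_field(d, "to").endswith("@" + ORG_DOMAIN):
            hits.append((user, "external_email", d))
    return hits


def rank_users(hits: list[tuple[str, str, str]]) -> list[tuple[str, int]]:
    """Users with the most indicator hits first; combine with HR notice-period data."""
    return Counter(user for user, _, _ in hits).most_common()


if __name__ == "__main__":
    found = find_indicators(parse_log(SAMPLE_LOG))
    for user, indicator, detail in found:
        print(f"{user:8} {indicator:24} {detail}")
    print(rank_users(found))
```

No single indicator here is conclusive (an after-hours query may be a legitimate batch job), which is why the ranking counts distinct signals per user: one account touching a bulk export, an archive, a personal cloud destination and a USB device in the same day is the pattern the insider-risk note above is describing.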
Know What's Where: Work with data governance to understand where protected data lives in your environment. DLP is only effective if it knows what to protect. Ask: "Where is our crown jewels data stored?"
1. Confirm: verify data was actually exposed, not just accessed. Document evidence.
2. Scope: what data types? How many records? What time period?
3. Contain: stop ongoing exfiltration, preserve evidence, isolate affected systems.
4. Escalate: Legal, Privacy Officer, Management - follow the IR plan escalation matrix.
Test your understanding of protected data. Score 80% or higher to pass.
1. Which data classification level would apply to customer Social Security Numbers?
2. What is the GDPR breach notification timeline?
3. A DLP alert shows credit card numbers appearing in application logs. What priority is this?
4. Which regulation specifically governs Protected Health Information (PHI)?
5. What is the FIRST step when a potential data breach is detected?