T 0.19 Disclosure of Sensitive Information
Confidential data and information should only be accessible to the persons entitled to receive such information. Alongside integrity and availability, confidentiality is one of the basic parameters of information security. For confidential information (such as passwords, personal data, official or trade secrets, development data) there is an inherent danger that it is disclosed through technical failure, carelessness or deliberate action.
This confidential information can be accessed in differing forms, for example:
- on storage media within computers (hard disks),
- on removable storage media (USB sticks, CDs or DVDs),
- in printed form on paper (printouts, files) and
- on transmission paths during data transmission.
The way in which information is disclosed can also vary widely, for example:
- unauthorised access to read files,
- inadvertent dissemination e.g. in the course of repair orders,
- inadequate deletion or destruction of data storage media,
- theft of data storage media and subsequent data perusal,
- eavesdropping on transmission lines,
- infection of IT systems with malicious software,
- interception by viewing data on a screen or eavesdropping on conversations.
Disclosure of sensitive information can have serious consequences for an institution. Loss of confidentiality can among other things lead to the following negative impact on an institution:
- violation of laws, for example data protection and banking secrecy,
- negative internal effects, for example demoralisation of the employees,
- negative external effects, for example damage to relations with business partners, loss of customer confidence,
- financial consequences, for example claims for compensation, fines, litigation costs,
- impairment of the right to informational self-determination.
A loss of confidentiality is not always noticed immediately. Often it only becomes apparent later, e.g. through press inquiries, that unauthorised persons have obtained access to confidential information.
Examples:
- Buyers of second-hand computers, hard disks, mobile telephones or similar equipment repeatedly find highly confidential information stored on them, such as medical records or account numbers.