Confidential Business Information (CBI) is a catch-all term for information your business must protect. Enterprise data security must protect a huge range of data, from HR records, to customer billing info, to IP, to potentially embarrassing internal conversations. Because of the sheer quantity and variety of confidential information, it’s crucial to come up with a unified strategy to keep everything secure.
What is Confidential Business Information?
The broad categories of confidential business information include:
- Intellectual property such as manuscripts, business processes, designs — if it’s not supposed to be public knowledge, it’s CBI.
- Trade secrets including business processes, manufacturing techniques, branding and marketing strategies and any other confidential internal data.
- Sensitive communications whose release could harm you, your partners, or your clients should also be considered confidential business information. This includes communications whose disclosure would violate a compliance rule, even if the content itself is not harmful. For example, if you’re a doctor and a customer emails you to confirm an appointment, that email is confidential business information because it’s covered by HIPAA — even if the topic doesn’t seem particularly sensitive.
- Personally identifiable information, including anything that could identify a customer, worker or partner:
  - Name, address, and Social Security number.
  - Financial data like credit card numbers and purchase histories.
  - Other personal data, such as medical records, educational records or internal evaluations.
How to Protect Confidential Business Information
As the above examples of confidential information illustrate, there’s a wide range of data that needs to be protected according to different requirements. Some confidential business information is governed by legal agreements such as NDAs or business associate agreements. Other data falls within the scope of PCI DSS, CFPB regulations, or other compliance law.
Similarly, the circumstances under which confidential business information can be shared and the consequences of inadvertent disclosure vary tremendously. Accidentally including a client on an internal conversation about a meeting could be just a minor embarrassment, while sharing the plans for a new product could seriously undermine your business.
The best strategy is to simplify as much as possible. Creating a single, uniform strategy that meets all the compliance standards your business is subject to, while also meeting all your internal security needs, is easier and safer than trying to create a separate standard for each compliance regime. For example, if you use a secure client portal for confidential client communications, a separate secure communication tool for confidential internal business, and regular unencrypted email for general business, it’s easy to slip up and fail to properly protect certain communications.
Using a single secure email provider, backed by a Data Loss Prevention (DLP) solution, results in a much lower risk of a mistake. Workers can encrypt anything with a click without disrupting their workflow, so they don’t have to worry about switching accounts or interfaces to protect confidential information. DLP automates your compliance rules and security policies, providing continuous enforcement and reinforcing the training workers have received. That makes it easier to keep data secure across your organization.
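As an added example of the kind of rule a DLP engine applies to outbound mail (this is illustration code, not the article's or any vendor's product), the Python below scans a message for two of the PII types listed above, a Social Security number and a payment card number, and maps what it finds to a policy action: allow, encrypt, or block for review. The card rule applies the Luhn checksum so that order numbers and tracking ids that happen to be 16 digits long do not trigger it, and findings are reported masked rather than logging the raw value. The SSN pattern, the bulk threshold of five, the domain example.com, and the sample values are all assumptions constructed for the example, not any real compliance standard.

```python
"""Toy outbound-email DLP check (added example, not the article's product).

Scans a message for two PII patterns the article names, a U.S. Social
Security number and a payment card number, and maps the findings to a
policy action: ALLOW, ENCRYPT, or BLOCK.  The card check uses the Luhn
checksum so that random 16-digit strings (order numbers, tracking ids)
do not trigger the rule.  Policy thresholds are assumptions for the
example, not any real compliance standard.
"""
import re
from dataclasses import dataclass

# Assumed SSN shape: AAA-GG-SSSS, excluding area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "ssn" or "card"
    masked: str    # last four digits only; the raw value is never stored


def scan(text: str) -> list[Finding]:
    """Return one Finding per SSN or Luhn-valid card number in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# Assumed policy (example only): PII in mail leaving the organisation must be
# encrypted; mail carrying more than BULK_THRESHOLD values looks like a bulk
# export and is blocked for review; internal mail stays inside the provider.
BULK_THRESHOLD = 5


def decide(text: str, recipient_domain: str,
           own_domain: str = "example.com") -> tuple[str, list[Finding]]:
    """Map the scan result for one message to a policy action."""
    findings = scan(text)
    if not findings:
        return "ALLOW", findings
    if len(findings) > BULK_THRESHOLD:
        return "BLOCK", findings
    if recipient_domain.lower() != own_domain.lower():
        return "ENCRYPT", findings
    return "ALLOW", findings


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a standard test card
    # number and 219-09-9999 is an invalid SSN used only in examples.
    for body, to in [("Ref 1234 5678 9012 3456, nothing sensitive", "partner.org"),
                     ("Card 4111 1111 1111 1111 exp 12/29", "partner.org"),
                     ("SSN 219-09-9999 for the HR file", "example.com")]:
        action, found = decide(body, to)
        print(action, [(f.kind, f.masked) for f in found])
```

In a real deployment the action would be taken by the mail gateway or the client add-in, and the masked findings (not the raw values) would go to the audit log, so the DLP system itself does not become a new store of the data it is meant to protect.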
To learn more about how to keep confidential information secure, check out how our client-side data protection works.