A recent previous question of mine had an answer that sparked a different and unrelated question in my mind:
Customer wants to modify the .properties files packaged in our WAR file
The question that I thought of after reading this answer is, just how low-risk is the data being collected on people (non-users, lets just say, "people") in my application?
- A first name and last name
- Company or organization that person currently is employed at.
- (Optional) An email address
- (Optional) A persons phone number
- A photograph of the persons face
- An digitally signed PDF document physically signed with electronic signature pad (a persons hand written signature)
No other sensitive data like social security numbers, credit card numbers or anything that can accurately identify a person with 100% accuracy. How sensitive would you rate the data types listed above? Is identity theft even remotely possible with the above information?
In light of all the recent news outbreaks of hacking successes and data breaches, if such a thing were to happen to my application (assume that I have reasonable security measures, SSL, encrypted passwords with salt, account lock after so many failed attempts, etc…), what kind of a response would be appropriate for my organization in your opinion? Should every attempt be made to notify the persons that this information has been compromised? Is it worth it?
Thanks for sharing your thoughts.
Best Answer
Anything that can be used to harm your users is sensitive
It's not only 'sensitive' when it allows for identity theft, that is but one form of harm.
If data can be used that way depends on the context.
For example: the first and last names and the portrait are definitively sensitive user data in, uhmm, 'adult toy stores', they are not on facebook. The phone number may be non-sensitive for all those who let it print in phone books, but it may be for the unlucky ones that get stalked.
The user is in a better position to judge his context than you, therefore i would consider all of your items sensitve, until proven otherwise or told by the user.