What is it?
The safeguarding of data from unauthorized access or disclosure.
Why is it important?
Confidentiality is one of the three components of the confidentiality, integrity, and availability (CIA) security triad. In the CIA security model, the objective of confidentiality is to prevent the disclosure of information to unauthorized entities.
Why does a business professional need to know this?
Confidentiality is a fundamental concept of information security that business professionals, as well as cybersecurity professionals, must understand. After information is collected or generated, it must be evaluated and assigned a level of security appropriate to company policy and other regulatory controls. Maintaining confidentiality in accordance with the security level assigned by the organization is a responsibility of all business professionals.
The question of data confidentiality gained media attention when Edward Snowden disclosed NSA documents in 2013, revealing data collected by the U.S. government’s internet and phone surveillance program. The issue in this case was whether Snowden was acting as a whistleblower when he disclosed these documents and whether acting as a whistleblower justified the release of these documents, despite their level of confidentiality.
Regulatory legislation and standards to protect personal information exist at all levels, from international standards to local laws. Examples include the following:
- US: Health Insurance Portability and Accountability Act (HIPAA)
- EU: General Data Protection Regulation (GDPR)
- Industry: Payment Card Industry Data Security Standard (PCI DSS)
- US: Children’s Online Privacy Protection Act (COPPA)
- California: Shine the Light Law
Once information is classified, organizations use employee education (for example, password complexity guidelines) and technical controls to protect its confidentiality. Technical controls include secure protocols, encryption, password protection, firewalls, and antivirus mechanisms.
To design a secure infrastructure, companies must provide safeguards against unauthorized access and maintain the confidentiality of information assets as mandated by both the relevant regulatory bodies and business policy.