Expand your cybersecurity education with an in-depth glossary of data security terminology and concepts.

European Data Protection Board

The primary supervisory authority established by the GDPR. The board consists of the heads of EU member states’ supervisory authorities as well as the European Data Protection Supervisor. The goal of the EDPB is to ensure consistent application of the GDPR by member states.

European Data Protection Supervisor

An independent authority that aims to ensure that European organizations and member states comply with the privacy rules of the GDPR.

Exact Matching

Where the a result of a query, algorithm or search only registers a match if there is a 100% match.


The unauthorized transfer of data off of a computer or network.


The Financial Industry Regulatory Authority (FINRA, Inc.) exists to protect investors. 

False Positive

A false positive is an alert that incorrectly indicates a vulnerability exists or malicious activity is occurring. These false positives add a substantial number of alerts that need to be evaluated, increasing the noise level for security teams.

File Clustering

An unsupervised learning method whereby a series of files is divided into multiple groups, so that the grouped files are more similar to the files in their own group and less similar to those in the other groups.

Fuzzy Matching

Where scores of a result can fall from 0 - 100, based on the degree to which the search data and file data values match.


The General Data Protection Regulation (GDPR) is a European Union regulation that requires companies to provide protection, transparency, and accountability for EU citizen’s personal data. The GDPR became effective on May 25, 2018.


The Gramm-Leach-Bliley Act (GLBA) compels financial institutions to secure and provide transparency of nonpublic personal information (NPI).

Ghost Data

Ghost data in cybersecurity refers to data that still exists within a database or storage system but is no longer actively used or known to be accessible.


An acronym for the Health Insurance Portability and Accountability Act. This is an American law that sets national standards and regulations for the transfer of electronic healthcare records. Under HIPAA, patients must opt in before their healthcare information can be shared with other organizations.


An acronym for the Health Information Technology for Economic and Clinical Health Act. This is an American law enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH aims to build on the healthcare security and privacy requirements set forth by HIPAA. HITECH does so by adding tiered monetary penalties for noncompliance, as well as the requirement for breach notifications.

Health Breach Notification Rule

A Federal Trade Commission rule requiring vendors of personal health records to notify consumers following a breach involving unsecured information. And if a service provider to such a vendor is breached, they must notify the vendor. The rule also stipulates an exact timeline and method by which these public notifications must be made.


Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties typically using encryption and permission management.

ISO 27001

International standard for how to manage information security, first published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. It outlines standards for creating, executing, maintaining and optimizing an information security management system, in order to help organizations make their information assets more security.

Information Security Policy

The directives, rules, regulations, and best practices that an organization follows to manage and secure information.

Insider Threat

Any individual with insider access to an organization's networks or resources that would allow them to exploit the vulnerabilities of that organization's security or steal data.


The assurance that information has not been changed and that it is accurate and complete. The GDPR mandates that data controllers and processors implement measures guarantee data integrity.

Least Privilege

A security principle which mandates that users should be granted the least amount of permissions necessary to perform their job.

Legal Basis for Processing

The GDPR mandates that data controllers must demonstrate a legal basis for data processing. The six legal bases for processing listed in the law are: consent, necessity, contract requirement, legal obligation, protection of data subject, public interest, or legitimate interest of the controller.


An acronym for Multifactor Authentication. This represents an authentication process that requires more than one factor of verification. An example would be a login that requires a username and password combination, as well as an SMS-code verification, or the use of a physical security key.


A deliberate configuration change within a system by a malicious actor, typically to create back-door access or exfiltrate information. While the original change in configuration might involve a compromised account or other vulnerability, a malconfiguration has the benefit of offering long term access using legitimate tools, without further need of a password or after a vulnerability is closed.


A term that represents a number of different types of malicious software that is intended to infiltrate computers or computer network.

Managed Database

A database with storage, data, and compute services that is managed and maintained by a third-party provider instead of by an organization's IT staff.

Masked Data

Sensitive information swapped with arbitrary data intended to resemble true production data, rendering it useless to bad actors. It's most frequently used in test or development environments, where realistic data is needed to build and test software, but where there is no need for developers to see the real data.


Data that describes other data. For databases, metadata describes properties of the data store itself, as well as the definition of the schema.


A dangerous or unapproved configuration of an account that could potentially lead to a compromise typically done by a well-intentioned user attempting to solve an immediate business problem. While there is no malicious intent, misconfiguration is actually the leading cause of data loss or compromise.

Misplaced Data

Misplaced data occurs when any data moves from an approved environment to an unapproved environment.


An acronym for the National Institute of Standards and Technology. NIST is a unit of the US Commerce Department tasked with promoting and maintaining measurement standards. NIST leads the development and issuance of security standards and guidelines for the federal government.


An acronym for nonpublic personal information.

NYDFS Cybersecurity Regulation

NYDFS is an acronym for the New York Department of Financial Services.


In data security or privacy terms, this is the breach of a legal duty to protect personal information.

Notice at Collection

Notice at Collection, is a transparency requirement that compels businesses to inform consumers, at or before the point of collection, about the category of personal information (PI) that they collect.

Obfuscated Data

Sensitive information swapped with arbitrary data intended to resemble true production data, rendering it useless to bad actors. It's most frequently used in test or development environments, where realistic data is needed to build and test software, but where there is no need for developers to see the real data.

Opt In

When an individual makes an active indication of choice, such as checking a box indicating willingness to share information with third parties.

Opt Out

Either an explicit request for a user to no longer share information or receive updates from an organization, or a lack of action that implies that the choice has been made, such as when a person does not uncheck a box indicating willingness to share information with third parties.


An acronym for the Payment Card Industry Data Security Standard. This is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.


Protected health information (PHI) is a distinct category of sensitive data that is intimately linked to an individual's health and healthcare services.


Personally identifiable information (PII) refers to any information that can be used to identify an individual directly or indirectly.

Passive Data Collection

Any data collection technique that gathers information automatically, with or without the end user’s knowledge.

Purpose limitation

Purpose limitation or data use limitations requires that businesses ensure that they limit the use of personal information (PI) to the purposes for which it was collected.The GDPR provides more leeway when it comes to purpose limitation.


A type of malware that encrypts the files on an endpoint device using a mechanism for which only the attacker has the keys. While the attacker will offer the key in exchange for payment, fewer than half of victims that do pay actually recover their files.


The idea that organizations should only retain information as long as it is pertinent.

Right of Access

An individual’s right to request and receive their personal data from a business or other organization.

Right to Correct

The right for individuals to correct or amend information about themselves that is inaccurate.

Right to Deletion

An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.

Right to be Forgotten

An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data.

Right to be Informed

The “right to be informed,” is a transparency requirement that compels businesses to inform data subjects, at the time of collection, about the personal data collected, purpose for processing the personal data, period of the personal data, and who the personal data will be shared with.

Risk Assessment

In cybersecurity, a risk assessment is a comprehensive analysis of an organization to identify vulnerabilities and threats. The goal of a risk assessment is to identify an organization’s risks and make recommendations for mitigating those risks.


The Sarbanes-Oxley Act (SOX) establishes auditing and financial accounting standards for publicly traded companies.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) is a federal law designed to improve financial transparency and responsibility for U.S. public companies. It’s enactment in 2002 was prompted by several well-publicized accounting scandals established a number of standards for public companies to follow.

Sensitive Data

Any information that is protected against unwarranted disclosures, for reasons either legal, ethical, privacy, financial, or otherwise. This can include, but is not limited to: health data, personal information, confidential data such as trade secrets, etc...

Sensitive Data Discovery and Classification

Sensitive data discovery and classification is a process used to identify and categorize sensitive or confidential information within an organization's digital assets.

Sensitive Information

Data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. According to NIST, this represents information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.GDPR refers to this as sensitive personal data that represents a mixture of private opinions and health information that falls into specialized, legally protected categories. Businesses must treat this data with the highest security.

Sensitive Personally Identifiable Information

Sensitive personally identifiable information (SPII) is a subset of PII, but with heightened significance and risks.

Shadow IT

Any unapproved cloud-based account or solution implemented by an employee for business use. It might also include the use of an unknown account with an approved provider, but administered by the user rather than corporate IT.

Shadow SaaS

An unapproved cloud application that is connected in some way (typically by API) to that organization's SaaS or IaaS with access to corporate data but without permission from the organization.

Stale Data

Stale data is data collected that is no longer needed by an organization for daily operations. Sometimes the data collected was never needed at all. Most organizations store a significant amount of stale data.

Structured Data

Data in a standardized format, with a well-defined structure that is easily readable by humans and programs. Most structured data is typically stored in a database. Though structured data only comprises 20 percent of data stored worldwide, its ease of accessibility and accuracy of outcomes makes it the foundation of current big data research and applications.