---
title: "Sensitive Data — AP Cybersecurity Definition & Exam Guide"
description: "Sensitive data is information that causes real harm if exposed, like PII, PHI, or regulated records. Learn how it ties to confidentiality risk and Unit 5 attacks."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 5"
---

# Sensitive Data — AP Cybersecurity Definition & Exam Guide

## Definition

In AP Cybersecurity, sensitive data is information that would cause loss, harm, or legal trouble if accessed by the wrong people, such as PII, PHI, financial records, or data governed by laws and regulations.

## What It Is

Sensitive data is any information that needs protection because exposing it causes real damage. Think personal records (PII), health information (PHI), payment card data (PCI), or proprietary designs like the next jet engine a company is building for the Air Force. If an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") gets it, someone gets hurt, sued, or robbed.

The key idea from **EK 5.1.C.1** is that protecting sensitive data means guarding all three parts of the CIA triad. Confidentiality is compromised when unauthorized people can read it. Integrity is compromised when someone alters it. Availability is compromised when it gets destroyed or [encrypted](/ap-cybersecurity/unit-1/best-practices-for-public-networks/study-guide/nli0fCFfA8OIiMHEGsBP "fv-autolink") so the real owner can't reach it. **EK 5.1.C.2** adds the part that matters most for risk scoring: data governed by laws or regulations counts as *highly* sensitive, so a likely [exploit](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") against it is a high risk, not a minor one.

## Why It Matters

Sensitive data is the payoff target in [Unit 5](/ap-cybersecurity/unit-5 "fv-autolink"): Securing Applications and Data, specifically topic 5.1. The whole unit makes more sense once you realize attacks like SQL injection or directory traversal aren't the point. They're the *path* to the sensitive data at the end. Learning objective **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 5.1.C** asks you to assess and document risks from data vulnerabilities, and you can't do that without judging how sensitive the data is. The more sensitive the data and the more likely the exploit, the higher the risk score. That's the core reasoning move the CED wants from you.

## Connections

### PII, PHI, and PCI (Unit 5)

These three are the named, regulated categories of sensitive data. PII is personal info, PHI is health info, PCI is payment card info. They're examples of the 'governed by laws or regulations' data that EK 5.1.C.2 calls highly sensitive, so a breach of any of them automatically scores as high [risk](/ap-cybersecurity/key-terms/risk "fv-autolink").

### Data at rest, in transit, and in use (Unit 5)

Sensitive data exists in three states, and each needs different protection. EK 5.1.A.1 warns that an adversary can read any unencrypted file at rest if they reach the drive, which is exactly why [encryption](/ap-cybersecurity/key-terms/encryption "fv-autolink") matters for sensitive data.

### SQL injection and directory traversal (Unit 5)

These are application attacks that exploit [vulnerabilities](/ap-cybersecurity/key-terms/vulnerability "fv-autolink") to reach sensitive data. SQL injection tricks a database into handing over records, and directory traversal lets an attacker climb to files they shouldn't see. The vulnerability is the door; sensitive data is what's in the room.

### Confidentiality, integrity, and availability (Units 1, 5)

The CIA triad is the lens you use to describe what went wrong with sensitive data. Reading it without permission breaks confidentiality, altering it breaks integrity, and locking or destroying it breaks availability.

## On the AP Exam

Expect sensitive data to show up inside risk-assessment and attack scenarios rather than as a standalone definition question. Multiple-choice stems describe an attack (a phished login that opens a gradebook, a script that steals session tokens) and ask you to name the attack or the security property that was compromised. Your job is to connect the attack to the sensitive data it exposed and decide which part of the CIA triad failed. On free-response, you'd assess and document risk: rate how sensitive the data is, estimate how likely the exploit is, and explain why regulated data pushes the risk to 'high.' Lead your reasoning with the data's sensitivity, then the likelihood of the exploit.

## sensitive data vs PII

PII is a *type* of sensitive data, not a synonym for it. Sensitive data is the broad umbrella for anything harmful to expose, including health records, payment data, and proprietary designs. PII specifically means personally identifiable information like names, Social Security numbers, and addresses. All PII is sensitive data, but not all sensitive data is PII.

## Key Takeaways

- Sensitive data is any information that causes loss, harm, or legal trouble if the wrong person accesses it, and data governed by laws counts as highly sensitive.
- Protecting sensitive data means defending confidentiality, integrity, and availability, since an attacker can read it, alter it, or destroy it.
- Per EK 5.1.A.1, an adversary can read any unencrypted file at rest if they reach the device, which is why encryption is the baseline defense.
- High risk comes from highly sensitive data plus a likely exploit, so you weigh both factors when documenting risk under AP Cybersecurity 5.1.C.
- Attacks like SQL injection and directory traversal are the path to sensitive data, not the goal itself.

## FAQs

### What is sensitive data in AP Cybersecurity?

It's information that would cause harm, loss, or legal problems if exposed, such as PII, PHI, payment data, or proprietary designs. The CED treats data governed by laws or regulations as highly sensitive, which raises its risk score.

### Is all sensitive data the same as PII?

No. PII (personally identifiable information) is just one category of sensitive data. Health records (PHI), payment card data (PCI), and trade secrets are also sensitive but aren't PII. All PII is sensitive, but sensitive data is the wider umbrella.

### How does sensitive data relate to the CIA triad?

The CIA triad describes what an attacker can do to it. Reading it without permission breaks confidentiality, changing it breaks integrity, and destroying or encrypting it breaks availability. EK 5.1.C.1 ties all three to data security risk.

### Why is regulated data considered higher risk on the exam?

Because EK 5.1.C.2 says high risks often involve highly sensitive data, like data governed by laws or regulations. If that kind of data faces a likely exploit, you'd document it as a high risk, not a minor one.

### How do attacks like SQL injection connect to sensitive data?

Those attacks are the method, and sensitive data is the prize. SQL injection and directory traversal exploit application vulnerabilities to reach files or database records the attacker shouldn't have, which is why they appear in the same Unit 5 topic.

## Related Study Guides

- [5.1 Application and Data Vulnerabilities and Attacks](/ap-cybersecurity/unit-5/application-and-data-vulnerabilities-and-attacks/study-guide/T25I7qaDw4w4XT1rkAYr)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data#resource","name":"Sensitive Data — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.914Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data#term","name":"sensitive data","description":"In AP Cybersecurity, sensitive data is information that would cause loss, harm, or legal trouble if accessed by the wrong people, such as PII, PHI, financial records, or data governed by laws and regulations.","url":"https://fiveable.me/ap-cybersecurity/key-terms/sensitive-data","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.1, LO 5.1.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is sensitive data in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's information that would cause harm, loss, or legal problems if exposed, such as PII, PHI, payment data, or proprietary designs. The CED treats data governed by laws or regulations as highly sensitive, which raises its risk score."}},{"@type":"Question","name":"Is all sensitive data the same as PII?","acceptedAnswer":{"@type":"Answer","text":"No. PII (personally identifiable information) is just one category of sensitive data. Health records (PHI), payment card data (PCI), and trade secrets are also sensitive but aren't PII. All PII is sensitive, but sensitive data is the wider umbrella."}},{"@type":"Question","name":"How does sensitive data relate to the CIA triad?","acceptedAnswer":{"@type":"Answer","text":"The CIA triad describes what an attacker can do to it. Reading it without permission breaks confidentiality, changing it breaks integrity, and destroying or encrypting it breaks availability. EK 5.1.C.1 ties all three to data security risk."}},{"@type":"Question","name":"Why is regulated data considered higher risk on the exam?","acceptedAnswer":{"@type":"Answer","text":"Because EK 5.1.C.2 says high risks often involve highly sensitive data, like data governed by laws or regulations. If that kind of data faces a likely exploit, you'd document it as a high risk, not a minor one."}},{"@type":"Question","name":"How do attacks like SQL injection connect to sensitive data?","acceptedAnswer":{"@type":"Answer","text":"Those attacks are the method, and sensitive data is the prize. SQL injection and directory traversal exploit application vulnerabilities to reach files or database records the attacker shouldn't have, which is why they appear in the same Unit 5 topic."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 5","item":"https://fiveable.me/ap-cybersecurity/unit-5"},{"@type":"ListItem","position":4,"name":"sensitive data"}]}]}
```
