Metadata for Securing Information

Regulations regarding information are numerous and often obscure. For this reason, employees are trained on the regulations relating to their specific department. Employees in other departments have no way to know that something like sales data is potentially insider information unless some regulatory "metadata" follows the data as it flows. Security classifications can be employed to fill this gap, and they work for simple problems: if the data is classified and you don't have the training, then don't read it. That approach carries an underlying implication that employees have access to data they shouldn't, and it assumes the problem is simple enough that a label will suffice, when a system of checks and balances is required.

Elevated security classifications do not communicate the precise actions that may be required to comply with HIPAA rules on disclosure of health data, or with SEC insider information constraints related to planned mergers. A more directive means of communicating the regulatory requirements attached to data is needed to achieve specific compliance goals.