The EBU’s Media Cybersecurity working group has published guidance for media companies to help classify data, manage confidential information better, and protect critical information against theft and leakage. Systematic approaches to data protection have become even more important with the increasing use of AI in organizations. EBU R 168 recommends a classification of data based on the potential damage caused if it is misused. The Recommendation is freely available to EBU Members and system vendors.
Media organizations handle large volumes of sensitive information, including personal identifiable information, business data, media assets, and journalistic research. Leakage or tampering with this data can lead to legal, technical, or business risks, disrupt operations, open attack vectors to critical infrastructure, and even endanger the safety of journalists or staff. The increasing use of AI means companies also need to protect information from scraping or unintended ingestion.
EBU R 168 recommends that media companies categorize information based on its potential impact if exposed. This approach ensures appropriate protective measures are applied to sensitive data.
The 4 proposed information classes are:
- Public: Data already made available to the public, such as published articles or press releases.
- Restricted: Less sensitive data that could disrupt operations if leaked, such as internal reports or workflows. Proposed protective measures include storage on company-controlled infrastructure only.
- Confidential: Sensitive data whose leakage could cause significant damage. Examples include internal communications or unreleased media content. Proposed protective measures include no storage on devices, encryption at rest and in transit, and clear labelling in metadata.
- Strictly Confidential: Data whose unauthorized exposure could lead to severe legal or business consequences or put employees at significant personal risk. Protective measures for this class should include strict prevention of storage or processing on private devices, encryption with encryption keys unknown to service providers, and clear labelling in the metadata.
More about the EBU Media Cybersecurity group can be found here.