Researchers often require and collect sensitive information about individuals to answer important scientific questions that impact individual health and well-being and the public health. Researchers recognize they have a duty to maintain the confidentiality of the data they collect and typically make promises, which are documented in the consent form. The legal interests of others, however, can threaten researchers' promises of confidentiality, if they seek access to the data through subpoena. Certificates of Confidentiality (Certificates), authorized by federal statute, are an important tool for protecting individually identifiable sensitive research data from compelled disclosure. However, questions persist in the research community about the strength of Certificate protections, and the evidence on which to judge the strength is scant. In this article, we address those questions through a careful examination of the legislation and regulations concerning Certificates and the reported and unreported cases we have identified through our legal research and interviews with legal counsel about their experiences with Certificates. We also analyze other statutes that protect research data to compare them to the Certificate's protections, and we review other legal strategies available for protecting research data. Based on our analysis, we conclude with recommendations for how to strengthen protection of sensitive research data.