Why (and How) You Should Apply Data Redaction to Your Business

In May 2015, hackers accessed approximately 114,000 Internal Revenue Service accounts and obtained personal information. By February 2016, the IRS reported that the number had grown to 724,000.

A Social Security number is gold to cybercriminals. With those nine digits, someone could apply for a loan, get medical treatment or receive tax refunds. That's why you need to implement data redaction in your business practices.

Your customers and business partners trust you with the information they provide. Their sensitive information should be securely protected and managed only by the right people, to reduce the risk of exposure and cyber crime. Doing so is also essential to meeting safety and compliance standards, such as the Payment Card Industry Data Security Standard and HIPAA.

Data redaction can transform personally identifiable information (PII) into an unintelligible pattern, completely encrypt particular pieces of data or block certain users from accessing sensitive information. Let's first break down the types and methods of redaction you can implement within your existing infrastructure.

Permanent Redaction

The first option you have is to redact information on a permanent basis. This means that redaction is completed before the document goes into the repository. It can be based on a zone or location on a page, such as the slotted space for a Social Security or credit card number. You can also redact by pattern matching (searching documents for three numbers and a dash followed by two numbers and a dash followed by four numbers) and redact the information in all matching instances.

Remember that this route is permanent: You can't get that information back. But this solution is ideal since it eliminates any potential risk that a hacker could gain access to raw files with sensitive information in your file repository.

Redaction of Pre-existing Files

The second option you have is to redact pre-existing documents temporarily. You can set up pre-set user rules that redact upon presentation or request. For example, a particular employee attempting to pull a document without the proper user credentials will see PII data in a redacted format. Keep in mind that the PII is still stored within your repository, so it remains accessible to hackers.

You should also consider what data you're referencing, how often you use it and if you might use it in the future. Think about the roles and privileges you need to make available: Does every account manager need access to customers' credit card numbers? Or just those in higher-level positions?
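The two approaches above, as an added example that is not code from the original article: permanent redaction by pattern matching before storage, and redaction on presentation driven by the user's role. It goes beyond the Social Security pattern in the text by also matching card numbers with a Luhn check; the role name, function names and sample document are assumptions constructed for illustration.

```python
import re

# SSN shape from the text: three digits, dash, two digits, dash, four digits.
# Lookarounds stop it from firing inside longer digit runs (e.g. order numbers).
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
# 13-19 digits with optional single space/dash separators: candidate card number.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used to avoid redacting arbitrary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _mask_card(m):
    digits = re.sub(r"\D", "", m.group())
    return "[CARD REDACTED]" if luhn_ok(digits) else m.group()

def redact(text):
    """Replace every SSN-shaped value and every Luhn-valid card number."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return CARD_RE.sub(_mask_card, text)

def ingest_permanent(repo, doc_id, text):
    """Permanent redaction: only the redacted copy ever reaches the repository."""
    repo[doc_id] = redact(text)

# Hypothetical role allowed to see raw values (an assumption for this example).
CLEARED_ROLES = {"compliance_officer"}

def present(repo, doc_id, role):
    """Redaction on presentation: raw text stays stored; the view depends on role."""
    raw = repo[doc_id]
    return raw if role in CLEARED_ROLES else redact(raw)

# Constructed sample document (test values, not real identifiers).
SAMPLE = "Applicant SSN 123-45-6789, card 4111 1111 1111 1111, order 1234-56-78901."
```

After `ingest_permanent` the raw values cannot be recovered from the repository, whereas `present` leaves them stored and only changes what each role sees.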

There are a number of ways to tackle data redaction. Here are some basic steps to get you started:

  1. Discover: Determine what information needs to be redacted, what types of reports contain sensitive information, and what your current processes are.

  2. Identify: Make a list of reports or documents with information needing to be redacted, and make a plan for how to find and scan data with matching patterns or specific information.

  3. Redact: Define how and when you will redact information from which documents (by pattern matching, manually or by page), receive approval from key people, and train appropriate personnel.

When you start editing and removing information before it is published or distributed, you significantly elevate the level of security for employee, customer, and company data. Just remember that every organization has different requirements and workflows to consider, which means you need a customized redaction solution to manage sensitive information appropriately.