12:30 PM
David Hill
Commentary

Openness vs. Privacy: The Important Role Data Redaction Plays In Data Privacy

Data privacy is a hot topic for all enterprises, both private and public, and data redaction often has an important role in these efforts. That said, redaction is a term that some IT organizations have never heard of. Even if they have, they would probably be hard pressed to define it or explain its importance to their organizations, but that situation is changing quickly as organizations realize that redaction offers a solution that balances the need for data openness with the need for data pri

Here's where the value of redaction becomes clear. So what is redaction? Redaction has more than one meaning but here we are concerned with the business or legal definition in which redaction is the process of removing sensitive information, usually through the liberal use of black marking pens or whiteout fluid for paper documents and their electronic equivalents for digital documents.

Though by definition redaction does remove sensitive information, it is about not "throwing the information baby out with the privileged information bathwater." For technologically-enabled redaction to work properly, an IT solution must answer the question of how to "black out" or obscure confidential information while retaining non-confidential information.

So why is redaction so important? Consider two of the primary benefits it can provide:

  • Meet governmental regulatory compliance requirements, including those invoked in data privacy laws, without restricting the legitimate use of non-confidential information that is otherwise commingled with confidential information -- thus avoiding sanctions, penalties and costs associated with addressing a data breach after the fact, or embarrassing public exposure.
  • Share information with customers, partners, and other third parties without having to fear that they may be inappropriately exposed to sensitive information. This enables people to get the information they need to do their jobs or for other proper purposes. Note that this information is not necessarily subject to regulatory compliance but it can encompass data an enterprise wants to share in only a limited form, such as customer order or financial data, and intellectual property.

Automated software-based redaction must perform the physical black pen redaction (or whiteout) of sensitive text in a document. For example, during World War II, soldiers' letters home were censored in order to prevent inadvertently revealing military intelligence. This censorship was performed manually and very primitively compared to today's requirements to manage redaction for vast volumes of ESI (electronically stored information). These early physical processes did not scale and posed additional risk of inadvertent admissions, among other shortcomings.

In order to work properly, a modern software-based redaction solution must have characteristics that include the following:

  • No data may be lost -- even though a redacted copy needs to be made available as appropriate with the sensitive information removed, the original un-redacted version needs to be saved in its original form in a secure place or be able to be reconstituted with the proper links.
  • The redactions must be justifiable -- Rather than simply masking text with no marking, a generic label, such as the words "Social Security Number," may be inserted in place of the redacted text for readability. This not only improves the ability to read the document, but, in effect, provides the underlying reason for the redaction (although a link might be necessary for further explanation).
  • The solution must scale to large numbers of documents -- To address the growing amount of electronically stored information, the solution must be capable of automating the process to tag suggested redactions, while still allowing for manual review (to accept or reject suggested redactions) as well as for further redactions deemed appropriate. This approach is designed to deliver the highest rates of accuracy.

These are only a sampling of the general characteristics that software-based redaction has to have.
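
The three characteristics listed above, as an added Python example that is not from the article or from any vendor product: automated tagging of suggestions, manual accept/reject, and labelled redactions that leave the original intact. The detection rules, sample document and function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detection rules (label -> pattern); the label doubles as the stated reason.
RULES = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email Address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

@dataclass(frozen=True)
class Suggestion:
    start: int
    end: int
    label: str

def suggest(text):
    """Automated pass: tag candidate redactions without modifying the text."""
    found = [Suggestion(m.start(), m.end(), label)
             for label, rx in RULES.items() for m in rx.finditer(text)]
    return sorted(found, key=lambda s: s.start)

def apply_redactions(text, accepted):
    """Build a redacted copy from reviewer-approved spans.
    Returns (copy, log); the log keeps label and offsets into the original, never the value."""
    out, log, pos = [], [], 0
    for s in sorted(accepted, key=lambda s: s.start):
        if s.start < pos:
            raise ValueError("overlapping redactions")
        out += [text[pos:s.start], f"[{s.label}]"]
        log.append({"label": s.label, "start": s.start, "end": s.end})
        pos = s.end
    return "".join(out) + text[pos:], log

# Constructed sample document (000-prefixed SSNs are never issued).
ORIGINAL = ("Order 1182 for Jane Roe, SSN 000-12-3456, "
            "contact jane.roe@example.com, ships Friday.")

def demo():
    suggestions = suggest(ORIGINAL)
    # Manual review: reject the e-mail suggestion (the recipient needs it) ...
    accepted = [s for s in suggestions if s.label != "Email Address"]
    # ... and add a redaction the rules missed.
    at = ORIGINAL.index("Jane Roe")
    accepted.append(Suggestion(at, at + len("Jane Roe"), "Customer Name"))
    return apply_redactions(ORIGINAL, accepted)

if __name__ == "__main__":
    redacted, log = demo()
    print(redacted)
    print(log)
```

The log stores only labels and offsets, so it can travel with the redacted copy while the un-redacted original stays in separately controlled storage.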

Competitive Landscape
A number of companies offer standalone software-based data redaction solutions, including, but not necessarily limited to, the following: Appligent Document Solutions (Redax), CSI (Intellidact), Extract Systems (IDShield), EDAC Systems, Inc. (VeriDact), IBM (Optim Data Redaction), Informative Graphics (Redact-It), and OnStream Systems (RapidRedact). With the exception of IBM, the players in the data redaction market are smaller companies. That could change, though, if other larger vendors see an advantage in either acquiring one of the smaller companies or deciding to develop the technology on their own.

David Hill is principal of Mesabi Group LLC, which focuses on helping organizations make complex IT infrastructure decisions simpler and easier to understand. He is the author of the book "Data Protection: Governance, Risk Management, and Compliance."