Here's where the value of redaction becomes clear. So what is redaction? Redaction has more than one meaning, but here we are concerned with the business or legal definition, in which redaction is the process of removing sensitive information, usually through the liberal use of black marking pens or whiteout fluid for paper documents and their electronic equivalents for digital documents.
Though redaction by definition removes sensitive information, it is also about not "throwing the information baby out with the privileged information bathwater." For technologically-enabled redaction to work properly, an IT solution must answer the question of how to "black out" or obscure confidential information while retaining non-confidential information.
So why is redaction so important? Consider two of the primary benefits it can provide:
- Meet governmental regulatory compliance requirements, including those invoked in data privacy laws, without restricting the legitimate use of non-confidential information that is otherwise commingled with confidential information -- thus avoiding sanctions, penalties and costs associated with addressing a data breach after the fact, or embarrassing public exposure.
- Share information with customers, partners, and other third parties without having to fear that they may be inappropriately exposed to sensitive information. This enables people to get the information they need to do their jobs or for other proper purposes. Note that this information is not necessarily subject to regulatory compliance but it can encompass data an enterprise wants to share in only a limited form, such as customer order or financial data, and intellectual property.
Automated software-based redaction must perform the equivalent of the physical black pen redaction (or whiteout) of sensitive text in a document. For example, during World War II, soldiers' letters home were censored to keep them from inadvertently revealing military intelligence. This censorship was performed manually and very primitively compared with today's requirement to manage redaction for vast volumes of ESI (electronically stored information). These early physical processes did not scale and posed additional risk of inadvertent admissions, among other shortcomings.
In order to work properly, a modern software-based redaction solution must have characteristics that include the following:
- No data may be lost -- even though a redacted copy needs to be made available as appropriate with the sensitive information removed, the original un-redacted version needs to be saved in its original form in a secure place, or it must be possible to reconstitute it with the proper links.
- The redactions must be justifiable -- Rather than simply masking text with no marking, a generic label, such as the words "Social Security Number," may be inserted in place of the redacted text. This not only improves the ability to read the document, but, in effect, provides the underlying reason for the redaction (although a link might be necessary for further explanation).
- The solution must scale to large numbers of documents -- To address the growing amount of electronically stored information, the solution must be capable of automating the process to tag suggested redactions, but also still allow for manual review (to accept or reject suggested redactions) as well as to make further redactions deemed appropriate. This approach is designed to deliver the highest rates of accuracy.
These are only a sampling of the general characteristics that software-based redaction has to have.
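The three characteristics listed above can be seen working together in a short sketch. This is an added example, not code from any vendor or product named in this article; the two detection patterns, the `[REDACTED: label #n]` marker format, the sample record and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detection rules (label -> pattern); a real deployment needs far more.
RULES = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email Address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}

@dataclass
class Suggestion:
    start: int
    end: int
    label: str             # doubles as the stated reason for the redaction
    accepted: bool = True  # a reviewer can reject a suggestion

def suggest(text):
    """Automated pass: tag every candidate span, in document order."""
    hits = [Suggestion(m.start(), m.end(), label)
            for label, rx in RULES.items() for m in rx.finditer(text)]
    return sorted(hits, key=lambda s: s.start)

def redact(text, suggestions):
    """Apply accepted spans; the returned vault holds the removed originals."""
    out, vault, pos = [], {}, 0
    accepted = sorted((s for s in suggestions if s.accepted), key=lambda s: s.start)
    for n, s in enumerate(accepted, 1):
        if s.start < pos:  # fail closed: a reviewer must resolve overlapping spans
            raise ValueError(f"overlapping redactions at offset {s.start}")
        marker = f"[REDACTED: {s.label} #{n}]"
        vault[marker] = text[s.start:s.end]  # keep separately, access-controlled
        out += [text[pos:s.start], marker]
        pos = s.end
    return "".join(out + [text[pos:]]), vault

def restore(redacted, vault):
    """Reconstitute the original for an authorised reader who holds the vault."""
    return re.sub(r"\[REDACTED: [^\]]+ #\d+\]",
                  lambda m: vault.get(m.group(0), m.group(0)), redacted)

SAMPLE = (  # constructed sample record
    "Order 4471 for Jane Roe, SSN 123-45-6789, contact jane.roe@example.com. "
    "Part no. 555-12-0001 ships Friday.")

def review_demo():
    sugg = suggest(SAMPLE)
    sugg[2].accepted = False      # reviewer: this is a part number, not an SSN
    i = SAMPLE.index("Jane Roe")  # reviewer adds a redaction the rules missed
    sugg.append(Suggestion(i, i + len("Jane Roe"), "Customer Name"))
    return redact(SAMPLE, sugg)
```

The redacted copy and the vault are separate outputs on purpose: only the redacted text is shared, while the vault stays with whoever is entitled to the original.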
A number of companies offer standalone software-based data redaction solutions, including, but not necessarily limited to, the following: Appligent Document Solutions (Redax), CSI (Intellidact), Extract Systems (IDShield), EDAC Systems, Inc. (VeriDact), IBM (Optim Data Redaction), Informative Graphics (Redact-It), and OnStream Systems (RapidRedact). With the exception of IBM, the players in the data redaction market are smaller companies. That could change, though, if other larger vendors see an advantage in either acquiring one of the smaller companies or developing the technology on their own.