Securing Unstructured Data to Comply with Privacy Laws

I don’t know about you, but I cannot stand the expression, “Not to mention.” It sets my teeth on edge, not to mention the fact that it violates the communication principle of keeping things simple and direct. Wait, did I just do that? I’ll go stand in the corner for a moment. My dear friend, Ellen Jovin, who runs the Grammar Table in New York’s Verdi Square Park, would tell me I need to learn to live with the phase—that it’s just apophasis, the rhetorical deice of bringing up a subject by denying it.

Unlikable as it may be, apophasis, with its implied double-whammy-ness, does suit the current wave of data privacy laws. The EU has GDPR. The state of California now has CA AB 375, the California Consumer Privacy Act of 2018. The new California law is similar to GDPR, giving citizens the right to request that a business disclose the personal data they have collected about them. This law, like GDPR, will drive significant changes in database management, not to mention the impact it will have on unstructured data. See how that works? Apophasis has its uses, I suppose.

Mark Bower

This topic arose in a recent conversation with Mark Bower, Chief Revenue Officer at Egress Software. “The challenge in complying with AB 375 is going to be around unstructured data,” he said. Indeed, the major RDBS vendors have introduced privacy compliance modules for structured data. While not exactly easy to use, they provide a mechanism for automating responses to requests for personal information. Unstructured data is far more difficult to manage in this way.

“Most companies have huge amounts of documents, videos, photos and so forth,” said Bower, citing credit applications as an example. “The cloud and mobile devices are adding to the scale and scope of unstructured data. The problem is that unstructured data often contains personal information that is covered by the new privacy laws.” To Bower, the issue is one of efficiency. “If you don’t mind manually responding to requests for personal information, you’ll be fine. But, who wants to deal with that?”

As Bower pointed out, the enactment of GDPR has led to a spike in privacy inquiries in the EU. California will likely experience a similar flood of requests. Handling the requests will be time consuming and expensive, not to mention error-prone. Ugh, sorry… that slipped out by accident, I swear. Egress offers a solution for the automation of securing unstructured data and tracking personally identifiable information contained. In this way, Egress enables compliance with new privacy laws.

According to Bower, though, there’s an even bigger problem looming. California also has SB1386, the Data Privacy Bill. Under this law, organizations must disclose breaches of personal information. To avoid breaches and the costly SB1386 notification process, companies have taken to encrypting data at rest. While this is a generally sound move, in security terms, it conflicts directly with consumer privacy laws. It’s hard to process requests for personal information when all that information is encrypted. Dealing with this tension is going to be complex, not to mention costly. Oops, I really didn’t mean to do that.

Costs are very much in the minds of compliance managers. There are the direct costs of compliance, including software and policy changes, without even mentioning the potential fines. Sorry. I hate myself. Financial penalties are a notable area of difference between the California law and GDPR. GDPR does levy large fines for violators, but they are based on revenue. The California law has per-violation fines, so there is no cap on how much it will cost a company if they violate the law. That’s not even mentioning the liability to consumer liability. Note to self: We need to talk. The EU is also experiencing an increase in consumer litigation around privacy. California can expect the same. Bower believes the risk of litigation will drive compliance.

The California law is due to take effect at the start of 2020. That’s only 14 months from now. That’s not much time, as Bower pointed out. California businesses should be actively seeking solutions for privacy compliance for both structured and unstructured data today.
Photo Credit: grittycitygirl Flickr via Compfight cc