The True Cost of Failing to Redact Properly
March 02, 2020 | 6 minutes read
No one is perfect.
You can have the most rigorous education in the world and be surrounded by the best and brightest, and still make a mistake.
The problem is that some mistakes are much more severe than others.
Some mistakes ruin your business’s reputation.
Some mistakes lead to lawsuits.
Some mistakes end in bankruptcy.
Some mistakes are entirely avoidable. Those that involve video redaction, audio redaction, image redaction, and PDF redaction often are.
In today’s post, we’ll explain what redaction is, when redaction is required by the law, when and how to redact, and how redaction benefits your organization.
Redaction – What is it?
To redact is to edit or prepare something for publishing. It sounds simple, but it is much more than putting black boxes over information or blurring a face. Redaction is not just removing the ability to read or view the data; it is the act of eliminating all traces that the information ever existed in the first place.
It’s not always easy to redact properly. For example, in recent months, lawyers from the Jones Day law firm found themselves apologizing before a federal judge for exposing grand jury information in a case regarding opioids because they failed to redact data properly.
Similarly, the Medical Council of New South Wales accidentally published improperly redacted protected health information of patients on their website. When redacting the document, staff placed black boxes over areas of the report containing the personal health information. They soon found out this wasn’t a complete redaction. The staff thought that because the information was covered, it wasn’t there, which was not true. Unlike human eyes, search engines and other software can see additional data generally hidden from our view. In this case, Google’s bots indexed the entire page, including the information that was under the black boxes placed there by the employee. Ultimately, the incorrect redaction had the same impact as doing no redaction at all.
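The black-box failure described above can be caught before a file is published by reading the document the way an indexer does. The following is an added example, not code from this article or from CaseGuard: it scans PDF content streams for text that survives under an overlay. The function names, the sample page content and the patient details are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Text-showing operators: (text) Tj   or   [(te) -20 (xt)] TJ
SHOW_RE = re.compile(rb"\[(.*?)\]\s*TJ|\(((?:\\.|[^\\()])*)\)\s*Tj", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")


def extract_text(pdf: bytes) -> str:
    """Return the text drawn by Tj/TJ operators in every content stream."""
    found = []
    for raw in STREAM_RE.findall(pdf):
        try:
            # FlateDecode stream; bytes after the zlib data are ignored.
            data = zlib.decompressobj().decompress(raw)
        except zlib.error:
            data = raw  # stream stored without compression
        for array, single in SHOW_RE.findall(data):
            parts = LITERAL_RE.findall(array) if array else [single]
            found.append(b"".join(parts).decode("latin-1"))
    return "\n".join(found)


def leaked_terms(pdf: bytes, terms: list) -> list:
    """Terms that software can still read from a supposedly redacted file."""
    text = extract_text(pdf).lower()
    return [t for t in terms if t.lower() in text]


def make_sample(content: bytes) -> bytes:
    """Constructed test input: one compressed content stream, not a full PDF."""
    z = zlib.compress(content)
    head = b"1 0 obj\n<< /Filter /FlateDecode /Length " + str(len(z)).encode()
    return b"%PDF-1.4\n" + head + b" >>\nstream\n" + z + b"\nendstream\nendobj\n"


# Constructed page content: text is drawn, then a black box is painted over it.
OVERLAID = (b"BT /F1 12 Tf 72 700 Td (Patient: Jane Roe, DOB 1980-01-01) Tj ET\n"
            b"0 0 0 rg 70 695 300 16 re f\n")
# Same page with the sensitive string actually removed from the text operator.
REDACTED = (b"BT /F1 12 Tf 72 700 Td (Patient: ) Tj ET\n"
            b"0 0 0 rg 120 695 250 16 re f\n")

if __name__ == "__main__":
    watch = ["Jane Roe", "1980-01-01"]
    print("black box only:", leaked_terms(make_sample(OVERLAID), watch))
    print("text removed:  ", leaked_terms(make_sample(REDACTED), watch))
```

This scanner only reads literal strings in uncompressed or Flate-compressed streams. Hex strings, custom font encodings, document metadata and other stream filters need a full PDF text extractor, so an empty result here is not proof that a file is clean.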
Redactions Are Required
Why are redactions so necessary? Every company, regardless of the type of business, has access to sensitive data that needs to be secured. Aside from the fact that it’s good for your business to protect and secure information, there are actual laws on the books which require organizations to redact information. Failure to comply with privacy regulations can come at a very high price.
In the case of schools that are required to maintain student privacy via the Family Educational Rights and Privacy Act (FERPA), failing to comply can cause school districts to lose their entire federal funding for the following year. The ramifications of failing to comply with the GDPR can also be severe. Organizations that are found in violation of the GDPR can be fined up to 17 million euros or up to 4% of their gross annual turnover. The California Attorney General can levy fines of up to $7500 per violation, which could be substantial depending on the number of consumers affected by a breach of privacy.
When and How to Redact
One way to get a handle on privacy and data security is to conduct a privacy impact assessment or PIA. As readers of CaseGuard articles may know, we recently published a three-part series on how to do a Privacy Impact Assessment (PIA).
This assessment is usually done with a privacy or data specialist that can walk through your data trail from the point of acquisition to destruction. At each step along the way, you and your team can identify ways to minimize any security risks.
Each company has its unique circumstances, which may direct the most appropriate times to redact, but with each change to the company workflow, the policy should be updated and reviewed. Generally speaking, there are five main decision points where you should consider redaction:
1. Upon Receipt of Data
When your company acquires data, it may not be necessary for employees to have access to this information. In some cases, data can be separated by department need. For example, staff in human resources may not need access to customer data. Choosing to redact and disseminate information according to job clearance and need to know can eliminate a large portion of the risk.
2. Prior to Release of Data
After any redaction, it is essential to have someone with a firm grasp of security best practices check the remaining data for accuracy before it is released. Redactions can be different from one department to the next. While you may not want to share your document widely before its release, if you have a way to share the information with a trusted colleague selectively, you should consider doing so. Such a technique is similar to select compartmentalization, which is done within the military and other organizations to control the spread of information. This technique lets you keep control over who accesses what and when, making it easier to audit the information’s trail.
3. Upon Completion
After completing a first redaction job, it’s crucial to ensure that every bit of sensitive data is removed. Specialized software, like CaseGuard, can help with this task. Removing sensitive data applies a layer of protection, ensuring your company avoids keeping unnecessary data. Not redacting when the job is finished would be like keeping passwords for applications you no longer use written boldly on post-it notes stuck to your computer and expecting nothing to occur.
4. At Time of Storage
Organizations retain certain data for a designated amount of time because the law mandates it. It can be account information, health records, or any number of interactions that contain sensitive data. When it’s time to move a file or report to a permanent storage area, it’s wise to review the data for any additional sensitive material that the company no longer needs to be held liable for holding. If it is removed before data storage, then even if the facility or storage system is breached, the personal information is no longer available.
5. Before Permanent Destruction
This is the decision point where an organization tries to destroy data permanently. Before destroying data, realize it is not as simple as running paper through the shredder or even emptying your computer’s trashcan. Deletion is not destruction. Redacting as much information as possible before deleting material makes permanent removal much more manageable. However, permanently deleting electronic data tends to require either reformatting hard drives or destroying them for good.
How To Redact Quickly and Safely
One way to improve the accuracy and speed of your redaction process is to use a video or data redaction software system. These applications are designed to accurately find data points by assigned labels and remove them from the data permanently. Through the use of these applications, data is thoroughly removed, even in video footage. For example, CaseGuard’s software is designed to capture the data from every frame and remove it. In contrast, other methods such as manual redaction may miss individual frames, leaving the data there for someone to find, making it far easier to end up in court or saddled with a hefty fine.