Compliant Data Masking

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implements industry-wide standards for health care information. Health care providers, organizations, and their associates are required to develop and follow procedures for PHI when it is transferred, received, handled, or shared. It applies to all forms of PHI, including written, electronic, and oral.

Under the General Data Protection Regulation (GDPR), all personal data of a citizen from the European Union must be secured. Companies are required to protect any data that can directly or indirectly identify an individual ("data subject"). These identifiers include, but are not limited to:

• Social Security Number
• Credit Card Number
• Bank Account Number
• First Name
• Last Name
• Address
• Zip Code
• Email Address
• Medical Information
• Genomic Information
• IP Address
• Geolocation Data
• Income and Tax Data
• Race, Ethnicity, and Religious Affiliation
• Sexual Orientation
• Trade Union Membership
• Birth Date
• Password
• Military ID
• Passport Number
• Driver's License Number
• Vehicle License Number
• Phone and Fax Numbers

The law also provides citizens with the Right to be Forgotten, or the ability to request that all information about them be removed from a company's possession.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student records and information. FERPA gives rights and protections to parents and eligible students. Once a student reaches 18 years of age or enrolls in a post-secondary institution, he or she becomes an "eligible student," meaning all rights formerly controlled by the parents transfer to the student.

Under FERPA, a school may not generally disclose PII from an eligible student's records to third parties unless the student has provided written consent. Data protected includes PII and no less than the following additional information:

• Student Name
• Student ID Number
• Family Member Names
• Place of Birth
• Mother's Maiden Name
• Student Educational Records
• Immunization Records
• Health Records
• Individuals with Disabilities (IDEA) Records
• Attendance Records

The Federal Information Security Management Act of 2002 (FISMA) is a federal law that recognizes the importance of data protection and information security to economic and national security interests. Every federal agency must develop, document, and implement an agency-wide course of action to secure the system and assets that support the agency, including those managed by another agency, contractor, or other sources.

Information that must be protected under FISMA includes PII and other sensitive information from these categories:

• Medical
• Financial
• Contractor Sensitive
• Security Management
• Other information specified by executive order, specific law, directive, policy, or regulation

The Federal Financial Institutions Examination Council (FFIEC) is a government inter-agency body that sets uniform principles, standards, and report forms to promote uniformity in the supervisions of financial institutions. Additionally, the Council oversees real estate appraisal.

Banks, credit unions, and other financial institutions are subject to the rules enacted by the Council. In addition to PII and Non-Public Personal Information (NPI), these institutions need to protect:

• Income
• Credit Score
• Collection History
• Family Member PII and NPI

The California Consumer Privacy Act of 2018 (CCPA) protects the data of Californians from being collected and mishandled. The law grants the citizens of California the rights to know all the information a business collects on them, to forbid companies from selling their data, to delete their data, and more.