New York Data Loss Prevention User Group

 View Only
  • 1.  Non-US PII Data Elements?

    Posted May 05, 2010 05:59 PM

    Hello all,

    Looking for any input from your experience with Data in Motion.  What, if any, type of data elements do you look for to detect non-US personally identifiable information (PII)?  I'm specifically interetsed if you use any of the data identifiers for the UK or Hong Kong and other data elements for those locations or Bermuda.



  • 2.  RE: Non-US PII Data Elements?

    Posted May 06, 2010 09:23 AM

    Vontu has many built in policies that address the UK identifiers. As for Hong Kong and other locations, nearly evey country that I can think of has a unique identifier, similar to our U.S. SSN - Google can easily find those formats and regex's for you to work with. There are bank account numbers and credit card numbers to look at as well.

    One thing you may want to consider prior to implementing these policies is the Privacy laws for each of the countires that you are monitoring. We had extensive talks with our Legal staff - both U.S. and abroad- and it was determined that we were not allowed to monitor the traffic out of certain countries. For example, any emails sent from Korea could not be monitored by U.S. staff. These incidents could only be viewed by those in Korea.

    Vontu/Symantec's Legal department put together a great .pdf that covers the Privacy laws for a lot of the Asia-pac countries. I tried finding it on-line, but no luck. Maybe one of the fine folks at Symantec could get that over to you.


  • 3.  RE: Non-US PII Data Elements?

    Posted May 06, 2010 09:45 AM

    Really great analysis Eric, our legal team came to the same conclusions -- there were certain countries we simply couldn't currently monitor (due to data privacy laws, not data protection laws) or have to keep information in country.  We haven't had the same success in identifying the magic identifyers for each of our operating presences, however, and many of the regexes for international data do not have checksums (HK is very nice, Singapore too I believe, because they have checksums to validate the ID numbers).  Saudi Arabia and a number of Middle Eastern countries, for instance, are one where we do not currently know the "SSN equivalent".

    We have tested all of the generic Vontu policies, and have found some of them to have acceptable rates of false positives, but again with a regex that only looks for a certain format you might run into a dataset too large to process if you have a population that works with a lot of numbers.  Also, we generated the business case for supporting non-US PII through a thorough analysis of all of the possible fines and penalties the Data Protection Agencies or relevant legislation in each country could levy against our company.

  • 4.  RE: Non-US PII Data Elements?

    Posted Oct 25, 2010 11:55 AM

    lol... sorry Jeremy. didn't realize it was you!

  • 5.  RE: Non-US PII Data Elements?

    Posted Oct 25, 2010 09:29 PM

    Sorry -- we don't have any data off shore so we are not tracking anything.  Wish we could be of more help.