information obfuscation: protecting corporate data

BT10 Concurrent Session 11/8/2012 3:45 PM

"Information Obfuscation: Protecting Corporate Data"

Presented by:

Michael Jay Freer Quality Business Intelligence

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073 888‐268‐8770 ∙ 904‐278‐0524 ∙ [email protected] ∙ www.sqe.com

Michael Jay Freer Quality Business Intelligence

Michael Jay Freer is a consultant specializing in business intelligence solutions. He has provided thought leadership and consulting services to Fortune 500 companies including MetLife, Tyco Safety Products, Capital One, Brinks Home Security, Rite Aid, and Zales. With more than twenty years of experience, Michael Jay has worked with business sponsors to provide solutions in financial, marketing, manufacturing, supply chain management, retail, and hospitality/cruise/tourism industries. A member of the PMI, IIBA, and ASQ, Michael Jay serves on the board of the South Florida Chapter of the Data Warehouse Institute.

Information Obfuscation Tuesday, September 04, 2012

Michael Jay Freer ([email protected])

(954) 2491530 1

Protecting Corporate Data-Assets

Presented by Michael Jay Freer

Information Obfuscation(Data Masking)

Michael Jay Freer, SSGB, ITIL(v3), -Information Management professional providing

thought leadership to fortune 500 companies

including MetLife Bank, Tyco Safety Products,

Capital One, Brinks Home Security, and Zales.

Over his 25+ years experience he has worked with

business executives providing solutions in

financial management, manufacturing, supply

chain management, retail, marketing, and hospitality industries.

As an Enterprise Architect at MetLife Bank, Michael Jay specialized in

Information Obfuscation facilitating project solutions for protecting

business Confidential and Restricted data.

Michael Jay Freer - Presenter Bio

Slide# 2

All rights reserved

[email protected]

(954) 249-1530 Michael Jay Freer



(954) 2491530 2

Presentation Ground Rules

� Start and Finish on time

� Questions at anytime

� Parking lot for longer discussion points

� “Electronics on Stun”

� Respect your peers

� No phone calls or email in the room

Slide# 3

All rights reserved

[email protected]


Information Obfuscation

(Data Masking)

Protecting Corporate Data-assets



(954) 2491530 3

Slide# 5

All rights reserved

Agenda

� Outlining the Problem

� Data Masking Golden Rule

� Defining Information Obfuscation

� Information Classification

� Who is Responsible

� Defining a Common Language

� Data-Centric Development

� [email protected]


Outlining the Problem

Problem StatementCorporate Data breaches are occurring at an alarming rate.

1) It is incumbent on organizations to protect the customer,

partner, and employee data with which they are entrusted.

2) Ease of access to sensitive information in business systems.

3) Using unmasked Confidential and Restricted data in non-

production environments exposes risks to company reputation.

Business Rationale for Obfuscating Data• Reduce Data Breach Risks

• Heightened Legal and Regulatory Scrutiny of Data Protection

Services (i.e.: SOX, HIPAA, GLBA, NPPI, FFIEC, PCI-DSS)

• Company Policies and Standards

• Fundamental assumption on the part of customers that their data

is already de-identified in non-production systemsSlide# 6

All rights reserved

[email protected]




(954) 2491530 4

Outlining the Problem

Problem StatementCorporate Data breaches are occurring at an alarming rate.

1) It is incumbent on organizations to protect the customer,

partner, and employee data with which they are entrusted.

2) Ease of access to sensitive information in business systems.

3) Using unmasked Confidential and Restricted data in non-

production environments exposes risks to company reputation.

Business Rationale for Obfuscating Data• Reduce Data Breach Risks

• Heightened Legal and Regulatory Scrutiny of Data Protection

Services (i.e.: SOX, HIPAA, GLBA, NPPI, FFIEC, PCI-DSS)

• Company Policies and Standards

• Fundamental assumption on the part of customers that their data

is already de-identified in non-production systemsSlide# 7

All rights reserved

[email protected]


Data Masking Golden Rule

To put Information-obfuscation (Data-masking) into

perspective simply think about yourself:

How many vendors or service-providers have your

personal information (banks, mortgage holders

physicians, pharmacies, retailers, schools you applied

to, utilities, cellular carriers, internet providers, etc.)?

Michael Jay’s Data Masking Golden Rule“Do unto your company’s corporate data assets as you

would have your banker, healthcare provider, or retailer

do unto your personal information.”

(Use this as your compass to navigate)

Slide# 8

All rights reserved

[email protected]




(954) 2491530 5

Data Masking Golden Rule

To put Information-obfuscation (Data-masking) into

perspective simply think about yourself:

How many vendors or service-providers have your

personal information (banks, mortgage holders

physicians, pharmacies, retailers, schools you applied

to, utilities, cellular carriers, internet providers, etc.)?

Michael Jay’s Data Masking Golden Rule“Do unto your company’s corporate data-assets as you



(Use this as your compass to navigate)

Slide# 9

All rights reserved

[email protected]


Defining Information Obfuscation

DefinitionInformation Obfuscation is the effort in both business

operations and non-production systems to protect business

confidential and restricted data from easy access or

visibility by unauthorized parties.

FrameworkFor our purposes, obfuscation includes access

management, data masking, encryption of data-at-rest

(DAR) and encryption of data-in-transit including

principles for protecting business communications.

Slide# 10

All rights reserved

[email protected]




(954) 2491530 6

Information Classification

Sensitive Data “Sensitive” is a broad term for information considered to be

a business trade-secret; or consider “private” by regulatory

rule, legal act, or trade association (i.e.: GLBA, HIPAA,

FFIEC, PCI, PHI, PII).

Slide# 11

All rights reserved

[email protected]



Information Classification Levels �Public – non-sensitive data, disclosure will not violate

privacy rights

�Internal Use Only – generally available to employees and

approved non-employees. May require a non-disclosure

agreement.

�Confidential – intended for use only by specified employee

groups. Disclosure may compromise an organization,

customer, or employee.

�Restricted – very sensitive, intended for use only by named

individuals.

�Sealed – extremely sensitive, irreparable destruction of

confidence in and reputation of the organizationSlide# 12

All rights reserved

[email protected]




(954) 2491530 7


Information Classification Levels �Public – non-sensitive data, disclosure will not violate

privacy rights

�Internal Use Only – generally available to employees and

approved non-employees. May require a non-disclosure

agreement.

�Confidential – intended for use only by specified employee

groups. Disclosure may compromise an organization,

customer, or employee.

�Restricted – very sensitive, intended for use only by named

individuals.

�Sealed – extremely sensitive, irreparable destruction of

confidence in and reputation of the organizationSlide# 13

All rights reserved

[email protected]


PII (Personally Identifiable Information) will

vary based on your company, your industry,

government regulations, and jurisdiction.

Who is Responsible

Slide# 14

All rights reserved

[email protected]




(954) 2491530 8

Who is Responsible

You are!No matter your role in the organization, you are

responsible for protecting the “corporate data-assets.”

Slide# 15

All rights reserved

[email protected]


Who is Responsible

You are!No matter your role in the organization, you are

responsible for protecting the “corporate data-assets.”

Everyone else is also ResponsibleAll of your peers are also responsible for protecting the

Corporate Data-Assets.

However, you don’t have control over your peers, only

over your own vigilance and how you make your

management aware of any concerns, risk, or issues with the

security of the corporate data-assets.

Slide# 16

All rights reserved

[email protected]




(954) 2491530 9

Defining a Common Language

Information ObfuscationInformation Obfuscation (or Data Masking) is the practice

of concealing, restricting, fabricating, encrypting, or

otherwise obscuring sensitive data.

This is usually thought of in the context of non-production

systems but it really encompasses the full information

management lifecycle from on boarding of data to

developing new functionality to archiving and purging

historical data.

Slide# 17

All rights reserved

[email protected]



CommunicationThe Business-Information Owner, Project Stakeholders,

Development Teams, and Support Teams need to use a

common language when discussing the various obfuscation

methods and where in the environment lifecycle an action

will occur.

Slide# 18

All rights reserved

[email protected]




(954) 2491530 10


CommunicationThe Business-Information Owner, Project Stakeholders,

Development Teams, and Support Teams need to use a

common language when discussing the various obfuscation

methods and where in the environment lifecycle an action

will occur.

Slide# 19

All rights reserved

[email protected]


The simple phrase ‘Just mask the data’ does

not address what to mask, how to mask, where to

mask, or who is responsible for understanding

the impact masking will have on business

functionality.

Common Language – Environment Lifecycle

Common Environments

1. Development – Code is created, modified and unit tested

2. Testing / QA – System, integration, & regression testing

3. User Acceptance (UAT) – Business-user validation

Test new business requirements and regression test

existing functionality

4. Business Operations – Day-to-day business

environment

5. Business Support – Replicate and troubleshoot business

issues

Slide# 20

All rights reserved

[email protected]




(954) 2491530 11


Common Environments

1. Development – Code is created, modified and unit tested

2. Testing / QA – System, integration, & regression testing

3. User Acceptance (UAT) – Business-user validation

Test new business requirements and regression test

existing functionality

4. Business Operations – Day-to-day business

environment

5. Business Support – Replicate and troubleshoot business

issues

Question for Another Time

“Which of these environments will hold some

level of “sensitive-data” and which are

maintained as “Production Environments?”

Slide# 21

All rights reserved

[email protected]



Other Possible Environments

� Isolated On-boarding – When data from 3rd party

partners are transitioned in, there may requirements for a

secured environment to cleanse and prepare data for

integration into the business operations environments

� Isolated Data-Masking – Unmasked Confidential and

Restricted Data should not be transferred to non-

production environments. A separate secure environment

allows for standardized data masking in-place

Slide# 22

All rights reserved

[email protected]




(954) 2491530 12











Slide# 23

All rights reserved

[email protected]







integration into the business operations environments.





Slide# 24

All rights reserved

[email protected]


A mortgage service provider staging loans when

the servicing responsibility has not officially

transferred.

Example



(954) 2491530 13






integration into the business operations environments.





Slide# 25

All rights reserved

[email protected]


A mortgage service provider staging loans when

the servicing responsibility has not officially

transferred.

Do you consider this to be “production data?”

Example











Slide# 26

All rights reserved

[email protected]




(954) 2491530 14











Slide# 27

All rights reserved

[email protected]


Company policies often state sensitive data may

not be stored in non-production environments.

Moving data to “development” or “test” environments

before masking would violate such company policies.

Example











Slide# 28

All rights reserved

[email protected]




(954) 2491530 15

Common Language – Masking Taxonomy

Methods of Obfuscating Information

� Pruning Data

� Concealing Data

� Fabricating Data

� Trimming Data

� Encrypting Data

� Separating Data

Slide# 29

All rights reserved

[email protected]




� Pruning Data

� Concealing Data


� Trimming Data

� Encrypting Data

� Separating Data

Slide# 30

All rights reserved

[email protected]




(954) 2491530 16

Common Language – Where to Obfuscate

� Data Movement – Data can be removed, shorten, or encrypted

� Data Stores – Data can be encrypted , data-at-rest (DAR)

� Interactive User Interfaces – Only show required data or portions

of attributes for identification (i.e. account#, license#, SS#)

� Static Reporting – More restrictive than Interactive User Interfaces

Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 31

All rights reserved

[email protected]








Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 32

All rights reserved

[email protected]




(954) 2491530 17







Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 33

All rights reserved

[email protected]








Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 34

All rights reserved

[email protected]




(954) 2491530 18







Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 35

All rights reserved

[email protected]




� Pruning Data

� Concealing Data


� Trimming Data

� Encrypting Data

� Separating Data

Slide# 36

All rights reserved

[email protected]




(954) 2491530 19

Common Language – Pruning Data

Pruning Data: Removes sensitive data from attributes

in non-production environments. The attribute will still

appear on data entry screens and reporting but be left blank.

Dev

elopm

ent Environm

ent

Data

Sto

rage

Encrypted

Encrypted

Da

ta M

ov

emen

t

Encrypted

Slide# 37

All rights reserved

[email protected]


Common Language – Pruning Data

Pruning Data: Removes sensitive data from attributes

in non-production environments. The attribute will still

appear on data entry screens and reporting but be left blank.

Dev

elopm

ent Environm

ent

Data

Sto

rage

Encrypted

Encrypted

Da

ta M

ov

emen

t

Encrypted

Slide# 38

All rights reserved

[email protected]


Executive Salaries: Employee personnel records

can de-identify by changing Emp#, SS#, & names but

executive management records are easily tied back to

the organizational hierarchy (e.g., top 10 salaries).

Example



(954) 2491530 20

Common Language – Concealing Data

Concealing Data: Removes sensitive data from user

access and visibility. For data entry screens and reports, the

attribute does not appear at all versus being Pruned (blank).Concealing data depends on clear rules for Access, Authentication, and

Accountability.

Dev

elopm

ent Environm

ent

Data

Sto

rage

Encrypted

Encrypted

Da

ta M

ov

emen

t

Encrypted

Slide# 39

All rights reserved

[email protected]


Common Language – Concealing Data

Concealing Data: Removes sensitive data from user

access and visibility. For data entry screens and reports, the

attribute does not appear at all versus being Pruned (blank).Concealing data depends on clear rules for Access, Authentication, and

Accountability.

Dev

elopm

ent Environm

ent

Data

Sto

rage

Encrypted

Encrypted

Da

ta M

ov

emen

t

Encrypted

Slide# 40

All rights reserved

[email protected]


Bank / Loan Account#: Bank web sites generally

do not display account numbers even to the account

holder.

Example



(954) 2491530 21

Common Language – Fabricating Data

Fabricating Data:1) Creating data to replace sensitive data

2) Creating data to facilitate full functional testing

3) Creating date for negative testing (error handling)

Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 41

All rights reserved

[email protected]


Common Language – Fabricating Data

Fabricating Data:1) Creating data to replace sensitive data

2) Creating data to facilitate full functional testing

3) Creating date for negative testing (error handling)

Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 42

All rights reserved

[email protected]


Contact >ame or ID#:Replacing contact name and ID# is the standard

method for de-identifying customer and employee

records.

Example



(954) 2491530 22

Common Language – Trimming Data

Trimming Data: Removes part of an attribute’s value

versus Pruning which removes the entire attribute value.

Dev

elopm

ent Environm

ent

Da

ta S

tora

ge

Encrypted

Encrypted

Da

ta M

ovem

ent

Encrypted

Slide# 43

All rights reserved

[email protected]


Common Language – Trimming Data

Trimming Data: Removes part of an attribute’s value

versus Pruning which removes the entire attribute value.

Dev

elopm

ent Environm

ent

Da

ta S

tora

ge

Encrypted

Encrypted

Da

ta M

ovem

ent

Encrypted

Slide# 44

All rights reserved

[email protected]


Social Security# and Credit Card#:

Changing SSN# from 123-45-6789 to XXX-XX-6789

(or a new attribute = 6789) so that only part of the

information is available, usually for identification.

Example



(954) 2491530 23

Common Language – Encrypting Data

Encrypting Data: Encryption can be done at the

attribute, table, or database levels

(Encrypted data can be decrypted back to the original value)

Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 45

All rights reserved

[email protected]


Common Language – Encrypting Data

Encrypting Data: Encryption can be done at the

attribute, table, or database levels

(Encrypted data can be decrypted back to the original value)

Dev

elopm

ent Environm

ent

Data

Sto

rag

e

Encrypted

Encrypted

Data

Mov

emen

t

Encrypted

Slide# 46

All rights reserved

[email protected]


Credit Card#: Credit card numbers are often encrypted

for data transmission for PCI DSS compliance.

Encrypting credit card numbers at rest (DAR) provides

additional security.

Example

Credit Card# is an example of an attribute that often falls into

multiple Obfuscation Methods.



(954) 2491530 24

Move

Sen

sitive

Dat

a to

a S

ecure

d T

able

Data Separation: Moves sensitive data into multiple

tables. Data can still be joined but Sensitive and Non-

sensitive attributes do not reside in a single record.

Common Language – Separating Data

Slide# 47

All rights reserved

[email protected]


Move

Sen

sitive

Dat

a to

a S

ecure

d T

able





Slide# 48

All rights reserved

[email protected]




(954) 2491530 25

Move

Sen

sitive

Dat

a to

a S

ecure

d T

able





Slide# 49

All rights reserved

[email protected]


Move

Sen

sitive

Dat

a to

a S

ecure

d T

able





Slide# 50

All rights reserved

[email protected]




(954) 2491530 26

Move

Sen

sitive

Dat

a to

a S

ecure

d T

able





Slide# 51

All rights reserved

[email protected]





Move

Sen

sitive

Dat

a to

a S

ecure

d T

able


Slide# 52

All rights reserved

[email protected]




(954) 2491530 27




Move

Sen

sitive

Dat

a to

a S

ecure

d T

able


Slide# 53

All rights reserved

[email protected]





Move

Sen

sitive

Dat

a to

a S

ecure

d T

able


Slide# 54

All rights reserved

[email protected]




(954) 2491530 28




Move

Sen

sitive

Dat

a to

a S

ecure

d T

able


Slide# 55

All rights reserved

[email protected]





Move

Sen

sitive

Dat

a to

a S

ecure

d T

able


Slide# 56

All rights reserved

[email protected]




(954) 2491530 29


� Prune – Removes values from non-production systems. Attribute

appears on data entry screens and reporting but are blank.

� Conceal – Removes sensitive data from user access or visibility. For

data entry screens and reports, the attribute may not appear at all or be

obscured versus being Pruned (blank).

� Fabricate – Creating data to replace sensitive data and facilitate

proper application testing.

� Trim – Removes part of a data attribute’s value (Pruning removes the

entire attribute value)

� Encrypt – Unlike Fabricated Data, encrypted data can be decrypted

back to the original value.

� Data Separation – Moves specific segments of data or individual

datum into separate tables / databases to limit user access or visibility

Slide# 57

All rights reserved

[email protected]


Busines

s End-U

ser A

cces

sIs

sue

Support S

taff

Qual

ity A

ssura

nce

Devel

opm

ent Sta

ff

Matrix – Method, Environment, Access

Slide# 58

All rights reserved

[email protected]




(954) 2491530 30

Busines

s End-U

ser A

cces

sIs

sue

Support S

taff

Qual

ity A

ssura

nce

Devel

opm

ent Sta

ff


Slide# 59

All rights reserved

[email protected]


Use

r G

roups

Environments

Obfuscation Method

Busi

ness

End-U

ser A

cce

ssIs

sue

Support S

taff

Qual

ity A

ssura

nce

Dev

elopm

ent Sta

ff


Slide# 60

All rights reserved

[email protected]


No Access to Data



(954) 2491530 31

Busi

ness

End-U

ser A

cce

ssIs

sue

Support S

taff

Qual

ity A

ssura

nce

Dev

elopm

ent Sta

ff


Slide# 61

All rights reserved

[email protected]


Last Four Digits

Busi

ness

End-U

ser A

cce

ssIs

sue

Support S

taff

Qual

ity A

ssura

nce

Dev

elopm

ent Sta

ff


Slide# 62

All rights reserved

[email protected]


Fabricate Data



(954) 2491530 32

Busi

ness

End-U

ser A

cce

ssIs

sue

Support S

taff

Qual

ity A

ssura

nce

Dev

elopm

ent Sta

ff


Slide# 63

All rights reserved

[email protected]


Not Acknowledged

Busi

ness

End-U

ser A

cce

ssIs

sue

Support S

taff

Qual

ity A

ssura

nce

Dev

elopm

ent Sta

ff


Slide# 64

All rights reserved

[email protected]




(954) 2491530 33

Data-Centric Development

Projects that center around data analysis (i.e.: dashboards, BI,

data-marts / warehouses, etc.) often claim that they must have

“production data” to develop the solution.

It is true that the business will need production data for user

acceptance testing (UAT) but let’s consider a few other facts:

1) Negative testing will require fabricated data

2) New functionality will also likely require fabricated data

3) Existing production data may not contain all possible values

or permutations of data so full positive testing will also

require some level of fabricated data

4) Full regression testing will require a standardized test set

including the items above and is likely to be a combination of

fabricated and masked data

Slide# 65

All rights reserved

[email protected]
















Slide# 66

All rights reserved

[email protected]




(954) 2491530 34















Slide# 67

All rights reserved

[email protected]
















If your source data has already been cleansed, how would

you test for exceptions (negative testing)?

Based on functional-requirements, negative tests should

be created for everything outside expected ranges.

Slide# 68

All rights reserved

[email protected]




(954) 2491530 36















As systems become more complex and as regulations

increase, functional tests require data sets for situations

not yet present within the production data.

Slide# 71

All rights reserved

[email protected]













4) Full regression testing will require a standardized test set,

including the items above, and is likely to be a combination

of fabricated and masked data (de-identified records)

Slide# 72

All rights reserved

[email protected]




(954) 2491530 37












4) Full regression testing will require a standardized test set,

including the items above, and is likely to be a combination

of fabricated and masked data (de-identified records)

Leverage test-datasets already created for source

systems.

Slide# 73

All rights reserved

[email protected]


Governance

Data stewardship is a key success factor for good data

governance and in this case for good information

obfuscation.

No one person will be aware of every government

regulation, trade association guideline, business functional

requirement, or company policy.

Include representatives from data stewardship, security,

internal audit, and quality assurance teams in your solution

planning and project development teams.

Slide# 74

All rights reserved

[email protected]




(954) 2491530 38

Information Obfuscation Summary

1. Obfuscation occurs throughout the information lifecycle

not just in non-production environments

2. Everyone is responsible for protecting the corporate data

assets and the best data security tool is vigilance

3. Use a defined language to communicate who, what,

where, when, and how obfuscation will occur

4. Make Information Obfuscation part of your

organization’s business-as-usual (BAU) processes

5. Follow Michael Jay’s Data Masking Golden Rule

“Do unto your company’s corporate data assets as you



Slide# 75

All rights reserved

[email protected]















Slide# 76

All rights reserved

[email protected]




(954) 2491530 42

Appendix

Reference Material

Slide# 83

All rights reserved

[email protected]


Legal & Regulatory Alphabet Soup (Sampling)

� GLBA – The Gramm–Leach–Bliley Act allowed consolidation

of commercial & investment banks, securities, & insurance co.

� >PPI – Nonpublic Personal Information - Financial

consumer’s personally identifiable information (see GLBA)

� OCC – Office of the Controller of Currency regulates banks.

� PCI – Payment Card Industry; defines Data Security Standard

(PCI DSS) processing, storage, or transmitting credit card info.

� PHI – Patient Health Information - Dept of Health & Human

Services (“HHS”) Privacy Rule (see HIPAA).

� PII – Personally Identifiable Information; used to uniquely

identify an individual. (Legal definitions vary by jurisdiction.)

Slide# 84

All rights reserved

[email protected]




(954) 2491530 43

Sample Cross Reference Chart

Data PointPII

PCI >PPI PHI

Customer - The Fact That an Individual is a Customer ** X

First, or Last Name *; Mother's Maiden Name X X

Country, State, Or City Of Residence * X X

Telephone# (Home, Cell, Fax) X X

Birthday, Birthplace, Age, Gender, or Race *

Social Security#, Account#, Driver's License#, National ID ++

X X

Passport#, Issuing Country

Credit Card Numbers, Expiration Date, Credit Card Security Code X X

Credit Card Purchase X

Grades, Salary, or Job Position *

Vehicle Identifiers, Serial Numbers, License Plate Numbers X

Email - Electronic Mail Addresses; IP Address, Web URLs X

Biometric Identifiers, Face, Fingerprints, or Handwriting

Dates - All Elements of Dates (Except Year +) X

Medical Record#, Genetic Information, Health Plan Beneficiary# X

* More likely used in combination with other personal data

** GLBA regulation to fall into the “Restricted” classification

+ All elements of dates (including year) if age 90 or older

++ Varies by Jurisdiction

Slide# 85

All rights reserved

[email protected]


information obfuscation: protecting corporate data

Technology