ALTR Blog

The latest trends and best practices related to data governance, protection, and privacy.

Since its launch in 2014, Snowflake has been focused on enabling the data cloud—innovating with their speed, approach to cloud scaling, and consumption-based business model. But they have also led the way with their investment in extensibility and support for the programming languages, frameworks, and data science tools and technologies its users prefer. This partnership with complementary technologies helps deliver great benefits to Snowflake customers. As one of those technology partners, we’d like to congratulate Snowflake on the announcement of its new extensibility features: Snowpark developer experience and Java UDFs. These additions will allow developers and data scientists to leverage Snowflake’s powerful platform capabilities and the benefits of Snowflake’s Data Cloud throughout their data science, integration, quality, and BI projects for increased efficiency and insights.

ALTR is an innovator in using Snowflake

ALTR is also leading the way in taking advantage of Snowflake’s commitment to extensibility by delivering our cloud-based data governance and security solutions through direct integration with Snowflake. ALTR taps into Snowflake’s existing masking policies, user-defined functions (UDFs), and external functions in order to securely protect sensitive data. The powerful and flexible masking policies are connected to columns identified as sensitive. Whenever a masked column is queried, from anywhere inside or outside Snowflake, a UDF within Snowflake is called to act as a bridge to the external function which communicates with ALTR. ALTR then provides direction for how the data in that column should be governed based on established rules and policies.

“ALTR is an innovator in using Snowflake’s extensibility features,” said Tarik Dwiek, Head of Technology Alliances at Snowflake. “By utilizing these features, they’re able to deliver powerful data protection and security natively integrated, allowing our customers to get more value from their Snowflake investment.”  

ALTR’s integration with these extensibility features allows Snowflake customers to add governance and security more quickly—without any software having to be deployed or code written. They can add sensitive data faster, more securely and deliver more flexible data access because natively-embedded security policies will always be invoked. More data with more flexible access allows data insights to come faster for the business. And this kind of native integration enables the cloud-based, highly scalable Snowflake data platform to interact directly with the cloud-based, highly scalable ALTR data governance and security platform, with no outside components to impede or impair the combined power of the two solutions.  

ALTR scales with Snowflake's cloud data platform
ALTR's native cloud integration to Snowflake scales along with the Snowflake cloud data platform.

We believe that this is where the cloud data ecosystem is going—native integrations enabled by extensible platform trailblazers like Snowflake. And we’re thrilled to see Snowflake continue leading the way.  

Watch our webinar with Q2 and Snowflake on how to take a security first approach to moving your data to the cloud.

As an increasing number of companies join the Snowflake Data Cloud to extract business value and insights from data, the ability to utilize and govern sensitive data on the platform has become a critical priority. Since kicking off our partnership in 2020, launching our cloud-native integration in February 2021, and now as a Snowflake Premier Partner, ALTR has been laser-focused on delivering enterprise-class Snowflake data governance solutions that make governing data as simple and easy as possible for Snowflake customers.  

By leveraging Snowflake’s native data governance capabilities, we’re able to deliver unprecedented data usage visibility and analytics, automated policy-based access controls, and the highest levels of data protection—all with no code required to implement, maintain, or manage. Removing the roadblocks to protecting sensitive data means Snowflake users can extract the most value from their data and maximize their investment in the platform.

We’re proud to join the initiative to make Snowflake data governance a top focus and enable powerful new features for our shared customers as a member of the Snowflake Data Governance Accelerated Program.  

Investment in Snowflake data governance technology

ALTR is a natural fit for the Snowflake Governance Accelerated Program because we’ve tightly integrated with Snowflake’s native capabilities to enable no-code data governance at scale from day one. As Snowflake continues to make new features and capabilities available, we integrate them into our platform, allowing customers to leverage Snowflake's native capabilities in an easier, more scalable way.  

Dynamic Data Masking

ALTR simplifies how organizations implement and maintain data masking policies to protect private information in Snowflake. With ALTR, you can see the data and roles your policies are applied to and implement new or modify existing masking policies all without writing any SQL code.  

Object Tagging

ALTR has pre-built support for Snowflake’s upcoming native Classification feature, which classifies data and tags objects directly in Snowflake without customer data leaving the platform. Using ALTR, customers can automate the discovery and classification process without writing any code.

Access History

ALTR automatically visualizes data from Snowflake’s Access History in both a heatmap and timeline view. You can use this intelligence to audit and report on data access, confirm your governance policies are being enforced correctly, and identify areas where new policies can be applied.  


Through the powerful Snowflake data governance capabilities, Snowflake and ALTR enable organizations to effectively secure, govern, and unlock the full potential of their data. In addition, ALTR’s SaaS platform, no-code technology, and free plan democratize data governance, removing the barriers of long, complex implementations, coding knowledge, and high costs, making it even easier for Snowflake customers to protect their data and get full value from their investment in Snowflake.

Snowflake data governance

Snowflake, the Web's hottest cloud data platform, has enjoyed a rapid rise to popularity because of two major forces in business. The first is the cold reality that businesses of all shapes and sizes must become data-driven or face significant disadvantages in competing with those who are. The second is that, mostly due to the Cloud, users' expectations have changed forever. Technology must be simple: simple to use, simple to buy, simple to grow.

One by one traditional software categories have moved to the Cloud, and this is as true for parts of the cybersecurity software world as any. Still, Data Security stands as one of the last holdouts. For decades it has been dominated by solutions that were difficult and complex to implement, involving infrastructure components that have to be integrated, configured and maintained. They are difficult to administer, requiring complex role/access analysis and maintenance as people and data move constantly in and out of the company. And most of them aren't built to scale massively the way a platform like Snowflake is. This means that when you connect a traditional data security product to Snowflake it is, in the words of a colleague of mine, "like connecting a bicycle to the back of a sports car."

At ALTR we continue to make it our mission to provide the world's most secure cloud platform for data consumption intelligence, governance, and protection in a way that is exceptionally simple. This is why we're so pleased to announce the general availability of our direct cloud integration with Snowflake.

This new integration means you can plug ALTR into your Snowflake instance seamlessly by providing only two pieces of information: the URL for your instance, and credentials that allow ALTR to access it. From there, you simply log into ALTR to instantly gain deep insight into your consumption of data and put in place smart access and consumption controls that protect your business against even the most privileged privacy and security threats. 

Because ALTR is integrated directly into the Snowflake platform, there is no proxy server in between you and your data. You can change anything you do to access data, from using Snowflake itself to using any variety of third party analytics tools or inbound or outbound ETL processes. You can be in any Snowflake deployment, from AWS to Azure to GCP. You can scale massively up, or down. As things change, ALTR will keep pace transparently, continuing to give you observability and control over who is accessing data, and how much of it, in real time.

ALTR + Snowflake. Building out your focus on data, and doing so safely, has never been so simple.

If you'd like to learn more, request a demo or see first-hand how ALTR can work for you by signing up for a free 7-day trial.





Back in September, Lou Senko, Chief Availability Officer at Q2, put out a paper in ABA entitled “Leaping the Innovation Chasm by Securing the Data.” In the 12-page article, he outlines how, too often, security and compliance are viewed as opposing forces to innovation and speed. But when done right, more security and resilience actually lead to faster innovation with less friction and less risk. Here are a few highlights from Lou's article as well as an update on how Q2 is continuing to leverage a security-first approach.

Working with ALTR

Understandably, Lou didn’t want to end up in the headlines as the latest software company to suffer a breach, yet he knew traditional methods of security were no longer working. Company after company keeps bolting on more and more security solutions that take endless resources to manage, hinder performance, and still leave data exposed. Lou decided to take a radical leap. His team at Q2 asked themselves, “What if we just assumed the network was already breached and the bad actors were already inside (a key principle of Zero Trust)? If the data is both the target and the risk point, what if we simply removed it?” That was the “ah ha!” moment: the best way to keep the data safe is to not have the data at all.  

Resolved to remove all of Q2’s sensitive data from their own environment and securely store it in the cloud, his team needed a solution that could isolate and protect all their sensitive data in the cloud while providing intelligence and control over how data is being consumed. They chose ALTR for our proprietary tokenization as a service and for our shared belief that you should treat your sensitive data how you treat your money; using ALTR as an ATM for their data, Q2 could:

  • Provide a view of all transactions (Bank Statement)
  • Create rules and thresholds to mask or limit consumption (Withdrawal Limits or Freezing Accounts)
  • Provide a secure cloud-native vault (Literal Bank Vault)

With ALTR, Lou’s vision came to life. Their data was secure plus they had better visibility and control over data consumption. To learn more about how Q2 uses ALTR to protect their data, read the full case study here.

Working with ALTR, Continued...

But that’s not the end of it.  

Being as innovation-driven as they are, it’s not surprising that Q2 continues to grow rapidly. Looking to maximize the value of their data, they invested in Snowflake’s Data Cloud, and Lou was once again thinking about security and risk efforts associated with a project like this. Coincidentally, their investment in Snowflake corresponded with the availability of ALTR’s new cloud integration for Snowflake.  

To hear the rest of the story and learn how to achieve a security-first approach to re-platforming data in the cloud, sign up for our upcoming webinar with Lou and Snowflake’s Head of Cybersecurity Strategy Omer Singer.

I recently received a gift card to a popular coffee shop – score, right? When I tried to add it to the app to take advantage of the power and convenience of technology, it required my home address! Why would it need to know where I live in order to let me use a gift card I already had? No explanation, but it’s just another example of the kinds of data retailers are gathering. Maybe in the past I would have simply gone along, but like many other consumers, I’m increasingly skeptical of requests for data. This is making it harder for retailers, but also presents an opportunity to build a brand advantage.

Consumer privacy concerns rise right behind retail PII data collection

Retailers and CPG companies can do amazing things for customers with data. At the Snowflake Retail and CPG Data Analytics Forum, I heard how companies can use hurricane forecasts to predict peanut butter purchases – I'm sure buyers making the trip to the store ahead of the storm appreciate having enough jars for everyone! I also heard how values-driven MOD Pizza used Snowflake, Tableau and a focus on privacy to enable their shift to new order channels, support employees, and deliver data-driven family and bundle offers to customers during the COVID-19 pandemic. Collecting and utilizing data to provide better service to customers can build affinity for the brand and deliver a powerful competitive advantage.  

But after the increasing number of consumer data breaches in the headlines in recent years, personal data collection can also raise customer privacy alarms. In an eye-opening 2019 Pew Research Center study, 81% of Americans said that the potential risks they face because of data collection by companies outweigh the benefits. This might be because 72% say they personally benefit very little or not at all from the data companies gather about them. Additionally, 79% of adults are not confident that companies will admit mistakes and take responsibility if they misuse or compromise personal information, and 70% say their personal data is less secure than it was five years ago.  

Potential risks of personal data collection outweigh the benefits

A recent McKinsey survey showed that consumers are more likely to trust companies that only ask for information relevant to the transaction and react quickly to hacks and breaches or actively disclose incidents. Consumers had a higher level of trust for industries with a history of handling sensitive data – financial and healthcare – but lower in other industries including retail.  

Some retailers don’t quite realize the risk, or the opportunity. A separate McKinsey survey showed that 64 percent of retail marketing leaders don’t think regulations will limit current practices, and 51 percent said they don’t think consumers will limit access to their data. This has already been disproven with Virginia and Colorado rolling out state-level privacy regulations in 2021 and proposed federal data protection laws bubbling back up. And Apple’s recent deployment of privacy features including App Tracking Transparency empowers consumers to control what information apps gather about them on their phones.

4 ways for retailers to build trust, strengthen customer relationships, and reduce risk by safeguarding personal data

It’s clear that retailers can’t continue to gather data at will with no consequences – consumers are awake to the risks now and demanding more. This gives retailers a chance to strengthen the relationship with their customers by meeting and exceeding their expectations around privacy.  

If personalization creates a bond with customers, imagine how much more powerful that will be if consumers also trust you.  

Luckily, based on the surveys and studies above we have insights into what customers want and how you can deliver that:  

  1. Apply stricter privacy guidelines: Follow the lead of industries experienced in handling and protecting personal data: healthcare and financial. Adopt the stricter privacy guidelines these industries are already required to follow. It’s clearly working to gain customer trust.
  2. Gather only the minimum necessary information: Collect just the information necessary to carry out the specific activity or transaction the consumer requests. In other words, don’t require my home address in order to use a gift card. This also lowers your company’s risk by limiting the amount of data you are responsible for.
  3. Be open and transparent: Inform consumers and the public when data is misused or leaked. All 50 states have security breach notification laws with guidelines around notifications when personally identifiable information (PII) is leaked, but go beyond what is required by law to show customers and consumers you make their privacy a priority.
  4. Implement a complete Data Governance solution: this needs to include data intelligence, discovery, and classification; automated access controls; consumption visibility, thresholds and alerts; and tokenization of critically sensitive data in order to be complete. This will help retailers ensure that they’re not only meeting privacy regulations, but going the extra mile to minimize the possibility of data leakage, exposure or theft—reducing risk to your customers and your business. And, if you’re using Snowflake Data Cloud to deliver data-driven insights, streamline efficiencies across your company, or create real-time, personalized customer experiences, you can easily add ALTR’s complete Data Governance solution natively to your database.

Reduce your risk and protect the value you’ve created

McKinsey asks the critical question: “How are you managing your data to derive value-creating analytic insight from personalization without causing value-destroying financial or operational loss due to privacy or security incidents?”  

This isn’t just about consumer feelings or preferences – this is about risk to your business. All the value created by utilizing data for personalization can be wiped out in a second with one data incident. Make sure you’re prepared to minimize that risk and actually move your brand forward by building trust with your customers.  

One of the most emotional, exciting and often intimidating journeys in one’s life is the process of starting a family. Couples and singles in the process of seeking reproductive assistance place complete trust in fertility organizations to help grow their families. They want to know that their most critical and personal information is safe from the reach of bad actors.

Egg donor and surrogate search service Donor Concierge recently partnered with us to oversee the data security and privacy integration of its FRTYL platform. The FRTYL platform is a state-of-the-art centralized database that brings a growing repository of surrogates and more than 15,000 egg donors together in one place so they can be matched more quickly with intended parents. The company’s patient-first mission is to create a global software platform that transforms how prospective parents use technology to find third-party fertility options by consolidating services such as sperm donation, embryo adoption, surrogacy, cryobanking, implantation, and pharmaceuticals. FRTYL streamlines every step of the donor matching process, including initial application, acceptance, registration and image uploads, all while reducing the administrative burden that comes with making the right match.

FRTYL’S NEED FOR SECURITY

All of the information being stored, sorted and shared between donors, surrogates, recipients and practitioners is extremely sensitive. And today’s HIPAA regulations impose strict guidelines about how this information can be stored. FRTYL knew that it needed cutting-edge technology that would safeguard their users’ privacy. Security solutions that simply stack software on top of an application only introduce more gaps for a breach of data.

Consider that the cost of cyberattacks last year reached more than 1 trillion dollars, with organizations in the U.S. spending more on cybersecurity than on natural disaster recovery. On top of that, credentialed individuals instigated 58 percent of breaches, making them the leading suspects for insider threats. For FRTYL, the solution had to be bulletproof.

TOKENIZING DATA THROUGH THE CLOUD

Enter ALTR. Through our partnership, FRTYL is the first donor matching service to leverage the powerful data security capabilities of blockchain. We’ve enabled FRTYL to safely store and retrieve data, as well as anonymize it so that it can be used as a trusted resource for parents seeking to build their families. This is done by removing sensitive information from the database, fragmenting and scattering it across nodes in our cloud-based vault called the ALTRchain. All that remains are nondescript tokens that point back to the first piece of the blockchain; there’s literally nothing left to steal from the database. This secure network of nodes makes the data self-describing, quantum-safe and protected from any threat, including those posed by insiders. Since there is no key or map to be stolen, as there is with traditional tokenization and encryption methods, FRTYL ensures their customers’ sensitive data is always safe.

This pioneering approach to protecting FRTYL through tokenization is made possible through Amazon Web Services, the world’s most comprehensive and broadly adopted cloud platform. Because we utilize the AWS cloud to power our technology, we can guarantee our Data Security as a Service (DSaaS) customers that their information will stay private and protected. While the cloud may be formidable to some, our approach makes the cloud a safe place to do business: data is fragmented across storage locations and is unable to be assembled by anyone other than the customer, even those with privileged access to the cloud infrastructure.

We’re helping FRTYL actualize its goal of transforming the way prospective parents use technology to find third-party fertility options. Gail Sexton Anderson, the founder of Donor Concierge and one of the fertility industry’s leading innovators and creative thinkers, told us that our work with FRTYL will give couples and singles “repose that their most precious personal information is protected.”

USING THE CLOUD TO MAKE CLOUD SAFER

With the benefits of the cloud being undeniable, many organizations today feel like they are giving up privacy, control and security for efficiency and scalability. FRTYL is a great example of how our DSaaS approach means you don’t have to sacrifice a thing.

Getting your sensitive data under control doesn’t have to be complicated, time-consuming or costly. In fact, there’s a lot you can do with ALTR’s free plan to know, control, and protect sensitive data quickly so you can move on to more value-adding activities. ALTR lets you see who’s using what data, when, and how much. Within minutes, you can quickly classify data, apply controls, and generate alerts, even block access. Don’t believe me? Let’s review five things you can do in an hour with ALTR.

  1. Automatically classify your data
  2. View every query on your data
  3. Set masking policies
  4. Block access
  5. Receive alerts on anomalies

Protect sensitive data in minutes

1. Classify your data

Before you can govern private data, you need to know which data is sensitive.

First, let’s assume you’ve already set up your ALTR SaaS platform account and have logged in. To classify your data, all you need to do next is connect one of your databases. As you're connecting the database, simply check the option to classify this data. ALTR then categorizes the data and presents a tab for Classification, which is where you can find the data grouped under common data tags.

If you did not classify a database when it was first connected, you can go back later to classify it. Just click the name of the database from within the ALTR screen, select the classify data checkbox, and update your database. In a few minutes, ALTR presents the classification report.

The report shows how data is classified as sensitive. ALTR categorizes the private data into types, such as social security numbers, email addresses, and names. You can use this information to then add controls to any column of data, such as locking or blocking people from access.

You can also allow access, but see every attempt to access the data, known as a query.

2. View every query on classified data

The second way to protect your sensitive data is to use the Query Log function, which lets you know immediately who is trying to do what with your sensitive data. ALTR lists every single query that users executed on your sensitive data: the log includes the exact query and who created it. All of this information is collected in one place, allowing you to filter the queries so you can see immediately what's happening across your company. After the first 24 hours, ALTR presents a heat map that provides a visualization of the activity on your sensitive data. The heat map is updated once a day.

3. Set masking policies

When you’re putting a lock on a particular column of data, you can also add a masking policy. With masking, the goal is to give users only the minimal amount of information they need from the data, nothing more, to provide the most protection possible. In real terms, not everyone needs the same level of access to the same data.

For example, a marketing specialist might need a full email address whereas an analyst only wants to know how many people have a specific service like Gmail, so they just need to see the @domain. They don’t need the entire, fully qualified, email address.

Another common masking technique is to only show the last four digits of the social security number to allow a call center employee to verify your SSN—but they don't need access to the whole thing to verify that you are who you say you are. Masking is a simple yet highly effective way to enable functionality without fear of inadvertently showing the digital crown jewels.

4. Block access to sensitive data

ALTR allows you to add thresholds that prevent or allow access to datasets.

To prevent access, you can set the threshold for a Block action when a rule is met. The threshold rule for blocking could be based on access rate, when someone tries to access the data a certain number of times; a time window, like the weekend; or from a range of IP addresses. You can include other parameters such as user groups that the threshold rule applies to.

5. Generate alerts when sensitive data is accessed

Lastly, to protect your sensitive data, you can also set a threshold to Generate Anomaly, which instead of blocking access, grants access, but also sends an alert that lets you know who is accessing the sensitive data. Similar to blocks, you can establish anomaly thresholds based on access rate, time window, and IP address. For example, you may grant access while sending alerts at a certain time, such as during the weekdays when an administrator is on duty, and block access completely during the weekend or at night. ALTR sends alerts whenever someone tries to access the data.
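
The threshold behaviour described in sections 4 and 5 above (access rate, time window, and IP range, with either a Block or a Generate Anomaly action) can be sketched as follows. This is an added example, not ALTR's code or API: the rule fields, function names, user groups, and query-log entries are all constructed for illustration.

```python
"""Threshold rules replayed over a query log: Block vs. Generate Anomaly."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable


def access_rate(limit: int, per: timedelta) -> Callable[[dict], bool]:
    """Trips when one user makes more than `limit` queries within `per`."""
    seen = defaultdict(deque)              # user -> timestamps still in window

    def cond(q: dict) -> bool:
        window = seen[q["user"]]
        window.append(q["ts"])             # every attempt counts, even blocked ones
        while q["ts"] - window[0] >= per:  # drop entries that have aged out
            window.popleft()
        return len(window) > limit
    return cond


def time_window(weekdays: set) -> Callable[[dict], bool]:
    """Trips on the given weekdays (Monday=0 ... Sunday=6)."""
    return lambda q: q["ts"].weekday() in weekdays


def ip_range(*cidrs: str) -> Callable[[dict], bool]:
    """Trips when the client address falls inside any listed CIDR range."""
    nets = [ip_network(c) for c in cidrs]
    return lambda q: any(ip_address(q["ip"]) in n for n in nets)


@dataclass
class Rule:
    name: str
    action: str                            # "BLOCK" or "ANOMALY"
    column: str                            # sensitive column the rule protects
    condition: Callable[[dict], bool]
    groups: frozenset = frozenset()        # empty set = applies to every group


def evaluate(rules: list, q: dict) -> tuple:
    """Return (decision, names of tripped rules) for one query event."""
    decision, tripped = "ALLOW", []
    for r in rules:                        # no early exit: rate counters must
        if q["column"] != r.column:        # see every applicable query
            continue
        if r.groups and q["group"] not in r.groups:
            continue
        if r.condition(q):
            tripped.append(r.name)
            if r.action == "BLOCK":
                decision = "BLOCK"
    return decision, tripped


def build_rules() -> list:
    """Fresh rule set (rate rules carry state, so build one per replay)."""
    col = "customers.ssn"
    return [
        Rule("ssn-rate", "ANOMALY", col,
             access_rate(3, timedelta(minutes=1)), frozenset({"support"})),
        Rule("ssn-weekend", "BLOCK", col, time_window({5, 6})),
        Rule("ssn-blocked-net", "BLOCK", col, ip_range("203.0.113.0/24")),
    ]


def replay(log: list, rules: list) -> list:
    """Evaluate a chronologically ordered log; one result per event."""
    return [evaluate(rules, q) for q in log]


def _q(ts, user, group, ip, column="customers.ssn"):
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "group": group, "ip": ip, "column": column}


# Constructed sample log. 2024-03-08 is a Friday, 2024-03-09 a Saturday.
SAMPLE_LOG = [
    _q("2024-03-08T09:00:00", "alice", "support", "10.0.0.5"),
    _q("2024-03-08T09:00:10", "alice", "support", "10.0.0.5"),
    _q("2024-03-08T09:00:20", "alice", "support", "10.0.0.5"),
    _q("2024-03-08T09:00:30", "alice", "support", "10.0.0.5"),   # 4th in 1 min
    _q("2024-03-08T09:05:00", "alice", "support", "10.0.0.5"),   # window reset
    _q("2024-03-08T10:00:00", "bob", "analyst", "203.0.113.7"),  # blocked range
    _q("2024-03-08T10:01:00", "carol", "analyst", "10.0.0.9", "customers.email"),
    _q("2024-03-09T11:00:00", "alice", "support", "10.0.0.5"),   # weekend
]

if __name__ == "__main__":
    for q, (decision, tripped) in zip(SAMPLE_LOG, replay(SAMPLE_LOG, build_rules())):
        print(q["ts"], q["user"], decision, tripped)
```

An anomaly rule leaves the decision at ALLOW and only reports its name, which is the point at which an alert would be sent; a block rule changes the decision itself.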

Protect sensitive data in minutes—without code

Regardless of the policy you choose, ALTR allows you to set controls in minutes without code. You can classify sensitive data, block access, or generate alerts as soon as you connect ALTR to your data. Just pick the dataset that you want and apply the rules. You can do a lot within that first hour. And it just gets better from there.

Start now!

Most of today’s workforce is accustomed to working in an office under carefully crafted IT systems. However, the abrupt shift to remote work due to the pandemic has caused a lot of new risks and exposures. Teams are now decentralized, and security is top of mind, so organizations are relying on things like multifactor authentication, remote access, and encryption – but is that really enough?

Since COVID-19, the FBI has seen a 300% increase in reported cyber crimes, which is only accelerating the urgency to adapt.  There is no silver bullet for success in this unpredictable environment, but there are certainly new best practices and lessons to be learned.

At ALTR, we are helping our customers protect valuable data, and we’ve seen first-hand the struggles they are facing. Here are a few questions we are answering for them:

  1. How is data being consumed across our organization?
  2. What can we do if an employee's credentials are stolen?
  3. How do we ensure the security of data in the cloud?

ALTR’s cloud-native service embeds observability, governance, and protection at the code level to close those gaps and improve security, simplify compliance, and increase accountability. This unique approach to data access controls fosters more rapid development and deployment of secure applications, and it enables greater innovation across the entire enterprise.

It’s more important now than ever before to share knowledge and work together to adapt in these uncertain times – that’s why ALTR is participating in IDG’s “New Reality Virtual Tradeshow Series.” It has been a great platform to discuss the new risk and security landscape with peers and other industry experts. The intention of the conference is to have all attendees walk away knowing:

  • How leading CISOs, CSOs, and organizations are currently managing security budgets
  • What actions they’re taking to adapt security to match the new remote working experience
  • How they’re integrating security measures as initiatives accelerate to meet customer needs
  • What you can do now to help set your company up for long-term success

Our own VP of Product & Marketing, Doug Wick, spoke about “Remote Access and the Rising Tide of Sensitive Data.” This presentation and many more are still available OnDemand during the final 2 days of the event (July 28-29). Check out the virtual conference here.

To find out more about how ALTR protects sensitive data across the enterprise, stop by our virtual booth, or read more here.  

How embarrassing: one second you’re trying to provide a third-party vendor with the information they need to perform a very specific task, and the next thing you know you’ve accidentally dangled all of your private data right in front of their eyes. Best case scenario, the vendor is kind enough to turn and look the other way while you put your unseeables back where they belong. Worst case scenario, the vendor exploits your unintended exposure by selling your vulnerability to the highest bidder.

It’s an all too common tale of the 21st century, and something every business should consider since every organization has sensitive data and countless users can access that data. Here’s why it’s so dang hard to keep data protected these days.

Risk 1: Going Global

The operations landscape nowadays is far more complex than those of previous eras. Businesses today rely on their relationships with contractors, vendors, and partners to ensure every facet of their organization is optimized, and many of those relationships are now location agnostic. Thanks to the internet, the entire world has become one big talent pool, but with cloud allowing you to be anywhere, the risk to your data has multiplied.

Risk 2: You Can’t Trust Anyone

It’s not that everyone these days is dishonest, it’s that even your most trusted business partners are capable of making an honest mistake. Without proper tools to secure data, even trustworthy vendors may see more than they should. Take, for instance, the risk posed by third-party application developers. Oftentimes, in an effort to use realistic datasets to build and maintain applications, developers end up accessing production data. This puts the development partner and the business at an increased risk of a regulatory or compliance breach, not to mention detrimental reputation loss. Improper data exposure with partners is common, and everyone from HVAC vendors (in the case of the Target breach) to medical transport providers is seeing more than they should.

Risk 3: Access-Management Tools Are Antiquated

The most common method for protecting private data is controlling access at the application level. This is definitely important to keep the bad guys out, but what about the data itself? Are you also managing what data and how much these users can consume? What happens if the user’s password is guessed or stolen by a cybercriminal? All your sensitive data is now exposed to a malicious third party with credentialed access to as much data as they like.  

Risk 4: User Error

The reason these risks present themselves in the first place is because current solutions fail to focus on what it is that needs protection: data. In essence, these controls are about users, not about protecting the data itself.  Newer methods use dynamic data masking and thresholds so that credentialed users can only see the minimum amount of data they need to perform their jobs and can only access a certain amount of data in a chosen time frame.

Solution: Data Security as a Service

That’s how ALTR’s Data Security as a Service delivers the privacy your data deserves. With ALTR, organizations gain a clearer understanding of the relationships between users and the actual data they are accessing. ALTR also provides format-preserving dynamic masking of data to ensure sensitive data is hidden from unauthorized groups. Lastly, it provides real-time breach mitigation by imposing thresholds on how much data can be accessed based on normal usage patterns. By understanding who is accessing what data, and how much, businesses are better able to secure private data before it is exposed without having to re-engineer applications.

To learn more about how ALTR protects your business, download our complimentary white paper, How to Address the Top 5 Human Threats to Your Data.

In 2018, California passed the California Consumer Privacy Act (CCPA), which grants California residents the right to knowledge concerning the data harvested from them by corporations and control over its dissemination. The CCPA includes six key principles with respect to data protection for California residents, who have the rights to:

  1. Know when companies are collecting their data, and how much;
  2. Know whether any data collector sells or otherwise discloses the data to another party;
  3. Refuse sale of their personal data;
  4. Access any personal data collected;
  5. Demand that personal data previously collected be deleted; and
  6. Not face discrimination for exercising the other five rights.

In other words, if you live in California, you’ve got a right to know what corporations know about you – and the ability to stop them from sharing it with other companies. It doesn’t apply to every company, only to businesses over a certain revenue threshold that make significant profits off of consumer data. But that describes a lot of companies out there, and it probably includes your bank, in part because the CCPA applies to any company that uses the data of California residents whether or not the company itself is located in California.

If you’re steering the company ship, what can you do to comply with the CCPA and protect your reputation? To start, since customers have the right to know what data a company holds and whether it’s sold or transferred to another entity, internal record keeping is more vital than ever. If you maintain accurate records that trace the movement of any given customer’s data in order to be able to provide it back to the customer on request, you’re in good shape.

It also pays to install protocols both for protecting and destroying data, as customers are allowed to refuse the sale of their data or demand it be deleted. Let’s say a customer calls and requests their data be purged. You remove it from your company’s internal system, but then what? To satisfy the customer and remain in compliance with the CCPA, you’ll need to audit vendors or other entities you regularly work with to ensure you’re all securely on the same page. Controlling the data that you share externally in the first place by using a program like ALTR can help. Instead of giving every vendor unchecked access to the entire pool of customer data, ALTR dynamically masks chosen fields and only gives each vendor access to exactly what they need to complete their work. Along with controlling what they see, you can also control how much by imposing thresholds that will block access once limits are exceeded, preventing a breach in real time. Curbing the flow of data this way makes it easier to fulfill those customer requests.

When it comes to customer calls, the CCPA gives companies 45 days to respond to consumer data requests. Creating a team specifically trained to respond to data requests within this timeframe will put your company ahead of the curve. Training a few key employees to efficiently and easily respond to requests will almost certainly be easier than scrambling to comply only after requests have started to pile up. ALTR’s Data Access Monitoring as a Service can help the team to identify who accessed what data, when they accessed it, and how much was viewed, and give that information directly back to the customer in real time. Logging all data requests and responses immutably, you now have an audit trail that makes compliance easy.

While the CCPA does not go as far as its New York counterpart act with respect to potential lawsuits, leaving enforcement primarily to the office of the attorney general, it’s of course better to avoid lawsuits altogether by ensuring you’re in compliance. California will thank you, and so will your customers.

To learn how ALTR is helping organizations like yours, check out our latest CCPA case study.

___________________________________________________________________________________________________

What’s more valuable – your credit card number or your name? It may depend on the situation, but many of us never thought the information about us that’s freely and publicly available – our names, our addresses, our emails – or even less public data like our social security numbers, would be worth something to somebody someday. But the world of data has changed in the last few years, that day is here, and when you look at PII vs PCI, PII data is now worth its weight in credit cards.  

History of PCI Data Security

As recently as the early 2000s, there was no clear way to deal with credit card fraud. Who was on the hook for the purchases made by a scammer with a stolen credit card number? Generally, it was the credit card company. That created an incentive for those companies to impose stronger security on companies that wanted to offer the benefits of credit card payments to their customers. Eventually the industry came together on the Payment Card Industry Data Security Standard (PCI DSS) in 2006.  

In order for merchants and other vendors to be compliant with PCI DSS, they must meet requirements for secure networks and protection of cardholder data, validated by audit. The requirements are scaled by the number of transactions handled, from fewer than 20,000 to more than 6 million annually. Non-compliance can result in fines from some major credit card companies. While compliance with PCI DSS is not required by federal law, it does have the effect of putting a focus on credit card data security.

PII vs PCI: PII Data is More Valuable Than We Ever Realized

Obviously, credit card companies had an incentive to ensure data was secure in order to limit their liability for fraud. But how do PCI vs PII value and risk stack up? What’s the liability for breaches of personally identifiable information (PII)? Until recently, there was very little. One of the reasons was that we simply didn’t realize PII data was valuable.  

Around the same time PCI credit card protections were being implemented in 2006, Facebook was ramping up. While we understood that credit cards could be stolen and used to purchase goods, we were putting our names, our hometowns, our mothers’ names, our dogs’ names, our employers, and our favorite restaurants out there for the world to see without a thought for what could be done with this data.

It turns out that PII data is supremely valuable. In fact, PII, PCI and PHI (personal health information) represent the data treasure trove. Facebook and others turned our personal information into lucrative revenue streams by offering it to third parties for advertising targeting, political research, and more. A study calculated that internet companies earned an average of $202 per American internet user in 2018 from personal data. Many companies use the information they gather about us as customers to send targeted offers to increase sales, create new product lines, or optimize distribution channels.

And the value of PII is not lost on cyber bad actors: PII can be used for everything from fraudulent tax returns to synthetic identity fraud. In fact, when you compare PII vs PCI, PII comes out ahead. Because PII tends to be a longer-term identifier (you don’t change your name or your social security number; it stays with you, just like your PHI health history), it has more value to thieves than credit card numbers that can be easily canceled and reissued.

PII Regulations Mean It Finally Costs Less to Protect PII Than to Lose It

So, while the value of PII is increasing for both legitimate users and bad actors, the penalty for PII breaches is finally increasing as well. All 50 U.S. states now have PII regulations like personal data breach notification laws. Europe’s General Data Protection Law (GDPR), the California Consumer Privacy Act (CCPA), and laws under consideration in 10 states add fines onto direct and indirect costs such as time and effort to deal with a breach and lost opportunities. According to the IBM 2020 Cost of a Data Breach Report, PII data was the most frequently compromised data and more costly than other types. The average cost to companies is now $150 per PII record. The combined costs of a breach now create a significant liability for those companies that gather, hold and share PII data.

The good news is that the cost and difficulty of securing that data is decreasing. Merchants have moved from encryption to tokenization when storing credit card data for its ease of use, low overhead, and the fact that breaches don’t result in data that can be utilized by thieves. Protectors of PII can do the same. Combine that with the increase in compute power promised by Moore’s law and SaaS-based solutions like ALTR’s can deliver low-cost, easy-to-implement data security that democratizes PII security.  

See our complete guide to PII data - How to identify, understand and protect the personally identifiable information your company is responsible for.

It's Past Time to Protect PII data as Stringently as PCI

Just like there was a critical inflection point for PCI data where the amount of theft and fraud drove the credit card companies to require better security, there is an inflection point for PII data where the cost of breaches outweighs the cost of security. And we’ve passed it. Especially as we move sensitive data to the cloud, where access is much more rampant than in your locked-down data center, it’s critical to ensure that data is secure. Breaches are only going to get more expensive, and it’s past time to protect PII as stringently as PCI.

Get started protecting PII, PCI and PHI data in the cloud with the ALTR free plan.

In the Data Management Body of Knowledge, data strategy is defined as a “set of choices and decisions that together, chart a high-level course of action to achieve high-level goals.” Data strategy sits at a critical spot within any organization: you’re defining what you’re going to do with data to reach the business outcomes you want to achieve. In doing so, you must take into account things like your regulatory environment, current infrastructure, and the limits on what you’re able to do with data.

In an article published in Harvard Business Review, the authors view data strategy as having two styles: offense and defense. Offensive data strategy focuses on getting value out of data to build better products, improve your competitive position, and improve profitability, while a defensive data strategy is focused on things like regulatory compliance, risk mitigation, and data security. An organization must make considered trade-offs between offense and defense, the authors propose, as there are limited resources available and attempting to accomplish all of your offensive and defensive goals is akin to having your cake and eating it too.

Here’s the thing: we disagree.

The Harvard Business Review article was published in the spring of 2017, before the privacy regulations we know and love today were in effect, before 2020’s massive shift to the cloud, and before data solidified itself as the critical new trend. The world has changed since then, yet this viewpoint is still echoed by leaders in the fields of data governance and data management as true. It’s time to take a step back and refresh our thinking. Here’s what we know:

Offensive data strategy is now much easier

Hardly anyone knew the name “Snowflake” in 2017, and in 2020 the Cloud Data Platform became the largest IPO by a software company in U.S. history. They did so by offering a simple way for organizations to store and analyze huge amounts of information. They’re not alone, either. Companies like Fivetran and Matillion make it easy to load data into cloud data platforms like Snowflake, while those like Tableau allow you to extract value from data within those platforms. With the shift to the cloud, it’s easier than ever to implement an offensive data strategy. Unfortunately, new and increasing privacy regulations mean your focus is forced elsewhere.

But, you must focus on defensive data strategy

The Harvard Business Review article was right when it said companies in highly regulated environments must focus on defensive data strategies. What wasn’t accounted for in 2017 were the sweeping privacy regulations that have come into effect around the globe. Now, every company is a regulated company and must spend time and resources implementing a defensive data strategy to avoid the costly penalties that come with a data breach. So if you must focus on defense, is there a way to somehow get the best of both worlds?

Simplicity is the key

Defensive strategies must take a page out of the offensive playbook and implement tools for risk mitigation, data governance, and data security as simply as possible. If tools can be implemented as services, without requiring resources to install and maintain, your team can accomplish both your offensive and defensive goals. Further, tools that can mitigate the risk of credentialed threats through proactive security allow you to enhance your offensive capabilities by moving more sensitive workloads to the cloud and sharing data with more teams.

You can have both offensive and defensive data strategies

You no longer have to make considered trade-offs between offensive and defensive data strategies. By implementing a defensive data strategy that mirrors the simplicity of your offensive tools, you can actually increase your ability to get value out of data. In this case, you truly can have your cake and eat it too.

ALTR's cloud platform helps mitigate data risk so you can confidently share and analyze sensitive data. To see how ALTR can help your organization, request a demo or try it for yourself!
