Deterministic Data Masking
Classify, Locate and De-Identify PII Everywhere
Outsmart Risk. Accurately Locate & Consistently Anonymize Sensitive Data in Structured, Semi-Structured, and Unstructured Sources.


Discovery, De-Identification, and Proof
Unsecured data can damage your company's reputation and cost it millions in fines. Award-winning data-centric ("startpoint") security software from IRI has been repeatedly proven in a wide range of breach nullification, privacy law compliance, and DevOps (test data) environments. Use fit-for-purpose IRI data 'shield' products or the comprehensive IRI Voracity platform to find and mask sensitive data -- whatever and wherever it may be --- and to prove that you protected it.
Personally Identifiable Information (PII)
Personally Identifiable Information (PII)
While there is no set list of PII across all privacy laws, there are common elements used across these laws. In short, PII is information, when used alone or with other data, that identifies an individual. Government regulations like SSAE16, SOC2, and the GDPR require that all PII be protected.
List of PII
- Social Security Number
- Credit Card Number
- Bank Account Number
- First Name
- Last Name
- Address
- Zip Code
- Email Address
- Birth Date
- Passwords
- Military ID
- Driver's License Number
- Vehicle License Number
- Phone Number
- Fax Number
Protected Health Information (PHI)
Protected Health Information (PHI)
In medical records, PHI identifies a health care recipient. US HIPAA regulations require that 18 key identifiers be effectively de-identified or anonymized.
List of PHI
- Names
- Addresses / Zip Codes / Geocodes
- Dates
- Phone Numbers
- Fax Numbers
- Email Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate / License Numbers
- Vehicle Identifiers
- Device Identifiers
- URLs
- IP Addresses
- Biometric Identifiers
- Facial Images
- Any Other Unique Identifiers
Primary Account Numbers (PANs)
Primary Account Numbers (PANs)
PAN sare identifying numbers used in credit card transactions. The Payment Card Industry Data Security Standard (PCI DSS) requires card issuers, merchants, and testers to encrypt, tokenize, and otherwise protect this information.
List of PANs
-
There is no list of PANs, as they are unique to individual accounts.
A PAN is a 14, 15, or 16 digit number generated as a unique identifier for a primary account.
Other Sensitive Information
Other Sensitive Information
Information like codes and formulas that constitute trade or military secrets need to be protected. You cannot afford to have this critical data lost in a data breach.
List of Other Information
- Codes
- Formulas
- Trade Secrets
- Military Information
- Classified Information
- etc.
Privacy Laws
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implements industry-wide standards for health care information. Health care providers, organizations, and their associates are required to develop and follow procedures for PHI when it is transferred, received, handled, or shared. It applies to all forms of PHI, including written, electronic, and oral.
GDPR
Under the General Data Protection Regulation (GDPR), all personal data of a citizen from the European Union must be secured. Companies are required to protect any data that can directly or indirectly identify an individual ("data subject"). These identifiers include, but are not limited to:
- Social Security Number
- Credit Card Number
- Bank Account Number
- First Name
- Last Name
- Address
- Zip Code
- Email Address
- Medical Information
- Genomic Information
- IP Address
- Geolocation Data
- Income and Tax Data
- Race, Ethnicity, and Religious Affiliation
- Sexual Orientation
- Trade Union Membership
- Birth Date
- Password
- Military ID
- Passport Number
- Driver's License Number
- Vehicle License Number
- Phone and Fax Numbers
The law also provides citizens with the Right to be Forgotten, or the ability to request that all information about them be removed from a company's possession.
FERPA
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student records and information. FERPA gives rights and protections to parents and eligible students. Once a student reaches 18 years of age or enrolls in a post-secondary institution, he or she becomes an "eligible student," meaning all rights formerly controlled by the parents transfer to the student.
Under FERPA, a school may not generally disclose PII from an eligible student's records to third parties unless the student has provided written consent. Data protected includes PII and no less than the following additional information:
- Student Name
- Student ID Number
- Family Member Names
- Place of Birth
- Mother's Maiden Name
- Student Educational Records
- Immunization Records
- Health Records
- Individuals with Disabilities (IDEA) Records
- Attendance Records
FISMA
The Federal Information Security Management Act of 2002 (FISMA) is a federal law that recognizes the importance of data protection and information security to economic and national security interests. Every federal agency must develop, document, and implement an agency-wide course of action to secure the system and assets that support the agency, including those managed by another agency, contractor, or other sources.
Information that must be protected under FISMAincludes PII and other sensitive information from these categories:
- Medical
- Financial
- Contractor Sensitive
- Security Management
- Other information specified by executive order, specific law, directive, policy, or regulation
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) is a government interagency body that sets uniform principles, standards, and report forms to promote uniformity in the supervisions of financial institutions. Additionally, the Council oversees real estate appraisal.
Banks, credit unions, and other financial institutions are subject to the rules enacted by the Council. In addition to PII and Non-Public Personal Information (NPI), these institutions need to protect:
- Income
- Credit Score
- Collection History
- Family Member PII and NPI
CCPA
The California Consumer Privacy Act of 2018 (CCPA) protects the data of Californians from being collected and mishandled. The law grants the citizens of California the rights to know all the information a business collects on them, to forbid companies from selling their data, to delete their data, and more.
International Compliance
At a minimum, U.S. and international data privacy laws require that PII be encrypted, pseudonymized or otherwise redacted. Beyond finding and de-identifying the key identifiers, you may also have to prove that an attacker of your masked data set cannot trace anyone from its remaining quasi-identifiers. That's why IRI FieldShield also scores re-identification risk. For the GDPR, it can deliver PII in any format you need to meet data portability requirements. Ask us about your mandates.
Multiple Masking Functions
Use the free IRI Workbench IDE built on Eclipse™ to discover, classify, and mask data quickly and easily. Choose to blur, encrypt, hash, pseudonymize, randomize, redact, scramble, tokenize, etc. Match your functions to data classes or column names, and apply your rules consistently to preserve realism and referential integrity.
Role Based Access Controls (RBAC)
Decide and enforce who can access or use specific: data sources and targets; masking rules and job scripts; data classifications and data layout definitions; decryption keys and log files; and, even the very data masking products themselves. Establish different roles for different data sources and different access rights based on those roles. Use roles to segregate administrative functions, too.
Auditability for Accountability
Verifying compliance is easy. Every IRI data masking solution produces query-ready audit logs that you can secure in order to reliably document everything that's been changed, and to verify compliance with data privacy laws without tampering concerns. That is how auditing is supposed to work.
Which Data Masking Product Should I Use?
Fieldshield
Find, classify, mask, and risk-score PII across legacy files, relational and NoSQL databases, cloud apps, etc. with AES-256 FPE, hashing, redaction, pseudonymization, tokenization, etc.
CellShield
Find, report on, mask, and audit PII in one or more Excel® spreadsheets at once.
DarkShield
Discover, deliver, and delete sensitive information in unstructured text files, PDFs, and more.
Voracity
Get data masking plus test data management within a total data lifecycle management platform that consolidates big data discovery, integration, migration, governance, and analytics. In addition to FieldShield, Voracity includes IRI RowGen so you can also create smart test data from scratch for DB/ETL prototyping, PII fabrication, and application stress-testing.
Resources