Laws, Regulation and Compliance
Agencies are required to retain only records necessary for official functions and to dispose of them when they no longer serve a legitimate governmental purpose. Individuals are entitled to access records maintained about them and to request amendments to any inaccuracies.
What is the Privacy Act of 1974
Tom thought he had removed an old project from his computer by deleting it. However, even though the file wasn’t showing up anymore, the actual data was still stored on the hard drive. Over time, as new files were added, the system would eventually overwrite the old data, but this could take months.
Without realizing it, Tom’s deleted file could be recovered easily using basic recovery tools, proving that simply removing it didn’t make it disappear for good.
What is Erasing?
Dr. Lee’s clinic wanted to help researchers study patient trends without exposing personal details. Instead of sharing names or contact info, they labeled each patient with a code like “Patient 23456.” The real names and details were stored separately in a secure system.
This way, researchers could analyze medical records without knowing who the patients were, and the clinic could still link the data back to individuals if needed. It was a smart way to protect privacy while still supporting important research.
What is Pseudonymization?
At a major hospital, the head of the cardiology department was in charge of overseeing all patient heart records. She determined how sensitive the information was, labeled it accordingly, and ensured only authorized staff could access it. She collaborated with IT to establish proper security measures and worked on defining the rules for system usage. When a new research system was introduced, she reviewed access requests and helped assess shared security protocols. Her careful management ensured that patient data stayed protected and the hospital remained compliant.
What is a Data Owner?
At a large company, the IT team installs a system at the edge of the network to monitor outgoing data. One day, an employee tries to send a file containing sensitive customer information via email. The system detects the restricted data, prevents the file from being sent, and sends an alert to the administrator. This stops a potential data breach and ensures the company’s sensitive information remains secure. A similar setup can be used for data stored and shared online.
What is a Network-Based DLP ?
Jenna sent a private email, unaware someone had accessed it without permission. Luckily, a law protects electronic communications, making it illegal to intercept or access messages like emails or voicemails without consent. Thanks to this, Jenna's privacy was defended and the intruder held accountable.
What is the Electronic Communications Privacy Act of 1986
Jane was getting ready to sell her old laptop and wanted to make sure no personal data was left behind. She used a method to overwrite the entire hard drive with random data, thinking it would completely remove any traces of her information.
However, she soon learned that even after overwriting, there were still ways for someone with the right tools to recover parts of her original data, especially from hidden areas on the drive. Modern storage devices, like SSDs, don’t always handle the process well, leaving some data behind.
In the end, Jane realized that while her method made it more difficult to retrieve her information, it wasn’t guaranteed to erase everything, and she’d need to be extra cautious before selling the laptop.
What is Clearing?
Becky linked her credit card to a mobile wallet on her phone. Instead of storing the actual card number, the system generated a unique code tied to it and stored the real details securely.
When she bought coffee, her phone sent the code to the checkout system, which passed it to the credit card processor. The processor matched the code to her real card in a secure vault, approved the payment, and credited the café.
Since only the code was shared, her card number stayed hidden, reducing the risk of theft—even if someone intercepted the code, it wouldn't work elsewhere.
What is Tokenization?
At a large retail company, the head of the IT department was in charge of the web servers, while the database administrator was responsible for the back-end database. Both departments worked closely to ensure customer data was handled securely. The IT manager coordinated with the database team to develop and maintain security plans, making sure the servers followed the necessary protocols. Whenever significant changes were made, they updated the security plans accordingly. Both teams also ensured employees received training on security policies. This collaboration kept sensitive customer information safe, whether stored, in transit, or in use.
What is an Asset Owner?
At Microsoft, the IT team implements a system to monitor data on employee workstations. One day, an employee tries to copy a sensitive document to a USB flash drive. The system detects keywords in the file, blocks the transfer, and sends an alert to the administrator. It also regularly scans files on the network, ensuring that any unauthorized files or sensitive data are flagged and prevented from being shared or printed. This proactive approach helps safeguard confidential information across various devices.
What is Endpoint-Based DLP ?
Alex, a young dinosaur fan, visits a fun website that asks for his name and email. But before collecting any info, the site must notify his parents and get their permission. That’s because a law protects kids online by requiring websites to get parental consent before collecting personal data from children. Thanks to this rule, Alex can explore safely while his privacy stays protected.
What is the Children’s Online Privacy Protection Act of 1998
Tom was tasked with preparing old office hard drives for reuse and needed to ensure no data could be recovered. He used a method that involved overwriting the drive multiple times and even used a machine to disrupt the magnetic fields, making the original data unreadable.
However, he soon learned that for the most sensitive information, such methods weren’t considered secure enough. For example, the U.S. government requires that top-secret data be destroyed physically, no matter what process had been used.
Tom realized that while his method worked for most cases, certain levels of security demanded more extreme precautions.
What is Purging?
A company moved its data storage to the cloud but wanted to make sure everything uploaded was encrypted. To manage this, they set up a system that sat between users and the cloud, watching all traffic.
When employees accessed or uploaded files, the system checked permissions, enforced encryption, and logged all actions. One day, it flagged a new cloud service someone tried to use without IT’s approval. This helped the company detect and block unapproved tools, keeping their data safe and their policies enforced.
The sales department ran online operations that depended on systems managed by IT and developers. When security upgrades were proposed, sales weighed the risk of breaches against potential revenue loss from slower performance. Though they didn’t manage the servers, they controlled how the systems were used to generate income. Their job was to ensure the systems supported business goals without unnecessary risk or cost.
What are the Business / Mission Owners?
A software company implements a system to monitor the usage of its product. One day, the activity log detects that a user is logged in from two different countries at the same time. The system flags the activity as suspicious and alerts the security team, who investigate and confirm that the license was being shared improperly. With the usage log in place, the company can quickly identify and address unauthorized use, protecting both their product and revenue.
In 1999, a major change happened in the financial world. Before then, banks, insurance companies, and credit providers couldn’t share much information with each other. But with a new law, these institutions could now offer more services and share certain information, making it easier for customers to access a range of financial products.
However, lawmakers were cautious about privacy. They knew that the relaxed rules could risk customer data being misused. To protect people, the law required banks and other financial institutions to give customers clear privacy policies, explaining how their information would be used and protected.
Thanks to this law, financial institutions could collaborate more, but customer privacy remained a top priority.
What is the Gramm–Leach–Bliley Act of 1999
Sarah was cleaning out old backup tapes at work and used a method to erase the data, returning the tapes to their original state. The process successfully wiped the tapes clean.
She also tried the same method on an old hard disk, thinking it would work the same way. However, the process damaged the drive's electronics, making it unusable. While the electronics were destroyed, Sarah realized that someone could still recover the data by opening the drive in a controlled environment and transferring the platters to another device.
Sarah learned that while the method worked for tapes, it wasn’t reliable for hard drives.
What is Degaussing?
Maya’s novel blew up overnight. The digital version hit bestseller lists, and things were looking good—until someone grabbed a copy, stripped the protections, and uploaded it to shady sites.
Soon, her book was everywhere—bootlegged, resold, and passed around for free. People claimed they had her permission, but she never gave it. Sales tanked while strangers profited off her work.
To fight back, Maya started embedding hidden data in her files to trace leaks, locked access with time limits, and required readers to stay connected for verification. It didn’t stop every pirate, but it slowed them down—and helped her regain some control.
What is a Digital Rights Management (DRM)?
An executive defines the sensitivity of company data but delegates its protection to the IT team. A system admin steps in—backing up files, managing permissions, and maintaining audit logs. While not the decision-maker, this admin ensures the data stays secure and intact behind the scenes.
What are Data Custodians?
Sarah just bought a new music streaming app that requires an internet connection to function. Each time she opens the app, it automatically connects to the app's server to verify her subscription. If the app can’t authenticate her credentials, it won’t allow her to access any music. One day, when Sarah’s internet cuts out, the app blocks access until it can reconnect to the server, ensuring only authorized users can use the service.
What is Persistent Online Authentication ?
At a local high school, Sarah’s parents were always involved in her education, but once she turned 18, things changed. Under a law that protects students’ privacy, Sarah now had control over her own academic records. If her parents wanted to access her grades or disciplinary records, they would need her permission.
This law, which applies to nearly every school that receives federal funding, ensures that both students and their parents have privacy rights when it comes to educational records. It gives Sarah the ability to manage who sees her personal information, even as she steps into adulthood.
What is the Family Educational Rights and Privacy Act
Mark worked in a secure facility handling sensitive data. When it was time to dispose of old hard drives, he didn’t just delete the files or wipe them—he physically destroyed them. Some were shredded, others crushed or even dissolved with chemicals.
For the most classified drives, Mark removed the internal platters and destroyed them separately to ensure nothing could be recovered. He knew that once the drives were destroyed, there was no way to reuse them or extract any data—making it the most secure way to protect information.
What is Destruction?
A research team wanted to study actor salaries without exposing personal identities. They deleted names from their database, thinking it was anonymous. But a curious analyst noticed that one unnamed actor had starred in over 70 specific films—just like Gene Hackman. By matching movie patterns, the analyst could infer exactly how much he made per film.
Realizing the risk, the team switched to a smarter approach. They scrambled details like age and salary within columns, so while no real record matched a real person, the overall trends remained accurate for analysis. This let them study the data without risking anyone’s privacy.
What is Anonymization?
A company collects employee data to run payroll — they decide what’s collected, why, and how. That makes them the one in control. But they hire a payroll firm to handle the payments — this firm processes the data only on their instructions. If the processor misuses the data or transfers it outside the EU without proper safeguards, the controller is still accountable under GDPR. That’s why many firms now have a data privacy officer to ensure they stay within legal lines.
What are Data Processors / Data Controllers?
You purchased a movie online, and with the download, you received a small file containing the terms of use. This file also included a decryption key that allowed you to access and view the movie. Without the key, the file remained locked, ensuring only authorized users could watch it according to the set rules.
What is a DRM License?