The new set of privacy laws that went into effect in California on January 1 affects companies in and outside of the state – across the US and even around the world. A somewhat similar set of rules went into effect in Europe in 2018. Its effects are also felt well beyond European borders, by all companies above a certain size that provide services to Europeans.
For the most part, these laws are designed to protect individual consumers’ privacy. Both the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR) include the "right to be forgotten." It entitles every consumer to request that a company delete all the information it has collected about them, with a few exceptions, such as cases where the data needs to be retained to comply with other requirements.
If IP addresses are collected for cybersecurity purposes, for example, to ensure that only legitimate users are accessing data and systems, the information falls under one of the nine exceptions to this provision of the CCPA.
In most companies, it will be up to the individual business units, with the help of IT, legal, and marketing, to manage collection of consumer data and create processes to delete it on request. Does this mean data center managers are off the hook and can ignore CCPA?
Data Center Customers Have Privacy Rights Too
Boston-based Iron Mountain provides data center services, data storage, and backups to nearly every company in the Fortune 1000. But it also provides services to individuals, said Michael Zurcher, the company’s global privacy officer. And it has employees in California.
For those two reasons, Iron Mountain falls under CCPA, but for most of its business CCPA is only indirectly relevant, he said.
"The CCPA really focuses on the organization that has the relationship with the individual," Zurcher said. "We don't have access to the information on the servers – we just provide the infrastructure. But the data itself, that's typically not something that we can touch or have access to."
So, what happens if an employee at a client company asks Iron Mountain to delete all their personal data? That would cause problems, said Zurcher.
"If a customer's employee is disgruntled, and the final act they do is to order Iron Mountain to destroy all the customer's boxes, we need to be able to retain that record, the instruction to delete the data," he said. "If they say, delete everything about me, then there's no way of tracing it back. Our customers would not be very happy if they didn't have an audit trail."
Fortunately, he said, the CCPA provides an exception for this. While there's no generic exception for B2B businesses, in October the CCPA was amended to include a provision specifically exempting personal data of business customers’ employees.
Record-Level Data Deletion
Data center managers are often asked to delete data or restore data from backups. Until now, these requests have typically been for entire files, or even full accounts, rather than individual records.
For example, a customer switching data center providers may transfer all their data to a new vendor and ask the old vendor to wipe their servers. In another example, a customer that suffered a ransomware attack or a server crash could ask to restore the last backup. An employee could also accidentally delete important files and ask to get them back.
Larger data centers may have automated processes in place to handle these kinds of requests. When individual records are deleted, it's usually through an application that accesses the data, not at the data center level.
Under CCPA, however, the requests to delete all the data on particular customers may come outside of traditional channels, require deletion across multiple systems, and at a scale too large to handle through existing processes.
Data center managers may be required to step up and provide tools to ensure that the record deletion request is property authenticated and then executed across all storage platforms and environments.
Errors can be costly. Not deleting all the data that falls under the scope of the law could be a compliance violation. Deleting the wrong data could hurt business.
Deleting the key that unlocks encrypted data is as good as deleting the data itself. Unfortunately, most data management systems today encrypt entire files or in some cases individual fields – for example, all the social security numbers might be encrypted.
It's not common to find a platform that will encrypt all of John Smith's data under one key and all of Jane Doe's data under another. But that is likely to change, and data center managers may want to keep an eye on this technology, either for on-prem data stores or for cloud-based deployments.
Finding the Data
The first step to deleting customer data is of course finding it.
"One of the issues that data center managers have is that they don't know where all their data is," said Ameesh Divatia, CEO at Baffle, a Santa Clara-based data security company.
There are tools available, he said, that can help companies search all their storage and data repositories for personal data that falls under the GDPR or CCPA definitions.
"It's a massive data management problem," he said.
Backups: A Gray Area
Data backups are one of CCPA and GDPR gray areas.
For example, if John Smith's data stored in a live database also exists in an off-site backup, the backup needs to be erased, since the company may switch to it at any time.
But what if the backups are on magnetic tape and hard to get to? This is one of the most challenging aspects of CCPA, said Avinash Ramineni, CTO at Kogni, an Arizona-based security vendor. In some cases, companies have chosen to wait until the guidelines are clearer, which can take years.
“A lot of companies are making their best effort to take the data out of databases and file shares,” he said. “But with backup storage and tapes, they are in a wait-and-watch mode.”
One workaround for medium-term and long-term backups is to not erase backup data when the deletion request comes in, but if it is ever restored, delete it before it’s put back into use.
Cloud Providers Lagging
If the data is stored in the cloud, are cloud providers stepping up?
For the most part, no. The ones that say that they are CCPA-compliant typically mean that they protect privacy of their own customers – not that they've set up CCPA-compliant processes to search through your data and delete records.
"One of the challenges is that it depends on how the data is stored," said Ramineni. Other than in SaaS environments, the enterprise itself makes those decisions. Cloud infrastructure providers provide the databases, but it's the enterprise users who decide what data is stored in those databases, and who creates applications to access it.
Cloud providers offer file-level deletion but don't usually have an easy, automated way to find and delete individual records.
"The way that companies use and store data is very different and specific to their business processes," Ramineni said. "It's a little onerous on cloud providers to offer something generic. But they do provide you with some low-level tools that require companies to build their own workflows to enforce the right to deletion."
New Business Opportunities
The CCPA and other privacy laws coming down the line are putting increased pressure on companies to take privacy seriously.
This could be an opportunity for forward-thinking data centers to improve the data management tools they offer to their business users – or to sell new data management services to external customers.
"If you're running a data center for multiple clients, your CCPA risks are significantly less," said Chris May, a leader in the forensic practice at Deloitte Risk and Financial Advisory.
That's because it's the data owner that bears the primary responsibility for protecting that data, he said. But data centers could help their customers with this new responsibility.
"You might want to think about using this as a differentiator," he said.