In this blog post we will cover the topic of inadvertent sensitive data exposure, then cover how the ServiceNow platform equips our customers with purpose-built privacy tools that help with discovering, labeling and anonymizing sensitive data.
Understanding Sensitive Data Exposure
Inadvertent disclosure of sensitive data occurs when confidential information, such as social security numbers (SSNs) and credit card numbers (CCNs), is inadvertently accessed by unauthorized individuals. Such occurrences predominantly stem from human error or system misconfigurations rather than malevolent intent.
Within the context of the ServiceNow Platform, agents may inadvertently interact with SSNs, CCNs, and phone numbers while fulfilling workflows. Allowing such data to reside in various tables on the platform without proper safeguards can lead to unintentional sensitive data exposure.
While organizational policies to minimize the exchange of sensitive information (between a requestor and fulfiller) are an effective means of limiting exposure in the first place, they need to be met with compensating controls to avoid putting your ServiceNow instance at risk from both a regulatory and security compliance perspective.
Impact of Inadvertent Sensitive Data Exposure
Before we explore steps to mitigate risk, let’s recap the impact of sensitive data exposure.
1: Non-compliance with regulations: When sensitive data is exposed, an individual's privacy is compromised. This could be a workforce employee’s or consumer’s data. Regulations like the General Data Protection Regulation (GDPR) mandate specific security measures for protecting sensitive data. Exposure of sensitive data can result in privacy violations. Other regulations and standards include the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection and Electronic Documents Act (PIPEDA), and Payment Card Industry Data Security Standard (PCI DSS). The key takeaway is that organizations are expected to comply with these regulations, including in inadvertent exposure scenarios.
2: Loss of reputation / damage: Data exposure and mishandling of sensitive data can erode trust and confidence in the organization among customers, partners, and stakeholders. Once trust is lost, it can be challenging to regain, leading to long-term reputational damage and loss of business opportunities. There are numerous case studies of organizations that faced challenges with repairing customer trust and the costs associated with remediation of data exposure incidents and recovery of revenue.
3: Risk of unauthorized access: Unauthorized access to sensitive data could lead to various negative outcomes, such as data breaches, financial loss, identity theft and reputational damage. Sensitive information can often be the starting point in a larger, more coordinated attack aimed at account takeover and identity fraud beyond just extracting financial information like CCNs.
ServiceNow Inadvertent Sensitive Data Exposure Solutions
ServiceNow provides Data Privacy solutions that include three main aspects of safeguarding sensitive data on the platform, whether it be workforce or consumer data residing in a ServiceNow instance. These are offered as two different packages and are intended to be a comprehensive solution to data privacy needs.
- Data Classification (foundational to the ServiceNow platform) for establishing data governance around sensitive data on an instance. A foundational starting point for organizations to label/tag their data based on different compliance standards such as PCI DSS, HIPAA, SOX, and/or GDPR for data on the ServiceNow platform.
- Data Discovery (part of a ServiceNow Vault or ServiceNow Data Privacy bundle) for scanning and detecting where sensitive data may live on an instance. A common use-case is creating a pattern for detecting credit card numbers and running regular scans to detect if a CCN has been introduced and anonymizing the data.
- Data Anonymization (part of ServiceNow Vault or ServiceNow Data Privacy bundle) for taking steps to safeguard, secure and handle sensitive data on an instance while preserving data context. Anonymization removes PII identifiers that can be linked back to an identity and permanently removes values from the database. A common use-case is preventing sensitive data leakage in lower environments by scheduling a Data Anonymization job as part of a clone. Another use-case is complying with “Right to Be Forgotten” when an employee is no longer part of the company and the organization would like to limit the legal liability, or if the request is in accordance with GDPR RTBF initiated by the user.
As part of the Washington release, we expanded our offerings of the Data Privacy store app by introducing real time data discovery and real time data anonymization APIs. In combination with business rules or flow designer they allow for instant discovery and anonymization. With real-time privacy APIs, sensitive data can be properly handled as soon as it is inserted in a particular table/column. For example, you can choose to anonymize sensitive data in an incident after 3 months of closure or anonymize sensitive data as soon as a case is closed.
(The illustrations demonstrate a request/incident before and after sensitive data was inadvertently added to an incident and how ServiceNow Data Privacy APIs were leveraged to anonymize the data without removing the context of the description.)
Preventing Inadvertent Sensitive Data Exposure in Practice
So how do you put all these components into practice? There are 3 key steps organizations should consider taking to prevent inadvertent sensitive data exposure.
- The first step is to add checks in common places where sensitive data may show up, like emails, incident descriptions, comments, chat etc. These may include User Tables, such as “sys_user”, “sys_user_group” or HR Tables like “hr_employee”, “hr_profile” that house PII. It also may include tables like “incident” and “sc_request” that are part of ITSM. Creating an inventory of data using Data Classification is a vital step in establishing Data Governance around sensitive data. Data Discovery scans your instance for potential sensitive data based on data patterns (regular expressions, keywords, etc) to be used both as a starting point and as part of a continuous lifecycle of sensitive data discovery. The combination of Data Classification and Data Discovery as a two-pronged approach is the ideal first step. The bottom line is that a comprehensive audit is needed to identify where sensitive data already exists, which may offer clues about where and how it might be introduced.
- Once you have these checks in place, automating your compensating controls without disrupting business operations is key. Data Anonymization supports multiple structure- and format-preserving techniques that can help keep the last 4 digits of a Social Security Number or the first and last 4 digits of a credit card number to keep the business running without overexposing sensitive data. Accepting that inadvertent sensitive data may be introduced to your instance and having rules in place to handle it to mitigate the risk – that’s due diligence and due care.
- The last step is to acknowledge that protecting against inadvertent sensitive data exposure is a cyclical process that requires identifying new entry points for data and introducing new patterns to discover. Remember to schedule regular Data Discovery scans and detect where sensitive data is saved on the platform. As compliance and regulation standards continue to evolve, it’s important to stay proactive in planning how they will impact your data handling processes. There are several resources that track global privacy legislation and can help you determine what actions to take. The key is to track what data resides on your instance(s) and which regulations and compliance standards apply, and then determine the proper way to handle the data.
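The pattern-based discovery and format-preserving masking described in the steps above can be sketched in plain JavaScript. This is an added example, not ServiceNow code and not the Data Privacy APIs; the patterns, function names and sample text are assumptions constructed for illustration.

```javascript
// Added illustration in plain JavaScript; it calls no ServiceNow API.
// Patterns and function names are hypothetical.

// Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
const CCN_PATTERN = /\b\d(?:[ -]?\d){12,18}\b/g;
// US SSN written as AAA-GG-SSSS.
const SSN_PATTERN = /\b\d{3}-\d{2}-\d{4}\b/g;

// Luhn checksum filters out digit runs that only look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace digits with 'X' except the first keepHead and last keepTail digits.
// Separators are left alone, so the value keeps its original format.
function maskDigits(value, keepHead, keepTail) {
  const total = value.replace(/\D/g, '').length;
  let seen = 0;
  return value.replace(/\d/g, (d) => {
    seen++;
    return seen <= keepHead || seen > total - keepTail ? d : 'X';
  });
}

// Discovery records each hit; anonymization masks it in place and keeps the context.
function discoverAndAnonymize(text) {
  const findings = [];
  let out = text.replace(SSN_PATTERN, (m) => {
    const masked = maskDigits(m, 0, 4);          // keep last 4 digits
    findings.push({ type: 'SSN', masked });
    return masked;
  });
  out = out.replace(CCN_PATTERN, (m) => {
    if (!luhnValid(m.replace(/\D/g, ''))) return m; // e.g. an order number
    const masked = maskDigits(m, 4, 4);          // keep first and last 4 digits
    findings.push({ type: 'CCN', masked });
    return masked;
  });
  return { text: out, findings };
}

// Constructed sample incident description (test card number, fictitious SSN).
const sample = 'Refund to card 4111 1111 1111 1111, SSN 078-05-1120, order 1234567890123.';
```

The 13-digit order number matches the card pattern but fails the Luhn check, so it is left intact; a pattern without that check would produce a false positive and destroy useful ticket context.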
If you are interested in taking these steps to safeguard your organization, let ServiceNow help you learn more, and when you are ready, work with our customer teams to help guide you to acquiring these solutions.
What’s Next?
- Watch our real time data discovery and real time data anonymization APIs as part of our What's new in the Washington DC release: Platform Privacy & Security
- Want to get started with data classification and start protecting sensitive data? Try out the Data Privacy Store App (Includes Classification and Anonymization) in sub-production.
- Need help with discovering sensitive data? Try out the Data Discovery Store App
- A defense in depth approach is required to safeguard sensitive data; for example, there are times when data encryption is a better choice than data anonymization. Check out ServiceNow Vault, which is a suite of products that includes Data Privacy, Encryption, Log Export Service, Zero Trust Access, and Secrets Management.
- Engage with us in the comments, tell us your Data Privacy use-cases and how you are going about mitigating the risk of introducing inadvertent sensitive data.