Client Privacy Issues - High Stakes Game
Failed Redactions Create Lawsuit Risk
by Michael David McGuire
The unintentional release of sensitive client data has become one of the most underestimated lawsuit risks for those in the medical, legal and financial industries. Damages can range into the millions of dollars. Losses to business through disclosure of sensitive financial data can be even higher. A recent article in the ABA Journal suggests that the problem of failed redactions may be far more widespread than is now acknowledged. In one study earlier this year at Princeton University, Timothy Lee, a PhD candidate in computer science, found failed redactions in almost 20% of the redacted documents he identified in Princeton’s document collection. These failed redactions included names of court witnesses, jurors, sensitive personal information and trade secrets. The negative ramifications for major firms are obvious… but the implications for smaller businesses are even more devastating.
As we have seen in the recent past, a failed redaction can leak sensitive financial information that can greatly affect stock price and company valuation. But this problem does not end at Wall Street. Tighter privacy regulations… including the broad new HIPAA rules… make redaction failure an issue that touches the core of Main Street. From the corner pharmacy… to the local real estate agency… to dental offices, single provider medical practices and small regional hospitals… a single lawsuit caused by a failed redaction could mean the difference between continuing in business or not.
Many small firms are still redacting documents manually… a process that is prone to failure caused by a range of issues from variation in ink application thickness to worker error, eye strain and/or fatigue. Automatic redaction software has been considered unaffordable or unmanageable by many small businesses for many years. The concern has centered on the high cost of software relative to the small number of redactions needed… and the complications associated with requiring existing staff to learn a completely new computer program. But now, one San Francisco-based technology company thinks they have found a solution that meets the budget and staff concerns of small business… while protecting those same business owners from the liability associated with failed redactions.
“This system works just like sending an email,” said Andy Ferguson, Code Origami CEO and head concept guy. “It uses exactly the same copy, cut and paste functions of any word processing program.” In a recent online demonstration, Ferguson took a stack of twelve IRS 1040 Forms and was able to create a redaction parameter that only took out the filers’ names and Social Security numbers. The entire process… through each document… was complete in less than three minutes. With the same un-redacted 1040 Forms, Ferguson then changed the redaction parameter to include the redaction of all financials… an obviously more complicated task. Once again the redactions were 100% complete… taking only a few seconds longer than the earlier, simpler redaction.
“One lawsuit… or even the threat of a lawsuit… can do great harm to small business,” Ferguson said. “Our goal is to cut that risk… at least from failed redactions… down to zero.” Ferguson’s proprietary software approach is called InfoRazor… and costs a business, no matter the size, less than a hundred dollars a month. “I’m really proud of what we’ve created. And I’ve seen first hand how our clients are not only better protected… but actually seeing significant reductions in staff costs associated with document redaction.”
Other automatic redaction software programs are offered commercially; however, Ferguson claims that no other program is as effective or as easy-to-use. “With our InfoRazor redaction software we found the right balance between cost-effective results and a user friendly approach. I know we’re saving our small and medium sized business clients thousands of dollars a year in staff costs associated with manual redactions. For me, though, the peace of mind we offer… against the threat of privacy related lawsuits… really makes this all worthwhile.”
Ferguson’s company even offers an online “play space” to test the InfoRazor redaction technology for free. “Lots of people will check out our Code Origami web site to just play around taking out different words… or people’s names. When they see how easy it is to use… we almost always get a new customer.”
Readers are invited to “test drive” the new InfoRazor automatic redaction software by going to CodeOrigami.com. Additional product information is available by calling Code Origami at (415) 267-1880. Michael David McGuire is a New York-based journalist covering new technology issues. Mr. McGuire can be reached at (323) 656-3000.
New InfoRazor Server Feature: Reasons
June 14, 2011 by codeorigami
You are almost always choosing to Redact something for a reason. Whether it be a client’s name, social security number, other personally identifiable data, or whatever, you have a reason for removing it.
Often, keeping the context of that data can make the redacted document a lot more readable.
An example of this is if you have the following sentence:
When I walked in the room, Harry had Jim pinned to the floor. Michael pushed Harry and Jim ran out the back door.
If you Redact the names, you get (XXXX denoting a Redaction):
When I walked in the room, XXXX had XXXX pinned to the floor. XXXX pushed XXXX and XXXX ran out the back door.
We’ve lost the context and don’t really know who did what to whom.
If we Redact again and this time add Reasons, we can still see the flow of the story, even if we don’t know the names. As follows:
When I walked in the room, XP1X had XP2X pinned to the floor. XP3X pushed XP1X and XP2X ran out the back door.
Now we can see the flow of the document and understand the scenario much better.
We have implemented this in InfoRazor Server by way of a tag, and this is how it works:
Your phrases to Redact
——–
Harry<reason=P1>
Jim<reason=P2>
Michael<reason=P3>
——–
The reasons are, of course, totally optional.
Sometimes you need to state the reason for removing the text for legal purposes, especially for FOI. This means you need to state things like “this text was removed due to Section 34 of the Privacy Act”.
The way you would do this is the same as above:
Betty Jones<reason=Section 34>
The Redacted area would now have “Section 34” stamped on it.
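A small sketch of the tag format described above, added here as an illustration and not InfoRazor's own code. It assumes one phrase per line, whole-word and case-insensitive matching, and the X…X text rendering used in the story example; `residual` is a hypothetical post-redaction check.

```python
import re

# Constructed phrase list in the post's "phrase<reason=LABEL>" form.
PHRASES = """\
Harry<reason=P1>
Jim<reason=P2>
Michael<reason=P3>
Betty Jones<reason=Section 34>
Acme Holdings
"""

LINE_RE = re.compile(r"^(?P<phrase>.+?)(?:<reason=(?P<reason>[^<>]+)>)?$")

def parse_phrases(listing):
    """Map each phrase to its reason label, or None when no tag is given."""
    rules = {}
    for line in listing.splitlines():
        line = line.strip()
        if line:
            m = LINE_RE.match(line)
            rules[m.group("phrase").strip()] = m.group("reason")
    return rules

def _pattern(rules):
    # Longest phrase first, so "Betty Jones" is tried before a shorter "Betty".
    ordered = sorted(rules, key=len, reverse=True)
    return re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, ordered)), re.I)

def redact(text, rules):
    """Replace each phrase with XXXX, or X<reason>X when a reason is set."""
    labels = {p.lower(): r for p, r in rules.items()}
    def stamp(m):
        reason = labels[m.group(0).lower()]
        return f"X{reason}X" if reason else "XXXX"
    return _pattern(rules).sub(stamp, text)

def residual(text, rules):
    """Post-redaction check: phrases that still appear in the output."""
    return sorted({m.group(0) for m in _pattern(rules).finditer(text)})

if __name__ == "__main__":
    story = ("When I walked in the room, Harry had Jim pinned to the floor. "
             "Michael pushed Harry and Jim ran out the back door.")
    print(redact(story, parse_phrases(PHRASES)))
```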
We hope this helps you save time and money.
When PDF Redaction Goes Wrong
April 26, 2011 by codeorigami
There have been some rather high-profile information leaking incidents since electronic documents, or “native files”, became much more commonly used.
Some of these have come from the highest levels of government.
This is not a shortcoming of the PDF format, but rather of how people expect it to work and how it differs from the tools they have used in the past.
Let’s look at a brief history of the art of Document Redaction and how these problems come about.
Traditionally, Redaction was performed on paper documents by cutting strips of paper or tape and sticking them over the words to be removed from the document. The document was then photocopied again so that the information was permanently obscured and could not be seen underneath.
The next phase saw the use of scanned images, mostly TIFFs, which were then often hosted in a system and used as “electronic documents”. These are usually quite easy to Redact, as tools exist that allow boxes to be drawn on top of the image in a layer. These layers are then “merged” or “flattened” with the underlying image, so that the area the redacted words occupied is changed entirely to black dots or pixels. The words no longer exist in the document.
PDF, on the other hand, is an awesome format, but it was really designed for printing. Its drawcard is that it looks pretty much the same anywhere. It is very descriptive about its layout and positioning. PDFs were not designed to be edited. People often say if you need to edit a PDF, you should go back to the source document (MS Word, etc.), edit that, and republish to PDF.
The trick with PDFs is understanding that when you draw a black box over words in a PDF, the text underneath is not removed. This is equivalent to applying the tape to the paper document and handing that over to the public. The public can essentially lift the tape and read what is underneath. Even if you merge the layers in the PDF, the actual text still exists and can either be “Copy/Pasted” into another document, or seen if the viewer’s computer is a little slow, as it may render the text before the covering boxes.
A product like InfoRazor Server removes the text underneath the boxes; the boxes themselves are added only for decoration, as this is a convention people are used to.
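The difference between covering text and removing it can be checked before a document is released. The following is an added example, not code from InfoRazor or the original post: it builds two constructed PDF stream objects (one with a black box drawn over the name, one with the text operator removed) and reports which sensitive phrases are still present as text. It assumes simple literal strings, a direct /Length and Flate or no compression; a production check should use a full PDF parser.

```python
import re
import zlib

def make_stream(ops, compress=False):
    """Wrap page operators in a PDF stream object (constructed sample data)."""
    data = zlib.compress(ops) if compress else ops
    filt = b"/Filter /FlateDecode " if compress else b""
    head = b"4 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(data)
    return head + data + b"\nendstream\nendobj\n"

DICT_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
TOKEN_RE = re.compile(rb"\((?:\\.|[^\\()])*\)|\b(?:Tj|TJ)\b")

def content_streams(pdf):
    """Yield decoded stream bodies; assumes a direct /Length and Flate or no filter."""
    for m in DICT_RE.finditer(pdf):
        length = int(re.search(rb"/Length\s+(\d+)", m.group(1)).group(1))
        body = pdf[m.end():m.end() + length]
        yield zlib.decompress(body) if b"/FlateDecode" in m.group(1) else body

def shown_text(stream):
    """Join the literal strings passed to each Tj/TJ text-showing operator."""
    runs, pieces = [], []
    for tok in TOKEN_RE.findall(stream):
        if tok.startswith(b"("):
            pieces.append(tok[1:-1])       # string operand, possibly a kerned fragment
        else:
            runs.append(b"".join(pieces))  # operator reached: emit the collected run
            pieces = []
    return b" ".join(runs).decode("latin-1")

def leaked(pdf, phrases):
    """Return the phrases still present as text after 'redaction'."""
    text = " ".join(shown_text(s) for s in content_streams(pdf)).lower()
    return [p for p in phrases if p.lower() in text]

LABEL = b"BT /F1 12 Tf 72 700 Td (Witness: ) Tj "
NAME = b"[(Bet) -15 (ty Jones)] TJ "
BOX = b"ET\n0 0 0 rg 125 696 70 14 re f\n"   # black filled rectangle over the name

COVERED = make_stream(LABEL + NAME + BOX, compress=True)   # box drawn, text kept
REMOVED = make_stream(LABEL + BOX)                          # text operator deleted

if __name__ == "__main__":
    print(leaked(COVERED, ["Betty Jones"]), leaked(REMOVED, ["Betty Jones"]))
```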
