Why is it essential to secure Zendesk accounts?
Governments are steadily passing consumer privacy laws geared to protect consumer data from malicious entities. California and Illinois have been the latest to introduce these laws, including a Biometric Information Privacy Act. For many organizations, data is spread across a wide range of systems, which makes it challenging to keep up with new privacy law enactments.
In the first six months of 2019, a reported 3,813 data breaches affected 4.1 billion records, an increase from 2018. Of those breaches, 70% exposed user emails, while 65% included sensitive information revealing passwords. According to IBM, an organization takes an average of 206 days to identify that a data breach has occurred, with an organizational cost of $3.92 million.
All organizations are subject to security attacks, and Zendesk is not immune. In 2016, Zendesk was subject to a data breach exposing 10,000 Zendesk accounts where sensitive PII (Personally Identifiable Information) was accessed.
Between 2018 and 2020, there was a 47% increase in insider threat incidents. This includes malicious data exfiltration and accidental data loss.
Should sensitive data be stored in Zendesk tickets?
- Most businesses have a company-wide policy not to accept sensitive personal data like SSN, Bank Numbers, and Credit Card Numbers in Zendesk tickets. Users sometimes enter sensitive information such as credit card numbers in Zendesk tickets anyway. In addition to being visible to anybody with access to the ticket, the credit card number automatically gets stored in a database with the rest of the ticket, creating security and compliance risks for the business.
- Privacy laws like CCPA in the US let users submit a Request to Delete Personal Information, which means users may request that businesses delete the personal information they collected from them and tell their service providers to do the same. So, in the context of a Zendesk account, if a user asks the business to delete their personal information, the business has to delete all of that personal information across all service providers (including Zendesk tickets/comments).
- And, importantly, most employees don't even need access to sensitive data after the ticket is resolved.
How to remove sensitive data from your Zendesk account?
- Authorized employees can manually scan for sensitive personal information and redact it. Manual redaction has its problems:
  - It is unreliable, as humans forget and may miss sensitive data that should have been redacted.
  - It is time-consuming, as the employee has to constantly look for sensitive data in Zendesk comments/attachments in addition to their actual job of serving customers and resolving their problems.
  - It is error-prone, as sometimes what looks like an account number could be a ticket number and should not have been redacted.
- Businesses can invest significant capital (dozens of engineers) and time (multiple years) to build a solution by developing custom PII-specific machine learning models to detect and redact sensitive data. This is hard, as an ML model has to be trained with various training data sets across hundreds of PII data elements and different attachments (PDFs, JPEGs, PNGs, DOCX, Video/Audio files, etc.)
Is there an automatic way to redact sensitive data?
Strac's Data Loss Prevention (DLP) Solution for Zendesk automatically detects and redacts sensitive data like PII (SSN, DL, Passport, etc.), PHI (patient data, DOB, etc.), credit card numbers, bank account details, API keys, and more from Zendesk comments and tickets.
Strac's Redactor is powered by its Machine Learning models, which are trained to help businesses comply with PCI, HIPAA, SOC2 and various privacy laws by automatically redacting sensitive data. Strac also exposes REST APIs for redacting any data.