Data Privacy and Compliance

Omniscien » Language Studio » Data Privacy, Security and Compliance

People are the weakest link in compliance

Every day, in millions of organizations around the world, millions of people are inadvertently leaking sensitive information and personal data to third parties.

Despite best efforts with staff training and frequent data privacy awareness campaigns, organizations are challenged to control the natural behavior of users who find that necessary tools are not available in their office, and then without intent seek out unsecure and untrusted websites to achieve everyday office activities in violation of strict compliance and data privacy regulations.

• Translating documents using Google Translate or Microsoft Translator via the web or Microsoft Office.
• Converting images and Adobe PDF into Microsoft Office and other formats using online websites.
• Transcribing and dictating content using cloud-based voice recognition services, virtual meeting services or within Microsoft Office (sends content to Microsoft).
• Converting and viewing files on unsecured web sites because the file type specific software is not installed on users’ office computers.

By using untrusted websites, web applications and internet services, legal rights are inadvertently lost to untrusted third parties who may use your sensitive data  and your valuable intellectual property for their own purposes, including in some cases selling it to others. 

Data may travel between legal jurisdictions (i.e., from the EU to the USA) for processing, or could be shared or sold, in violation of GDPR and other compliance regulations. Data sovereignty is becoming a critical issue for many Compliance Officers and Data Privacy Officers.

Even with a contract in place with a public cloud service provider, many contracts do not fully protect valuable data and, if courts were to subpoena a public cloud service provider, they would be legally required to share your sensitive data with the authorities and potentially many others.

Google and Microsoft are just two of many examples of free, public, untrusted, internet based cloud service providers that take rights in your data automatically every time you use them. These services are not free. The cost of using these services is that they use your sensitive data. How your data is used will vary by service. But even with the most restrictive of uses, there are security and privacy concerns.

What could possibly go wrong? Take a look at some of these examples of data breaches and loss of control of sensitive content:

• In 2018 a Google data breach caused a major data privacy scandal in which the Google+ API exposed the confidential data of over five hundred thousand users. Google did not reveal the leak to the network’s users. In November 2018, another data breach occurred following an update to the Google+ API where personally identifiable information (PII) of approximately 52.5 million users was potentially exposed. – Learn More >>
• On September 24, 2022, Microsoft customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. SOCRadar claims to have found 2.4 TB of data containing the personal information of 65,000 entities, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users across 111 countries. The exposed data includes, emails from US .gov, talking about Office 365 projects, monetary information, customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents, etc. – Learn More >>
• “Last week employees in Statoil discovered that text that had been typed in on the web site could be found by anyone conducting a search. ” … “We found notices of dismissal, plans of workforce reductions and outsourcing, passwords, code information and contracts.” … “When we sat down and googled we just thought: ‘Wow! What is this?’ This was information from organizations, private companies, government agencies,” – Learn More >>
• “We exploited Facebook to harvest millions of people’s profiles and built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” – Learn More >>
• LinkedIn data associated with user data from 700 million accounts posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker of “God User” used data scraping techniques by exploiting flaws in the site’s API. Data gathered included email addresses, phone numbers, geolocation records, genders, and more. LinkedIn claimed it was not a data breach, but a breach of terms of service. Does it matter? The stolen data has now been shared across the dark web. – Learn More >>
• In January 2022, an AWS S3 buckets was not appropriately secured, exposing over one million files (3TB) on the internet. The data included employee records (ID card photos, Personally identifiable information (PII), including names, photos, occupations, and national ID numbers.) for El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE) dating back to 2018. – Learn More >>

If this kind of exposure and data breaches are happening on the biggest of websites and organizations that have the highest of security standards and large security budgets to prevent such issues, one can only imagine how much inadvertent data leakage is occurring on smaller, less robust, less prominent inline services. Even if a service claims to not share your data with anyone, you lose control of your data when it is not kept within your network and can never be truly sure how it is being used or who has access to it and how others are preventing unauthorized access to your data. Can your organization afford the risk of such data loss from third-parties?

Language Studio provides a single internal destination for hundreds of secure and private AI-powered features, greatly eliminating the cases where users would typically leave the office network to use unsecure third-party websites.

All of Language Studio’s secure, scalable and enterprise ready AI tools can be deployed via on-premises servers or in your own private cloud platform (Google Cloud, AWS, Microsoft Azure, etc.). The platform provides hundreds of tools for translating, sanitizing, comparing, converting, extracting, analyzing, OCR, voice recognition and transcription and more.

The roles of Chief Compliance Officer and Data Protection Officer came into sudden sharp focus after the EU’s General Data Protection Regulation law came into effect on May 2018. Since that time many other regions and countries have passed similar laws. While these roles cover a vast scope of data privacy and compliance related issues, some issues have been focused on more by technology providers that others.

A key concern for Compliance Officers and Data Protection Officers is ensuring that data is used legitimately and safely. If data leaves the organizations network, then there is a loss of control. Omniscien recognizes that the features offered by public cloud services are very valuable to the business and every day office activities. However, many are not incorporated well into the overall compliance and data privacy landscape.

The Language Studio solution is to provide a wide range of the most popular, advanced, and state-of-the-art artificial intelligence technologies within the organizations own network in a single server platform, thereby eliminating the risk of sharing data with third-party public cloud services. 

In designing Language Studio, the Omniscien team focused on reducing risk of data being used in a non-legitimate and non-safe manner. By applying the concepts of Secure By Design to every stage of software development, and by carefully planning for and building in data privacy features for all the tools and technologies that are offered in the Language Studio platform,

• Stop users from sending data to unauthorized external third parties by providing them access to state-of-the-art equivalent internal AI-powered tools and technologies.
• Retain control of your sensitive data by always keeping it within your own organizations network.
• All data is stored during processing using 256-bit AES encryption.
• All data is segmented by user so that it cannot be accessed by another user.
• Once processed, data is deleted immediately. If not collected (i.e. batch jobs that need to be downloaded), stale data is automatically deleted housekeeping.
• All file deletions are performed using the US Department of Defense (DoD 5220.22-M) Wiping Standard.
• All traffic to, from and within the server uses the latest SSL/TLS encryption protocols.
• Users are authenticated using LDAP, SAML2, or OATH2. 2-Factor-Authentication (2FA) is also supported.
• Hardened operating systems using the CIS-Security standards and tools, combined by a secure architecture ensure that the server platform remains robust and able to stand up to determined attacks.