Retail – Internal Privacy Policy & FDA Regulations

Company Profile

Multi-billion dollar, global chain of department and warehouse stores, with over one million employees.

Business Problem

A major global retailer needed to protect the identities of their many employees, primarily their Social Security Numbers (SSN), according to internal privacy policies.

This meant applying protection capabilities in the Teradata IDW, as well as Pivotal HD and SQL Server.

Subsequent drivers included protecting the identities of their customers to enable secure analytical and operational processes according to the US Food & Drug Administration (FDA) reporting requirements.

Protegrity Solution

Protegrity implemented Database Protectors to protect sensitive employee data in the Teradata IDW. Database Protectors were also implemented on SQL Server and Big Data Protectors installed in Pivotal HD, in order to protect customer data.

The solution leverages Protegrity Vaultless Tokenization (PVT), which secures sensitive data by replacing it with secure tokens of the same type and length and removes the need for any changes to existing tables or applications.

Protegrity also installed the Enterprise Security Administrator (ESA), which provides a separation of duties, allows the security team to monitor and restrict access to sensitive data, and defines alerts, reporting, and auditing on the entire data security system.

Requirements & Challenges

  • Protect SSN of employees in Teradata IDW
  • Protect private customer data in Pivotal HD & SQL Server according to FDA OTC drug reporting requirements
  • Enable security scalability and expansion to new business systems
  • Implement with very little to no negative impact on existing business processes
  • Provide a centralized security architecture for unified administration

Results & Benefits

  • Enabled data security in Teradata IDW, SQL Server & Pivotal HD
  • Employee SSN protected without negative impact to business processes
  • Private customer data secured at rest, in use, and in transit
  • Re-identified data can be provided to authorized users
  • Central management and control of all data security operations
  • Separation of duties implemented with the data security policy