Data Privacy Radar - A Federal Perspective
The Data Privacy Radar is an ongoing series by our data privacy team to explore compliance and information governance issues for organizations around the world. Check out the other posts on GDPR and our global approach, and the Cloud Computing Compliance Controls Catalogue (C5).
As a security and compliance team, we deal with a wide array of complex standards, but none are as complex as those from the U.S. federal government. And to make matters even more complicated, these standards are ever-changing.
Let's rewind 40 years. With the Privacy Act of 1974, the government took a stance for the first time on how federal agencies should properly govern, maintain, use and disseminate personally identifiable information about individuals.
Over time, technology has changed significantly, and the government's position on proper information governance has naturally changed as technology has modernized. More recently, the E-Government Act of 2002 required that government agencies provide assurances to the public that private information is protected in electronic systems. For example, agencies now need to conduct Privacy Impact Assessments for systems to identify what PII is being collected, why it is being collected and how it will be collected, used, accessed, shared, safeguarded and stored.
To address this act specifically, we provide our customers with a Privacy Impact Assessment template to make it easy for our federal customers to understand where PII would be stored in Box if that is within their use case. With these reports, they can be assured that Box is providing the requisite security and privacy controls commensurate with the law.
At Box, we have a dedicated federal compliance team that keeps a close pulse on these changing federal regulations. For example, when we heard that in fall of 2016 cloud vendors became able to apply for FedRAMP High certification, we immediately started evaluating our processes and technology so we could be eligible for the strictest FedRAMP certification in the land. We are one of the few cloud vendors now engaging in the process to achieve FedRAMP High. We feel it's of the utmost importance to Box to obtain the highest-level certifications as soon as we can.
We do this not just for the benefit of government organizations, but for all the organizations we work with. We apply the same level of security and privacy controls detailed in our FedRAMP and DoD Impact Level 4 authorizations to all content put in Box, regardless of whether it's government agency information or a lunch menu for the office.
One of our goals is to make compliance easier for our customers, so that they can focus on their mission. In addition to obtaining certifications, we have released Box Governance and Box KeySafe that help the security, legal, and compliance teams address retention requirements and privacy concerns through additional encryption options. To learn more about our security posture, check out Box Security and Compliance.