Data masking technology is used across many industry verticals and across many geographies and cultures. Sensitive data protection demands are growing along with breaches. Protect yourself and your customers.



The Health Insurance Portability and Accountability Act of 1996:  the Standards Guide for Healthcare Among its provisions, HIPAA requires healthcare agencies to establish national standards for electronic health care transactions. It regulates the safeguarding of private, individually identifiable health information. It also creates several programs to control fraud and abuse within the health care system. Under HIPAA, the Department of Health and Human Services publicized five rules:

  • the Privacy Rule,

  • the Transactions and Code Sets Rule,

  • the Security Rule,

  • the Unique Identifiers Rule,

  • the Enforcement Rule

for covered entities such as:

  • health plans

  • health care providers health care clearinghouses

  • billing services

  • community health information systems

  • health insurers medical service providers

  • employer sponsored health plans

The following provisions can be safeguarded by using data masking components:

Section 164.308

Information access management's implementation specifications: Implement policies and procedures for granting access to electronic, protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Such mechanisms can involve on-the-fly or static data masking for sensitive data such as social security, medicare number and patient namesfor unauthorized parties.

Section 164.312

Access control's implementation specifications:

  • (i) Unique user identification. Assign a unique name and/or number for identifying and tracking user identity.

  • (iv) Encryption and decryption

  • These requirements are reliably accomplished with substitution and enryption  components.

Section 164.502

Minimum necessary applies specification: When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Organizations can dependably limit data to contractors or third party by masking the values.

Privacy Act defines Protected Health Information (PHI) that identifies rather broadly, sensitive data: "PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual."


Finance. GLBA

Introduced in 1999 while removing barriers in the market among banks, insurance agencies, and investment institutions, GLBA also established a set of rules and regulations that protect consumer privacy and secure consumer's data.

Section 501(b) of GLBA requires organizations to establish financial institution standards for protecting the security and confidentiality of said financial institution's customers' non-public personal information. These standards relate to administrative, technical, and physical safeguards.

  • to insure the security and confidentiality of customer records and information;

  • to protect against any anticipated threats or hazards to the security or integrity of such records; and

  • to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer

The Federal Trade Commission helps define which organizations should satisfy the regulations:

These are some examples:

  • Banks

  • Loan lenders

  • Foreign exchange companies

  • Money transfer companies

  • Hedge fund management companies

  • Equity investment companies

  • Insurance companies

  • Mortgage Brokers

  • Asset Management firms

  • Financial advisers

  • Financial brokers

  • Credit companies

Using data masking in institutional standards helps organizations to adhere to the section 501(b).

It helps conceal sensitive data both in development environments and in production. In production, they often substitute sensitive values for use by personnel with limited access to data. An example of such a situation is an off-shored billing and other BPO operation with sensitive data.

It is customary for financial institutions to mask names, date of birth, social security, tax id number, accounts, credit card numbers


E-Commerce. PCI DSS

Merchants and credit card processing companies need to comply with Payment Card Industry Data Security Standard that facilitates consistent measures for data security globally. These organizations include any entity processing credit card transactions including but not limited to:

brick and mortar and internet commerce ATM and cash register operators money transfer companies money exchange companies

PCI DSS establishes the technical and operational framework needed to protect consumers from data security risks.

There are several persistent data elements that PCI DSS either dictates standards of protection for, or recommends best practices. These data elements include

  • Primary Account Number (PAN),

  • Cardholder Name

  • Expiration Date

  • Service Code

PCI DSS makes it mandatory to mask the PAN both in production and in development environments and recommends to protect the rest of the persistent elements in accordance with the local legislature and best practices. Many institutions decide to be proactive and safeguard names, dates and service codes with masking as well.



Pharmaceutical companies and laboratories gather a wealth of personally identifiable information in their software systems. They keep critical data elements of electronic health records. Along with healthcare and insurance companies, they are subject to HIPAA regulations.

As we reach our goal of "National Health Information Infrastructure (NHII), and greater use of electronic health records, protecting the confidentiality, integrity, and availability of EPHI becomes even more critical" (not sure what this is saying, clarify). Unlike healthcare practitioners, pharmacies often sell medicine in retail establishments and as such might have to comply with PCI/DSS as well.



Understanding the risks of exposing the PII of its citizens to unauthorized parties, more and more government agencies apply privacy safeguards to educational, statistical, tax, and many other types of data.

Besides following the regulation guidelines on data privacy that mainly apply to static data masking, they also de-identify data in real time so that only "authorized eyes" see sensitive information and so that researchers can work with data that is anonymized yet maintains the integrity of relevant information. PRODUCTS



Ever since of the release of the report on Consumer Privacy guidelines by the FTC in 2012, both the entertainment and consumer industries have improved their data privacy practices, inventing methods to protect data without sacrificing its quality.

FTC recommendations in particular included Privacy by Design", which ensure privacy at every stage of product development so that they "include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy".



Data Masking is usually used to conceal data as required by the federal Family Education Rights and Privacy Act (FERPA) for the purpose of protecting student confidentiality. Although these facts are not well, but about 30% of all the data breaches relate to the educational institutions: their students are usually culprits as often they are very versed in technology and not as educated in the law as people who already work under contractual responsibilities. Whether you want to protect schools and colleges non-production environments when developing school applications, or disclose data to third parties for example for PBMAS, use data masking tools to hide student identities while maintaining the reports.

Here is an excerpt of the guidelines developed by Privacy Technical Assistance Center: "Privacy of individual student records is protected under FERPA. To avoid unauthorized disclosure of personally identifiable information from education records (PII), students’ data must be adequately protected at all times. For example, when schools, districts, or states publish reports on student achievement or share students’ data with external researchers, these organizations should apply disclosure avoidance strategies, to prevent unauthorized release of information about individual students. To ensure successful data protection, it is essential that techniques are appropriate for the intended purpose and that their application follows the best practices."



GDPR, the European Union privacy regulation framework that became mandatory May 2018, requires the use of various data protection methods. Among them there is anonymization/pseudonymization that reduces the risks associated with the processing of sensitive data. Anonymization/pseudonymmization does not delete all the identifying information from the data but rather reduces the relationship of the data set to the original person's identifiers.

Among the methods that are available for the practitioner are directory replacement, masking, personalized anonymization, blurring. Data Masking is one of the standard and widely applicable solutions, because it allows organizations to maintain the convenience of using their customers' data while removing real identifiers. Using data masking, the data can be deidentified, so that personal information remains anonymous in the context of support, analytics, testing, or outsourcing.

BuildNumber = dev_20210906.1