From NDAs, Secure Closed Systems and a SCIF… How Safe is Your Data?

Written by Lee Konstanty
GM Revenue – USA

How Safe is Your Data?

Whether you and your organization are looking to source translation services for the first time or have a longstanding relationship with a localization service provider, it is incredibly important that you work with a reputable source with robust security measures in place, and that you are well informed about how security is handled within your provider's architecture. Depending on your translation needs, you may be sending financial records, legal documents, HIPAA-regulated information, ITAR-controlled materials or information that contains intellectual property. In short, materials that aren't for worldwide public consumption.

Localization is one of the few industries that necessitates the transfer of critical data on such a large scale to an outside entity, and organizations should be incredibly wary of where data is going, how it is getting there and what is being done with it when it arrives. You likely go to great lengths to secure data within your own systems, and you should demand and ensure the same care be taken by your language service provider. In today's blog, our aim is to look at the world of data breaches and common mitigation tactics, and hopefully prepare you to ask the right questions when looking for a translation provider.

Oh, The Horror

Naturally, no blog about data security is complete without a section that paints an apocalyptic view of the horrible world in which we live, one that would make anyone want to sequester themselves off the grid a million miles from the nearest cell tower. I personally chose a jungle hut that required a Cessna to access and can tell you, it was a wonderful experience, snake bites hurt a lot and not all water is created equal. If I'm honest, it was not a sustainable solution to any of life's troubles; so back to the issue at hand.

In cold, hard, quantifiable numbers, a data breach on average costs $3.86 million. (IBM) After that initial hit, lost business can add up to $4.2 million, and if the data belongs to others, the bill for letting them all know about the issue comes in at $740,000. (IBM) There is some good news: if you are able to contain that breach within 30 days, you save around $1M. (IBM) Unfortunately, the running average to contain a breach is 69 days; bleaker yet for the healthcare industry, where the average is 103 days. (IBM) Even detecting the breach takes 197 days on average, and if you happen to work in the entertainment industry (spoiler alert), a breach that occurred today would take 287 more days to be noticed, unlike the end of the leaked movie, which will hit the internet within a few hours. (IBM) These numbers of course assume the breach is detected at all; estimates say we're only catching around 15 percent. (GF) How's that mountain hideout sounding now?

So, the world is a horrible place, nothing is secure, I’m moving to the top of a mountain in Nepal and will spend my days chanting peacefully and drinking tea. Sure, it’s an option, but let’s take a look at practical measures that you and your team can take to be a bit safer in a crazy world.

NDAs

I can't recall a day as a translation professional in which an NDA hasn't made its way to my desk. As unique as fingerprints, there is no limit to the legal creativity involved, which necessitates a critical review of each and every tedious page. Consequently, with no legal training, I could likely recite the basic tenets of an NDA in my sleep; I may be doing so now without even knowing it. I personally don't see any issue with an NDA as a preventative measure; I'm simply not convinced that they adequately achieve the stated goal of protecting signatories from a breach. To put it bluntly, they are onerous, difficult to enforce and, regardless of which side of an NDA you are on, have the potential to be amazingly expensive to action. Not to mention that most breaches aren't detected. Do NDAs have a place in the world? Certainly. Like my nephew's security blanket, if it makes you feel better, go for broke, but please don't be lulled into a false sense of security; after all, NDAs are only deterrents. I have a pair of socks that stops tiger attacks; they too work well, until the day they don't.

A SCIF

No, not a tiny boat for fishing, that would just be silly, although you could use it to escape to an uninhabited island and forgo any security concerns for the rest of your days. A SCIF is a Sensitive Compartmented Information Facility. They come in different shapes and sizes; however, if you are incredibly serious about information security, this is a near 100% secure option. Think bank vault that is air-gapped from the outside world, with biometric scanners to get in. It may well be under the mountain you are considering chanting on in an orange robe. The only drawback here is that unless your data is critical to the national security of the country, you likely do not have access to a SCIF, nor could I imagine it would be a cost-effective way to ensure secure translation services. If you do, however, tell your CFO that you need $300 per square foot to build one, please post their reaction in the comments so we can all enjoy it. (ST) Let's just say this is likely overkill for your purposes, but you could always take a modular one to the far reaches of Siberia to avoid having to deal with anyone ever again.

Secure Closed Systems

Now that we've established that NDAs are likely insufficient and that owning your very own SCIF is really cool but overkill, the answer lies in the middle. When you're looking at a translation provider, please be sure of the following. Firstly, that there is a secure file transfer mechanism; Gmail assuredly does not count, not to mention that emails are the glitter of the professional world: they are everywhere, and you can't get rid of them. Secondly, ensure that once the data has arrived with your provider, it is stored on a secure server and not downloaded to be worked on offline. If you have specialized security needs, such as HIPAA or ITAR, please do your due diligence and have these practices audited. Anyone can say they are ITAR and HIPAA compliant; however, the reality is that many are not in practice. Lastly, check with your provider to ensure that they can monitor what is happening with the data: when it is accessed, from where and by whom. If, heaven forbid, there is a breach, as has happened with at least one of the largest language service providers in the not distant past, at least you will know about it. Finally, make use of the tools that are provided. Many in the localization space have gone to great lengths, Straker included through our RAY platforms, to provide these secure tools, but we can only be as good about security as your internal teams. Ask your provider for a demo, tutorials or an onsite class about managing data as it pertains to translations.
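To make the last two points concrete, here is an added example (not Straker's code and not the RAY platform's log format) of what "monitoring when data is accessed, from where and by whom" looks like when a provider actually does it: an access audit log is reviewed against a simple data-handling policy, and any event that uses an insecure channel, comes from an unapproved user or country, or moves a document off the secure server (a download for offline work) is flagged. The log lines, field names and policy values are all constructed for this example.

```python
"""Review a translation platform's document access log against a data-handling policy.

Added example. The event format, field names and policy rules are assumptions made for
illustration; they are not the format of any real provider's platform.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log: one JSON object per line, as a secure closed
# system might record it. Field names are assumed for this example.
SAMPLE_LOG = """\
{"ts": "2023-05-01T09:02:11Z", "user": "ana@vendor.example", "doc": "contract-0042.docx", "action": "view", "channel": "portal", "country": "US"}
{"ts": "2023-05-01T09:05:40Z", "user": "ana@vendor.example", "doc": "contract-0042.docx", "action": "edit", "channel": "portal", "country": "US"}
{"ts": "2023-05-01T11:17:03Z", "user": "bob@vendor.example", "doc": "contract-0042.docx", "action": "download", "channel": "portal", "country": "US"}
{"ts": "2023-05-01T23:48:55Z", "user": "ana@vendor.example", "doc": "contract-0042.docx", "action": "view", "channel": "portal", "country": "BR"}
{"ts": "2023-05-02T08:30:00Z", "user": "eve@other.example", "doc": "contract-0042.docx", "action": "view", "channel": "email", "country": "US"}
"""


@dataclass(frozen=True)
class Policy:
    approved_users: frozenset      # linguists cleared for this project
    approved_countries: frozenset  # where the work is allowed to happen
    approved_channels: frozenset   # secure transfer mechanisms only
    offline_actions: frozenset     # actions that move data off the secure server


# Hypothetical policy for the sample project above.
DEFAULT_POLICY = Policy(
    approved_users=frozenset({"ana@vendor.example", "bob@vendor.example"}),
    approved_countries=frozenset({"US"}),
    approved_channels=frozenset({"portal", "sftp"}),
    offline_actions=frozenset({"download"}),
)


def parse_events(log_text):
    """Parse JSON-lines audit events, converting the timestamp to a datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def audit(events, policy=DEFAULT_POLICY):
    """Return (doc, user, timestamp, reason) for every event that breaks policy."""
    findings = []
    for ev in events:
        reasons = []
        if ev["user"] not in policy.approved_users:
            reasons.append("unapproved user")
        if ev["country"] not in policy.approved_countries:
            reasons.append(f"access from unapproved country {ev['country']}")
        if ev["channel"] not in policy.approved_channels:
            reasons.append(f"insecure channel {ev['channel']}")
        if ev["action"] in policy.offline_actions:
            reasons.append("data left the secure server")
        for reason in reasons:
            findings.append((ev["doc"], ev["user"], ev["ts"], reason))
    return findings


def access_summary(events):
    """Per document: who touched it, and when it was first and last accessed."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["doc"], {"users": set(), "first": ev["ts"], "last": ev["ts"]})
        s["users"].add(ev["user"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for doc, user, ts, reason in audit(evs):
        print(f"{ts.isoformat()} {doc} {user}: {reason}")
    for doc, s in access_summary(evs).items():
        print(doc, sorted(s["users"]), s["first"].isoformat(), s["last"].isoformat())
```

Run against the sample log, the review flags the download (data off the secure server), the late-night access from an unapproved country, and the outside address that received the document by email. The point for a buyer is that a provider who cannot produce a log with at least these fields cannot answer "who, when and from where" after the fact, which is exactly the question you will be asked after a breach.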

Last but not least, keep an eye out for our upcoming list of security questions you should be asking potential providers. If they are unable or unwilling to answer your questions to your satisfaction or that of your security and compliance staff, look elsewhere.

If, on the other hand, you do move to a remote part of Mauritania to herd cattle free of human interaction, just send up periodic smoke signals, we’ll be sure to look west from time to time.