Egnyte Built-In Classification Policy Criteria

Egnyte Secure & Govern offers several built-in classification policies that are targeted toward compliance with data security and privacy standards in several regional jurisdictions.  An overview of all available policies can be found in this article.  Detailed policy-matching criteria for some specific policies can be found below.

Quick links to individual policy criteria:

HIPAA: Health Insurance Portability and Accountability Act

Egnyte HIPAA Narrow Version

Egnyte HIPAA Broad Version

GDPR: General Data Protection Regulation Policy

Egnyte GDPR Narrow Version

Egnyte GDPR Broad Version

CCPA: California Consumer Privacy Act Policy

Egnyte CCPA Narrow Version

Egnyte CCPA Broad Version

GLBA: Gramm-Leach-Bliley Financial Modernization Act Policy

Egnyte GLBA Narrow Version

Egnyte GLBA Broad Version

PCI-DSS: Payment Card Industry Data Security Standard Policy

SOX: Sarbanes-Oxley Act Policy

ITAR: International Traffic in Arms Regulations

CUI: Controlled Unclassified Information

Egnyte CUI Narrow Version

Egnyte CUI Broad Version

 

Specific Classification Policy Criteria

HIPAA: Health Insurance Portability and Accountability Act

Egnyte HIPAA Narrow Version

Policy Criteria: To match the Narrow Version, an object must contain:

  1. Any of the following:
    • Social Security Number (US)
    • Health Insurance Claim Number
  2. In addition to #1 above, a match to at least one of the following within 200 characters of the above match:
    • ICD-10 Codes
    • ICD-10 Ailments Narrow version
    • ICD-10 PCS Codes
    • ICD-10 PCS Procedures
    • CPT Codes
    • CPT Procedures Narrow version
    • National Provider Identifier (NPI) number
    • DEA Registration Number
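
The two-step HIPAA Narrow rule above can be exercised with a small matcher when building test files for a policy. This is an added example, not Egnyte's code: the regular expressions are simplified stand-ins, and measuring the 200 characters as the gap between the two match spans is an assumption.

```python
import re

# Simplified stand-in detectors (assumptions); Egnyte's real patterns are not
# given in this article and will differ.
PRIMARY = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
SECONDARY = {
    "icd10_code": re.compile(r"\b[A-TV-Z]\d[0-9A-Z]\.[0-9A-Z]{1,4}\b"),
    "npi": re.compile(r"\bNPI[:# ]*\d{10}\b"),
}
WINDOW = 200  # characters, from the policy criteria


def gap(a, b):
    """Characters between two (start, end) spans; 0 if they touch or overlap."""
    return max(a[0] - b[1], b[0] - a[1], 0)


def find_all(patterns, text):
    """Return (pattern name, span) for every match of every pattern."""
    return [(name, m.span()) for name, rx in patterns.items()
            for m in rx.finditer(text)]


def narrow_hits(text, window=WINDOW):
    """Return (primary, secondary, gap) triples satisfying steps 1 and 2."""
    hits = []
    for pname, pspan in find_all(PRIMARY, text):
        for sname, sspan in find_all(SECONDARY, text):
            distance = gap(pspan, sspan)
            if distance <= window:  # step 2: close enough to the step-1 match
                hits.append((pname, sname, distance))
    return hits


if __name__ == "__main__":
    # Constructed sample text, not real patient data.
    sample = "Patient SSN 123-45-6789, diagnosis E11.9 (type 2 diabetes)."
    print(narrow_hits(sample))
```

An object with an SSN but no medical identifier nearby produces no hits, which is what separates the Narrow version from the Broad one.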

Egnyte HIPAA Broad Version

Policy Criteria: To match the Broad Version, an object must contain one identifier from each of the following lists:

  1. Personally Identifiable Information (PII) or Personal Health Information (PHI) of US which includes -
    • Person Name
    • Postal Address (US)
    • Date of Birth
    • Telephone/Fax Number (US)
    • Email address
    • Social Security Number (US)
    • Bank Account Number
    • VIN Number (US)
    • IP Addresses
  2. Medical terminology in one of the following categories -
    • ICD-10 Codes
    • ICD-10 Ailments
    • ICD PCS Codes
    • ICD PCS Procedures
    • CPT Codes
    • CPT Procedures
    • National Provider Identifier (NPI) number
    • DEA Registration Number
    • CMS Forms
    • Proprietary and generic names of drugs approved by the US FDA

GDPR: General Data Protection Regulation Policy

Egnyte GDPR Narrow Version

Policy Criteria: To match the Narrow Version, an object must contain at least one of the following:

  • Any of Personally Identifiable Information (PII) of EU which includes -
    • EU countries Driver's License Number
    • EU countries National Identifiers Number
    • and if any other pattern is added in the future for EU under the PII tag
    • Passport Number
  • Any of Banking Information (PIFI) of EU which includes -
    • EU Countries IBAN number
    • EU bank identifiers and bank account number
    • EU countries Single Euro Payments Area (SEPA) number
    • EU countries VAT number
    • and if any other pattern is added in the future for EU under the PIFI tag
  • Any of Personal Health Information (PHI) of EU which includes -
    • Personal Health Identifiers of supported EU countries
    • and if any other pattern is added in the future for EU under the PHI tag

Egnyte GDPR Broad Version

Policy Criteria: To match the Broad version, an object must contain Partially Personal Information (PPI) but only if a person's name is found within 200 characters of the matched content which includes:

  • EU Postal Address
  • EU Telephone Number
  • and if any other pattern is added in the future for EU under the PPI tag
  • Email Address
  • Date of Birth
  • IP Address
  • WebLog
  • Any of Personally Identifiable Information (PII) of EU which includes -
    • EU countries Driver's License Number
    • EU countries National Identifiers Number
    • and if any other pattern is added in the future for EU under the PII tag
    • Passport Number
  • Any of Banking Information (PIFI) of EU which includes -
    • EU Countries IBAN number
    • EU bank identifiers and bank account number
    • EU countries Single Euro Payments Area (SEPA) number
    • EU countries VAT number
    • and if any other pattern is added in the future for EU under the PIFI tag
  • Any of Personal Health Information (PHI) of EU which includes -
    • Personal Health Identifiers of supported EU countries
    • and if any other pattern is added in the future for EU under the PHI tag

CCPA: California Consumer Privacy Act Policy 

Egnyte CCPA Narrow Version 

To match the Narrow Version, an object must contain the following: 

  1. A match to any of the following patterns only if a person's name is found within 200 characters of the matched content
    • Social Security Number 
    • Drivers License Number (US) 
    • VISA Number (US) 
    • MagStripe track 
    • Credit/debit card number 
    • Bank account number (US) 
    • Health Insurance Claim Number(US)

Egnyte CCPA Broad Version

Policy criteria: To match the Broad Version, an object must contain at least one of the following:

  • A match to any of the following patterns only if a person's name is found within 200 characters of the matched content:
    • Social Security Number 
    • Drivers License Number (US) 
    • VISA Number (US) 
    • MagStripe track 
    • Credit/debit card number 
    • Bank account number (US) 
    • Health Insurance Claim Number(US) 
  • A match to any of the following patterns only if a privacy policy keyword is found within 200 characters of the matched content: 
    • Email address

GLBA: Gramm-Leach-Bliley Financial Modernization Act Policy

Egnyte GLBA Narrow Version 

To match the Narrow Version, an object must contain the following: 

  • Social Security Number (US) 
  • In addition to SSN, a match to at least one of the following - 
    • Registered Investment Advisors (RIAs) 
    • US Bank names 
    • Bank account number (US) 
    • Credit/debit card number 
    • MagStripe Track

Egnyte GLBA Broad Version 

Policy criteria: To match the Broad Version, an object must match any of the Personally Identifiable Information (PII) of US, which includes:

  • Social Security Number (US) 
  • Drivers License Number (US) 
  • VISA Number(US) 
  • and if any other pattern is added in the future for US under the PII tag 
  • Passport Number 

In addition to the above, a match to at least one of the following:

  • Registered Investment Advisors (RIAs) 
  • US Bank names 
  • Bank account number (US) 
  • Credit/debit card number 
  • MagStripe Track 
  • At least two Personal Finance terms

PCI-DSS: Payment Card Industry Data Security Standard Policy 

Policy criteria: To match the PCI-DSS Policy, an object must contain Payment Information, which includes any of the following: 

  • Credit/Debit Card Number 
  • MagStripe Track

SOX: Sarbanes-Oxley Act Policy 

Policy criteria: To match the SOX Policy, an object must contain at least one of the following: 

  • Corporate Information of US and the Securities and Exchange Commission (SEC) Fair Disclosure forms. Corporate Information includes
    • IRS Employer Identification Number (US) 
    • National Provider Identifier (NPI) number (US) 
    • DEA Registration Number 
    • IRS Employer Identification Number of US with at least five unique terms from Common Financial Statement Terms 
    • At least ten unique Common Financial Statement Terms

ITAR: International Traffic in Arms Regulations 

Policy criteria: To match the ITAR policy, an object must contain a match to at least one of the following:

  • US Munitions which consists of 19 different lists of munitions keywords 
  • AECA Debarred Parties List
  • Export Control and Distribution Statement List

CUI:  Controlled Unclassified Information 

Egnyte CUI Narrow Version 

To match the CUI policy, an object must contain a match to at least one of the following (based on https://www.archives.gov/cui/registry/category-marking-list):

General rules for markings:

  • Markings are mostly UPPERCASE letters with some hyphen characters and spaces - dissemination controls (see below) may contain lower case characters.
  • Markings are split into portions which are separated by '//' and '/'.
  • There is a defined set of values for markings - note that the sets of possible values are CASE SENSITIVE.

Marking makeup:

  • Markings always begin with CONTROLLED or CUI (the two are interchangeable).
    • (Optional, after CONTROLLED or CUI) // followed by one or more category markings. Multiple category markings are separated by a single forward slash /.
    • (Optional, after category markings) // followed by one or more dissemination controls. Multiple dissemination controls are separated by a single forward slash /.

Valid examples (note that all of the following would appear in the header of all documents that meet CUI):

  • CUI (Basic marking, no category marking)
  • CONTROLLED (alternative basic marking, no category marking)
  • CUI//PERS/ (Single category marking)
  • CUI//SP-PERS/SP-SUB (Multiple category markings)
  • CUI//PERS//NOFORN (single category, single dissemination control)
  • CUI//SP-PERS/SP-SUB//NOFORN/NOCON (multiple categories, multiple dissemination controls)
  • CONTROLLED//SP-PERS//REL TO [USA,AUS,CAN]  (single category, single dissemination control with country codes)
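
The marking rules above translate into a small banner parser, useful for checking which header lines a CUI policy should and should not match. This is an added example, not Egnyte's implementation: `parse_banner` and `scan_header` are hypothetical names, the value sets are a small illustrative subset of the registry, and treating the first five lines as the header is an assumption.

```python
import re

# Illustrative subsets (assumption). The authoritative, case-sensitive value
# sets are in the NARA CUI registry linked above.
CATEGORIES = {"PERS", "SP-PERS", "SP-SUB"}
CONTROLS = {"NOFORN", "NOCON", "FED ONLY", "FEDCON", "Attorney-Client"}
REL_TO = re.compile(r"REL TO \[([A-Z]{3}(?:, ?[A-Z]{3})*)\]")


def _items(portion):
    """Split a portion on single '/'; tolerate one trailing '/' (CUI//PERS/)."""
    if portion.endswith("/"):
        portion = portion[:-1]
    return portion.split("/")


def parse_banner(line):
    """Return a dict describing a valid banner, or None if the line is not one."""
    portions = line.strip().split("//")
    if portions[0] not in ("CUI", "CONTROLLED") or len(portions) > 3:
        return None
    categories = _items(portions[1]) if len(portions) > 1 else []
    controls = _items(portions[2]) if len(portions) > 2 else []
    if any(c not in CATEGORIES for c in categories):
        return None  # also rejects empty items and wrong-case values
    rel_to = []
    for control in controls:
        match = REL_TO.fullmatch(control)
        if match:
            rel_to = re.split(r", ?", match.group(1))  # country codes
        elif control not in CONTROLS:
            return None
    return {"categories": categories, "controls": controls, "rel_to": rel_to}


def scan_header(text, max_lines=5):
    """Parse banners found in the first few lines of a document."""
    found = []
    for line in text.splitlines()[:max_lines]:
        banner = parse_banner(line)
        if banner is not None:
            found.append(banner)
    return found


if __name__ == "__main__":
    print(parse_banner("CUI//SP-PERS/SP-SUB//NOFORN/NOCON"))
```

Because the value sets are case sensitive, `cui//PERS` and `CUI//PERS//noforn` are rejected rather than normalised.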

Egnyte CUI Broad Version 

The broad version CUI policy will search for content that could constitute CUI based on keywords in the content as well as CUI banner markings listed in the Narrow version.
