We generally mask sensitive/classified Data to comply with regulations or laws. Some Regulations or laws that may implicitly or explicitly require data
masking are HIPPA,PCI,FCRA,ECPA. There are also otherInformation Privacy and Data Protection Directives in other regions of the world.
Sometimes we mask data because it is needs to be a one-way hash (think about masking a password as you type it). There are times that we mask data (think
of masking usernames) not because the Data is Sensitive but because we want the user to reconfirm their credentials so we can ensure they are authorized to
see the Data. Then there are times that we mask Data to protect against accidental data leak; but the user can easily click a button and re-display the
But in the End of the Day Masking one or two data fields won’t necessarily protect you against unauthorized viewing of the sensitive Data. Consider the
Following Data as described in Figure 1. Notice that masking Last Name and Data of Birth fields protects the person’s identity against most people. But if
somebody had access to backend data from the insurance company, they could easily narrow down the Number of people called Jim. They could cross referenced
all the people named Jim with that specific zip code and that are insured by that specific insurance company. Thus Masking Data only gets us so far;
sometimes we have to think about whom we are handing over the masked data to.
Figure 1: Web Form contains First Name, Last Name, Data of Birth, Zip Code, Gender, and Insurance Company.
Figure 2: Last Name, Date of Birth Fields have been masked away. But the data is not yet fully protected.