Understanding Cyfin’s Data Storage: Ensuring Privacy and Compliance with U.S. Privacy Regulations
Introduction
Cyfin provides comprehensive employee web use activity reports by analyzing activity logs collected from a company’s firewall or proxy server. These logs contain details about the interaction between employee devices and websites or web applications, helping businesses ensure compliance, productivity, and security.
However, it’s important to address any concerns regarding the type of data stored and whether Cyfin retains personally identifiable information (PII). This paper explains the nature of the data Cyfin processes, how it adheres to privacy standards, and why it does not store what is considered PII under United States privacy regulations.
What Type of Data Does Cyfin Store?
Cyfin collects and stores data about employees’ web use, such as:
- Date and Time: When the transaction or connection occurred.
- IP Address: The IP address of the employee’s device.
- Bytes: Data transferred during the session.
- Website Domain: The main website being accessed.
- Website URL: The specific page or resource visited.
- Website Category: General categories such as “news” or “social media.”
- Website Classification: More specific classifications (e.g., “work-related” vs. “non-work-related”).
- Content Type: Information on the type of content being accessed (e.g., image, video).
- User Agent: The browser or software used to access the site.
- Username: A system-generated username to associate actions with a particular user.
Is the Data Considered PII?
In the U.S., personally identifiable information (PII) refers to information that can be used to identify a specific individual either on its own or in combination with other data. Under major U.S. privacy laws such as the California Consumer Privacy Act (CCPA) and HIPAA, data is considered PII if it directly identifies a person (e.g., name, social security number, email address) or can be reasonably linked to an individual.
Cyfin does store usernames linked to network activity, but no other individual-specific information such as names, personal addresses, or social security numbers. A username on its own—without being combined with other personal identifiers—is not considered PII under U.S. law. It only serves as an internal identifier within the company’s own systems.
Optional Windows Active Directory Integration
For customers using Windows Active Directory integration, Cyfin offers an optional feature that allows additional user information to be stored. Specifically, the customer can choose to associate the employee’s Full Name and Department with the username.
This optional feature is entirely under the control of the customer, and the decision to store additional data, such as full names, is determined by their internal data management policies. When full names and departments are stored, this additional data could be considered PII, as it directly identifies individuals.
How Does Cyfin Ensure Data Privacy?
Cyfin is committed to maintaining the privacy of user data through:
- Limited Scope of Data Collection: Only information related to web activity (such as the types mentioned above) is stored, without collecting any personally identifying data like full names, unless the customer opts into the Active Directory integration feature.
- Data Security Practices: Data storage and transmission practices adhere to industry standards to ensure that sensitive information remains secure and protected from unauthorized access.
- Anonymization Potential: While usernames are stored, this data remains internal to the organization and cannot be tied to specific individuals by Cyfin itself, unless additional identifying information is associated through Active Directory integration.
Conclusion: Cyfin and U.S. Privacy Compliance
Cyfin helps companies monitor employee web use activity while ensuring that it does not store personally identifiable information unless specifically chosen by the customer through optional Active Directory integration. By limiting the data collected to non-sensitive information and ensuring that usernames alone cannot be used to identify individuals, Cyfin complies with U.S. privacy regulations.
Cyfin remains a valuable tool for businesses seeking to monitor network activity responsibly, ensuring privacy and compliance at every step.