How Varonis Helps Agencies Avoid the Pain and Penalties of Public Record Requests

Michael Buckbee
Published October 7, 2020
Last updated October 21, 2021

Freedom of Information (FOI) requests are one of the ways that public organizations are held accountable by the media and the members of the community they serve. FOI laws require public organizations (e.g., government offices, public colleges, universities, and schools) to release documents concerning a current issue or court case. FOIA.gov says, “The basic function of the Freedom of Information Act (FOIA) is to ensure informed citizens, vital to the functioning of a democratic society.”

In short, you issue an FOI request, a government official processes that request and finds the documents, redacts the documents to secure privacy, and then sends them to you.

A free press needs FOI laws to provide accountability to government organizations. FOI requests are vital to facilitate legal discovery and litigation. There is no argument against FOI in principle. However, FOI requests present a budgetary, legal, and procedural challenge to the governments that have to fulfill them.

Challenges Managing FOI Requests

State and local governments face budgetary pressures to cut costs, but managing FOI requests counters those efforts in several ways. Depending on the state laws, failure to respond to FOI requests in the legislated time could lead to hefty fines for the state organization, and governments may even be responsible for paying the legal fees of the parties that made the FOI requests. These laws vary from state to state.

Here is an example of how FOI laws can be “weaponized” to drain an agency of time and money.

Unscrupulous lawyers submit FOI requests and, in parallel, file an empty lawsuit to subpoena the same data they requested in the FOI requests. In most cases, the people who respond to FOIs are not the same people who respond to subpoenas, and they frequently have access to different datasets. When two different result sets are returned, the shady lawyer will pinpoint the discrepancies, launch a lawsuit, and seek compensation via the FOI Act for failure to disclose everything. Additionally, trends show that FOI requests have increased in recent years and threaten to bog down state agencies in the document gathering and redaction process.

All of these factors create a feedback loop on an already bogged down FOI system. More FOI requests mean potentially more fines, which means more financial stress upon governments.

Let’s check out a totally fictitious FOI request and show how Varonis can help make the process simpler.

How Would You Manage an FOI Request?

Scenario. A local investigative reporter is looking into allegations of institutional grade-fixing to keep athletes eligible despite not attending classes. The reporter submits an FOI request for all correspondence and records for these anomalous classes over the past thirty years.

To fulfill this request, someone has to search for all the documents (emails, grade records, evaluations, term papers, etc.) involving anyone that worked for or took those classes at the institution.

Searching databases is pretty simple. It’s the unstructured data that’s the real killer. In our example, the grades and attendance records might exist in a central database, but the syllabi and assignments don’t. The volume of data and the number of systems you have to search don’t grow along a nice linear curve, and that is for just one name. Imagine how many names might need to be searched in our scenario.

How Does Varonis Help With FOI Requests?

Varonis DatAnswers is a powerful search engine that can help teams fulfill FOI requests quickly and accurately. DatAnswers lets users search an index of unstructured data in their organization and makes it easy to export a list of matched files, so people working on FOI requests can grab the files they need to fulfill the request quickly from all available datasets at once.

DatAnswers adds context to data, building search results with more than just keyword matching. It’s an intelligent search engine that is fueled by Varonis’ unique metadata and contextual signals to produce better search results. Before you enter the search in DatAnswers, Varonis knows what data you have, where that data lives, who has access to that data, and which data is sensitive. We use sophisticated logic to ensure you get high-fidelity results with few false positives and we surface results fast.

For our scenario, all you’d have to do is type the list of students into DatAnswers, and Varonis will instantly search across your cloud and on-prem data stores to get your results. Once the search is complete, you can filter, copy, or export the results to process them.

“I call DatAnswers the ‘search engine’ of Varonis. When a user doesn’t know exactly where they put a sensitive file, we use DatAnswers to track it down. We also use DatAnswers for all of our legal team’s searches. I appreciate the ease and functionality of being able to do that through a web browser.”

– Network Admin, Regional Healthcare Provider

Before results are sent to the requestor, the government agency must ensure that it is not disclosing any confidential information. Data Classification Engine continuously discovers sensitive unstructured and semi-structured data on-premises and in the cloud (on Windows servers, NAS devices, SharePoint, UNIX/Linux servers, and Office 365, including OneDrive and SharePoint Online), with support for file types such as .doc, .pptx, .xlsx, .zip, .rar, .pdf and many more.

Varonis includes a library of almost 50 built-in rules and more than 400 patterns for all of the common laws and standards (HIPAA, SOX, PCI, GDPR, and more). Our classification engine goes beyond regular expressions and includes pre-built databases of known-valid values, proximity matching, negative keywords, and algorithmic verification to generate high-fidelity results.

Even more granular Policy Packs help agencies discover personal information related to GDPR & CCPA and federal-specific information that’s top-secret, secret, or confidential.

  • Policy Pack is an ever-expanding library of accurate and comprehensive rules to find and protect GDPR and CCPA data. Varonis has over 340 GDPR patterns alone, covering all of the EU nations.
  • Federal Policy Pack builds on the Data Classification Engine with patterns built specifically to identify top secret, secret, and confidential documents, as well as controlled unclassified information (CUI) and other sensitive government forms.

With all this information in one interface, FOI requests are faster and easier to process.

If needed, Data Transport Engine can securely move relevant files for an FOI request to a single working folder where you can process the data before sending it back to the requestor.

These aren’t the only benefits of using the Varonis Data Security Platform. You also get full-service data protection and compliance functionality with built-in threat detection and analytics capability. Not only can you deal with FOI and public records requests more easily, but you can also protect your data and prevent unauthorized access to your non-public information.
