Building a foundation of trust through robust security.


Secure data processing for privacy compliance

A fundamental requirement of ensuring the confidentiality, integrity, and availability of personal information is the underlying security in the information systems that process personal data. Global privacy and data security laws require reasonable security measures to be put in place for the storing, transmitting, and processing of personal information.

Legal requirements for reasonable security

Data security is not just a good idea—it’s the law. In the United States, reasonable security is a legal requirement for specific classification of information such as financial, health, and personal information. Reasonable security is required under laws regarding fair business practices. Outside of the United States, the European Union General Data Protection Regulation (GDPR) and other global privacy laws specifically require reasonable security for the protection of personal data.

The protection of personal information is not the only factor for legal requirements for data security. The European Union’s Network Information Security Directive and Cybersecurity Act require data protection measures to be put in place regardless of whether the data being protected is personal information. New York’s Department of Financial Services regulations require a specifically structured cybersecurity plan focusing on systems rather than data classifications.

In practice, though, organizations only rarely segregate data into separate systems designed to meet security protocols applicable only to a given data classification. Instead, a single information systems security plan is put in place that is reasonable in light of all of the classifications of data it will hold.

What is reasonable security?

Despite the prevalence of the term reasonable security in privacy and data security regulation, there is no defined standard or engineering control set attached to the term. Instead, the law indicates that reasonable security is comprehensive in that it includes controls for physical, administrative, and technical safeguards. What those safeguards are depends on the type and nature of the data in question, the risks associated with applicable information systems, the impact on people or businesses, and industry best practices in information security. Despite this level of ambiguity, regulators and courts recognize several areas as being integral to reasonable security.


Encryption is recognized as a means by which the risk associated with a security incident can be mitigated. Encrypting data reduces the likelihood that any data obtained in a security incident can be used to harm individuals or entities. This includes both encryption during the transmission of data and the encryption of data “at rest” (e.g., in a stored state). Encryption offers more information about encryption in general as well as NetApp encryption solutions.

Access and authentication controls

Global privacy principles recognize both “purpose specification” and “use limitation” as foundational to protecting personal information. These principles are typically met through restrictions on who can access, and under what circumstances they can access, personal information. Controlling access necessarily requires that the person authorized to access personal information is authenticated to ensure they are who they claim to be. NetApp provides a variety of account management tools for managing access and authentication, so that customers can manage access to personal information.

Breach reporting

A data breach is broadly understood to be a violation of security protocols that leads to the loss, alteration, or disclosure of data, or unauthorized access to it. When that data is personal information, this is called a personal information breach. Notification of personal information breaches is a common legal requirement, as well as common practice. NetApp is committed to meeting these legal obligations and to empowering our customers to do the same through NetApp Cloud Data Service Terms, which commit to reporting all security incidents, regardless of whether the affected information is personal information.

Data loss prevention

Data loss prevention (DLP) is a system of tools and protocols used to protect data from loss, theft, or unauthorized manipulation. A DLP program typically consists of protocols to detect and respond to unauthorized access to data, prevent modification of data, and to recover from lost data. NetApp offers a variety of tools that help our customers protect against data loss, including audit logging, write-once, read-many (WORM) file locking, and other functionality to mitigate against ransomware attacks.

Patch management

Patch management is a system of tools and protocols used to acquire, test, and install changes to software or ancillary data, and that are designed to update, fix, or improve the software or ancillary data (the “patch”). Patches are typically released to address known issues within software or data, such as a software bug or a security vulnerability. NetApp is committed to providing up-to-date information about and patches to address the security of personal information.

Reasonable security and NetApp

NetApp not only implements technical, administrative, and procedural safeguards to protect its own information systems and the corporate and customer data that exist there, we also build products and services to empower our customers to do the same. We continuously monitor and adapt to the evolving standards required under the law and strive for transparency in our security operations and offerings. We also provide information on security compliance programs, which provide evidence of our information security management systems as assessed under national and international standards.

abstract shapes