You're thinking about this very much from a techy point of view.
We have a similar value prop with our platform (we store PII including actual identity documents).
It's not about making it impossible for users to download and store sensitive data. Everyone knows that that's impossible - yet somehow Snapchat and its disappearing messages is still a thing.
Instead, it is intended to be coupled with policies. As long as the company has a policy against downloading/storing confidential information, then the company is covered.
Then, when a case of e.g. identity theft happens through a rogue employee, the company can demonstrate that it has taken all reasonable steps to avoid it.
That is a much better position than showing up in court and saying "yeah, we didn't try to prevent people from downloading PII, that's impossible anyway".
This is exactly right. It doesn't stop espionage or a rogue employee - it is not supposed to; but it does stop inadvertent duplication all over the place in ways the company could be liable for due to inaction or insufficient policy around PII, etc.