Fix grammatical issues in Data Theft section.

Co-authored-by: Ted Thibodeau Jr <[email protected]>

index.html

@@ -5168,40 +5168,40 @@ <h3>Data Theft</h3>
 <a>verifiable presentations</a> are valuable since they contain authentic
 statements made by trusted third parties, such as <a>issuers</a>, or
 individuals, such as <a>holders</a> and <a>subjects</a>. Storing this data
-can create sensitive data honeypots that attackers are motivated to
-break into in order to acquire and exchange it for financial gain.
+can create honeypots of sensitive data that attackers are motivated to
+break into in order to acquire and exchange that data for financial gain.
         </p>
         <p>
-<a>Issuers</a> are advised to hold on to the minimum amount of data
+<a>Issuers</a> are advised to retain the minimum amount of data
 necessary to issue <a>verifiable credentials</a> to <a>holders</a> and
 manage the status and revocation of those credentials.
         </p>
         <p>
 <a>Holders</a> are advised to use implementations that appropriately
-encrypt their data in transit and at rest, and protect sensitive
+encrypt their data both in transit and at rest, and protect sensitive
 material (such as cryptographic secrets) in ways that cannot be easily
 extracted from hardware devices. Furthermore, it is suggested that
-<a>holders<a> store and manipulate their data on devices that they control,
-away from centralized systems, in order to reduce the likelihood of attack
-on their data, or large-scale theft if an attack is successful.
+<a>holders<a> store and manipulate their data only on devices that they
+control, away from centralized systems, to reduce the likelihood of
+attack on their data, or large-scale theft if an attack is successful.
         </p>
         <p>
 <a>Verifiers</a> are advised to only ask for data necessary for a particular
-transaction and to not hold on to any data beyond the needs of any particular
+transaction and to not retain any data beyond the needs of any particular
 transaction.
         </p>
         <p>
-Regulators are advised to rethink the audit requirements such that more
+Regulators are advised to rethink audit requirements such that more
 privacy-preserving mechanisms can be used to achieve similar levels of
-enforcement and audit capabilities. For example, regulations that insist on the
-collection and long-term storage of personally identifiable information for the
-purposes of auditing can create harms to individuals and organizations if that
-same information is compromised and accessed by an attacker. The technologies
-described by this specification enable <a>holders</a> to more readily prove
+enforcement and audit capabilities. For example, audit-focused regulations
+that insist on collection and long-term retention of personally identifiable
+information can cause harm to individuals and organizations if that same
+information is compromised and accessed by an attacker. The technologies
+described by this specification enable <a>holders</a> to more-readily prove
 attributes about themselves and others, reducing the need for long-term data
-archival by <a>verifiers</a>. Alternatives include keeping logs that the
-information was collected and checked along with random audits to ensure that
-compliance regimes are operating as expected.
+retention by <a>verifiers</a>. Alternatives include keeping logs that the
+information was collected and checked, as well as random tests to ensure
+that compliance regimes are operating as expected.
         </p>
       </section>