US regulators and companies can follow the lead of the EU, with its GDPR, to better protect consumer data while recognizing that the data belongs to the customer, not a company.
The European Union is leading the way in terms of individual data protection for consumers, but the US probably won’t be far behind given heightened scrutiny now as a result of the Equifax data breach.
Next May, the EU will begin to enforce what is known as GDPR, or General Data Protection Regulation, which the EU says is the biggest update to consumer data privacy regulations in 20 years and affects any company that resides in the EU, offers goods or services there, monitors behavior of EU residents or processes and holds personal data of EU residents, regardless of the company’s location.
The tightened requirements are welcome news. They require companies to have adequate data records, increase opt-out options, enable someone’s data to be erased and to disclose data breaches. Stiff fines of up to 4% of revenue may await those who don’t comply.
Already, there’s talk on Capitol Hill of the need to remake the credit reporting agencies given how they keep so much sensitive data on so many people, and for further data protection regulations in the US.
Unfortunately, I’m still placing bets on the cyber criminals to prevail in their quest to steal data. Here’s why: Most cybersecurity defenses are built around keeping bad guys out of systems, and without changing the way we protect the data, the cyber hackers will continue to play offense against an ineffective defense. Offense has always had an advantage over defense, and, in today’s hyperconnected economy and world, we’re continuously adding new avenues of attack on our personal data as more of our lives revolve around an online world.
If you need more proof that the current system isn’t working, look at the pace of security breaches. As of June 30, the U.S. has seen a record high of 791 major security breaches , a 29% increase from 2016’s same timeframe, indicates data from the Identity Theft Resource Center (ITRC) and CyberScout. Based on this pace, the ITRC projects breaches to hit 1,500 this year alone. That’s a 37% annual increase from 2016’s figure of 1,093 breaches, another all-time high.
How many people had private records exposed is anyone’s guess. A full 67% of the data breach notifications or public notices did not report on the number of records impacted, an all-time record high, the ITRC says. This is a frightening prospect: We don’t know how many records are impacted and entities aren’t being required to tell us. As many as 143 million Americans may have been exposed by the Equifax breach. More than 1 billion records have been exposed since 2004, the ITRC reports.
This is occurring despite the fact that worldwide spending on cybersecurity is expected to top $1 trillion between now and 2021, says a report from Cybersecurity Ventures.
This all means that what we don’t need are more rules and regulations that simply force companies to protect their network borders. Those kinds of rules — which worked in past decades and old iterations of our economy — reinforce a sense of false protection.
Companies are taking that route all by themselves. A 2016 report from the SANS Institute on security spending found that “rather than data protection and compliance, such as DLP and encryption … technology spending favors more traditional controls, such as network visibility and malware defense.” Remember, some threats come from within and organizations need to protect against those as well.
What we need is a wholesale mind shift on how to best protect consumer data. We need best practices and advanced technologies that protect the data, a Social Security number for instance, from intrusion even if it is just one of 1,000 numbers in a customer’s data file, or a healthcare patient’s name from exposure even while doctors can share other information on how that patient responded on day four of a drug trial.
That last point is key. Responsibly sharing and using data can lower costs, result in better drugs, and provide better consumer services. The goal of governance and security is not to stop sharing, and as a consequence wipe out all the potential benefits. It is to ensure that data is shared and used responsibly, safely, and legally.
GDPR will help. Any new regulations that may or may not come out of the Equifax situation may help, too.
But what will really move the needle is if companies finally get that consumer data doesn’t belong to them and isn’t something they can take for granted. It is an asset that belongs to the consumer, and if companies want to keep consumers, and stay in business, they’d better get serious about best practices that go beyond the network and secure the data itself.
Gary Bloom is Chief Executive Officer and President of Marklogic. Calling upon his extensive executive experience at Oracle and Veritas, he leads MarkLogic as the preeminent NoSQL database for the enterprise. During his 14-year tenure as an executive at Oracle, Gary helped organizations make the generational shift from mainframe to relational technology. As CEO of MarkLogic, he is driving another industry shift by spearheading solutions to the global challenge of aggregating and managing data from disparate sources and transforming that data into valuable information.
Prior to MarkLogic, Gary was CEO and president at eMeter, and a consultant of TPG, a global private investment firm. Gary was also the vice chair and president of Symantec Corp., where he led the company’s line of business organizations and the company’s corporate development efforts.
The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Cybersecurity Strategies for the Digital EraAt its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.