How secure is your data (whether you own it yourself or not)?

Who owns your data? Well, that depends on where you live. If you own it, then you should have control over it. If you don’t own it, then how secure is it?

The recent large-scale breaches that affected the majority of Americans prompted the Senate Commerce Committee to hold a long overdue hearing on consumer data security on November 8th. Witnesses included Paulino do Rego Barros Jr., interim CEO of Equifax; former Equifax CEO Richard Smith; Marissa Mayer, former Yahoo CEO; and others.

What prompted me to write was the exchange between do Rego Barros Jr. and Senator Catherine Cortez Masto (D-Nev.).

The Senator asked do Rego Barros why consumers do not have a say in opting in or out of the company’s data collection. He replied, “This is part of the way the economy works.”

The Senator fired back, “The consumer doesn’t have a choice, sir. The consumer does not have a choice on the data that you’re collecting.” In fact, it is Equifax, and not consumers, that owns all the data collected about them, and consumers cannot request to exit the company’s files. Mayer was asked if consumers should own their own data, and her response was, “Yes. I believe that they should.”

The exchange was in stark contrast to the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. The regulation clearly states that it is the citizen who owns their personal data. The objective of the GDPR is to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Multinational U.S. companies that handle data belonging to customers living in the EU must comply with the GDPR or face severe financial penalties.
Although EU citizens own their personal data, organizations around the world that collect their data and use it for any purpose must take “appropriate measures” to protect the data. Given the large-scale breaches, many organizations are upgrading their systems and ridding themselves of passwords via multi-factor authenticators, such as software- and hardware-based one-time passcodes, biometrics or FIDO authenticators based on public key cryptography.

Verizon’s 2017 Data Breach Investigations Report cites that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. Yet Javelin Strategy & Research’s 2017 State of Authentication Report found that 100 percent of enterprises continue to use passwords. These results make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting personal data owned by the citizen and not owned by a credit bureau, Internet company, telco, bank or any other enterprise, I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.

GDPR will likely pave the way for strong authentication via biometrics, software or hardware authenticators. Since so many U.S. organizations must comply, strong authentication may just become the norm as envisioned in the U.S. National Strategy for Trusted Identities in Cyberspace.