• United States




Who owns your data?

Nov 27, 20173 mins
Data and Information SecurityData BreachSecurity

How secure is your data (whether you own it yourself or not)?

Equifax logo with keyboard lock and credit cards
Credit: Dado Ruvic/Reuters

Who owns your data? Well, that depends on where you live. If you own it then you should have control over it. If you don’t own it, then how secure is it? 

The recent large-scale breaches that affected the majority of Americans prompted the Senate Commerce Committee to hold a long overdue hearing on consumer data security on November 8th. Witnesses included Paulino do Rego Barros Jr., Interim CEO of Equifax; former Equifax CEO Richard Smith, Marissa Mayer, former Yahoo CEO and others.

Prompting me to write was the exchange between do Rego Barros Jr. and Senator Catherine Cortez Masto (D-Nev.).The Senator asked do Rego Barros why consumers do not have a say in opting in or out of the company’s data collection. “This is part of the way the economy works.”

The Senator fired back, “The consumer doesn’t have a choice, sir. The consumer does not have a choice on the data that you’re collecting,” In fact, it is Equifax, and not consumers, that owns all the data collected about them, and that consumers cannot request to exit the company’s files. 

Mayer was asked if consumers should own their own data, and her response was, “Yes. I believe that they should.”

The exchange was in stark contrast to the European Union’s General Data Protection Regulation (GDPR) going into effect May 25, 2018. It is clearly stated in the regulation that it is the citizen who owns their personal data. The objective of the GDPR to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Multinational U.S. companies that handle data belonging to customers living in the EU must comply with the GDPR or face severe financial penalties.

Although EU citizens own their personal data, organizations around the world who collect their data and use it for any means must take “appropriate measures” to protect the data. Well, given the large-scale breaches, many organizations are upgrading their systems and ridding themselves of passwords via multi-factor authenticators, such as software and hardware based-one-time passcodes, biometrics or FIDO authenticators based on public key cryptography.

Verizon’s 2017 Data Breach Investigations Report cites that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. Yet, Javelin Strategy & Research’s 2017 State of Authentication Report, found that 100 percent of enterprises continue to use passwords. These results make me think of the witty definition of insanity — doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting personal data owned by the citizen and not owned by a credit bureau, Internet company, telco, bank or any other enterprise, I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.

GDPR will likely pave the way for strong authentication via biometrics, software or hardware authenticators. Since so many U.S. organizations must comply, strong authentication may just become the norm as envisioned in the U.S. National Strategy for Trusted Identities in Cyberspace.


Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally.

He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors for the Identity Ecosystem Steering Group’s (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force.

Prior to OneSpan, he served as Director for Identity Solutions for DrFirst, a leading U.S. health IT solution provider, and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).

Before DrFirst, Mike lead Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition.

He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010-2014 where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Center for Disease Control grant to develop and test the viability of a "Health Security Card" to identify and expeditiously treat victims in the event of a disaster.

Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.

More from this author