Who owns your data? Well, that depends on where you live. If you own it, then you should have control over it. If you don't own it, then how secure is it?

The recent large-scale breaches that affected the majority of Americans prompted the Senate Commerce Committee to hold a long-overdue hearing on consumer data security on November 8th. Witnesses included Paulino do Rego Barros Jr., interim CEO of Equifax; former Equifax CEO Richard Smith; Marissa Mayer, former Yahoo CEO; and others.

Prompting me to write was the exchange between do Rego Barros Jr. and Senator Catherine Cortez Masto (D-Nev.).

The Senator asked do Rego Barros why consumers do not have a say in opting in or out of the company's data collection. His answer: "This is part of the way the economy works."

The Senator fired back, "The consumer doesn't have a choice, sir. The consumer does not have a choice on the data that you're collecting." In fact, it is Equifax, and not consumers, that owns all the data collected about them, and consumers cannot request to exit the company's files.

Mayer was asked if consumers should own their own data, and her response was, "Yes. I believe that they should."

The exchange was in stark contrast to the European Union's General Data Protection Regulation (GDPR), going into effect May 25, 2018. It is clearly stated in the regulation that it is the citizen who owns their personal data. The objective of the GDPR is to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Multinational U.S. companies that handle data belonging to customers living in the EU must comply with the GDPR or face severe financial penalties.

Although EU citizens own their personal data, organizations around the world that collect their data and use it for any means must take "appropriate measures" to protect the data.

Well, given the large-scale breaches, many organizations are upgrading their systems and ridding themselves of passwords via multi-factor authenticators, such as software- and hardware-based one-time passcodes, biometrics or FIDO authenticators based on public key cryptography.

Verizon's 2017 Data Breach Investigations Report states that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords. Yet Javelin Strategy & Research's 2017 State of Authentication Report found that 100 percent of enterprises continue to use passwords. These results make me think of the witty definition of insanity: doing the same thing over and over again and expecting different results. That may be humorous, but when it comes to protecting personal data owned by the citizen and not owned by a credit bureau, Internet company, telco, bank or any other enterprise, I can assure you that GDPR auditors will come down hard on organizations "protecting" data with passwords.

GDPR will likely pave the way for strong authentication via biometrics, software or hardware authenticators. Since so many U.S. organizations must comply, strong authentication may just become the norm as envisioned in the U.S. National Strategy for Trusted Identities in Cyberspace.