This coming January 28th marks the sixth annual Data Privacy Day (sponsored by the National Cyber Security Alliance). And looking at the course of business history since the first Data Privacy Day in 2009, we’re not getting any better at managing privacy.
2013 still leaves lingering bad memories, with news cycles about NSA spying and massive data breaches at Target, Adobe, Snapchat and others. It was so bad that Dictionary.com chose privacy as the word of the year for 2013.
If the definition of insanity is doing the same things over and over and expecting different results, then we’re officially insane. We need to break the cycle that’s eroding trust in the Internet and our financial identities.
The Same Old Practices Aren’t Working Anymore
When it comes to data privacy, most businesses are concerned with data loss prevention. They focus on protecting data at rest (stored within their systems and applications) and in motion (in transit on networks). They use an array of information security techniques to prevent data breaches. But attackers and criminals frequently find ways around these safeguards, sometimes through human engineering.
Once those protections fail, businesses have nothing left to do but to notify customers of the breach and do damage control. (Some businesses aren’t even very good at those steps.) Those efforts are like closing the stable door after the horse has bolted. The customer’s data is out there.
I think we need to make significant changes to how we think about and manage data privacy. And the very first change I propose is this:
Let’s focus as much on protecting identities in use as data at rest and in motion.
Protecting Customer Identities in Use
A data breach does its real damage when the stolen data is used for illicit purposes. If businesses commit to protecting their customer identities ‘in use’ as well as data at rest and in motion, they can go a long way towards making cybercrime less successful and restoring trust.
What does it mean to protect identities in use? It means that businesses take accountability for protecting customer data – even if a breach happened elsewhere. When someone logs in or makes a transaction using the customer’s identity, the business will make every effort to make sure that the customer’s identity is legitimate, not stolen.
This change requires new ways of authorizing logins and transactions. It springs from a broader sense of accountability for data privacy. And it will depend on global collaboration across businesses to share information about online identities and devices.
ThreatMetrix is helping businesses protect identities in use today through the concept of Persona IDs. We’re adding context-based authentication to online identities, and enabling location authorization to confirm the location of a device making a transaction. And we’ve built a massive global data repository in the ThreatMetrix™ Global Trust Intelligence Network.
I will share more thoughts on data privacy in upcoming posts. To read more about what ThreatMetrix is doing for Data Privacy Day, see our press release.