Happy Data Privacy Day. Keep It Under Your Hat.
Posted January 26, 2015
In Conjunction with Data Privacy Day, ThreatMetrix Offers Strategies to Help Business Protect Privacy, Secure Data and Build Trust on the Internet.
Little more than a week after the President’s State of the Union call for vastly improved cybersecurity and privacy measures comes Data Privacy Day.
Coordinated and led by the National Cyber Security Alliance (NCSA), Data Privacy Day is held each year on January 28th to raise international awareness and empower individuals and businesses to better protect their privacy. This year’s theme is “Respecting Privacy, Safeguarding Data and Enabling Trust.”
ThreatMetrix Data Privacy Day Champion
For its third consecutive year, ThreatMetrix has signed on as a Data Privacy Day Champion, supporting the ideal that individuals, organizations, business and government all share the responsibility to be aware of data privacy challenges.
Cybersecurity on both Democratic and Republican agendas
The State of the Union address made it clear that cybersecurity is an urgent and growing concern for government, business, consumers, students — everyone. And, it is at least one thing that both parties agree on.
Privacy Bill of Rights
The proposed Privacy Bill of Rights would let consumers decide what personal data could be collected by companies and how the data would be used. Under the proposed legislation consumers could prohibit companies which collect data for one purpose to use it for another. These changes have the potential to significantly impact the way businesses process customer data.
Alisdair Faulkner, ThreatMetrix’s chief products officer
“The only way we can build trust on the Internet is through better control of the consumer data processed online. Obama’s proposed Privacy Bill of Rights will raise the bar for privacy protections, keeping all companies no matter where they reside to the same standards. It may seem backwards, but to build trust, businesses and government entities need to increase data sharing while ensuring privacy. This means implementing security solutions that share data in real time, but preserve customer privacy through encryption and tokenization.”
Businesses may have the will, but no way to ensure privacy and security
Many businesses are well-intentioned, but they lack the resources or knowledge to protect their customers’ privacy and data. And, through their use of stolen identities, compromised devices, and masked IP addresses, cybercriminals are often virtually impossible to locate or stop without special skill and resources.
“All businesses, regardless of industry, need efficient, automated processes for fraud detection and customer notification,” said Faulkner. “Any company that uses some form of online user authentication is now going to be held accountable for at least a minimal level of protecting customer privacy. The proposed Privacy Bill of Rights requires customers be notified by businesses about a data breach within 30 days, but cybercriminals can take data in the blink of an eye. Thirty days gives cybercriminals an eternity to monetize that information. Ideally, businesses need to be able to measure unauthorized access in real time, address the problem and notify customers immediately.”
ThreatMetrix strategies businesses can implement for combating cybercrime while building trust online:
- Digital Identity Proofing–Traditional identity verification technologies, e.g. challenge questions, rely on personal information that has already been breached and in the hands of the criminals they are trying to vet. Businesses need a different approach. By analyzing global patterns of identity usage, including locations, devices, accounts, transactions and associations over time, it’s possible to factor in all aspects of a user’s behavior without putting artificial speed-bumps in his/her path.
- Secure Anonymized Shared Intelligence– You have to have a network to fight a network. Additionally, you need “privacy by design” built into the ecosystem. Intelligence networks must anonymize and secure data not just from outside attacks, but also internal theft and social engineering attacks. Legal restrictions, such as those proposed by the President will fail to protect consumer data if not backed by solid technology and processes.
- Endpoint Threat Intelligence – To differentiate between trusted users and cybercriminals, businesses must consider the context of every access attempt and transaction from each user. Whether initiated by a customer or an employee, businesses have to establish the credibility of the transaction in real time based on the full context of the user’s identity, behavior over time and device threats. These threats include Man-in-the-Middle and Man-in-the-Browser attacks, account compromises, bots, proxies, and location and transaction anomaly screening to determine the level of authentication and authorization required to process the request.