Exploring the science and magic of Identity and Access Management
Tuesday, October 22, 2024

Personal Data: To Share or Not To Share?

Author: Mark Dixon
Monday, June 18, 2018
7:22 am

We talk a lot about restricting what personal data we share online, but is that sharing all bad? Tom Fishburne nails the issue with this week’s Marketoonist post.

We’re in a marketing catch-22. Consumers increasingly demand hyper-personalized experiences but are increasingly reluctant to hand over the data needed to make those experiences personalized.


State by State Data Breach Map

Information Security, Privacy
Author: Mark Dixon
Wednesday, June 13, 2018
2:47 pm

What data breach regulations are in force in your state?

Check out the Snell & Wilmer interactive, state by state Data Breach Map.


GDPR Enforcement – What Will Happen Now?

Information Security, Privacy
Author: Mark Dixon
Tuesday, May 29, 2018
10:54 am


Here we are, four days beyond May 25th – the date when enforcement of the General Data Protection Regulation was to begin. So far, no planes have fallen from the sky (remember the dire Y2K warnings?) and no specific enforcement actions by the EU have been announced. Privacy activist Max Schrems’ organization noyb.eu immediately filed $8.8 billion in lawsuits against Facebook and Google. But what of the EU regulators? What are their plans?

Only time will tell. I get the feeling that what will happen with GDPR enforcement is kind of like the Super Bowl. There has been incessant conversation and speculation leading up to May 25th, and now the game has begun. It will be played out on the field over the next months and years. Then we will really know what will happen.

A Dark Reading article, “GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?”, includes some interesting speculation and advice from privacy experts. I particularly like a comment in the article by Dave Lewis, global security advocate at Akamai Technologies:

There has been an inordinate amount of focus on the potential fines. The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards.

If that accountability really improves, we should cheer GDPR, not live in fear of its dire consequences.

My two cents …

GDPR Regulators Not Ready?

Author: Mark Dixon
Wednesday, May 9, 2018
7:22 am


I find it incredibly ironic that EU regulators may not be ready to enforce GDPR when scheduled on May 25th.

A Reuters Business News article, European regulators: We’re not ready for new privacy law, reported:

Many of the regulators who will police [GDPR] say they aren’t ready yet. …

Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.

“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.

After working with customers on GDPR compliance preparation for over 18 months, it has been amazing to me how ill-prepared many companies are, but it was really surprising to learn that the EU may not be ready either! It all goes to prove that it is much easier to talk about something than to actually do it.


GDPR: A Cost vs. Benefit Analysis

Author: Mark Dixon
Tuesday, April 24, 2018
8:34 pm


With the May 25th enforcement date for GDPR looming before us, it is easy to focus on the huge investment companies are making in their efforts to comply.

However, an Information Week article authored by Dimitri Sirota, CEO and Co-founder, BigID, offers a brighter picture:

The International Association of Privacy Professionals estimates that Fortune’s Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet, viewing GDPR through the lens of compliance cost alone doesn’t reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial cost associated with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

Sirota proposes tangible business benefits arising from work towards GDPR compliance (selected excerpts are shown):

Understanding the customer

First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.

Cyber insurance and civil action savings

Companies mandated to comply [with GDPR], and those showing proof of compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs. …

A hard rule on public disclosure is understandably daunting, but the role GDPR will play in helping companies better understand what data they have, its risk and how to protect it, will prove greatly beneficial to avoiding a breach all together.

Minimizing response costs

Through increased data visibility required for compliance, funds spent on determining who exactly was affected by a breach will be all but eliminated.

In conclusion, Sirota takes the optimistic view:

GDPR aims to provide better consumer accountability through better data accounting. Ultimately, this helps build trust between a company and its customers. However, in a very real financial way it also has economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and better extract value from its customers. GDPR at first blush looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and value.

I am a fan of looking for business benefits of security and compliance beyond reducing risk. I think the most important benefit that Sirota proposes is understanding the customer through a better understanding of their data. I really like how he puts it:

Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.

Thanks for the insight, Dimitri!

5 stages of data privacy grief

Author: Mark Dixon
Monday, April 23, 2018
7:37 am

Do you want some tasty ice cream? I think Tom Fishburne nailed the essence of why people put up with social media intrusion into their personal space.


Everyone is a spidergram now

Freedom, Privacy
Author: Mark Dixon
Thursday, April 19, 2018
12:46 pm

Has misuse of surveillance and analytics technology become ingrained in our culture? Not long ago, it was the NSA surveillance scandal that rocked our sensibilities. Now Facebook and Cambridge Analytica are in the forefront of public consciousness. And what technology did Cambridge Analytica use to process the data taken from Facebook? Palantir – a data analytics company that claims “We believe in augmenting human intelligence, not replacing it.”

In a somewhat chilling Bloomberg article, “Palantir Knows Everything About You,” the authors claim:

Peter Thiel’s data-mining company is using War on Terror tools to track American citizens. The scary thing? Palantir is desperate for new customers.

The article further explains:

Founded in 2004 by Peter Thiel and some fellow PayPal alumni, Palantir cut its teeth working for the Pentagon and the CIA in Afghanistan and Iraq. The company’s engineers and products don’t do any spying themselves; they’re more like a spy’s brain, collecting and analyzing information that’s fed in from the hands, eyes, nose, and ears. The software combs through disparate data sources—financial documents, airline reservations, cellphone records, social media postings—and searches for connections that human analysts might miss. It then presents the linkages in colorful, easy-to-interpret graphics that look like spider webs.

This leads to my favorite sentence from the article, “Everyone is a spidergram now.”

Imagine that you are at the center of a spidergram like the one for Peter Thiel, but that your relationships and connections are shown, not his. How would you like such information to be revealed?


How is it possible that a company founded to help protect citizens of the United States could misuse technology to spy on the very citizens it was supposed to protect?

I think the article got it right, “The scary thing? Palantir is desperate for new customers.”

In my observation, any misuse of technology can be traced directly to the desire for money or power, and often both. If we want to understand the motivation behind such misuse, just remember the famous words of Rod Tidwell (Cuba Gooding, Jr.) in the film Jerry Maguire …

Keep your Personal Data Safe Online

Author: Mark Dixon
Thursday, April 19, 2018
11:51 am


In the wake of the US Senate grilling Mark Zuckerberg about the Cambridge Analytica scandal, and as we move ever so quickly towards the May 25th date when the EU will begin enforcing the General Data Protection Regulation (GDPR), it is easy to focus on the responsibilities online companies have for implementing what GDPR calls “Data Protection by Design and by Default.”

All that focus is good, but we should not forget the responsibilities each person has for making sure their own personal data is safe. In her blog post today, Emma Firth of digi.me proposes “10 ways to keep your personal data safe online.”

Please take a few minutes to read Emma’s commentary, but here are the ten points she recommends:

  1. Be clear who can see what
  2. Have strong passwords – and don’t reuse them or write them down
  3. Take care not to post information that is often used as security questions
  4. Don’t fall for dodgy or so-called phishing emails
  5. Be careful where you log on – take care to disconnect from a session if using public computers
  6. Make sure your home wifi is password-protected
  7. Be wary about who you befriend online
  8. Beware what pictures and status updates on social media tell a potential criminal about you
  9. Be sensible and always have your wits about you

Thanks, Emma, for your insightful reminders.

And remember, in the words of Sergeant Phil Esterhaus (Michael Conrad) of Hill Street Blues fame …

Bermuda Personal Information Protection Act

Author: Mark Dixon
Monday, April 16, 2018
9:07 am

When I give a presentation about the General Data Protection Regulation (GDPR), someone usually asks how long it will be before the United States has a similar regulation. I really don’t know, but the Senate Facebook hearings last week show that the topic is certainly on the minds of our elected leaders.


Another strong indicator that a US regulation is forthcoming is the emergence of “GDPR-like” regulations in other countries. For example, the article “A paradise for data privacy advocates – Bermuda’s privacy law now in full effect” states:

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. 

Regulations such as this will put pressure on the US to act, in order to facilitate economic interaction with other countries:

Unless and until the United States passes an overarching privacy statute providing comparable levels of protection over the use of one’s personal information, including for non-US Persons, it is unlikely that the Privacy Commissioner will allow for the free flow of personal information between Bermuda and the United States.

The article’s concluding statement:

Ultimately, the trend towards greater privacy protections—and the limitation on cross-border data transfers, especially to the United States—is only picking up steam, as this Bermuda law highlights. And more may still be to come.

How soon do you think the United States will act?

Time for a Federal Data Breach Law in the US?

Author: Mark Dixon
Friday, April 13, 2018
6:55 am


Recently, I have given several presentations about the European Union’s General Data Protection Regulation (GDPR). A common question that arises is whether we should expect a similar data protection regulation in the US.

This morning, an interesting article on the subject crossed my desk: “No more waiting: it’s time for a federal data breach law in the U.S.”

A few excerpts:

With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.

Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved. That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms.

It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement.

Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.

It seems to me that demand in the US for privacy protection in general, and breach notification in particular, has lagged such demand in Europe, probably because of differences in culture and political philosophy. However, due to the increase in high-profile data breaches in the last couple of years, I expect we will see federal legislation fairly soon.


