Recently, I have given several presentations about the European Union’s General Data Protection Regulation (GDPR). A common question that arises is whether we should expect a similar data protection regulation in the US.  

This morning, an interesting article on the subject crossed my desk: “No more waiting: it’s time for a federal data breach law in the U.S.”

A few excerpts:

With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.

Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved. That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms.

It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement.

Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.

It seems to me that demand in the US for privacy protection in general and breach notification in particular has lagged such demand in Europe, probably because of difference in culture and political philosophy.  However, due to the increaser in high-profile data breaches in the last couple of years, I expect we will see federal legislation fairly soon. 

 

This little exchange highlights the essence of an individual’s right to privacy – Individuals should have control over how their personal data is used. Do you have control?  Should you?

If you can’t see the video, you can access it on YouTube here.

I am reading a fascinating book, “Identity is the New Money,” by David Birch. The book was published three years ago, but I find it extremely relevant today.

I just read this paragraph:

Identity becomes the key to transactions and a crucial individual resource that needs to be looked after by responsible organizations.  We all need to start planning for the transition to identity based transactions.

This triggered a thought – isn’t paying for something or enabling some action via my Apple watch a good example of an identity-based transaction of the type Mr. Birch speaks?  It kind of amazes me that paying via phone or watch is still something of a novelty in many circles.  But for me, I am always on the lookout for somebody that accepts that sort of identity-based transaction.

Here is a list of some of the places where I have recently paid with my Identity via Apple Watch:

• Walgreens (An early adopter – the very first place I used Apple Pay)
• Trader Joe’s
• Whole Grain Bread
• A&P Nursery (the tree and plant kind of nursery)
• Church cafeteria
• Taxi
• Airport news/convenience store
• Gas station / convenience store

It is interesting how often the point of sale clerk will comment on the “high tech” or “newfangled” way I pay. Several times, they have said I was the first person they had seen pay with a watch.

I am really disappointed that the major retailers I often visit – Home Depot, Lowes, Walmart, Sam’s Club, Fry’s (Kroger), etc., haven’t jumped on the bandwagon.

I just find it so incredibly easy to pay with my watch – to pay with my identity.  I just wish the pace of adoption would accelerate!

As I read a recent Risk Management Monitor article “Companies Must Evolve to Keep Up With Hackers,” I couldn’t help but think – at what cost?  Perhaps you can calculate the amount a company spends on tools and processes to defend against cyberattacks, and perhaps even justify that expense by attempting to estimate the cost of a data breach were it to occur.

But what about cost of lost opporutunity?  Has anyone tried to estimate how much time, attention and resources are diverted from managing and innovating in the core business to defend against cyberattacks? I would guess that such diversion robs more from the overall business than the more visible expenses that show up on a balance sheet – which is growing at an alarming rate.

So, Mr. or Ms. Hacker, whoever you are, you are robbing our society blind – in ways that are really tough to measure. Man up and do something productive for a change!

 

P.S., Jerry Dixon, author of the article, is not related to me that I know of, but he writes a good article!

Yesterday, I blogged about the inherent conflicts of interest that exist with most current or potential Identity Providers.  Is it just coincidence that today I would read a post on LinkedIn by Gary Rowe, CEO/Principal Consulting Analyst at TechVision Research, highlighting the TechVision Research report, “Banking on Identity?”

The report offers a compelling case: “The opportunities for banks to become identity service providers.” I was impressed when I read the downloaded report.  Here are a few excerpts:

Identity data in all its forms is going to power the global economy of the future and will become increasingly highly prized and sought after. Services that help manage the safekeeping and distribution of identity data could dominate that future.

This is certainly in harmony with the statements in my recent blog, “The Future of Digital Identity,” in which I quoted David Birch  author of “Identity is the new Money.”

For banks to proactively create a new set of identity services would not be that far removed from what they are required to provide today to comply with KYC (know your customer) and other regulations, both in Europe and the rest of the world. It would also offer a welcome opportunity to strengthen customer relationships and encourage customer loyalty at a time when other aspects of the banking business are being disrupted.

Yes, Identity is about relationships, and banks do seek to strengthen relationships with their customers. I place trust in the banks with which I do business.  Can I also trust them to safeguard my identity information, the “new money” of the global economy?

From a consumer perspective, the major initial attraction [in banks as identity service providers] will be convenience. Not having to repeatedly undergo the tiresome process of producing hard copy documentation verifying identity, as well as proof of residence, will be very attractive and remove an irritating barrier to getting business started as quickly as possible. Being able to use the trusted services of a bank will, in the majority of cases, likely be far more attractive than using the services of a social media or any other company.

As a consumer, I would definitely prefer my bank as identity provider over Facebook or Twitter!

For the banks, the principal advantage of becoming identity providers is about cost mitigation. Banks are already spending large amounts on KYC and other identity-related issues. Any opportunity to begin to monetize that sunk cost would provide a welcome additional income stream.

The report lays out a compelling case for benefits to banks in providing identity services.  The new ability to “monetize that sunk cost” is a benefit I hadn’t considered before.

Until recently the requirement for a customer-centric identity service was the stuff of long-term visions, and the idea that a bank would provide such a service would have been considered outlandish. But the demands of today’s heavy dependence on the Internet for every aspect of daily life has made the absence of safe, secure and reliable personal credentials one of the barriers to the growth of the digital economy.

I admit that I was one with long term dreams, if not visions, of a good identity service provider.  BofA, Chase, Wells Fargo — which of you will have the vision and courage to make it happen?

 

 

 

After uploading yesterday’s blog post, I realized that I had again made a statement about a problematic “conflict of interest” inherent in many Identity providers.

What do I mean by that?

For many years, I have dreamed of the concept of a broadly used Identity Provider enabling each of us to leverage one set of identity credentials to reach service providers, with personal control over which bits of our personal information would be shared with each service provider.  

I just checked way back on my blog to find a few examples of my early yearnings:

• May 2005: Credit Bureau as Identity Provider? (first month I blogged)
• June 2006: Verisign, Personal Identity Provider
• June 2006: Symantec – Identity Provider?
• May 2007: Mobile Operators as Identity Providers
• December 2009: My Christmas Wish List: Personal Identity-Persona Service (It wasn’t under the tree that year)
• December 2012: Facebook – My Identity Arbiter?

Well, now we are in 2017.  The technology is widely available to make that happen. Can’t we just use Facebook, Google, Twitter or Amazon? Well yes, sort of. However, I propose that the biggest problem with any of these organizations really filling the role of a universal identity provider is that they all have massive conflicts of interest.

Facebook, Google and Twitter really just want to sell my eyeballs and mouse clicks to the highest bidder in an advertising war.  Amazon just wants to sell me stuff. 

Why would any of these companies ever really want to allow me to use the relationship I have developed with them to establish a relationship with a competitor?  Only if it is calculated to benefit their their interests, to be sure.

Such conflicts of interest are grounds for employee termination in many companies (or should be), yet it happens all the time on the Internet.  I suppose that only when truly independent identity providers like Sovrin are widely adopted will we escape these conflicts of interest. 

Following a blog post recommendation by Emma Firth, Communications Director of Digi.me, I just read an insightful article, “Transforming the Digital Identity Landscape,” in the June 2017 issue of Leo, an e-magazine published by Luxembourg for Finance.

It was particularly interesting to read the viewpoints of four Digital Identity thought leaders who spoke at the Fintech Stage Luxemourg conference:

A few excerpts:

David Birch, Director of Research at Consult Hyperion and author of “Identity is the new Money.”

To me, digital identity is the bridge between the world of virtual identities that only exist on-line and the things that exist in the real world.

You can think of the problem as being that there are two sides to that bridge: we need to connect the bridge to the real world, and that´s complicated and time-consuming and expensive. Nobody wants to have to manage personal data. Especially because you have new data protection laws coming, and the costs of having to manage this ‘toxic waste’ and deal with it when it is tangential to your business are not what you want to do.

Connecting the bridge to the virtual world, in contrast, is easy. We should have many virtual identities, one for each of our online relationships.

I like the concepts of Identity being a bridge (or set of bridges) between the virtual world of online identities and reality.

His comment about the difficulty of managing the “toxic” waste of personal data which is only tangential to real business is particularly relevant in the GDPR countdown to May 25, 2018.

Julian Ranger, Chairman and Founder of digi.me

We have always been multi-dimensional. The question is, are our financial services able to support that multi-dimensionality and work for me across all of those dimensions?”

If you consider identity not to be just identification of data, but all the things that I do, then it’s a holistic through-life process, and you should be using digital identity by engaging directly with me and looking at me across all aspects of my life.

I liked how Mr. Ranger described Digital Identity as a “holistic through-life process,” challenging financial services companies to embrace the inherent multi-dimensional reality of the customers they serve.

David Brear, Founder and CEO of 11:FS, a FinTech consultancy

When you look at digital identity there is no de facto listing globally. 

This is so critical to identity that if you don’t trust the system that the identities are being captured and contained within, it makes it tough for that system to be very useful within the realms of what you are trying to do. This is why people have started to look at irrefutable databases. Things like distributive ledgers and blockchain-like identity schemes are very interesting for this.

Yes, Digital Identity begs for a global “irrefutable database,” perhaps using “distributive ledgers and blockchain-like identity schemes.”  I believe this type of mechanism is essential to really solve the current conflict of interest nature of Identity providers.

Sam Maule, Director, Director, Senior Practice Lead, Digital & FInTech at NTT DATA Americas

I believe we overuse and overhype the term blockchain. I believe that distributive ledger technology does serve as an excellent tool, but in the future, we are going to have components of Artificial Intelligence that we haven’t looked at before, with which we will be able to fine-tune this concept of digital identity.

Startups and FinTech can streamline and simplify the process around identity, and I believe the banks themselves can secure it and make sure it’s compliant, and the two work hand in hand together.

I agree that “blockchain” is an overhyped term, but it is interesting that Mr. Maule turned to another over-hyped term, “Artificial Intelligence,” in the quest to fine tune and simplify the problems of Digital Identity.  I expect that we will see a number of technologies converge to meet the global requirements of Digital Identity.

In all, fascinating concepts:

• Digital identity is the “bridge” between our many online virtual identities and our real-world selves.
• Digital Identity must be a “holistic through-life process,” accommodating the inherent multi-dimensional aspect of our lives.
• Technologies like blockchain and distributed ledgers will be essential to enable global, irrefutable databases for Digital Identity.
• Blockchain alone won’t solve all the problems.  Leveraging other emerging technologies such as artificial intelligence will be essential to meet real world Digital Identity demands.

I love these discussions about Identity.  We have a great future ahead.

How critical is Identity and Access Management to GDPR Compliance?

The somewhat radical, but underlying philosophy of GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII), and grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data “by design and default,” but the question remains – how can enterprises keep track of all the data subjects and their PII data?

I propose that Identity is at the heart of the matter.  How can an enterprise:

1. Know who all data subjects are and what personal data is being maintained?
2. Know what rights of data use each data subject has granted? 
3. Know PII data elements are being maintained and processed for each data subject?
4. Enable data subjects to edit (rectify) any of the data elements being maintained?
5. Allow each data subject to grant or withdraw consent?
6. Securely authenticate and authorize data subjects when they desire access to their PII?
7. Guarantee that only people with legitimate need-to-know can access PII?
8. Enable data subjects to request erasure?
9. Audit and certify processes for consent, use and erasure?
10. Notify data subjects of any breaches?

There are probably more reasons, but this list is a start. In my opinion, Identity at the heart of effective GDPR compliance.

By the way, as of today, there are only 300 days left.

May 25, 2018 is bearing down on us like a proverbial freight train. That is the date when the European Union General Data Protection Regulation (GDPR) becomes binding law on all companies who store or use personal information related to EU citizens. (Check out the count down clock on the GDPR website).

Last week, Oracle published a new white paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Leveraging our experience built over the years and our technological capabilities, Oracle is committed to help customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR.

GDPR is primarily focused on protecting fundamental privacy rights for individuals. By necessity, protection of personal information requires good data security. As stated in the white paper, 

The protection of the individuals whose personal data is being collected and processed is a fundamental right that necessarily incorporates IT security.

In modern society, IT systems are ubiquitous and GDPR requirements call for good IT security. In particular, to protect and secure personal data it is, among other things, necessary to:

• Know where the data resides (data inventory)
• Understand risk exposure (risk awareness)
• Review and, where necessary, modify existing applications (application modification)
• Integrate security into IT architecture (architecture integration)

Oracle proposes the following framework to 

… help address GDPR requirements that impact data inventory, risk awareness, application modification, and architecture integration. The following diagram provides a high-level representation of Oracle’s security solutions framework, which includes a wide range of products and cloud services.

 

The paper primarily focuses on the “Enforcement” portion of this model, postposing that:

… four security requirements are a part of many global regulatory requirements and well-known security best practices (i.e. ISO 27000 family of standards, NIST 800-53, PCI-DSS 3.2, OWASP and CIS Controls).

In conclusion, the paper states:

The path towards GDPR compliance includes a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the 25 May, 2018 deadline.

Based on our experience and technological capabilities, Oracle is committed to help customers with a strategy designed to achieve GDPR security compliance.

 

May 25, 2018 is less than ten short months away.  We all have a lot of work to do.

 

 

 

This morning I read a short article stating, “Arizona businesses lead the nation in malware detections.” Wouldn’t you know — Arizona leads the nation — but not in some fun way like an NBA Championship.

I immediately thought of another dubious distinction for our state – the Arizona bark scorpion is the most venomous scorpion in North America.

I propose that we begin to think of cyber attackers as “Virtual Scorpions”- sneaky, scary, venomous and treacherous.

If only we could deal with cyber attackers like our grandkids detect and obliterate scorpions in Arizona –  armed with ultraviolet lights and a blowtorch.

Enjoy the show.