22 Oct Securing your personal information – What if we ‘Got it ALL Wrong?’
Earlier this year, Equifax experienced a data breach that resulted in exposure of 143 Million US and European citizens Personal Identifiable Information (PII.) Shortly thereafter, Yahoo confessed to a breach of all One Billion of its user’s information on three distinct occasions that only surfaced following an audit by the acquisition into Verizon.
At what point do Corporations really realize the risks and liability they are assuming by maintaining all of this data? Does the ROI of maintaining the data truly warrant the financially, publicity and reputation risks? In time, the emerging lawsuits will define the individual’s ownership position on their PII through regulation and policy. Companies will be forced to re-evaluate their position and technology on maintaining PII in active and archive systems; on-premise and in the “cloud”.
There is a new approaching regulatory requirement that companies must certify compliance to in May 2018. The GDPR (General Data Protection Regulation) imposed by the European Union (EU.) This regulation has stiff penalties for violating a person’s data rights. It requires all companies to be transparent about the data tracking, storage and use of PII belonging to EU citizens. Even if you have a single customer in the EU, you are required to comply, which includes having Data Protection Officer, employee training and so on.
But what if we got it wrong?
Could we reverse the data storage model to ensure elimination of the risk, while maintaining access to the data required?
There is so much data today that at our current collection rates, we even coined the term “Big Data” to highlight the sheer weight and volume of data being collected and stored. Some companies are collecting over a million points of data per second in retail, IOT and web-based operations. Because there is so much information, we need business intelligence and artificial intelligence systems to digest and normalize the data to even begin to make it applicable to decision making.
In this world of information, the ownership of storing information as Intellectual Property (IP), has largely been held to be owned by the company acquiring and/or storing the information. Data that identifies me (my name, DOB, address, Social, Driver’s License number, zip code, IP address, height, weight, device, operating system, click order, etc.) have long been collected by many companies for marketing, operations, and other business needs.
The EU has argued, and regulated with the GDPR, that a person’s individual information belongs to, or is owned by, the citizen to whom it is relevant. Therein lies the challenge for US Based companies: release the ownership of a person’s information or face potential loss (up to 4% of annual gross revenue) due to mishandling or blatant abuse of that data.
The underlying challenge to the existing information storage model is the data is being stored by companies who face constant malicious attack to gain access to this data. The data storage is outside the control of the person that is struggling to protect themselves from abuse of their personal information being compromised.
Let’s Find a NEW Way!
Warning: Companies that monetize large amounts of information may not be pleased with the following idea!
While the methodology proposed here is theoretical, and at present doesn’t have the final technical means to production, the emergent technology exists, and we can find a way to make it the reality.
The Proposal: Place an individual’s personal information back into the control of the owner, and solicit their permission to access it.
The Concept: You own a wallet, much like the purse or wallet in your possession right now. Within that wallet is your Driver’s License, Passport, Insurance Card, money and other personal information. There is no argument the wallet or purse belongs to you. So, let’s build a secured electronic wallet using blockchain technology that provides the individual the ability to grant access to specific information stored within their wallet to whom they so choose.
Example: Company X wants to access to some of your information for billing purposes. Instead of Company X creating a database system that stores your PII, Company X only stores field(s) of information that “point” to your secured electronic wallet on a blockchain. The information stored by Company X, if compromised, by itself has no value.
Through the secured wallet that you control, Company X requests access to the fields of information you grant them access to retrieve. To retrieve the information, Company X must first validate their identity on the blockchain against your wallet and the information they want to retrieve at the time they need it. Company X’s system can read the data, but not store or place that information in anything but temporal processing locations that can be validated and scrubbed to meet regulatory requirements. The reverse would be true for placing information into your wallet, such as medical information.
You as the wallet owner have complete visibility every time Company X requests access to your data, and have the power to turn the switch from on to off, on any or all of the information.
A Win-Win all around!
The GPDR is an attempt at the approach of individual control of personal information but falls short as compliance mechanism to implement stronger and more stringent security controls. This is because an individual’s information is still stored across dozens, if not hundreds of company’s databases that are under constant attack.
The secured wallet proposal herein makes for a more sustainable, secure, and compliant model that places the control of an individual’s information back into the hands of those impacted by every breach: the IP owner or you and I the citizen affected. Company’s remove their risk, we respect the rights of the individual, meet compliance and regulatory requirements, and offer control of personal information back into the hands of the ultimate person that it means the most too: You and me.