Privacy Laws: Who Owns Personal Data?

Michael Magrath,

Who owns your data, and what privacy laws govern it? Well, that depends on where you live. If you own it, you should have control over it. If you don’t own it, how secure is it?

Recent data breaches that affected the majority of Americans have begun a national dialogue around the security of personal data. In fact, the high profile Equifax breach and others like it have prompted the Senate Commerce Committee to hold hearings on “Protecting Consumers in the Era of Major Data Breaches”. The latest took place on November 8, 2017. Those testifying included the Interim CEO of Equifax, Paulino do Rego Barros Jr.; former Equifax CEO, Richard Smith; and former Yahoo CEO, Marissa Mayer.

Prompting me to write was the exchange between do Rego Barros Jr. and Senator Catherine Cortez Masto (D-Nev.). When the Senator asked Barros why consumers cannot opt out of Equifax's data collection, he said, “This is part of the way the economy works.”

The Senator fired back, “The consumer doesn't have a choice, sir. The consumer does not have a choice on the data that you’re collecting.” The Senator’s point being that Equifax owns all data collected about consumers. According to the Washington Post, “consumers cannot request to exit the company's files.”

The Difference with EU Privacy Laws

That exchange was in stark contrast to consumer-related data protection controls like the European Union’s General Data Protection Regulation (GDPR) going into effect May 25, 2018. The GDPR clearly states that the citizen owns their personal data. The objective of the Regulation is to give citizens and residents control over their data. Multinational U.S. companies that handle data belonging to customers living in the EU must comply with the GDPR or face severe financial penalties.

Although EU citizens own their personal data, organizations around the world who collect consumer data and use it for any means, must take “appropriate measures” to protect it.

Given the large-scale breaches, many organizations are upgrading their systems and ridding themselves of passwords in favor of multi-factor authenticators, such as software authentication, hardware-based one-time passcodes, biometrics, or FIDO authenticators based on public key cryptography.

Time to Replace Passwords with Strong Authentication

The Verizon 2017 Data Breach Investigations Report states that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Yet, Javelin Strategy & Research's 2017 State of Authentication Report found that 100% of enterprises continue to use passwords. These results make me think of the witty definition of insanity — doing the same thing over and over, and expecting different results.

That may be humorous, but when it comes to protecting personal data owned by the citizen (not owned by a credit bureau, Internet provider, telco, bank or any other enterprise), I can assure you that GDPR auditors will come down hard on organizations “protecting” data with passwords.

Data protection controls such as GDPR will likely pave the way for strong authentication through biometrics, software or hardware authenticators. Since so many U.S. organizations must comply, strong authentication, as it relates to the security of personal data codified in myriad privacy laws, may just become the norm as envisioned in the U.S. National Strategy for Trusted Identities in Cyberspace.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).