Another day, another data breach. That’s what it has felt like this year. So, where are the security solutions?
SIEM, denial of service protection, yet another encryption product, but no real offers to do something to actually protect customer data.
Because dealing with data breaches means dealing with real dollars. Target’s breach costs are now estimated to be on the order of $252 million and counting. Some estimates put the total cost of a data breach at $154 per lost record. Smart companies are looking at their customer lists and wondering how much potential liability they are facing.
From the consumer perspective, things are much worse. The average cost of identity theft is on the order of $4,841 and, in the case of medical identity theft, $13,450.
In addition to direct costs, long-term costs in terms of damaged credit and time are hard to calculate.
Something needs to be done.
Actual security is hard
And yet, real solutions do not seem to be out there anywhere. The problem for a security provider is that typical security product and service offerings offer (potentially) helpful tools. They never actually promise security.
You can’t. You never know the entire environment that your offering is going into. You don’t know the details of the business. And you don’t know what is going to happen 10 seconds after you’ve set things up.
Even managed security service offerings promise encryption, intrusion detection, denial of service protection. They don’t promise customer record protection, hacker exclusion, or availability… at least once you get down to the fine print.
And the only “protection” you’ll get offered against a data breach is a credit monitoring service for a year or so.
No one in the security field actually promises or delivers security.
Personal information protection today
There are bits and pieces out there that can lead a way forward. Email service providers externalize customer lists. PayPal has virtualized some payments. Facebook, Google, and others offer external login services. And, if you are old enough to remember, Network Solutions once upon a time offered personal digital certificates.
In addition, the payment industry has security standards (PCI DSS) and protocols, which are nice, but what is most important is that there is a clear notion of transferable liability.
‘… that is where the money is’
Increasingly, your “money” is not in your bank, it is your personal information. It’s not your cash, it’s your account numbers that are valuable.
But, unlike your cash, your account numbers are everywhere, held by everyone.
… and very few of these people really know what they are doing from a security perspective.
… and none of them are really held accountable when they screw up.
It is time to start offering real personal information protection. And the only way to do it is to actually move personal data out of companies and into a trustworthy, accountable third party.
Towards a Bank of Personal Information
Companies do need customer information to operate, but they don’t actually need to hold that data. After all, your credit card number is not actually your money and your email address and your ID numbers are not actually “you.”
By externalizing identification (and, by implication, authentication and authorization) information, companies can transfer the liability for protecting customer data to an entity that can do the job and is paid to do so.
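As an added illustration of the externalization idea (this is example code written for this page, not a design the author or any named company has published), the pattern below reduces it to its simplest form: a merchant never stores the sensitive value, only an opaque random token issued by a separate vault, and the vault alone decides who may turn a token back into the value and keeps the record of every attempt. The `Vault` and `Merchant` classes and the sample card number are constructed for the example.

```python
import secrets


class Vault:
    """Stands in for the accountable third party (hypothetical). It is the only
    place the real values live; everyone else holds an opaque, random token."""

    def __init__(self):
        self._records = {}   # token -> (owner_id, real_value)
        self.audit_log = []  # every tokenize/detokenize attempt, for accountability

    def tokenize(self, owner_id, value):
        # A random token, not a hash: it cannot be reversed or brute-forced from
        # the token alone, and the same value gets a fresh token on each call.
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = (owner_id, value)
        self.audit_log.append(("tokenize", owner_id, token, "ok"))
        return token

    def detokenize(self, requester_id, token):
        # Authorization is enforced here, at the vault, not trusted to the caller.
        record = self._records.get(token)
        if record is None:
            self.audit_log.append(("detokenize", requester_id, token, "unknown"))
            raise KeyError("unknown token")
        owner_id, value = record
        if requester_id != owner_id:
            self.audit_log.append(("detokenize", requester_id, token, "denied"))
            raise PermissionError("requester does not own this token")
        self.audit_log.append(("detokenize", requester_id, token, "ok"))
        return value


class Merchant:
    """A company that needs to refer to a customer's card but never stores it."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers = {}  # everything a breach of this company could expose

    def onboard(self, customer_id, card_number):
        token = self.vault.tokenize(self.merchant_id, card_number)
        # Keep only what the business needs: a token to charge with later and
        # the last four digits for display.
        self.customers[customer_id] = {"card_token": token, "last4": card_number[-4:]}
        return token

    def charge(self, customer_id):
        # The real value is recovered only at the moment of use, through the vault.
        token = self.customers[customer_id]["card_token"]
        return self.vault.detokenize(self.merchant_id, token)


def leaked_card_numbers(customers, card_numbers):
    """Simulate a dump of the merchant's store: which real numbers appear in it?"""
    dump = repr(customers)
    return [c for c in card_numbers if c in dump]


def demo():
    vault = Vault()
    shop = Merchant("shop-A", vault)
    other = Merchant("shop-B", vault)
    card = "4111111111111111"  # constructed sample value, not a real account
    shop.onboard("alice", card)
    # A dump of the merchant's database contains no card number.
    leaked = leaked_card_numbers(shop.customers, [card])
    # The owning merchant can use the card; another tenant cannot, even with the token.
    charged = shop.charge("alice")
    try:
        other.vault.detokenize(other.merchant_id, shop.customers["alice"]["card_token"])
        cross_tenant_denied = False
    except PermissionError:
        cross_tenant_denied = True
    return leaked, charged == card, cross_tenant_denied, len(vault.audit_log)


if __name__ == "__main__":
    print(demo())  # ([], True, True, 3)
```

The point of the breach simulation is that the liability has genuinely moved: a full copy of `shop.customers` yields tokens and last-four digits, which are worthless without the vault, while the vault's audit log records the one failed cross-tenant request, which is exactly the kind of evidence an accountable custodian would be expected to produce.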
This is not magic.
A specialist business can protect information cost-effectively. It can hold customer data in trust for both the company and the consumer. It could even be regulated and held to a suitable legal standard for due diligence.
Businesses would benefit by being able to transfer a costly liability and a risk to their reputations. Customers would benefit by having their data held by an accountable entity. And the BPIs (Banks of Personal Information) have the potential to be very profitable through smart business and engineering. After all, they should be able to monetize not just every consumer, but every business relationship.