Personal data theft is a pandemic, a factor that drove the EU to shift control of personal data away from international businesses into the hands of its own citizens. Toward that end, this past May it enacted GDPR (General Data Protection Regulation). With $172 billion stolen from 978 million consumers in 20 countries in 2017, it couldn’t come a moment too soon.
EU citizens now have the right to obtain no-cost access to all data collected, to obtain confirmation of processing methods and to correct, erase and port their own personal data. GDPR also provides precise and comprehensive guidelines on how businesses collect, process, protect, maintain accuracy and store personal information.
The motivation for businesses is clear. Penalties for non-compliance are severe: up to four percent of global revenue or €25 million. Should a breach occur, one of the primary factors used to assess fines will be the strength of the identity and authentication solutions in place; if they are found to be weak, static and easily compromised, the offender could be stuck with a meteoric fine.
Is the US on board with privacy regulations?
GDPR fines really hit home. Privacy was already a hot button, high-pressure issue for CIOs, CISOs and other US business leaders. GDPR requirements—and potential consequences—made it a top priority.
So what’s in store for America? First, a few facts:
- Consumers lost $19.4 billion to cybercriminals in 2017.
- A majority of Americans (64%) have personally experienced a significant data breach.
- About half of Americans lack trust in key institutions to keep their data safe, especially the federal government and social media sites.
US consumers are paying attention and making purchasing decisions based on how companies safeguard their data. They are saying “no” to unauthorized data usage, confusing privacy policies, the non-consensual collection and analysis of online activities and behaviors, and the sale of the data derived from them. They are tired of having data theft wreak havoc on their lives.
California takes on data privacy
Proving the point, California privacy advocates are launching one of the biggest US regulatory fights over data control, pitting powerful online tech giants against consumers. While the soon-to-be-determined rules on the collection of, sharing of and access to data won’t be as sweeping as GDPR, the California Consumer Privacy Act has the potential to produce a domino effect in the US. The implications of the law are only now being fully considered as organizations take a breath after GDPR.
Where are you now?
If you planned adequately for GDPR, you should now know where customers’ sensitive data lives in your organization. Now you can potentially control access to it and ensure the identity and authentication of users. But is your solution enough?
GDPR regulatory language suggests the implementation of multi-factor authentication (MFA), which uses a combination of passwords, security questions, USB fobs and other factors. While MFA is on the rise, it can be a pain for both users and IT departments and can still be “hackable” under certain conditions.
Enter the age of biometrics
With GDPR, potentially tougher US regulations and consumer demand forcing the issue, the search continues for more effective, convenient and efficient security solutions. As a result, biometric solutions — including fingerprint, iris and facial recognition — are on the upswing across virtually all industry sectors. We also see increasing adoption of even more sophisticated contextual, behavioral and risk-based solutions.
In your own search, consider how biometrics can fit into your advanced data protection strategy. Crossmatch can help Data Privacy Officers (DPOs) and IT leaders further understand the implications of GDPR and identify solutions for exceptional risk mitigation against data breaches — completely, quickly and cost-effectively.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.