Featured Video
This Week in Quality Digest Live
Risk Management Features
Dirk Dusharme @ Quality Digest
A cautionary tale
Thomas R. Cutler
Technology provides consistent instructions, real-time feedback. Everyone benefits.
Fred Schenkelberg
If no one is looking for the results, then don’t do it
Aiman Sakr
One factory’s current problem is another’s potential failure mode
Rick Barker
Are we making the workplace safer only when it is more profitable to be safer?

More Features

Risk Management News
The audit solution provides 360-degree, real-time visibility into nonconformance status and completion
Preparing your organization for the new innovative culture
Standard recognizes that everyone is critical to a successful quality management process.
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
If you want to understand a system, try and change it

More News

Risk Management

How Identity Data Are Turning Toxic for Big Companies

Not to mention expensive

Published: Thursday, January 4, 2018 - 13:01

Google might be in trouble for collecting the personal data of its users, but many companies have a growing incentive to rid their hands of the data that users entrust them with. This is because of growing costs of holding onto it.

A major cause is the rising number of cyber attacks where hackers steal the identity information held by companies, often to sell it on to various black markets. Take the recent example of U.S. giant Equifax, one of the top three companies in the consumer credit reporting industry. In October 2017 it chalked up another 2.5 million identity-theft casualties to its existing toll of 143 million. The firm has suffered a steady stream of identity information loss following a cyber attack that took place in May 2017, where hackers capitalized on weaknesses in its software.

The security breach—as a primary cause—resulted in about $4.8 billion being wiped off Equifax’s market value from May to September 2017. It also tarnished its image and cost the firm’s longstanding CEO his job.

The Equifax data breach is just the tip of the iceberg. The latest Breach Level Index (BLI) published by digital security company Gemalto shows a mounting figure of about 9.2 billion data-record losses since 2013. The BLI also reports that only a meager 368 million out of the 9.2 billion stolen records were concealed from potential hackers through the use of data-encoding technology.

The rate at which valuable identity information is flying out of the control of firms is alarming—more than 3,500 records per minute. About 23 percent of the top data breaches during the past five years contained consumers’ identity information—such as names, dates of birth, addresses, and account passwords. Corporate victims include big names such as Yahoo, eBay, and JP Morgan Chase.

The volume and sophistication of these cyber assaults will make top-level executives of firms that hold sensitive identity data anxious about their safe-keeping.

Growing cost of regulation

Along with cyber attacks, companies are having to contend with growing levels of regulation. As well as the regulations of the jurisdiction they are based in, firms that are spread across nations must also abide by international standards.

The costs of this compliance in the banking sector is increasing at an alarming rate. One report has found that banks spent nearly $100 billion on compliance in 2016, and the global spending on meeting the regulatory requirements increased from 15 percent to 25 percent during the previous four years. This skyrocketing cost on compliance leaves little room for product development.

It has now become imperative for companies holding information on European Union citizens to implement control mechanisms to protect personal data in accordance with the European Union’s strict General Data Protection Regulation (GDPR) guidelines. GDPR, in essence, is about enhancing existing privacy protection. It will be enforced from May 25, 2018.

Noncompliance with GDPR may lead to fines to the tune of €20 million or 4 percent of a firm’s global annual sales figure—whichever is greater. Already, implementing the necessary steps to adhere to the new regulation is proving to be expensive for organizations, especially firms with diverse and intertwined business portfolios.

Some estimates predict that purchasing the technology to adhere to the GDPR standards and avoid paying the exorbitant fines will cost Fortune 500 companies on average $1 million each. Add to this the costs of permanent staffing and legal advice for this compliance, and you get the picture of overall spending required for one set of regulatory standards. Clearly, the price of such compliance will compel large organizations to explore the burgeoning market of cost-effective and innovative regulatory technology.

A logical solution?

At the point where the cost of protecting identity assets outweighs the benefit of storing it, it becomes toxic for the organization. As with any risk, companies must act to mitigate or remove it—in this case breach of identity data. When similar risks emerged around the processes for securing payment card processing, solutions focused on tokenization of card information within an organization to minimize handling of clear text credit card numbers. It is hard to see how a similar approach could be applied to a multifaceted entity such as identity.

However, there is a potential in the application of decentralized technologies that have emerged from the development of cryptocurrencies such as Bitcoin. In these models people could choose whether a centralized entity—such as a bank, for example—would manage their identity or whether they could manage it themselves. Models for a decentralized identity are emerging with parallel developments in the creation of a decentralized web.

The ConversationThere are a number of challenges for both private individuals and the traditional identity provider to overcome for this move to become a reality—including wider adoption of peer-to-peer trust models. But it seems increasingly possible that the cost of cyber attacks, together with regulatory compliance, could be the nudge that drives organizations to surrender their control over vast pools of identity information.

This article was originally published on The Conversation. Read the original article.


About The Authors

Bhargav Mitra’s picture

Bhargav Mitra

Bhargav Mitra is a senior engineer at Queen’s University in Belfast, Ireland


Robert McCausland’s picture

Robert McCausland

Robert McCausland is the R&D program manager at Queen’s University in Belfast, Ireland