Recently, I started filling out paperwork for my 3-year-old and 5-year-old while in the process of opening up two 529 accounts for their future college education. To complete the process, I needed to provide a critical piece of information: my children’s social security numbers. When I first received their social security cards shortly after they were born, I physically locked the cards in a safe. This is where they have been ever since. In my mind, that data was (and still is) priceless and needs to be kept secured at all times.
At the mere thought of sharing my kids’ social security information with a third party, I started thinking about the consequence of a child’s personal identifier being breached. So, I stopped in my tracks. I stopped filling out the paperwork and returned the social security cards to the safe. The idea of potentially exposing their SSNs to a data breach felt far too risky for me and a far greater threat than not securing college tuition. Crazy? Maybe not.
This is the reality we now face. How much risk are we willing to take when it comes to our identities? Or how about the identifiers that reveal who we are? And perhaps even more importantly, are those identifiers still valid anymore? As adults, we can all be certain that our social security numbers can be found on the darknet. Identifiers include not just our social security numbers but potentially also biometric data: our fingerprints and even our facial features via facial recognition tools.
So, if our social security numbers have been breached, is it game over? It has now become near impossible to fully trust that any transaction made using our personal data is legitimate and not an act of fraud. We have lost our identities if any criminals can grab and use them for their own nefarious means.
Where Do We Go From Here?
The data breach landscape has reached too far and wide at this point to expect that our own data has never been breached. So what is the answer if our identities are no longer safe? Can biometrics be a way forward as an identifier that will prove that we are who we say we are before a transaction is completed on our behalf? As U.S. Office of Personnel Management breach victims can attest, biometrics clearly are not foolproof, either.
From a business perspective, organizations are struggling with the right solution to safeguard customer data. Regulations like the General Data Protection Regulation (GDPR) in Europe, which includes the ability for consumers to request the “right to be forgotten,” are trying to force change at the business level. But companies, as they prepare for the regulation to take effect in May 2018, are currently not equipped to adequately respond to their customers’ requests to be forgotten. Being able to see and understand where all personal data lives across all of their IT systems, either structured or unstructured ones, is a huge challenge for organizations at the moment. There is just too much data, and most companies do not have full visibility into where it all lives, let alone the ability to find and remove it should a consumer request it.
Interactive Permissions: An Interim Step Forward
If we start to operate in a world where it is assumed that our identities have been compromised in some way, the only way forward is to become stewards of our own data. Until now, most of us have likely taken a passive role with our personal data. We may change up our passwords now and then, some of us might be using multi-factor authentication and others are now even taking advantage of increased biometrics capabilities.
But it is time to take these technology-driven processes a step further. Instead of notifying us, the consumers, that a transaction was made, perhaps we could be asked a specific question that only we would know how to answer before a transaction is approved. And that question would be different for each transaction and could be delivered in various ways (via text, email, etc.). For that to be effective, a threshold would need to be set and defined for each type of transaction, whether it be a large withdrawal, a loan request, an IRS submission or a health care claim. The key here is that consumers would become proactive and take an active role in protecting their data.
The question remains, though: How long will it take for enterprises in all industries, from banking and finance to healthcare and retail, to figure out a way to add this additional layer of security oversight? For now, it is clear that consumers need to step away from simply relying on technology or third-party organizations to secure their data — it is time for us to get involved. It is time for interactive permissions to take hold.
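The interactive permission step described above can be sketched as a small approval gate. This is an added example, not code from the original article or from any institution it mentions; the thresholds, transaction fields and `ApprovalGate` name are assumptions, and a one-time code delivered out of band stands in for the per-transaction question.

```python
import hashlib
import hmac
import secrets
import time

# Assumed dollar thresholds per transaction type (0 = always challenge).
THRESHOLDS = {"withdrawal": 1000, "loan_request": 0,
              "irs_submission": 0, "health_claim": 500}
CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed)


class ApprovalGate:
    """Holds a transaction until the account owner confirms it."""

    def __init__(self, clock=time.time):
        self.key = secrets.token_bytes(32)  # server-side secret
        self.pending = {}                   # tx id -> (tag, expiry)
        self.clock = clock

    def needs_challenge(self, tx):
        # Unknown transaction types get threshold 0, so they fail closed.
        return tx["amount"] >= THRESHOLDS.get(tx["type"], 0)

    def bind(self, tx, code):
        # Tie the code to the exact transaction so an approval cannot
        # be replayed against a different type or amount.
        msg = f"{tx['id']}|{tx['type']}|{tx['amount']}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, tx):
        """Create a fresh code to deliver out of band (text, email)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[tx["id"]] = (self.bind(tx, code),
                                  self.clock() + CHALLENGE_TTL)
        return code

    def approve(self, tx, answer):
        # pop(): any attempt, right or wrong, consumes the challenge.
        tag, expiry = self.pending.pop(tx["id"], (None, 0))
        if tag is None or self.clock() > expiry:
            return False
        return hmac.compare_digest(tag, self.bind(tx, answer))
```

Because the stored tag covers the transaction's type and amount, a code issued for one request does not approve an altered one, and an expired or already-used challenge is rejected.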
This problem will not be resolved tomorrow or even in the next year. We cannot revert to a world where banking meant stuffing cash under the mattresses in our bedrooms. Nor is it realistic for consumers to stop sharing their personal data, as that would mean all transactions would come to a standstill, which, in today’s digital world, would halt our economy (but it did stop me from opening two 529 accounts). Ultimately, consumers need to be much more alert and proactive about how and where their data is used. This would require businesses to follow suit and become innovative not just in regard to their core business but also in how they secure their customers’ data.
This article was previously published on Forbes.com.