Portals & Rails


April 28, 2014

Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as many as 40 percent of a retailer's customers who have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumers' personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations


Comments

The Target breach, in which 110 million Americans lost critical personal and financial data, is just the latest problem caused by extending legacy payment networks built in the 1960s to internet originated payments.

In the classic New Yorker cartoon, one dog says to the other, "On the Internet, nobody knows you're a dog." Until we solve this problem, the legacy payment networks cannot be made secure. They were not architected with security built into them to do what we are doing today by extending them to payments generated from the internet. The security of any network is only as good as its weakest node. By moving access to the legacy payment systems to the internet, we added tens of millions of nodes to each legacy payment system and most of those nodes are not securely authenticated or truly secure.

A next generation payment system is required that is architected with security and encryption of all data "end to end", with no data ever “in the clear” and in which all users are "strongly authenticated". It is less expensive by orders of magnitude to build a new next generation payment system that can do that, than to retrofit one of the existing legacy payment systems, as I was once told by the former global CIO of VISA International. The existing legacy payment systems are all designed to have required information "in the clear" at multiple points in the transaction cycle.

The rapid rise of Bitcoin, despite its significant flaws, highlights the hunger in the marketplace for a better and more secure internet based global payment system. It would be better if that next generation payment system was also bank-centric and properly regulated, none of which Bitcoin is.

FYI, the New Yorker cartoon was first published in 1994, so this problem has been building for over 20 years.

Posted by: Stephen Lange Ranzini | April 28, 2014 at 05:31 PM
