Why securing personal data is optional, and why it needs to be licensed

You are forgiven if you think no one really cares about protecting your personal data. No one is worrying too much or losing sleep. Breaches will just happen more frequently, so get over it and get used to it. However, your payment card data will be safe, so you can sleep easy about that.

Every week there are too many information security breaches disclosing personal data to keep track of. The large breaches make the headlines, but even that distinction is hard won and reserved for only the very largest breaches at household names. Most states or countries don’t even require companies to report breaches to regulators.

Let’s take a look at why people’s payment cards are protected far more than their personal data, and see whether there are lessons we can learn.

Who has a vested interest:
Payment Cards: For starters, there are clear vested interests in any payment card scheme. Traditionally these interested parties have been banks, who suffered significant losses when a data breach occurred. They suffered the direct costs from transactions using stolen credit cards, but also the administrative cost of cancelling and replacing all cards that were compromised. It is in their interest that no breaches occur.

Personal Data: Your personal information belongs to you, but you are very limited in the powers you have to protect it. You can simply decide whether or not to give your personal information to third parties. However, the practical implication of not giving certain personal data to third parties can be immense. I’m sure if you try to sign up for a new cell phone account without giving your date of birth it will be almost impossible to complete the transaction. In some cases, such as opening a bank account, you are legally obliged to hand over certain personal information. We are then relying on the local laws to protect our data, but the law is faceless and doesn’t have the same vested interest as we do, or as the card schemes do for payment card data.

A data storage and use licence:
Payment Cards: The payment schemes such as Visa, MasterCard, JCB, Discover and Amex own the data and dictate how it is protected and used. This is effectively a licensing model. If you don’t conform to the terms of the licence, you will not be allowed to store or process the data. This has worked really well (it is not perfect, but it is far better than the personal data protection model). It has raised a high barrier for those who want to store payment data, and this has driven users to contract third parties whose core business is securing that data. These payment processors conform to all the requirements set out by the card schemes and hold a “licence” to process and store the data.

Personal Data: You cannot in any practical way dictate to third parties how they should protect your individual data; they simply won’t listen to you, or they will just tell you that their processes or systems work in certain ways. Individuals rely on legal directives to protect their data. These laws are typically general in nature compared to the PCI standards, which are very prescriptive. There is also no pre-approval before anyone stores or processes data. The explosion in large data breaches reveals the state of protection, or lack of it. The truth is that many companies who are storing personal data should not be allowed to store it. If we had a proper licensing model for personal data, they would never be licensed. Instead they should contract with third parties who specialise in the protection of personal data and take security seriously, just as the payment card industry has done.

This model is in place in many other industries: doctors, drug stores, airlines and certain manufacturers all need licences before starting operations. Why don’t we insist that before any company can capture personal data it needs to be licensed? Of course this would mean a lot more auditing and investment in technology to protect this sensitive data, but is that a bad thing? Clearly the current system isn’t working and something has to change.

If your company contracts with third parties to perform some of your data storage or processing operations, consider a licensing model for those third parties to adhere to. Many of the large breaches originated from third-party suppliers, so they present a significant risk to your organisation’s security. ISO27001:2013 and PCI V3 require that you manage your third parties; using a very formal licensing model in addition to other legal protection can help.