Regulatory intervention isn’t enough for digital identity and management
In the last several years, we have seen various privacy and cybersecurity legislation at the state level in New York, South Carolina, Illinois and California, designed to take a stance against rampant data breaches and other cyber threats.
New York implemented the DFS Cybersecurity Regulation in 2017, which provides a framework for financial services organizations to strengthen their cyber defenses. Illinois passed the Illinois Personal Information Protection Act, which protects a wide range of personal data, including biometrics. South Carolina passed the South Carolina Department of Insurance Data Security Act, a law specific to cybersecurity in the insurance industry. And California passed the California Consumer Privacy Act of 2018, a regulation that will affect the way all companies handle personal data.
While these regulations are a step in the right direction, they are not enough. Here’s why and what should be done.
Limited regulations can’t undo what’s been done
Only four states have enacted laws of this kind. Even though California is among them, a state home to nearly 40 million people, that still leaves out the rest of the country. The recent Adidas breach is a good example of a bad situation: it affected Americans across the country who shopped on Adidas’ website, and there was no law that could have helped everyone. Another big issue is that many of these laws and regulations do not go into effect immediately, and there is a lack of multi-industry regulation. The California law, for example, will not be enforced until 2020. Some laws impact all industries, but others do not, and, unfortunately, fraud is industry agnostic. These limited regulations also cannot undo the situation we are already in: they cannot erase previous damage or protect someone whose data has already been exposed in a breach.
And the people agree. Data breaches have become so common that an increasing number of people are catching a deadly case of data breach fatigue, a term coined by researchers at Iowa State University’s Ivy College of Business. Research on the phenomenon has uncovered common consumer attitudes about how much importance they place on signing up for identity theft protection and changing passwords. The consensus? Breaches happen so frequently that consumers no longer care enough to make these changes to protect themselves. As a result, they are oblivious to the fraudsters and hackers who run an underground economy trading in their identity information. And then the question: does it matter anyway, when the solutions that are supposed to protect us, such as LifeLock with its most recent incident, are themselves exposed?
Put simply, the standard approaches and actions being taken are not enough to solve the real problem: the lack of digital identity standards that keep pace with the cyber threats we actually face. There seems to be no connection between the protection of personal data and the regulations for cybersecurity. The link between stolen personal data and the social engineering techniques fraudsters use to penetrate computer networks and take over user accounts is well established. Yet the frameworks for protecting personal data and assets that are being discussed at the policy level are extremely vague and do not address the real threats we face.
So what is the answer?
Digital identity as a means for protecting data
Calling our personally identifiable information valuable is an understatement. Hackers are becoming more capable by the minute, and traditional passwords and security questions no longer suffice. To stay ahead of them and avoid future data breaches, we must implement universal, industry-wide measures that incorporate user-based authentication for a higher level of accountability in data management. Biometrics, a digital representation of an individual’s unique physical or behavioral features, can be tied back to a person, as opposed to the device, location, user analytics or other signals that have traditionally been used to try to ascertain who is behind an online session. The trade-off a practitioner has to plan for is that a biometric, unlike a password, cannot be reissued if the stored template leaks, so those templates become high-value data that need protecting in their own right.
The behavioral biometrics modality in particular is interesting for preventing fake accounts, because it analyzes how a user interacts with a device and can flag the use of stolen or synthetic identities even when no prior profile of the user exists. Post-login, inside authenticated sessions, where account takeover fraud actually plays out, behavioral biometrics identifies anomalies against the known user’s behavior in real time, looking at things like hand-eye coordination, pressure, cognitive choices and more. In an age of digital transformation, this has significant appeal, since all of it is done passively in the background without disrupting the user experience.
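To make the session-level anomaly detection described above concrete, here is an added example that is not part of the original article and is not BioCatch’s code. It scores the keystroke timing of one session (key hold time, flight time between keys, and rhythm regularity) against a baseline built from a user’s earlier sessions, using the mean absolute z-score across features. The timings, the feature set, the standard-deviation floor, the minimum enrollment count and the 3.0 threshold are all assumptions chosen for illustration; a production system would use many more signals and far more enrollment data.

```python
"""Session-level behavioral biometric scoring over keystroke timings.

Constructed example: every timing below is invented, not real user data.
"""
import statistics
from typing import Dict, List, Tuple

# A keystroke is (press_ms, release_ms).
Keystroke = Tuple[int, int]
Profile = Dict[str, Tuple[float, float]]  # feature -> (mean, stdev)

MIN_SESSIONS = 3     # assumed: refuse to build a baseline from fewer sessions
SD_FLOOR = 0.02      # assumed: never let a feature's spread fall below 2% of its mean
THRESHOLD = 3.0      # assumed: mean |z| above this flags the session


def keystrokes(dwells: List[int], flights: List[int]) -> List[Keystroke]:
    """Build press/release timestamps from hold times (dwell) and the gaps
    between one release and the next press (flight). Used only to construct
    the sample sessions below."""
    assert len(flights) == len(dwells) - 1
    events, t = [], 0
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        if i < len(flights):
            t = t + d + flights[i]
    return events


# Constructed enrollment sessions: one person typing a 6-character field.
ENROLLMENT = [
    keystrokes([90, 100, 85, 95, 110, 90], [110, 120, 95, 135, 100]),
    keystrokes([100, 95, 90, 105, 100, 110], [120, 130, 100, 125, 115]),
    keystrokes([85, 90, 95, 80, 100, 90], [105, 95, 130, 120, 110]),
    keystrokes([95, 105, 100, 90, 95, 105], [115, 125, 110, 140, 100]),
    keystrokes([92, 88, 96, 104, 100, 90], [100, 110, 130, 115, 120]),
    keystrokes([98, 102, 90, 94, 106, 100], [125, 105, 115, 135, 110]),
]
# Constructed probes: the same person, a human impostor, and scripted input.
LEGIT_PROBE = keystrokes([94, 100, 88, 96, 108, 92], [115, 100, 130, 120, 105])
IMPOSTOR_PROBE = keystrokes([60, 65, 70, 60, 55, 65], [200, 180, 220, 190, 210])
BOT_PROBE = keystrokes([30] * 6, [40] * 5)


def extract_features(session: List[Keystroke]) -> Dict[str, float]:
    """Reduce raw press/release events to a small feature vector."""
    if len(session) < 3:
        raise ValueError("need at least three keystrokes to measure rhythm")
    dwell = [release - press for press, release in session]
    flight = [session[i + 1][0] - session[i][1] for i in range(len(session) - 1)]
    return {
        "mean_dwell": statistics.fmean(dwell),
        "mean_flight": statistics.fmean(flight),
        # Coefficient of variation of flight time: humans are irregular,
        # replayed or scripted input is suspiciously uniform (cv near 0).
        "flight_cv": statistics.stdev(flight) / statistics.fmean(flight),
    }


def build_profile(sessions: List[List[Keystroke]]) -> Profile:
    """Per-feature mean and (floored) standard deviation across sessions."""
    if len(sessions) < MIN_SESSIONS:
        raise ValueError(f"need at least {MIN_SESSIONS} enrollment sessions")
    rows = [extract_features(s) for s in sessions]
    profile: Profile = {}
    for name in rows[0]:
        values = [r[name] for r in rows]
        mu = statistics.fmean(values)
        # The floor stops a too-tight baseline from flagging normal variation
        # and avoids division by zero if enrollment data is perfectly uniform.
        sd = max(statistics.stdev(values), SD_FLOOR * abs(mu), 1e-9)
        profile[name] = (mu, sd)
    return profile


def score_session(profile: Profile, session: List[Keystroke]) -> float:
    """Mean absolute z-score of the session's features against the profile."""
    feats = extract_features(session)
    zs = [abs(feats[name] - mu) / sd for name, (mu, sd) in profile.items()]
    return statistics.fmean(zs)


def is_anomalous(profile: Profile, session: List[Keystroke],
                 threshold: float = THRESHOLD) -> bool:
    return score_session(profile, session) > threshold


if __name__ == "__main__":
    prof = build_profile(ENROLLMENT)
    for label, probe in [("legit", LEGIT_PROBE), ("impostor", IMPOSTOR_PROBE),
                         ("bot", BOT_PROBE)]:
        print(f"{label:9s} score={score_session(prof, probe):6.2f} "
              f"anomalous={is_anomalous(prof, probe)}")
```

Run stand-alone it prints one line per probe; the legitimate user scores well under the threshold while both the human impostor and the uniform scripted input score far above it. The point the article makes is visible in the numbers: the impostor is caught even though they possess the same credentials, because what is being compared is how the session is conducted, not what was typed.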
So back to the regulatory hodgepodge and the approach legislators are taking. A comprehensive view would acknowledge that identity-proofing techniques are broken. Our reliance on static data to verify identity, when records are available for as little as 50 cents on the dark web, only perpetuates the problem. We have laws governing breaches; most of them focus on notifying consumers and penalizing companies that fail to notify users or to disclose the purpose of collection. But the truth is that the cat is out of the bag, and the regulations should really focus on what to do now: how to protect consumers whose records have already been stolen, redefining digital identity, and being specific about the remedies that should be taken against the real threat. Otherwise, compliance becomes a matter of checking boxes rather than dealing with the real issue.
Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data. She provided testimony last year to the New York State Assembly’s banking committee on cybersecurity threats facing the U.S. financial industry.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.