Michael Chertoff, formerly secretary of the Department of Homeland Security and now at the helm of risk-management and security consulting firm Chertoff Group, said today he believes that U.S. data regulation will end up taking a page from European data privacy laws by giving citizens greater ability to control what companies do with their data.
Speaking at the Gartner Security and Risk Management Summit, Chertoff discussed the ever-increasing proliferation of consumer data, and policy outcomes arising from that including the European Union’s adoption in 2016 of the General Data Protection Regulation (GDPR). The GDPR gives consumers a measure of control over their personal data, and restricts the export of personal data outside the EU.
“We’re going to get that” in the U.S., he said of GDPR-style rules that offer consumers more rights to control the data they create.
Popular demand for such regulation, Chertoff explained, stems from the vast amounts of consumer data collected by private companies that make it “quite possible to have a granular view of everything you do.” Depending on how that data ends up being used – by insurance companies or employers, for instance – “that’s a surveillance state like George Orwell’s 1984.”
In the bigger policy picture, “the focus has to change from ‘hide the data,’ which ain’t going to work, to ‘controlling the data,’” Chertoff said.
“We need to think carefully about what control you have over your information,” he said, adding that companies dealing in online data collection and use “are starting to acknowledge there should be some regulation about how data is used.”
The prevailing business model of companies offering “free” online services such as social media in exchange for scooping up customer data also needs to be reexamined, Chertoff suggested. He said companies that enjoy a “monopoly” position in the market due to “network effects” should also offer for-pay services that don’t involve any data collection at all.
On the subject of cybersecurity generally, Chertoff said organizations need to focus on increasing “defense in depth” while also accepting that they will be attacked by cyber adversaries. The key outcome, he said, is to minimize the impact of such attacks.
“When I explain it like that … people feel empowered,” he said. “They feel like, ‘Hey I can do this,’ because I don’t have to be perfect.”
Chertoff said ongoing efforts to improve user authentication technologies could also go a long way toward improving security. Part of that development could be multi-factor pairings that include not only biometric data, but also more subtle behavioral data including the rhythm of keystrokes and “other mental cues that the machine can pick up,” he suggested.