Given the array of threats and vulnerabilities that persist in modern information technology, data security and privacy have become competitive differentiators in today’s marketplace. They provide foundational building blocks for successful and ethical business practices, and they increase customer trust and loyalty over time.
Let’s talk about Personally Identifiable Information (PII). According to the National Institute of Standards and Technology (NIST), “If you collect it, you must protect it.” PII data breaches are defined as inappropriate disclosures, whether lost, stolen, or compromised, and whether the breach was intentional or accidental.
A quick look at the most recent data breach reporting, however, reveals that many companies are failing to protect their clients’ PII. According to Pew Research Center surveys, 70% of Americans say their PII is less secure over time, 81% say the risks of PII collection outweigh its benefits, 81% say they have little to no control over PII collection, and 75% say there should be more government regulation.
Recent Data Breach Statistics
- IBM: In 2020, 80% of breaches included customer PII, customer PII was the data type most often lost or stolen, the average cost per PII record was $150, and the average total cost of a data breach in the US was $8.64 million.
- Accenture: Cybercriminals rapidly monetize stolen PII for synthetic identity fraud, and/or threaten to release PII as part of an extortion campaign. The remote nature of the pandemic workforce has made PII theft easier.
- Equifax: This 2017 data breach exposed the PII of 147 million people. The global settlement has risen to $425 million. Claims may be filed until 2024, and Equifax is offering free credit reports until 2026.
The Traditional Approach is Failing
Information security (InfoSec) is hard because there are so many facets that it is difficult to get them all right. Requisite defenses include firewalls, endpoint protection, access control, encryption, audit history, network monitoring, incident response, multi-factor authentication (MFA), and the principle of least privilege. But even when your InfoSec is tight, your network could mistakenly expose a decryption key, an employee might fall for a social-engineering trick, or a trusted insider could simply walk out the door with your crown jewels.
The tough security environment, plus rapidly evolving legislation and regulation related to sensitive information and data breaches, have put network defenders in a difficult situation. And many companies trying a “do it yourself” or DIY approach to InfoSec find that the costs quickly outweigh the benefits.
Revolutionary Solution: Zero DataTM
There is a new and better approach to corporate InfoSec called “Zero Data.” It is based on the idea that it is possible to benefit from sensitive information without having to store or secure it. And the idea that when data thieves and hackers break into your house, there are simply no jewels to steal.
With Zero Data, sensitive data (such as PII or PCI) is instantly converted to synthetic data, which if lost or stolen is meaningless to cybercriminals. This InfoSec strategy allows your company to gather, store, and operate on sensitive information without being responsible for its security or liability. With Zero Data, your company never even has to see the original PII, unless you specifically ask for it.
Zero Data is very much in the spirit of one of the hottest trends in information security: zero trust. The security focus of zero trust has shifted away from the network perimeter to application and data security, and has a more privacy-oriented philosophy that includes a more expansive understanding of vulnerabilities, threats, and sensitive information. A much wider range of information falls into this new definition, to include not only PII and customer data but also intellectual property and employee data.
Zero DataTM Benefits
The Zero Data approach to information security offers many benefits, because PII is never captured, stored, or shared. Your developers do not have to become security or compliance experts. You retain control of your data. You achieve the same business outcomes, without the risk or liability of securing sensitive information.
Here are some of the primary benefits:
- Reduce compliance scope
- Reduce business risk
- Retain data value
- Transfer liability to a security partner
- Save money
- Go to market faster
- Operate on synthetic data just like original data
- Simplify application development
- Simplify compliance audits
- Avoid legal trouble
- Avoid a PR disaster
VGS Case Study: Gem
Gem offers companies an easy way to connect cryptocurrency to their applications. However, because hackers love to target sensitive financial and PII data, Gem wanted to add an extra layer of security. Gem partnered with VGS to create a proxy layer on top of their in-house security system, and created a defense-in-depth infrastructure to help keep its customers safe. Now, when data is entered into the Gem widget, it flows through VGS first, where sensitive information is redacted and replaced with an alias (an advanced form of token).
VGS successfully partnered with Gem despite a complex environment that encompasses various payment methods, more than 2000 cryptocurrencies, and over 20 exchanges in different legal jurisdictions. According to Gem CEO and Founder Micah Winkelspecht, “We work in an industry that is a super-target,” and “I want to make sure we're doing everything we possibly can to secure our customers’ data.” Having VGS as a dedicated security proxy provides an “extra layer of protection I needed to actually sleep at night.”
Stay Ahead of the Game
One of the most important benefits of adopting a Zero Data strategy is that it is far easier for your company to keep up-to-date with a rapidly evolving regulatory environment. The US Federal Data Privacy Framework began with the Privacy Act of 1974, but shows no sign of slowing down (see our recent posts on Virginia’s new data privacy law and Brazil’s version of GDPR).
The risk of storing and securing PII is more significant than other types of sensitive data, because there are clear ramifications for physical security, human rights, political freedom, and personal reputation. Therefore, companies are required to protect PII from unauthorized use, access, modification, disclosure, and sharing. On paper, PII should be stored in locked cabinets, transported only to authorized locations, and destroyed with cross-cut shredding. In electronic format, it should be encrypted at rest, encrypted in transit, and available only to authorized users.
Solution to a Catch-22
We are in a Catch-22. Customers must provide their PII in order to obtain goods and services online. Businesses must leverage customer PII for normal business operations. However, most companies are simply not equipped to store and secure PII, because there are too many security threats and vulnerabilities. Recent data breach statistics prove this point.
The good news is that your company does not need to collect or retain PII in order to leverage its value. With a Zero Data approach to InfoSec, you can still have the benefits of PII without being responsible for its security costs and business risks. Today, data security and privacy are the hallmarks of a mature company, and they offer a significant competitive advantage in today’s marketplace.
VGS is the pioneer of Zero DataTM. Partner with us to dramatically improve your data security and scope of compliance. To learn more, please visit www.verygoodsecurity.com.