The next Equifax will be even worse — but is preventable, fintech VC says
Photo credit: AP


The only way to prevent the next Equifax might be to appoint a "Data Czar" with far-reaching powers and prowess, a prominent fintech VC says.

“We’ll have to use pretty much every trick that we know in the book and have adult supervision to go along with it,” says Sahil Kini, principal at the Bangalore-based venture capital firm Aspada Investments and a self-described technology evangelist.

Data is a “natural resource” and to protect it, he says, regulators must have the tools — and the authority — to enforce “how a company or even the state manages and stores and shares data.”

Kini is working with the Indian government to create the world’s largest biometric ID system via smart cards (think of it as India’s version of digital Social Security cards where fingerprint IDs are used to create a digital identification program).

In an interview with LinkedIn as the Equifax scandal took another turn, Kini offered his best advice for dealing with problems at such scale. Only today, CEO Richard Smith joined two other senior executives who decided to "retire" after the big-three US credit monitoring agency fell victim to a hack which exposed 143 million financial profiles in an attack that unfolded over several months – and took the company several more to publicly disclose.

This is only the beginning, Kini warns.

"The Equifax breach is just ... a teaser of what's to come, given the amount of data about an individual that has gone online in the past few months," Kini said. "I don't think it will be surprising to see more such incidents happen."

There will be plenty of investigations too, but to seriously make it harder on the next hackers, big changes are needed, from the top down.

The following are edited excerpts from a video interview in New York.

LinkedIn: What do you mean when you say data should be protected like a natural resource?

Sahil Kini: “The response to this breach I think will tell us a lot more about the robustness of the system than the breach itself. The only way to address problems like the sort that Equifax’s breach has brought up is to actually treat data as a natural resource that needs to be protected.

“Just like economies have a central bank to manage the flow of currency, or regulators to manage how natural resources are mined and consumed and used, I think data needs to be treated in a similar manner.”

LinkedIn: You say that one solution is the creation of special “data regulators” to oversee data and privacy. How would that work?

Kini: “If we had a data regulator that actually specifies who can collect what data for what purpose — so limitations on collection, sharing, storage and use, and actually enforced those regulations and norms through a technical model.

“Imagine a regulator which is staffed by engineers, and actually sets aside very granular standards on how a company or even the state manages and stores and shares data. And imagine if you could essentially audit compliance of data storage and sharing regulations through an API. This kind of forward-looking regulatory model, particularly as it pertains to data, is going to be very important as we move forward into the 21st century.”

LinkedIn: What should be done to protect privacy?

Kini: “I think protecting people’s data from a regulatory standpoint comes with multiple requirements. Firstly, there needs to be a limitation on collection itself. So who can collect what data for what purpose? There needs to be limitation on sharing and limitation on use. So the moment by definition you’ve limited what can be collected and how it can be used, it reduces the surface of attack.

“The second step would be, once you’ve set aside how you can collect data and how you can store data, ensuring that compliance with these standards is enforced by regular audits and regular submissions to the regulator would be key.

“And the third and final step I believe would be in using cutting-edge security standards. So not just encryption but potentially exploring the use of technologies like the blockchain where you have a decentralized ledger and there’s no one honey pot that a set of hackers can attack.

“We’ll have to use pretty much every trick that we know in the book and have adult supervision to go along with it, in the form of regulatory oversight, to make sure that we minimize the number of attacks, while at the same time being cognizant of the fact that in a data-driven economy where most things are online, this kind of stuff is only going to be more inevitable as time goes on.”

What do you think about the regulatory requirements to collect and protect data? What should be done to protect consumers and corporations from the next cyberattack? Leave a comment below, or write your own long-form article or short-form post using #EquifaxCyberattack.

Siva G. Narendra

CEO @ Tyfone & Payfinia | Digital Banking++

6 years

Data protected through encryption, even with blockchain crypto, is only as good as how safe the decryption keys are from being cloned. Yet another security article in which this basic assumption never gets the attention it deserves.

Vladimir Shulyaker

Business Growth Consultant -- Electrical Industry Leader, Marketing, Operations Optimization, Customer Focus

7 years

The system is sick! Archaic, and the US is far behind in managing data security! Any place you go requests your SSN! If you do not provide it, most doctors and facilities will refuse service! I tried to change my residence address with Equifax, but they requested me to send by mail a copy of my SS card, DL and latest utility bill! This is even though they could verify my identity easily by calling my phone or sending a code by SMS! Meanwhile they continued sending sensitive correspondence to complete strangers at my old address! I put "ask for pic ID" on the back of my credit cards instead of a signature but was shocked how many merchants refused to accept the card unless I signed it! Many European and other international credit card issuers implemented a system where, if you buy something, you get an instant SMS requesting your confirmation that it was your purchase. No US bank wants to do this due to cost - they would rather get insured for unauthorized purchases. I use ShopSafe for buying online; only a few credit cards use this single-use card system! Terrible!

Reply
Azmat Hayat Anis

ENGINEER CTO, Messenger and Head SERVANT OF ISLAM, Chief Architect NEXT-World MEMBER SUPREME COUNCIL FOR LORD OF THE WORLDS AND HEAVENS

7 years

As a former Oracle data czar at Ford Truck Operations, I had all my plant floor system SCADA code in my Oracle database that would get downloaded and executed in real time (so it was my team's job to ensure CIA of the data). Now I don't see the mention of a Technical Services Group that includes SDLC (basically naming conventions and code review) and change control... A good example would be something like the Corrections and Transport system in SAP (now SAP GUI written in Java can be broken; maybe it might be time to revisit the old SAP GUI. There goes NetWeaver. Just messing with SAP friends.)

Reply
Ken Garrard

Technology Executive | Entrepreneur | Inventor | Consultant | Mentor

7 years

It's already taking place in Europe with GDPR.

JB Stamper

Vice President of Loan Servicing Administration

7 years

143 million US citizens and their personal data are now in the hands of criminals. No one in the US government seems to be upset at what has happened to our citizens. All Equifax has done for these people is say "we will monitor your credit for life."
