How do a credit freeze and format-preserving encryption share a similar best-practice approach to protect your data?
Like many ordinary consumers in recent days, I’ve been asking the same question:
How best to defend my identity online, given the news of another “mega-breach” compromising my personal data?
On one hand, we can appreciate that businesses use personal details to enable more customized products and services that meet our needs. Brand loyalty and efficiency can be appreciated from the business side. But of course, sensitive data in the wrong hands due to a security breach, then used for malicious purposes, damages our reputation and can result in real financial losses. Clearly many of us want more control and responsibility to avoid these risks!
While we can still debate whether the Internet—open by design—makes sense to simplify communications, no one debates that security must go hand in hand with sharing highly sensitive information, such as our credit rating tied to our identities. Yet here we are today, still catching up to the commercial, monetization impact of online finances, where bad actors want to tap into online vulnerabilities to steal our money.
Putting the freeze on…
So over the last few days I’ve been researching what to do about potential identity theft that can be used to compromise my credit. And the solution kept coming back to the same conclusion: freeze your reporting with all three credit bureaus. (There you go; I hope I saved you some time.)
It turns out this is the only approach close to a sure bet, according to many industry experts. But wait a sec—why aren’t we already doing this by design? In other words, shouldn’t we, the consumers, always be in a position to personally authorize—at all times—which third parties have permission to access and use our data? You see this already in most other applications—for example, new businesses require your consent to use your data when you sign up for online services. You get email verification requests when opting in to communications, or you check a box on a form with all the usual fine print when joining a new online retail site. You get the picture.
So why don’t we always operate “frozen” unless we (data owners) enable permission? Shouldn’t this be the norm?
It turns out the credit bureaus are potentially catching up to what we’ve already been seeing with our customers using Voltage for data security. It’s becoming more typical than not for companies to keep data in a “semi-frozen” state by using format-preserving encryption. The magic is in the “format preserving” approach that adds the much-needed chill on your data!
Imagine if your social security number and other personal elements lost in the latest breach were to be de-identified in such a way that kept the data usable to authorized applications, but meaningless if breached outside of the business using it. “Format-preserving” enables contextual use cases. A social security number, partially masked (***-**-5678) combined with a de-identified name such as mine (“Ueigah Sbyqkoxd”) allows a specific application to use this information as a surrogate or partial surrogate. In this example, an application allowed to decrypt my name could still maintain masking over my SSN, making my data only usable in a helpdesk application to verify my identity during a phone conversation. But the combined info would remain de-identified (or “frozen”) when used, moved or stored throughout other systems.
This is becoming much more common, especially in big data analytics, payments security applications that handle your credit card information, and similar solutions that simply keep the data de-identified at all times. Essentially, this allows only the relevant applications, systems or users to “unfreeze” the data if absolutely necessary. In most cases, the data can persist in its format-encrypted state as the norm, unlocked on a limited basis.
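The "frozen by default, unfrozen per application" idea above can be sketched in a few lines; this is an added example, not code from the original post or from the Voltage product. It uses a toy Feistel network over decimal digits (not NIST FF1 and not suitable for production), and the role names, the `POLICY` table and the sample SSN in the comments are constructed for illustration.

```python
import hashlib
import hmac

# Toy format-preserving cipher for illustration only; an assumption, not FF1.
ROUNDS = 10  # even, so both halves end up back in their original positions

def _f(key, tweak, i, half):
    # Round function: HMAC-SHA256 over round number, tweak and the other half.
    mac = hmac.new(key, bytes([i]) + tweak + b"|" + half.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big")

def _feistel(key, tweak, digits, decrypt=False):
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            c = (int(b) - _f(key, tweak, i, a)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _f(key, tweak, i, b)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b

def fpe(key, value, tweak=b"ssn", decrypt=False):
    # Transform only the digits; separators such as "-" stay where they are.
    it = iter(_feistel(key, tweak, "".join(c for c in value if c.isdigit()), decrypt))
    return "".join(next(it) if c.isdigit() else c for c in value)

# Hypothetical per-application policy: how much of the SSN each role may see.
POLICY = {"analytics": "token", "helpdesk": "last4", "fraud_review": "full"}

def view(key, role, token):
    level = POLICY.get(role, "token")  # unknown roles only ever get the token
    if level == "token":
        return token
    ssn = fpe(key, token, decrypt=True)
    # Assumes the NNN-NN-NNNN layout, where the last four characters are digits.
    masked = "".join("*" if c.isdigit() else c for c in ssn[:-4]) + ssn[-4:]
    return ssn if level == "full" else masked
```

The stored token has the same length and dash positions as a real SSN, so downstream schemas and validators keep working while only the roles listed in the policy ever see cleartext digits.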
Where is security headed long-term to protect your personal privacy?
The legacy of relying solely on firewalls, application access controls, and system-level security has evolved to incorporate data-centric security as fundamental to maintaining protection of personal privacy data. Each new mega-breach underscores the need to focus on the data itself, enabling it to flow between applications and systems, inside or outside an organization, safely: de-identified except for authorized use.
So while the need to freeze credit may be an inconvenience, it does also offer a best-practice blueprint for how to treat personal data in general—privacy by design, kept in a protected state at a data field level, unless absolutely required to be unlocked for use.