I produced the following article along with a colleague: "How Identity Data Is Turning Toxic For Big Companies".
We wondered what the views are within this community regarding the tipping point between the benefit of holding some types of data and the cost of protecting it.
What is the nudge that forces us to consider other, possibly decentralised, models for processing identity data? What would be the barriers to this move? Or are we getting normalised to the regular occurrences of breach notifications?
It is fair to say that the public perception of identity data breaches has become somewhat normalized due to the frequency of media coverage.
However, the financial consequences, not to mention strict regulatory focus, will only intensify over the short-to-medium term.
Wider adoption of peer-to-peer trust models will take time but is a potential part of the solution. At a higher level, a hybrid solution is just as likely to emerge that may, or may not, be underpinned by a decentralized identity model.
There are a great deal of barriers to overcome.
Most proposed solutions are likely to avoid the exchange of any identity data as much as possible. The assurance of someone's identity will come from the identifying body. Assurance providers will still have to hold the identity data though, so this does not remove the need for secure data practices, during identity registration for example.
Many sectors have been looking at this problem and all of them want to be the key custodian. Who is the correct key custodian? Local Government? Defence? Retail? Utilities? Not an easy question to answer but all have a vested interest in this domain.
You mention the analogy of tokenization, but it is wrong to say that it is hard to imagine this theory being applied to the identity problem. Someone still has to hold the data, but requests for identity assurance may be reduced to binary answers rather than exchanging the identity information. At least that will reduce the attack surface, as fewer people will hold the data. Technologies based on SAML take a similar approach.
With so many stakeholders, it will prove impossible for all to agree on an individual provider/system. It is extremely difficult to achieve universal standards adoption worldwide. Consider the example of PKI environments: how many certifying authorities are there? Quite a lot. Not to mention that many organisations act as their own assurance provider for closed systems.
The internet is now predicated on data, linked to identity, being an asset. It seems ludicrous to think this will now somehow be abandoned when there is an entire global economy based online.
The realistic goal in the short term is to reduce the need for identity data to be exchanged as much as possible. The people that do hold it should have strong fundamental security practices.
The long term may provide more radical solutions, but it is unlikely to happen overnight.
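The "binary answer instead of identity data" pattern from the reply above, as an added illustration that is not part of the original thread: an assurance provider holds the record and answers a yes/no predicate (here "is this subject over 18?") with a signed assertion, and the relying party verifies the signature and checks the answer without ever receiving the date of birth. The record store, subject ids, predicate name and the HMAC shared key are all constructed for the demo; a SAML-style deployment would use the provider's asymmetric signing key and a proper assertion format, so the HMAC is a stand-in for that signature, not a recommendation.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample record store held only by the assurance provider.
IDENTITY_RECORDS = {
    "user-123": {"name": "A. Example", "dob": "1990-05-14", "address": "1 Sample St"},
    "user-456": {"name": "B. Example", "dob": "2010-06-01", "address": "2 Sample St"},
}

# Constructed key shared by provider and relying party (stand-in for a signing key).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _age_on(dob_iso, today):
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = (int(part) for part in dob_iso.split("-"))
    born = date(y, m, d)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def _sign(body):
    return hmac.new(SHARED_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def assert_predicate(subject, predicate, today=None):
    """Provider side: answer a yes/no question about a subject and sign the answer.

    Only the boolean leaves the provider; the underlying record stays put.
    Returns None for an unknown subject.
    """
    today = today or date.today()
    record = IDENTITY_RECORDS.get(subject)
    if record is None:
        return None
    if predicate == "over_18":
        answer = _age_on(record["dob"], today) >= 18
    else:
        raise ValueError("unsupported predicate: %r" % predicate)
    payload = {"sub": subject, "pred": predicate, "ans": answer, "iat": today.isoformat()}
    # Canonical JSON so provider and verifier sign/verify identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"body": body, "sig": _sign(body)}


def verify_assertion(assertion, expected_subject, expected_predicate):
    """Relying-party side: check signature, subject and predicate, then return the answer.

    Returns None when the assertion is missing, tampered with, or about
    the wrong subject or question. The verifier never sees the DOB.
    """
    if assertion is None:
        return None
    if not hmac.compare_digest(_sign(assertion["body"]), assertion["sig"]):
        return None
    payload = json.loads(assertion["body"])
    if payload.get("sub") != expected_subject or payload.get("pred") != expected_predicate:
        return None
    return payload.get("ans")


if __name__ == "__main__":
    fixed_day = date(2024, 1, 1)  # constructed "today" for reproducible output
    for subject in ("user-123", "user-456"):
        a = assert_predicate(subject, "over_18", today=fixed_day)
        print(subject, "over_18 ->", verify_assertion(a, subject, "over_18"))
```

The point the reply makes is visible in the exchange: the relying party gets a signed `true`/`false` and the provider remains the only party that must protect the full record, so the number of places the raw identity data lives does not grow with each new consumer.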
From my view, the problem is one of impression vs actual profit. To explain, I think we have yet to conclude that the dollar amount we spend on data collection has brought a commensurate return on actual sales etc. More often than not, it seems where the return is realized is on the investment side because the investment community loves big data. Granted, that is a massive generalization, but I think corporate value in these troves of personally identifiable information lies in the concept of being able to know all this stuff about a customer base more than the actual application of it.
In that sense, if you are dealing with a public company trying to woo shareholders, that data will be a lot more valuable than it is to a private company doing the exact same business. Big data has become our "unobtainium" - everyone wants it even if we don't know how to use it.
The real answer to your questions lies in the GDPR's 4 percent fine for a data breach and how long it will be until the US adopts a similar measure. Consider for a moment, Facebook. It may be worth $350 billion, but its ad revenue is only about 10 percent of that (again, value is more attributed to shareholder interest than business model), and its profit just 10 percent of that. In short, if Facebook has a data breach, in any given year it could go from a 1 percent profit (as compared to value) to a 3 percent loss. One can imagine how the resultant fine and negative PR would impact shareholder value and ad sales. Now you have a downward spiral. I think one thing we have seen is that once that slide starts (MySpace, Yahoo, etc.) it doesn't stop.