Is Data-Sharing Really Our Future?
November 12th, 2015
A lot has been written about data-sharing and consortiums. And while I support data-sharing and think that in most instances it makes sense for financial services firms and others, including their customers, I want to think through with you some of the persistent problems associated with it. This topic will continue to affect the financial services industry for many years to come, but I have recently concluded that, despite some tremendous progress in information-sharing, the advantages of data-sharing often continue to be hampered, or outweighed, by concerns around privacy, data protection, and international data transfer agreements.
- The Safe Harbor Changes: The recent invalidation of the 15-year-old Safe Harbor arrangement by the Court of Justice of the European Union changes how firms have to think about data transfers and data-sharing inside their own organizations. As of this writing, alternative mechanisms and arrangements are being considered; yet despite the flurry of activity to reach a new resolution, the very fact that this has happened puts data-sharing and the movement of data front and center for the Board of Directors and top C-level leadership. Previously, this was a topic that mainly concerned the IT team and perhaps the Legal Department and Investor Relations.
- The OPM Data Breach: This past summer's OPM data breach has been extremely bad press for US government initiatives to share data with the US financial services sector. Unfortunately, it is not the first such breach. Perhaps even more unfortunate is that the incident raises the specter of an American financial institution (or another private-sector party) no longer trusting the public sector's information security readiness and data protection capabilities. What would you say to a firm that does willingly want to share data with a US government agency or department, but is being pressured by its internal security, legal, and audit teams, and perhaps even by board members and shareholders, not to do so because of the risk of another wide-scale government data breach? How is the firm to reconcile this, especially if the sharing is not legally mandated?
- Snowden's Shadow: The Edward Snowden revelations will, I believe, cast an extremely long shadow across the data-sharing landscape for perhaps a generation. While slightly tangential to data-sharing within a sector or a single country, it is important to remember that Snowden's revelations have truly freaked some people out and made them unwilling to consider sharing arrangements they might have been open to in the past. Moreover, the UK's current debate over its "Draft Investigatory Powers Bill" will probably only heat up as technology firms push back against potentially being forced to hand over data, and even decryption keys, to UK intelligence services.
- Data Rationalization & Management: Most organizations are still unclear what format to use for their data, how to share it, how to protect it, and what to do when some firms are using oodles more data (read: "Big Data") while others, stuck way back in 2013 (sarcasm applied, please!), are not. There just isn't a consistent point of view on data anymore! That said, there has been tangible progress with the STIX (Structured Threat Information eXpression) language, the TAXII (Trusted Automated eXchange of Indicator Information) transport protocol, and CybOX (Cyber Observable eXpression), which give sharing partners a common schema for threat indicators, a common way to exchange them, and a common representation of the underlying observables. Together they will facilitate sharing tremendously.
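To make the "consistent format" point concrete, here is an added example (my own code, not from the original post or from the STIX/TAXII projects) of the minimum a sharing partner gains from a common schema: a producer builds one threat indicator, the consumer validates it before ingesting, and a malformed one is rejected with reasons rather than silently poisoning a feed. It uses the JSON-based STIX 2.1 Indicator object and TAXII 2.1 envelope (the current revision; the STIX 1.x and CybOX of 2015 were XML). All indicator data, hashes and addresses below are constructed.

```python
"""Producer/consumer round trip for one STIX 2.1 indicator (constructed example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties the STIX 2.1 specification requires on every Indicator object.
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
ID_RE = re.compile(r"^indicator--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# One comparison expression of the STIX patterning language: [type:path = 'value']
COMPARISON_RE = re.compile(r"^\[([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\]$")
TS_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def stix_timestamp(dt=None):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is not a STIX timestamp."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue
    return None


def make_indicator(name, pattern, valid_from=None):
    """Producer side: build a well-formed Indicator SDO."""
    ts = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from or ts,
    }


def parse_comparison(pattern):
    """Return (object_type, property_path, value) for a single-comparison pattern."""
    m = COMPARISON_RE.match(pattern)
    return m.groups() if m else None


def validate_indicator(obj):
    """Consumer side: list every reason this object must not be ingested."""
    problems = [f"missing {p}" for p in REQUIRED if p not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    if obj.get("spec_version") != "2.1":
        problems.append("unsupported spec_version")
    if "id" in obj and not ID_RE.match(obj["id"]):
        problems.append("id is not indicator--<uuid>")
    if obj.get("pattern_type") != "stix":
        problems.append("pattern_type is not stix")
    if "pattern" in obj and parse_comparison(obj["pattern"]) is None:
        problems.append("pattern is not a single STIX comparison")
    stamps = {k: parse_timestamp(obj.get(k)) for k in ("created", "modified", "valid_from")}
    for k, v in stamps.items():
        if k in obj and v is None:
            problems.append(f"{k} is not a STIX timestamp")
    if stamps["created"] and stamps["modified"] and stamps["modified"] < stamps["created"]:
        problems.append("modified precedes created")
    return problems


def ingest(envelope_json):
    """Consume a TAXII 2.1 envelope; return (accepted objects, [(id, reasons)] rejected)."""
    envelope = json.loads(envelope_json)
    accepted, rejected = [], []
    for obj in envelope.get("objects", []):
        problems = validate_indicator(obj)
        if problems:
            rejected.append((obj.get("id"), problems))
        else:
            accepted.append(obj)
    return accepted, rejected


# Constructed sample: one good indicator and one that a sloppy producer might emit.
GOOD = make_indicator(
    "Dropper sample seen at a peer institution (constructed hash)",
    "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
)
BAD = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator-12345",          # wrong identifier form
    "created": "2015-11-12 09:00",    # not a STIX timestamp
    "modified": "2015-11-12 09:00",
    "pattern": "203.0.113.5",         # bare value, not a pattern
    "pattern_type": "stix",
    # valid_from deliberately missing
}
ENVELOPE = json.dumps({"more": False, "objects": [GOOD, BAD]})

if __name__ == "__main__":
    ok, bad = ingest(ENVELOPE)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for ident, reasons in bad:
        print(ident, "->", "; ".join(reasons))
```

The validation is deliberately strict: an indicator that cannot be tied to a well-formed identifier, timestamps and a parseable pattern cannot be deduplicated, expired or attributed later, which is exactly the kind of data-management problem the bullet above describes. A production consumer would also check the producer's identity and the `more` flag for pagination, which this example leaves out.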
To conclude, I'm going to go out on a limb here. I think it's only a matter of time before a privacy-focused client of an American or European financial services firm attempts to sue the firm to prevent it from taking part in data-sharing. I'm no lawyer, but such an argument would be a natural outgrowth of the recent Safe Harbor case, and it would demonstrate precisely how deep the lack of trust runs between certain groups and elements within the financial services industry. Significant data-sharing is probably many years away, but it still feels to me that people are addressing this issue more than ever before, which is fundamentally a good thing.