One of the most notable parts of Mark Zuckerberg’s testimony last week was his indication of Facebook’s openness to being regulated. Traditionally, most industries have been vehemently anti-regulation, instead preferring to “self-regulate” and keep the perceived clumsiness of government out of their businesses. The tech community has been particularly anti-regulation, instead relying on the open market for guidance and accountability. But that era seems to be coming to a close, with even the most sacred regulatory exemptions for tech being called into question. The most notable example of this is GDPR, the European Union’s General Data Protection Regulation.
GDPR puts in place a whole host of measures designed to create accountability for companies that collect large volumes of data, including requirements for an improved security posture across the enterprise, mandatory data breach monitoring and disclosure rules, and severe penalties for non-compliance.
We at Terbium are big fans of GDPR. Not only have we argued that regulation has a strong role to play in ensuring individual privacy and security, but we’ve built our product, Matchlight, entirely around a privacy-protected data fingerprinting technology that is designed to implement exactly the sorts of principles GDPR embodies. For example, GDPR extends liability for data protection to any third party with whom a company shares their data. This means that a company wanting to share their data with, say, a security intelligence firm in order to enable dark web monitoring would be liable should that security firm ever be breached. In our case, since we use data fingerprinting to enable dark web monitoring of customer data without having to ever see or store it, we don’t open up our customers to any increased liability under GDPR!
We continue to think regulation of things like personal data and payment card fraud are a vital part of improving privacy and security across the internet. GDPR is the first major step, but we hope that it serves as a template for other regulatory bodies to follow suit. While we don’t have a lot of hope for federal regulation here in the U.S. in the near future, we are seeing the states step up. GDPR itself was modeled after California’s data breach disclosure laws, and New York State’s Department of Financial Services has new cybersecurity regulations going into effect that achieve a lot of the same ends as GDPR. So there are signs of progress. And in the meantime, we’re going to continue to stay on the cutting edge of privacy and security technologies here at Terbium.