The ‘data party’ era of enterprises indiscriminately collecting, storing and selling users’ personal information is coming to an end, according to BigID.
A New York-based startup, BigID was formed in 2015 with the goal of improving enterprise data management and protection in the age of GDPR and the California Consumer Privacy Act (CCPA). The company, which won the 2018 Innovation Sandbox Contest at RSA Conference, recently raised $50 million in Series C funding. Now BigID is expanding its mission to help enterprises better understand and control their data amid new privacy regulations.
BigID co-founder and chief product officer Nimrod Vax talks with SearchSecurity about how new regulations have effectively ended the data party. He also discusses BigID’s launch, its future and whether data protection is getting easier or harder.
Editor’s note: This interview has been edited for length and clarity.
How was BigID founded?
Nimrod Vax: Dimitri [Sirota, CEO] and I were the company’s two founders. At my last kind-of real job I was head of the identity product line at CA, and at the time CA acquired Dimitri’s company, Layer 7 Technologies. That’s how we met, so we got to work together on challenges of customers around identity management and security. After we left CA, at the time, there was a big surge of breaches of personal information through incidents like the Ashley Madison scandal and LinkedIn and Twitter. And what was really surprising about those breaches was that they were breaches of what you would think is very sensitive information. It wasn’t nuclear plans or anything; it was really just lists of names and addresses and phone numbers, but it was millions and billions of them. The following year, there were four billion personal records stolen. And the question that we asked ourselves was that with all of these security tools that are out there, why are these breaches still happening? And we learned that data protection tools that were available at the time and even today were not purposely built to protect and discover and manage personal information. They were really very generic and were not built for that. And also, these scandals kind of raised visibility and awareness of privacy. The legislation has picked up and we have GDPR coming and later CCPA, so we’ve identified the opportunity to help software organizations address those needs and meet the requirements of these regulations.
What does BigID do?
Vax: BigID’s aim is to help organizations better understand what data they store about their customers and in general, and then allow them to take action on top of that and comply with regulations and better protect the data and better manage it to get more value out of the data. In order to do that, BigID is able to connect all data sources. We have over 60 different connectors to all the things you could even think about that you may have in an IT organization. All of the relational databases, all of the unstructured data sources, semistructured data, big data repositories, anything in AWS, business applications like SAP, Salesforce, Workspace, you name it. We connect to anything, and then search for and classify the data. We first and foremost catalog everything so you have a full catalog of all the data that you have. We classify that data, and tell you what type of data that is — where do you have user IDs? Where do you have phone numbers? We help to cluster it, so we can find similar types of data without knowing anything about the data; just knowing the content that’s similar to other data helps cluster it. Our claim to fame is our ability to correlate it. We can find Social Security numbers and whose Social Security number it is, and that allows you to distinguish between customer data, American data, European resident data, children or adult information, and also being able to know whose data it is for access rights and who to notify regarding a breach.
The solution is specifically built on premises, but it’s a modern enterprise software. It’s completely containerized and documented for containers. It automatically scales up and down and doesn’t require any agents on the endpoint; it connects using open APIs, and we don’t copy the data — we just house the data and that’s important because we don’t want to create a security problem. We also don’t want to incur a lot of additional storage.
And lastly, and I think this is very important, the discovery layer is all exposed to a well-documented set of APIs so that you can query that information and make it accessible to applications, and we build applications on top of that.
We’re obviously generating more and more user data every single day. Does data protection and data governance become exponentially harder as time goes on? And if so, how do you keep up with that explosion of user data?
Vax: One of the problems that led to BigID was the fact that organizations now have the knowledge and technology that allow them to store unlimited amounts of data. If you look at big data repositories, it’s all about storing truckloads of data; organizations are collecting as much as they can and they’re never deleting the data. That is a big challenge for them, not only to protect the data but even to gain value from the data. Information flows into the organization through so many different channels — from applications, from websites and from partners. Different business units are collecting data and they’re not consolidating it, so all the goodness of the ability to process all that data comes with a burden. How do I make more use of that data? How do I consolidate the data? How do I gain visibility into the data I own and have access to? That complexity requires a different approach to data discovery and data management, and that approach first requires you to be big data native; you need to be able to run in those big data repositories natively and not have to stream the data outside like the old legacy tools; you need to be able to scan data at the source, at the ingestion point, as data flows into these warehouses. What we recently introduced [with Data Pipeline Discovery] is the ability to scan data streams in services like Kafka or [AWS] Kinesis so as the data flows into those data lakes, we’re able to classify that data and understand it.
Regarding the CCPA, how much impact do you think it will have on how enterprise data is governed?
Vax: We’re seeing that effect already, and it goes back to the data party that’s been happening in the past five years. There’s been a party of data where organizations have collected as much data as they wanted without any liabilities or without any guardrails around them. Now with the CCPA and GDPR, they are bringing that additional layer of governing. You can still collect as much information as you want, but you need to protect it. You have obligations to the people from whom you are collecting the data, and that brings more governance to the data process. Now organizations need to be much more careful about that. The organization needs to have more visibility into the data not because it’s good to have it but because we have to have it for the regulations; you can’t protect, you can’t govern, and you can’t control what you don’t know, so that’s the big shift in the approach that CCPA brings to the table. Organizations are already getting prepared for that. We’re already seeing the effect that organizations are taking it very seriously and they don’t want to be the first ones to be dinged by the regulation. It’s not even the financial impact. It’s more reputational impact they are concerned about; nobody wants to be on the board of shame of the CCPA. They want to send a message to their customers that they care about privacy — not that they’re careless about it. I think that’s the big impact that we’re seeing.
What do the next 12 months look like for the company?
Vax: We’re growing rapidly both in product and in staff and in general — I think we’re about 150 people now. Last year, I think we were less than 30. We’re continuing to grow, and that growth is in two areas: on the product side and on extending to additional audiences. We are continuing to invest in our core discovery capabilities. We’re also building more apps. We’re going to solve more difficult problems in privacy and security and governance. We’re also extending to new audiences. Today, we are primarily focusing on building solutions or offerings for developers so that they can leverage our API and building process. For the next area, we are focusing on putting built-in privacy into the applications seamlessly with zero friction.
When it comes to personal data exposed in a breach, assessing the value of that data for class action lawsuits is more of an art than a science.
As interest in protecting and controlling personal data has surged among consumers lately, there have been several research reports that discuss how much a person’s data is worth on the dark web. Threat intelligence provider Flashpoint, for example, published research last month that said access to a U.S. bank account, or “bank log,” with a $10,000 balance was worth about $25. However, the price of a package of personally identifiable information (PII) or what’s known as a “fullz” is much less, according to Flashpoint; fullz for U.S. citizens that contain data such as victims’ names, Social Security numbers and birth dates range between $4 and $10.
But that’s the value of personal data to the black market. What’s the value of personal data when it comes to class action lawsuits that seek to compensate individuals who have had their data exposed or stolen? How is the value determined? If an organization has suffered a data breach, how would it figure out how much money it might be liable for?
SearchSecurity spoke with experts in legal, infosec and privacy communities to find out more about the obstacles and approaches for assessing personal data value.
John Yanchunis leads the class action department of Morgan & Morgan, a law firm based in Orlando, Fla., that has handled the plaintiff end for a number of major class action data breach lawsuits, including Equifax, Yahoo and Capital One.
The 2017 Equifax breach exposed the personal information of over 147 million people, and resulted in the credit reporting company creating a $300 million settlement fund for victims (which doesn’t even account for the hundreds of millions of dollars paid to other affected parties). Yahoo, meanwhile, was hit with numerous data breaches between 2013 and 2016. In the 2013 breach, every single customer account was affected, totaling 3 billion users. Yahoo ultimately settled a class action lawsuit from customers for $117.5 million.
When it comes to determining the value of a password, W-2 form or credit card number, Yanchunis called it “an easy question but a very complex answer.”
“Is all real estate in this country priced the same?” Yanchunis asked. “The answer’s no. It’s based on location and market conditions.”
Yanchunis said dark web markets can provide some insight into the value of personal data, but there are challenges to that approach. “In large part, law enforcement now monitors all the traffic on the dark web,” he said. “Criminals know that, so what are they doing? They’re using different methods of marketing their product. Some sell it to other criminals who are going to use it, some put it on a shelf and wait until the dust settles so to speak, while others monetize it themselves.”
As a result, several methods are used to determine the value of breached personal data for plaintiffs. “You’ll see in litigation we’ve filed, there are experts who’ve monetized it through various ways in which they can evaluate the cost of passwords and other types of data,” Yanchunis said. “But again, to say what it’s worth today or a year ago, it really depends upon a number of those conditions that need to be evaluated in the moment.”
David Berger, partner at Gibbs Law Group LLP, was also involved in the Equifax class action lawsuit and has represented plaintiffs in other data breach cases. Berger said that it was possible to assess the value of personal data, and discussed a number of damage models that have been successfully asserted in litigation to establish value.
One way is to look at the value of a piece of information to the company that was breached, he said.
“In other words, how much a company can monetize basically every kind of PII or PHI, or what they are getting in different industries and what the different revenue streams are,” Berger said. “There’s been relatively more attention paid to that in data breach lawsuits. That can be one measure of damages.”
Another approach looks at the value of an individual’s personal information to that individual. Berger explained that this can be measured in multiple different ways. In litigation, economic modeling and “fairly sophisticated economic techniques” would be employed to figure out the market value of a piece of data.
Another approach to assessing personal data value is determining the cost of what individuals need to do to protect themselves from misuse of their data, such as credit monitoring services. Berger also said the “benefit-of-the-bargain” rule can help; the legal principle dictates that a party that breaches a contract must pay the victim of the breached contract an amount in damages that puts them in the same financial position they would be in if the contract had been fulfilled.
For example, Berger said, say a consumer purchases health insurance and is promised reasonable data security, but if the insurance carrier was breached then “[they] got health insurance that did not include reasonable data security. We can use those same economic modeling techniques to figure out what’s the delta between what they paid for and what they actually received.”
Berger also said the California Consumer Privacy Act (CCPA), which he called “the strongest privacy law in the country,” will help because it requires companies to be transparent about how they value user data.
“The regulation puts a piece on that and says, ‘OK, here are eight different ways that the company can measure the value of that information.’ And so we will probably soon have a bunch of situations where we can see how companies are measuring the value of data,” Berger said.
The CCPA will go into effect in the state on Jan. 1 and will apply to organizations that do business in the state and either have annual gross revenues of more than $25 million; possess personal information of 50,000 or more consumers, households or devices; or generate more than half of their annual revenue from selling consumers’ personal information.
Some security and privacy professionals are reluctant to place a dollar value on specific types of exposed or breached personal data. While some advocates have pushed the idea of valuing consumers’ personal data as commodities or goods to be purchased by enterprises, others, such as the Electronic Frontier Foundation (EFF) — an international digital rights group founded 29 years ago to promote and protect internet civil liberties — are against it.
An EFF spokesperson shared the following comment, part of which was previously published in a July blog post titled “Knowing the ‘Value’ of Our Data Won’t Fix Our Privacy Problems.”
“We have not discussed valuing data in the context of lawsuits, but our position on the concept of pay-for-privacy schemes is that our information should not be thought of as our property this way, to be bought and sold like a widget. Privacy is a fundamental human right. It has no price tag.”
Harlan Carvey, senior threat hunter at Digital Guardian, an endpoint security and threat intelligence vendor, agreed with Yanchunis that assessing the value of personal data depends on the circumstances of each incident.
“I don’t know that there’s any way to reach a consensus as to the value of someone’s personally identifiable data,” Carvey said via email. “There’s what the individual believes, what a security professional might believe (based on their experience), and what someone attempting to use it might believe.”
However, he said the value of traditionally low-value or high-value data might be different depending on the situation.
“Part of me says that on the one hand, certain classes of personal data should be treated like a misdemeanor, and others like a felony. Passwords can be changed, as can credit card numbers; SSNs cannot. Not easily,” Carvey said. “However, having been a boots-on-the-ground, crawling-through-the-trenches member of the incident response industry for a bit more than 20 years, I cringe when I hear or read about data that was thought to have been accessed during a breach. Even if the accounting is accurate, we never know what data someone already has in their possession. As such, what a breached company may believe is low-value data is, in reality, the last piece of the puzzle someone needed to completely steal my identity.”
Jeff Pollard, vice president and principal analyst at Forrester Research, said concerns about personal data privacy have expanded beyond consumers and security and privacy professionals to the very enterprises that use and monetize such data. There may be certain kinds of personal data that can be extremely valuable to an organization, but the fear of regulatory penalties and class action lawsuits is causing some enterprises to limit the data they collect in the first place.
“Companies may look at the data and say, ‘Sure, it’ll make our service better, but it’s not worth it’ and not collect it all,” Pollard said. “A lot of CISOs feel like they’ll be better off in the long run.”
Editor’s note: This is part one of a two-part series on class action data breach lawsuits. Stay tuned for part two.
Security news director, Rob Wright, contributed to this report.