How to fight cybercrime without compromising consumer privacy

March 27, 2015

Andreas Baumhof

In light of the recent executive order on cybersecurity by President Obama, now is a better time than ever to address online security and privacy.

The order urges private sector companies to share threat and cybersecurity data. Collecting an unreasonable amount of personal information will lead to what my colleague, Alisdair Faulkner, calls a "privacy Pearl Harbor." Threat-intelligence sharing is necessary, but only to a certain extent — businesses must make sure that reasonable security is not an unreasonable privacy invasion.

How can businesses share threat information and protect against cybercrime effectively without compromising consumer privacy? The following are three best practices:

1. Maintain a reasonable amount of digital identity verification

Verifying one’s location or phone number when using a banking app is perfectly reasonable. However, some businesses, including ride-sharing services and major banks, have access to information about your entire location and activity history each time you use the app, which is an unreasonable privacy invasion and beyond what is necessary for security measures.

2. Leverage anonymized shared intelligence and context-based authentication

At a minimum, industries operating online should self-enforce standards for controlling access to customer data, guarding against both insider and outsider theft, without invading privacy. Context-based authentication establishes trust for each account login based on fully anonymous user identity, device usage, geolocation, behavior and other factors without compromising consumer identity or privacy.