Ahead of the curve on some of these issues.
Peter: Who funds ITIF?
Daniel: We have a full set of funders from corporate donors, individuals that support our think tank. We work on a lot of different issues, so we get support from those interested, everything from IT issues to biotech and energy.
Peter: So for our purposes here, is it fair to say that large Silicon Valley corporations are part of your funding operation? The Googles and Facebooks of the world?
Daniel: Absolutely. I think these companies were all early supporters because they were interested in the idea of how do we proceed quickly and innovation.
Peter: You are the director of ITIF's Center for Data Innovation, which is what?
Daniel: We have a research center focused on these issues around data. I think for a long time, policymakers realize they had a few different levers of government. They could tax things. They could spend money. They could regulate things. Part of it was to say you can think about how you collect and use data with the government. You should have smart policy around data to drive different goals you might have. If you want to see cures for cancer, improve education, one way is strategic policy around data.
Peter: Do you find that federal agencies are well staffed when it comes to data protection and data officers?
Daniel: We're getting there. One of the first issues we focused on was the Open Government Data Act, which we've been working on for five years. It finally passed this year. Part of it required federal agencies to have a chief data officer. They have a requirement of doing this by July and putting out who they selected by August 2. When I last checked this, there were four agencies that still hadn't done it, but most of them had. That is a significant amount of progress. Now you have agencies paying attention to what data they're releasing, but also what data they collect and how they manage it.
Peter: So the purpose of the Open Government Data Act is?
Daniel: To make government data for use by the public, corporations, individuals, and also to require agencies to be strategic in how they manage data.
Peter: The other half of that is the data they collect.
Daniel: That's right.
Peter: What are they collecting about us? What do federal agencies know about us?
Daniel: To be clear, the Open Government Data Act, all government data, whether it's weather data, corporate data, or individual data. If it's individual data, they are likely not going to be releasing it, but they are going to have to track it. Different agencies do different things. Some collect everything from health information on veterans to educational data about individuals applying for grants to information about commercial transactions that still have personally identifying information in there.
Peter: Do you believe, and maybe this is a remote question that doesn't matter, but should those agencies be allowed to share data between themselves, be it TSA sharing with Social Security, et cetera? Or should they be stovepiped information?
Daniel: I think there's a certain data we do want to protect and keep confidential. For example, one of the reasons people generally are trusting the IRS, even though they might not like it, they know the IRS isn't going to take the data and turn it over to the Department of Justice to start a fishing expedition. I think some of those privacy safeguards are incredibly important. That said, we do see a lot of problems with stovepiping in government. For example, there's a half-dozen, dozen or more statistical agencies in the United States trying to figure out how is the economy working? Answer some basic questions about that. And then those agencies aren't able to share data. They end up coming up with different answers. They are not able to combine data for better analyses. And they face significant challenges. That's a problem because it is wasting government resources, taxpayer dollars, and less optimal outcomes.
One of the challenges is government agencies are starting to figure out how to get data from the private sector. Sometimes the private sector has better data. How can we use that data in helpful ways, but still treat this data confidentially or treat it confidentially but still share it across some agencies for specific purposes.
Peter: What do you think the issues are that people would be concerned about of the government getting data that's currently held by a private entity?
Daniel: I think a lot of people have rightful concerns about government intrusion in their personal lives. We've had very strong privacy safeguards that protect what government can do in that space. That said, as we enter this new era of much more private sector data collection, there's a question of can we do more? Let me give you a concrete example. You have a company like ADP, that does data processing for payroll across America. They're going to know every time a company submits their payroll what the state of the economy is. They can see what changed from the weeks before. They can see if there are fewer workers out there. They can see these types of changes in real time. That's information that can be useful for policymakers as they respond to potential downturn in the economy, or to respond when they are thinking about what should monetary policy be. I think it's a very legitimate question to say, can we have the long-established protections of how we want to treat citizens, while recognizing that the government doesn't always have the best data? And maybe we need to go to the private sector for that.
Peter: On a different note, perhaps a darker note, should Equifax be allowed to share their data with the federal government? Some people would be very uncomfortable with that.
Daniel: Yeah, so Equifax is an example of a company that's had a lot of challenges and a lot of Americans are upset with, and probably a lot of Americans didn't even know that company two or three years ago.
Then there's this massive data breach. I think that's a problem. One, a lot of what we rely on for companies to have good data practices is market behavior and companies basically respond to the market. So, if I'm unhappy when there's a Target data breach, I can no longer shop at Target. If I'm not happy when there's an Equifax breach, there's not a lot I can do about that. That's a problem. There are certain companies collecting data about individuals where consumers don't have a significant amount of control because they don't have a direct commercial relationship with them. I think there's a legitimate question to ask about what government oversight is appropriate and even when that data should be available.
Peter: What does a company like Equifax currently know about us?
Daniel: They're trying to collect data on people's credit histories. They are going to collect personal identifiable information, where you live, Social Security number, any loans you've taken out, any mortgages you've had, that kind of information. And then they're going to make it available to other companies that are looking to assess your credit.
Peter: Well, in other words, they're selling our information.
Daniel: They're monetizing it. The reason I would be hesitant to say selling it, they say if I sell you my car, I don't have my car anymore and you have that car. When these companies are monetizing data, they are not necessarily turning that data over to somebody else. They're just giving you an answer about this. This person has good credit or is a high risk or low risk. They're not necessarily sharing all of that banking information with other entities.
Peter: Is that a good system?
Daniel: There are parts of it that work really well. The parts that work well, we get credit. It's easy to open a new line of credit. Easy to buy a car at the dealer because you can have this information. We also have pretty good protections in place. If information is wrong, we can get corrections made to it.
I think the problem we have in this space, there's a few, one is that each state sets its own laws around these requirements around things like credit freezes. And so, there are mechanisms in place to make this world safer. You can freeze your credit. You can unlock it. In some states, that's expensive to do. And that's a problem. Basically, you have to pay these companies to secure your information. I think that type of system is fundamentally wrong and should be changed. That is something that should be changed state-by-state.
Peter: We Americans tend to be trusting people until we're not. And then when a breach like the Equifax breach, or the Capital One breach, we get a little antsy about our personal information being out there, don't we?
Daniel: I think we do.
Peter: Is there a solution? Is it a fine? Is it new legislation? Where do we go?
Daniel: I think what we have now isn't working. People are getting fed up with the announcements of here's another data breach. Sometimes there's no penalty at all, as we saw with the Equifax breach. There was an announcement that you could get 10 years of free credit monitoring or you can get 125. If you asked for that 125 and everyone else does, there's only a small pot of money and you might end up with five dollars or something less. I don't think the system's working today. I think there are ways to change it. One way we can change it is by looking at what people are going after. The reason there's all these data breaches is because attackers are going after certain types of information. The valuable information is Social Security numbers. That is only valuable because you can use it to commit fraud. The question, can we make that data less valuable? One thing we could do is make it so it's illegal to use Social Security numbers for identification and verification purposes outside Social Security. This is something the Social Security numbers were never intended to do.
It even says on the card, this is not for identification purposes. They stopped printing that, but that's something that could be done. That could be a requirement. No bank could open an account using a Social Security number. Another thing we can do, and if we did that, to be clear, the reason for stealing this information would go away. You don't have attacks on data if the data isn't valuable anymore. Something else we could do is fix what happens after a data breach. You get this offer for free credit monitoring. I've had five to six offers of free credit monitoring. I don't need more free credit monitoring. In fact, there are services that offer free credit monitoring. Capital One offered free monitoring before the hack. When they say that, they are not doing anything different. And veterans, because of a new change in policy, will have free credit monitoring. So, no one needs more free credit monitoring. What we need are other things. One recommendation is, after a data breach, instead of offering free credit monitoring, they are offered a menu of options. For example, they might get a free year of a password management service so they can have better password management. They might get a secure token so when they want to log into an account, they have better security, multifactor identification. Multifactor authentication. They might be able to get a secure electronic ID, and we can create a new market for security services that doesn't exist because people don't want to spend a lot of money in this space and there's not a market until people are willing to do that. If we start making it that whenever there's a data breach, we take one big step forward in securing online identity, that would mean we are getting closer to something more secure each time instead of this situation we are in now where we have a new data breach, people roll their eyes and wait six months for the next one.
Peter: We recently talked to Kate Fazzini of CNBC. She has a new book out.
It is called Kingdom of Lies. It's about hacking. And the way she writes, it doesn't sound like sitting behind our little passwords in our personal computers is really a good defense.
Daniel: Well, it's true, absolutely. And one of the things shocking to a lot of people is that for security logging into their bank account, that's often less secure than their email. I know a lot of people that use two-factor notification for their email. They have to prove it's them before they log in. When they log into their bank, it's just password 123 and they're in. That's a huge problem. That's where we can make progress, by making it so consumers have more options. And requirements in these regulated industries, for example banks. If you are a financial institution, you need to be moving faster towards better security.
Peter: When you see and read about what happened with Capital One, were you surprised at the scenario?
Daniel: Well, the actual attack that happened, we're still getting all the details, but it was, bluntly, a configuration error on their end. They made a mistake that was a mistake that could have been caught. It was a mistake. Mistakes happen. That's not an excuse, but at the end of the day, these types of things do happen. It shouldn't have, but it did. They were actually doing a lot of things right. For example, they had a bug bounty program, one of the best things a company can do. We will pay anyone who can find a problem with the system. You find it, let us know and there's money in it for you. We want to encourage people to find these problems and bring them to us. That actually helped them tracking down this particular problem and resolving it. They were doing other things that were right. They didn't have outdated systems. They moved forward. They had done a lot of things right. They had a really big mistake. That's why there's a lot of analysis that will have to go into that one to see what went wrong. There are other companies that never invested in security.
Never invested in security. And that's why they getting get things right. Capital One probably did a reasonable investment. They just made mistakes. And that's something consumers are going to have to recognize. These types of data breaches are going to continue to happen. But what can we do about the data so it's less valuable when it does?
Peter: How did you get into this line of scholarship?
Daniel: My background is information security, so I've been interested in these issues for a while. But I recognize you need to have policymakers understand these issues, too, otherwise you don't end up with good outcomes for consumers.
Peter: Are the threats and the sophistication of the attacks and our protection systems growing exponentially?
Daniel: I don't know if I'd say exponentially, but they are growing. The sophistication of these attacks show that the attackers are using significant resources and they're very complex. A lot of these involve significant amount of dedication to find the problem and exploit it. But the problem is it's really easy, once you find that way into the system and get all that data, to start making a lot of money off it on these black markets, where you can sell identities and credit cards. That's part of the problem. We need to have really good cyber law enforcement of these types of crimes to make it so if you commit these crimes, you'll actually go to jail. You have a lot of foreign attackers are getting away with these things very easily, and that's a problem, too. Capital One happened to be here in the United States, but that's not always how it plays out.
Peter: In a digital world, borders are muddy, aren't they?
Daniel: They are, and that's why these are international issues. This is a global issue. We need to move away from this idea we can secure just the United States or just U.S. consumers or businesses. If we want to address information security, it's a global problem and we need to be thinking about global solutions, as well.
It's not enough to think that we're going to have this relative security where the U.S. is going to be saved and we can take down our adversaries. We need to think about raising all boats in this scenario.
Peter: In a recent article on your website, Information Technology and Innovation Foundation, you coauthored an article, The Cost of an Unnecessarily Stringent Data Privacy Law, one of the key takeaways I want you to expound on. Federal legislation mirroring key provisions of the European Union's General Data Protection Regulation, or California's Consumer Protection Act could cost the U.S. economy approximately 122 billion a year, or 483 per U.S. adult.
Daniel: Yeah, so right now we're in the midst of this huge conversation about will we have federal data privacy legislation? It is being brought about as, one, Europe passed their law and some people are saying, should we copy them? And California passed a law that might be the next for the United States. Are we going to let California set the rules of the road? Are you going to do something different? The challenge in this space, it can be very costly to do data privacy. It doesn't mean we shouldn't do it. It means we should be strategic about how we do it. The point of the report was to start taking apart the different components and talk about where the value is for different ones and how we can construct something that provides significant protections to consumers, but keeps the price down. The problem with Europe, they move forward with data protection regulation, and they don't have the same Silicon Valley the United States has. They weren't interested in keeping costs down on companies and consumers. They wanted the best privacy money could buy or where money was no cost. In the U.S., we need to be thinking about how can we get privacy regulation at a