This weeks peter on the communicators, we want to introduce you to daniel castro. Groupstro, what is that and what do you do . Daniel well, im with a think tank. We focus on innovation, generally. Were interested in seeing innovation move forward. Peter can you give an example of that what you are in favor of . Daniel 10 years ago, we werent talking about artificial intelligence. Theres this new wave of automation. But we were thinking about the policies we would need to get there. We try to help policymakers get ahead of the curve on some of these issues. Peter who funds i tif . Daniel we have a full set of funders from corporate donors, individuals that support our think tank. We work on a lot of different issues, so we get support from those interested, everything from i. T. Issues to biotech and energy. Peter so for our purposes here, is it fair to say that large corporationsy are part of them . Daniel absolutely. I think these companies were all early supporters because they were interested in the idea of how do we proceed quickly and innovation. Peter you are the director of the center for data innovation, which is what . Daniel we have a Research Center focused on these issues around data. I think for a long time, policymakers realize they had a few different levers of government. They could tax things. They could spend money. They could regulate things. Part of it was to say you can think about how you collect and use data with the government. You should have smart policy around data to drive different goals you might have. If you want to see cures for cancer, improve education, one way is Strategic Policy around data. Peter do you find that federal agencies are well staffed when it comes to Data Protection and data officers . Daniel were getting there. One of the first issues we focused on was the over meant open Government Data hack, which weve been working on for five years. It finally passed this year. Part of it required federal agencies to have a chief data officer. They have a requirement of doing this by july and putting out who they selected by august 2. This, therechecked were four agencies that still hadnt done it, but most of them had. Now you have agencies paying attention to what data theyre releasing, but also what data they collect and what data they manage. Peter so the purpose of the open Government Data act is . Daniel to make Government Data for use by the public, andorations, individuals, also to require agencies to be strategic in how they manage data. Peter the other half of that is the data they collect. Daniel thats right. Peter what are they collecting about us . Daniel to be clear, the open Government Data act, all Government Data, whether its weather data, corporate data, or individual data. If its individual data, they are likely not going to be releasing it, but they are going to have to track it. Different agencies do different things. Some collect Health Information on veterans to Educational Data about individuals applying for grants to information about commercial transactions that have identified personally identifying information in their. Peter do you believe, and maybe this is a remote question that doesnt matter, but should those agencies be allowed to share data between themselves, be it tsa sharing with Social Security, et cetera . Or should they be stove piped information . Daniel i think theres a certain data we do want to protect and keep confidential. One of the reasons people generally are trusting the irs, even though they might not like it, they know the irs isnt going to take the data and turn it to the department of justice. I think some of those privacy safeguards are incredibly important. Oft said, we do see a lot problems with stove piping and government. For example, theres a halfdozen dozen or more statistical agencies in the United States trying to figure out how is the economy working . Answer some basic questions about that. And then those agencies arent able to share data. The end up coming up with different answers. They are not able to combine data for better analyses. And they face significant challenges. Thats a problem because is wasting government resources, taxpayer dollars, and less optimal outcomes. One of the challenges is Government Agencies are starting to figure out how to get data from the private sector. Sometimes the private sector has better data. How can we use that data in helpful ways, but still treat this data confidentially or treated confidentially but still share it across some agencies for specific purposes . Peter what do you think the issues are that people would be concerned about of the government getting data thats currently held by a private entity . Peter i think daniel i think a lot of people have rightful concerns about government intrusion in their personal lives. Weve had very strong privacy safeguards that protects what government can do in that space. That said, as we enter this new era of much more private sector data collection, theres a question of can we do more . Let me give you a concrete example. You have a company like adp, that does Data Processing for payroll across america. Theyre going to know every time a Company Submits their payroll what the state of the economy is. They can see what changed from the weeks before. They can see if there are fewer workers out there. They can see these types of changes in realtime. Thats information that can be useful for policymakers as they respond to potential downturn in the economy, or to respond when they are thinking about what should Monetary Policy be. I think its a very legitimate question to say, can we have the longestablished protections of how we want to treat citizens, while recognizing that the government doesnt always have the best data . And maybe we need to go to the private sector for that. Peter on a different note, perhaps a darker note, should equifax be allowed to share their data with the federal government . Some people would be very uncomfortable with that. Daniel yeah, so equifax is an example of a company thats had a lot of challenges and a lot of americans are upset with, and probably a lot of americans didnt even know that company to her three years ago. Then two or three years ago. Then theres this massive data breach. I think thats a problem. On, a lot of what we rely for companies to have good data practices is market behavior and companies basically respond to the market. So, if im happy when theres a target data breach, i can no longer show the target. If im not happy when theres an equifax breach, theres not a lot i can do about that. Thats a problem. There are Certain Companies collecting data about individuals where consumers dont have a significant amount of control because they dont have a direct commercial relationship with them. I think theres a legitimate question to ask about what government oversight is appropriate and even when that data should be available. Peter what does a company like equifax currently know about us . Daniel theyre trying to collect data on peoples data histories peoples credit histories. Any loans you taken out, any mortgages youve had, that kind of information. And then there going to maket available to other companies that are looking to assess your credit. Peter well, in other words, theyre selling our information. Daniel theyre monetizing it. The reason i would be hesitant to say selling it, they say if i sell you my car, i dont have my car anymore and you have that car. When these companies are monetizing data, they are not turning that data over to somebody else. Theyre just giving you an answer about this. This person has good credit or is a high risk or low risk. Theyre not necessarily sharing that banking information with other entities. Peter is that a good system . Daniel there are parts of it that worked really well. The parts that work well, we get credit. Its easy to open a of credit. You can have this a new line of credit. You can have this information. We can get corrections made to wrong information. I think the problem we have in this space, theres a few, one is that each state sets its own laws around these requirements around things like credit freezes. And so, there are mechanisms in place to make this world safer. You can freeze your credit. You can unlock it. In some states, thats expensive to do. And thats a problem. Basically, you have to pay these companies to secure your information. That is fundamentally wrong and should be changed. Thats something that should be changed statebystate. Peter we americans tend to be trusting people until were not. And then when a breach like the eckel Fitch Equifax breach, or the capital one breach, we get a little antsy about our personal information being out there, dont wait . Daniel i think we do. Peter is there a solution . Is it a fine . Is it new legislation . Daniel i think what we have now isnt working. People are getting fed up with heres another data breach. Sometimes theres no penalty at all, as we saw with the equifax breach. There was an announcement that you could get 10 years of free getit monitoring or you can 125. 125 andu ask for that everyone else does, theres only a small pot of money and you might end up with five dollars or something less. I dont think the systems working today. Is byy we can change it looking at what people are going after. The reason theres all these data breaches is because attackers are going after certain types of information. The valuable information is Social Security numbers. Its viable because you can use it to commit fraud. The question, can we make that data less valuable . It thing we could do is make so its illegal to use Social Security numbers for identification and verification purposes outside Social Security. This is something the Social Security numbers were never intended to do. It even says on the card, this is not for identification purposes. Thats something that could be a requirement. No bank could open account using a Social Security number. Another thing we can do, and if we did that, to be clear, the reason for stealing this information would go away. You dont have a tax on data if the data is invaluable anymore. Fixingng else could be what happens after a data breach. You get this offer for free credit monitoring. Ive had five to six offers of free credit monitoring. I dont need more free credit honoring. In fact, there are services that offer free credit monitoring. Capital one offer that before the heck. When they say that, they are not doing anything different. And veterans, because of a new change in policy, will have free credit monitoring. So, no one needs more free credit monitoring. What we need are other things. One recommendation, is after a data breach, instead of offering free credit monitoring, they are offered a menu of options. For example, a free year of a Password Management Service so they can have better password management. They might get a secure token so when they want to log into an account, they have better security, multifactor identification. They might be able to get a secure electronic id, and we can create a new market for Security Services that doesnt exist because people dont want to spend a lot of money in this space and theres not a market until people are willing to do that. If we start making it that whenever theres a data breach, we take once set forward in securing online identity, that would mean we are getting closer to something more secure each time instead of this situation we are in now where we have a new data breach, people roll their eyes and wait six months for the next one. Peter we recently talked to kate mancini of cnbc. She has a new book out. Its about hacking. Writes, it she doesnt sound like sitting behind our little passwords in our personal computers is really a good defense. Its true,l, absolutely. And one of the things shocking to a lot of people, is that for logging into their bank account, thats often less secure than their email. I know a lot of people that use to factor notification for their email. They have to prove its them before they login. When they log into their bank, its just password 123 and theyre in. Thats a huge problem. Thats where we can make progress, by making it so consumers have more options. And requirements in these regulated industries, for example banks. You need to be moving faster towards better security. Peter when you see and read about what happened with capital one, who were you surprised at the scenario . Daniel well, the actual attack that happened were still getting all the details but it was bluntly, a configuration error. They made a mistake that was a mistake that could have been caught. It was a mistake. Mistakes happen. But ats not an excuse the end of the day, these types of things do happen. It shouldnt have, but it did. They were actually doing a lot of things right. For example, they had a bug value program, one of the best things a company can do. We will pay anyone who can find a problem with the system. You find it, let us know and theres money in it for you. That actually helped them tracking down this particular problem and resolving it. They were doing other things that were right. They didnt have outdated systems. They moved forward. They had a really big mistake. Ofts why theres a lot analysis that will have to go into that one to see what went wrong. Companies that never invested insecurity. Gettings why they get things right. Capital one probably did a reasonable investment. They just made mistakes. And thats something consumers are going to have to recognize. These excise data breaches are going to continue to happen. But what can we do about the data so its less valuable when it does . Peter how did you get into this line . Daniel my background is information security, so ive been interested in these issues for a while. But i recognize you need, to have policymakers understand these issues, too, otherwise you dont end up with good outcomes for consumers. Peter are the sophistications of the attacks and our Protection Systems growing exponentially . Daniel i dont know if id say exponentially, but they are growing. The sophistication of these attacks show that the attackers are using significant resources and theyre very complex. A lot of these involve significant amount of dedication to find the problem and exploit it. But the problem is its really easy, once you find that way into the system and get all that data and start making a lot of money off it on these black markets, where you can sell identities and credit cards. Thats part of the problem. We need to have really good cyber Law Enforcement of these types of crimes to make it so if you commit these crimes, youll actually go to jail. A lot of foreign attackers are getting away with these things very easily, and thats a problem, too. Capital one happened to be here in the nonstates, but thats in the United States, but thats not always how it plays out. Peter in a digital world, borders are muddy, arent they . Daniel they are and thats why the these are international issues. This is a global issue. We need to move away from this idea we can secure just the United States or just u. S. Consumers or businesses. If we want to address information security, its a global problem and we need to be thinking about global solutions, as well. Its not enough to think that were going to have this relative security where the u. S. Is going to be saved and we can take down our adversaries. Peter in a recent article on your website, Information Technology at the innovation foundation, you coauthored an article, the cost of an unnecessarily stringent data privacy law, one of the Key Takeaways i want you to expound on. Federal legislation mirroring key provisions of the European Unions general Data Protection regulation, or californias Consumer Protection act could cost the u. S. Economy approximately 122 billion a adult. R 483 per u. S. Daniel yeah, so right now were in the midst of this huge conversation of will we have federal data privacy legislation . Law andope passed their some people are saying, should be copy them . And california passed a law that might be the next for the United States. Are we going to let california set the rules of the road . Are you going to do Something Different . The challenge in this space, it can be very costly to do data privacy. It doesnt mean we shouldnt do it. It means we should be strategic about how we do it. The point of the report was to start taking apart the different components and talk about where the value is for different ones and how we can construct something that provides significant protections to consumers, but keeps the price down. The problem with europe, they move forward with Data Protection, and they dont have the same Silicon Valley the United States has. Interested ine keeping costs down on companies and consumers. They wanted the best privacy money could buy or when money was no cost. In the u. S. , we need to be thinking about how can we get privacy regulation at a good value . Not at any cost because when you think of these terms at any cost, you end up lowering consumer welfare. What we want to see is consumers coming out ahead because they have better privacy, but they still have access to Innovative Products andervices and they are not caught off from things they like using today. Peter what did you mean by Lower Consumer welfare . Daniel if you look at t