Matt Morton, Consultant and a leader in data privacy, talks about your data net worth and what organizations can do to secure information.
Most of us are familiar with the concept of net worth, which is the sum of an individual’s investments and assets. But have you thought about your data’s net worth? The intrinsic worth of our data ranges from very little, such as benign comments on a social post, to priceless, for family photos and videos. We typically don’t analyze the worth of our personal data but perhaps we should, since many companies (mainly advertisers) as well as criminals actively seek our data and are willing to pay a premium for it.
This year’s Data Privacy Day theme is “Personal information is like money. Value it. Protect it.” Data Privacy Day was created to help individuals improve their personal data privacy and security, and to inspire organizations to better protect the personal data they handle, with the goal of stemming the tide of breaches and motivating action.
Knowing the Value of Your Data
Your digital identity, consisting of basic elements like name, address, and IP address, is the focal point for data collection. Our online activities leave a digital footprint and contribute to a digital persona, which is then developed into a consumer profile by companies like Amazon, Google, and Facebook.
Data brokers buy and sell our personal information every day. They know the data they are willing to pay for and the expected return. They also price that data for the companies whose products you may (or may not) want.
You should know the value of your data, too. The Financial Times interactive report How much is your personal data worth? provides a tool that helps you explore the value of your personal data from the view of a data broker. Using this tool, the value of personal data is approximately $0.60 per individual, on average.
Nowhere is the value of data more evident than when viewed through the lens of data breaches. According to data from the Privacy Rights Clearinghouse database, over the last decade, more than 9,500 breaches exposed approximately 6 billion personal records. According to a Ponemon Institute analysis, the estimated price tag for this number of breaches would equate to nearly $1 trillion of damage that organizations bore.
Much of the data that is stolen in breaches every year ends up on the dark web, with a market value that fluctuates based upon the quality and the current needs of the criminals using it. Thieves may be more interested in surveillance rather than direct financial gain, which is factored into the value of the data as well.
Experian, also a data broker, detailed the current value of data on the dark web in its 2017 Here’s How Much Your Personal Information Is Selling for on the Dark Web report. The list is quite surprising. For example, a Social Security number apparently has less value to criminals than a consumer loyalty
Privacy Regulation Evolution
The impact of data loss has become so great that many governments are either increasing their regulatory impacts or better enforcing regulations currently on the books. The European Union passed a sweeping regulation that went into effect in 2018 called the General Data Protection Rule (GDPR). Over $438,365,955.00 (€393 million) in fines have been imposed since late 2018, with two of the largest for Google and British Airways.
In the United States, the Federal Trade Commission (FTC) has begun enforcing regulations with unprecedented penalties. Examples of fines have been $1 billion ($500 million direct payout) for the Equifax breach and a whopping $5 billion fine for Facebook for improper sharing of data related to the Cambridge Analytica psychographic tracking system. The United States, which has not had a comprehensive data privacy law, is crafting the Consumer Online Privacy Rights Act, or COPRA, which will adopt many of the principles of other regulations like GDPR and HIPAA.
What Can an Organization Do?
Corporate boards and CEOs now recognize that gaps in data protection, undiscovered breaches, and regulatory violations related to a company’s technology operations can threaten their profitability and stability. The worth of data that organizations hold is increasingly key to an organization’s plans in today’s dynamic digital environment. Utilizing data to better connect with customers, improve operations, and build employee engagement are all goals of progressive organizations.
But what, specifically, can an organization do to improve its data privacy? Much like security, building a corporate culture with a privacy mindset requires considering privacy in all decisions. And it begins with some basics that need to be addressed:
- Make privacy a key issue at the board level. Boards should be holding their leaders to task on security and privacy. Security has made some inroads but still needs additional work. And privacy is still being understood from the perspective of individuals’ ownership of their own data.
- Build privacy into procurement processes. Consider who owns the data. Are all partners focused on protecting the data? If selecting lower-cost providers, is it being done at the expense of customer privacy?
- Review your data use internally. Are the questions that are being asked of the data worth knowing? Is the data you are capturing and storing really adding value? What should you stop capturing?
- Review the ethical use of data by your organization and its partners. Understanding what constitutes “ethical use” and identifying it within your organization is key to understanding what needs to happen.
- Create a data governance plan or review your existing plan. A data governance plan helps your organization control data access and remain in compliance with internal policies and federal regulations. Does your technology plan support the data governance plan?
- Dedicate an individual to a privacy role. If your organization isn’t large enough to support a specific role, obtain professional consulting to fill your organization’s privacy needs.
- Implement and assess against a privacy framework. The NIST Privacy Framework released in January 2020 is a good example.
- Use encryption. Encrypt your data at rest and as it is transmitted – always.
On Data Privacy Day, let’s commit to becoming more privacy aware. Let’s do a better job of securing our data, and using it in ways that are ethical and aligned with business objectives and our customers’ wishes. As individuals, let’s work to understand our net data worth, and then protect it and value it.
A member of Vantage’s strategic consulting practice, Matt specializes in data privacy, information security, IT management, organizational development, and strategic technology architecture. Contact Matt via email, LinkedIn, or Twitter.