The Value of Personal Information - IAPP Canada 2011


The Value of Personal Information - Delivered at the IAPP Canadian Privacy Summit, May 2011

Published in: Business, Technology

  1. The Value of PI (Not π)
     Constantine Karbaliotis, J.D., CIPP/C/IT
     Americas Privacy Leader
     Mercer
  2. Constantine Karbaliotis, Mercer
     • Americas Privacy Leader, Chief Privacy Officer for the Americas
     • Recently joined Mercer (July 2010), responsible for assisting Mercer in its privacy compliance program
     • Previously acted as Symantec’s privacy lead managing its global privacy program
     • Nine years consulting experience with small to large law firms, public legal sector as well as other public and private sector organizations
     • Eight years experience in managing privacy and providing privacy advice to public and private sector clients
     • Practiced law for ten years
     • Called to the Bar of the Province of Ontario, 1986
     • Certified Information Privacy Professional (2004), Certified Information Privacy Professional/Canada (2006), Certified Information Privacy Professional/IT (2008)
  3. The Value of PI
     • Privacy is a human right; but there is also an aspect of ‘trading’ in our own information that makes it an asset, both in individuals’ hands and in the hands of corporations and the public sector
     • This dual nature is why we struggle with the notion of trading PI – even when we’ve traded it, we obviously retain an interest
  4. There’s no free lunch
     • So-called ‘free’ services are premised upon exchanging personal information in exchange for:
       – Free E-mail
       – Social networking
       – News alerts
       – Travel itineraries
       – Document sharing and collaboration
       – Business networking
       – Photo sharing
       – Music playlists
       – Dating sites

  5. The trade in PI
     • We routinely exchange data for services, discounts, convenience because companies see value in the information we share about ourselves – we create a substantial footprint electronically every day
     • Coming soon to a browser near you: explicit exchanges of PI for money:
     • Wall Street Journal: Online Privacy: Would you sell your private information to advertisers?

  6. Why do we care?
     • As privacy professionals, the task is often to get organizations to take the charge of managing PI seriously…
       – Investments in a tough economy, of staff, technology, effort
       – Structuring business processes and implementing policy to foster a privacy-aware culture
     • We need to speak the language of business
  7. Two premises
     • Personal information in the hands of organizations should be treated and measured as an asset
     • Personal information in the hands of individuals is currency, which can be exchanged for goods and services

  8. Implications for Individuals
     • Individuals often do not understand the value of the currency they are ‘trading’ on
     • Our information is tremendously valuable – yet people give passwords up for chocolate
     • We don’t appreciate the value of the currency we generate until, typically, it is lost, or used in a way we don’t appreciate or expect – until it is devalued

  9. Implications for organizations
     • So the question is, if it’s an asset, are organizations treating it the way an asset should be?
     • If we have not valued it appropriately, how can it be protected appropriately?

  10. What if we treated personal information as well as we treated buses…
  11. Alternative measures of value (1)
      • Loss value:
        – $204 per record
        – $6.75 million per privacy incident
          • Ponemon Institute, 5th Annual Survey
      • “Lawsuit” value:
        – Recent decision of Federal Court to award $5000 for providing inaccurate data
  12. Alternative measures of value (2)
      • What is the value of PI to the enterprise, in terms:
        – Customer retention and trust
        – Goodwill or intangible asset
        – Royal Bank: Privacy accounts for an estimated 14% of overall Brand Value, and 7% of overall Shareholder Value - $679M and $979M respectively (2001)
      • Transactional value
        – What happens when another entity wants to buy data, e.g. a professional buys another’s practice?
        – There are ways to measure the value of such information in terms of retention, revenue, goodwill
  13. Alternative measures of value (3)
      • “Meta” value:
        – Value associated with trends, statistical or aggregated information
      • Target value:
        – Value associated with knowing a particular individual’s buying habits, preferences, interests
  14. Alternative measures of value (4)
      • Trade value
        – What is the value of the service (social networking, e-mail, etc.) being traded for one’s PI?
        – Alternatively, what is the amount bid for a person’s information to get them to part with it in terms of cash?
  15. Alternative measures of value (5)
      • “Trust” value
        – If it costs a bank $y per loan application done online – versus $x in a bricks-and-mortar setting
        – The value of trust in using a website means a $x-y savings per transaction…
        – Conversely, lack of trust means bearing $x-y additional costs unnecessarily
  16. Alternative measures of value (6)
      • “Theft” or criminal enterprise value:
        – Symantec’s Internet Security Threat Report, vol. XIV
  17. Organizational Implication
      • This conversation needs to be with your CFO:
        – Is this asset valued appropriately?
        – Protected appropriately?
        – Insured?
        – Depreciated?
      • With your CIO:
        – Do we know how PI is managed through its lifecycle?
  18. Policy Implications
      • Privacy Notices
        – Is notice sufficient – or a contract unread?
        – Is reasonableness more important?
        – Is a social contract or bill of rights better to establish a ‘standard contract’?
  19. Implications for Accountability – to the business
      • Protecting PI means protecting the currency of individuals from ‘debasement’ of their currency
        – Data losses, identity theft are all debasing the currency
        – Individuals lose value of what they hope to trade
        – Means a loss in asset value to the organization
  20. Conclusions?
      • This is not to suggest there is one way to measure the value of PI
      • This will vary by the nature of the PI, the business, and its uses
      • It does suggest however a persuasive way to get organizations to see management of PI in a different light