The Value of Personal Information - IAPP Canada 2011
The Value of PI (Not π)
Constantine Karbaliotis, J.D., CIPP/C/IT
Americas Privacy Leader, Mercer

Constantine Karbaliotis, Mercer
• Americas Privacy Leader, Chief Privacy Officer for the Americas
• Recently joined Mercer (July 2010), responsible for assisting Mercer in its privacy compliance program
• Previously acted as Symantec’s privacy lead managing its global privacy program
• Nine years consulting experience with small to large law firms, the public legal sector, and other public and private sector organizations
• Eight years experience in managing privacy and providing privacy advice to public and private sector clients
• Practiced law for ten years
• Called to the Bar of the Province of Ontario, 1986
• Certified Information Privacy Professional (2004), Certified Information Privacy Professional/Canada (2006), Certified Information Privacy Professional/IT (2008)
The Value of PI
• Privacy is a human right; but there is also an aspect of ‘trading’ in our own information that makes it an asset, both in individuals’ hands and in the hands of corporations and the public sector
• This dual nature is why we struggle with the notion of trading PI – even when we’ve traded it, we obviously retain an interest
There’s no free lunch
• So-called ‘free’ services are premised upon exchanging personal information for:
  – Free e-mail
  – Social networking
  – News alerts
  – Travel itineraries
  – Document sharing and collaboration
  – Business networking
  – Photo sharing
  – Music playlists
  – Dating sites
The trade in PI
• We routinely exchange data for services, discounts, and convenience because companies see value in the information we share about ourselves – we create a substantial electronic footprint every day
• Coming soon to a browser near you: explicit exchanges of PI for money
  • Wall Street Journal: Online Privacy: Would you sell your private information to advertisers? http://blogs.wsj.com/wsjam/2011/03/08/2773/
Why do we care?
• As privacy professionals, the task is often to get organizations to take the charge of managing PI seriously…
  – Investments in a tough economy, of staff, technology, effort
  – Structuring business processes and implementing policy to foster a privacy-aware culture
• We need to speak the language of business
Two premises
• Personal information in the hands of organizations should be treated and measured as an asset
• Personal information in the hands of individuals is currency, which can be exchanged for goods and services
Implications for individuals
• Individuals often do not understand the value of the currency they are ‘trading’ on
• Our information is tremendously valuable – yet people give passwords up for chocolate
• We don’t appreciate the value of the currency we generate until, typically, it is lost, or used in a way we don’t appreciate or expect – until it is devalued
Implications for organizations
• So the question is, if it’s an asset, are organizations treating it the way an asset should be?
• If we have not valued it appropriately, how can it be protected appropriately?
What if we treated personal information as well as we treated buses…
Alternative measures of value (1)
• Loss value:
  – $204 per record
  – $6.75 million per privacy incident
  • Ponemon Institute, 5th Annual Survey
• “Lawsuit” value:
  – Recent decision of the Federal Court to award $5000 for providing inaccurate data
Alternative measures of value (2)
• What is the value of PI to the enterprise, in terms of:
  – Customer retention and trust
  – Goodwill or intangible asset
  – Royal Bank: Privacy accounts for an estimated 14% of overall Brand Value and 7% of overall Shareholder Value – $679M and $979M respectively (2001)
• Transactional value
  – What happens when another entity wants to buy data, e.g. a professional buys another’s practice?
  – There are ways to measure the value of such information in terms of retention, revenue, goodwill
Alternative measures of value (3)
• “Meta” value:
  – Value associated with trends, statistical or aggregated information
• Target value:
  – Value associated with knowing a particular individual’s buying habits, preferences, interests
Alternative measures of value (4)
• Trade value
  – What is the value of the service (social networking, e-mail, etc.) being traded for one’s PI?
  – Alternatively, what is the amount bid for a person’s information to get them to part with it in terms of cash?
Alternative measures of value (5)
• “Trust” value
  – If it costs a bank $y per loan application done online – versus $x in a bricks-and-mortar setting
  – The value of trust in using a website means a $x-y saving per transaction…
  – Conversely, lack of trust means bearing $x-y in additional costs unnecessarily
Alternative measures of value (6)
• “Theft” or criminal enterprise value:
  – Symantec’s Internet Security Threat Report, vol. XIV
Organizational implications
• This conversation needs to be with your CFO:
  – Is this asset valued appropriately?
  – Protected appropriately?
  – Insured?
  – Depreciated?
• With your CIO:
  – Do we know how PI is managed through its lifecycle?
Policy implications
• Privacy notices
  – Is notice sufficient – or is it a contract left unread?
  – Is reasonableness more important?
  – Is a social contract or bill of rights better for establishing a ‘standard contract’?
Implications for accountability – to the business
• Protecting PI means protecting individuals’ currency from ‘debasement’
  – Data losses and identity theft all debase the currency
  – Individuals lose the value of what they hope to trade
  – This means a loss in asset value to the organization
Conclusions?
• This is not to suggest there is one way to measure the value of PI
• This will vary by the nature of the PI, the business, and its uses
• It does suggest, however, a persuasive way to get organizations to see management of PI in a different light