The Value of Personal Information - IAPP Canada 2011

The Value of Personal Information - Delivered at the IAPP Canadian Privacy Summit, May 2011

The Value of Personal Information - IAPP Canada 2011: Presentation Transcript

  • The Value of PI (Not π)
      Constantine Karbaliotis, J.D., CIPP/C/IT
      Americas Privacy Leader
      Mercer
  • Constantine Karbaliotis, Mercer
      • Americas Privacy Leader, Chief Privacy Officer for the Americas
      • Recently joined Mercer (July 2010), responsible for assisting Mercer in its privacy compliance program
      • Previously acted as Symantec’s privacy lead managing its global privacy program
      • Nine years consulting experience with small to large law firms, public legal sector as well as other public and private sector organizations
      • Eight years experience in managing privacy and providing privacy advice to public and private sector clients
      • Practiced law for ten years
      • Called to the Bar of the Province of Ontario, 1986
      • Certified Information Privacy Professional (2004), Certified Information Privacy Professional/Canada (2006), Certified Information Privacy Professional/IT (2008)
  • The Value of PI
      • Privacy is a human right; but there is also an aspect of ‘trading’ in our own information that makes it an asset, both in individuals’ hands and in the hands of corporations and the public sector
      • This dual nature is why we struggle with the notion of trading PI – even when we’ve traded it, we obviously retain an interest
  • There’s no free lunch
      • So-called ‘free’ services are premised upon exchanging personal information in exchange for:
          – Free E-mail
          – Social networking
          – News alerts
          – Travel itineraries
          – Document sharing and collaboration
          – Business networking
          – Photo sharing
          – Music playlists
          – Dating sites

  • The trade in PI
      • We routinely exchange data for services, discounts, convenience because companies see value in the information we share about ourselves – we create a substantial footprint electronically every day
      • Coming soon to a browser near you: explicit exchanges of PI for money:
          • Wall Street Journal: Online Privacy: Would you sell your private information to advertisers? http://blogs.wsj.com/wsjam/2011/03/08/2773/

  • Why do we care?
      • As privacy professionals, the task is often to get organizations to take the charge of managing PI seriously…
          – Investments in a tough economy, of staff, technology, effort
          – Structuring business processes and implementing policy to foster a privacy-aware culture
      • We need to speak the language of business
  • Two premises
      • Personal information in the hands of organizations should be treated and measured as an asset
      • Personal information in the hands of individuals is currency, which can be exchanged for goods and services

  • Implications for Individuals
      • Individuals often do not understand the value of the currency they are ‘trading’ on
      • Our information is tremendously valuable – yet people give passwords up for chocolate
      • We don’t appreciate the value of the currency we generate until, typically, it is lost, or used in a way we don’t appreciate or expect – until it is devalued

  • Implications for organizations
      • So the question is, if it’s an asset, are organizations treating it the way an asset should be?
      • If we have not valued it appropriately, how can it be protected appropriately?

  • What if we treated personal information as well as we treated buses…
  • Alternative measures of value (1)
      • Loss value:
          – $204 per record
          – $6.75 million per privacy incident
              • Ponemon Institute, 5th Annual Survey
      • “Lawsuit” value:
          – Recent decision of Federal Court to award $5000 for providing inaccurate data
  • Alternative measures of value (2)
      • What is the value of PI to the enterprise, in terms of:
          – Customer retention and trust
          – Goodwill or intangible asset
          – Royal Bank: Privacy accounts for an estimated 14% of overall Brand Value, and 7% of overall Shareholder Value - $679M and $979M respectively (2001)
      • Transactional value
          – What happens when another entity wants to buy data, e.g. a professional buys another’s practice?
          – There are ways to measure the value of such information in terms of retention, revenue, goodwill
  • Alternative measures of value (3)
      • “Meta” value:
          – Value associated with trends, statistical or aggregated information
      • Target value:
          – Value associated with knowing a particular individual’s buying habits, preferences, interests
  • Alternative measures of value (4)
      • Trade value
          – What is the value of the service (social networking, e-mail, etc.) being traded for one’s PI?
          – Alternatively, what is the amount bid for a person’s information to get them to part with it in terms of cash?
  • Alternative measures of value (5)
      • “Trust” value
          – If it costs a bank $y per loan application done online – versus $x in a bricks-and-mortar setting
          – The value of trust in using a website means a $x-y savings per transaction…
          – Conversely, lack of trust means bearing $x-y additional costs unnecessarily
  • Alternative measures of value (6)
      • “Theft” or criminal enterprise value:
          – Symantec’s Internet Security Threat Report, vol. XIV
  • Organizational Implication
      • This conversation needs to be with your CFO:
          – Is this asset valued appropriately?
          – Protected appropriately?
          – Insured?
          – Depreciated?
      • With your CIO:
          – Do we know how PI is managed through its lifecycle?
  • Policy Implications
      • Privacy Notices
          – Is notice sufficient – or a contract unread?
          – Is reasonableness more important?
          – Is a social contract or bill of rights better to establish a ‘standard contract’?
  • Implications for Accountability – to the business
      • Protecting PI means protecting the currency of individuals from ‘debasement’ of their currency
          – Data losses, identity theft are all debasing the currency
          – Individuals lose value of what they hope to trade
          – Means a loss in asset value to the organization
  • Conclusions?
      • This is not to suggest there is one way to measure the value of PI
      • This will vary by the nature of the PI, the business, and its uses
      • It does suggest however a persuasive way to get organizations to see management of PI in a different light