The Value of PI (Not π)

Constantine Karbaliotis, J.D., CIPP/C/IT
Americas Privacy Leader
Mercer

The Value of Personal Information - IAPP Canada 2011


The Value of Personal Information - Delivered at the IAPP Canadian Privacy Summit, May 2011



Constantine Karbaliotis, Mercer

• Americas Privacy Leader, Chief Privacy Officer for the Americas
• Recently joined Mercer (July 2010), responsible for assisting Mercer in its privacy compliance program
• Previously acted as Symantec’s privacy lead managing its global privacy program
• Nine years consulting experience with small to large law firms, public legal sector as well as other public and private sector organizations
• Eight years experience in managing privacy and providing privacy advice to public and private sector clients
• Practiced law for ten years
• Called to the Bar of the Province of Ontario, 1986
• Certified Information Privacy Professional (2004), Certified Information Privacy Professional/Canada (2006), Certified Information Privacy Professional/IT (2008)


The Value of PI

•  Privacy is a human right; but there is also an aspect of ‘trading’ in our own information that makes it an asset, both in individuals’ hands and in the hands of corporations and the public sector

•  This dual nature is why we struggle with the notion of trading PI – even when we’ve traded it, we obviously retain an interest


There’s no free lunch

• So-called ‘free’ services are premised upon trading personal information for:
  – Free E-mail
  – Social networking
  – News alerts
  – Travel itineraries
  – Document sharing and collaboration
  – Business networking
  – Photo sharing
  – Music playlists
  – Dating sites


The trade in PI

•  We routinely exchange data for services, discounts, convenience because companies see value in the information we share about ourselves – we create a substantial footprint electronically every day

•  Coming soon to a browser near you: explicit exchanges of PI for money:

• Wall Street Journal: Online Privacy: Would you sell your private information to advertisers? http://blogs.wsj.com/wsjam/2011/03/08/2773/


Why do we care?

• As privacy professionals, the task is often to get organizations to take the charge of managing PI seriously…
  – Investments in a tough economy, of staff, technology, effort
  – Structuring business processes and implementing policy to foster a privacy-aware culture

•  We need to speak the language of business


Two premises

• Personal information in the hands of organizations should be treated and measured as an asset

• Personal information in the hands of individuals is currency, which can be exchanged for goods and services


Implications for Individuals

• Individuals often do not understand the value of the currency they are ‘trading’ on

• Our information is tremendously valuable – yet people give passwords up for chocolate

• We don’t appreciate the value of the currency we generate until, typically, it is lost, or used in a way we don’t appreciate or expect – until it is devalued


Implications for organizations

• So the question is, if it’s an asset, are organizations treating it the way an asset should be treated?

•  If we have not valued it appropriately, how can it be protected appropriately?


What if we treated personal information as well as we treated buses…


Alternative measures of value (1)

• Loss value:
  – $204 per record
  – $6.75 million per privacy incident
    • Ponemon Institute, 5th Annual Survey

• “Lawsuit” value:
  – Recent decision of Federal Court to award $5000 for providing inaccurate data


Alternative measures of value (2)

• What is the value of PI to the enterprise, in terms of:
  – Customer retention and trust
  – Goodwill or intangible asset
  – Royal Bank: Privacy accounts for an estimated 14% of overall Brand Value, and 7% of overall Shareholder Value - $679M and $979M respectively (2001)

• Transactional value
  – What happens when another entity wants to buy data, e.g. a professional buys another’s practice?
  – There are ways to measure the value of such information in terms of retention, revenue, goodwill


Alternative measures of value (3)

• “Meta” value:
  – Value associated with trends, statistical or aggregated information

• Target value:
  – Value associated with knowing a particular individual’s buying habits, preferences, interests


Alternative measures of value (4)

• Trade value
  – What is the value of the service (social networking, e-mail, etc.) being traded for one’s PI?
  – Alternatively, what is the amount bid for a person’s information to get them to part with it in terms of cash?


Alternative measures of value (5)

• “Trust” value
  – If it costs a bank $y per loan application done online – versus $x in a bricks-and-mortar setting
  – The value of trust in using a website means a $x-y savings per transaction…
  – Conversely, lack of trust means bearing $x-y additional costs unnecessarily


Alternative measures of value (6)

• “Theft” or criminal enterprise value:
  – Symantec’s Internet Security Threat Report, vol. XIV


Organizational Implication

• This conversation needs to be with your CFO:
  – Is this asset valued appropriately?
  – Protected appropriately?
  – Insured?
  – Depreciated?

• With your CIO:
  – Do we know how PI is managed through its lifecycle?


Policy Implications

• Privacy Notices
  – Is notice sufficient – or a contract unread?
  – Is reasonableness more important?
  – Is a social contract or bill of rights better to establish a ‘standard contract’?


Implications for Accountability – to the business

• Protecting PI means protecting the currency of individuals from ‘debasement’
  – Data losses, identity theft are all debasing the currency
  – Individuals lose value of what they hope to trade
  – Means a loss in asset value to the organization


Conclusions?

• This is not to suggest there is one way to measure the value of PI

• This will vary by the nature of the PI, the business, and its uses

• It does suggest, however, a persuasive way to get organizations to see management of PI in a different light