The Value of Personal Information - IAPP Canada 2011
1. The Value of PI
(Not π)
Constantine Karbaliotis, J.D., CIPP/C/IT
Americas Privacy Leader
Mercer
2. Constantine Karbaliotis, Mercer
• Americas Privacy Leader, Chief Privacy Officer for the Americas
• Recently joined Mercer (July 2010), responsible for assisting Mercer in
its privacy compliance program
• Previously acted as Symantec’s privacy lead managing its global
privacy program
• Nine years' consulting experience with small to large law firms, public
legal sector as well as other public and private sector organizations
• Eight years' experience in managing privacy and providing privacy
advice to public and private sector clients
• Practiced law for ten years
• Called to the Bar of the Province of Ontario, 1986
• Certified Information Privacy Professional (2004), Certified
Information Privacy Professional/Canada (2006), Certified
Information Privacy Professional/IT (2008)
3. The Value of PI
• Privacy is a human right; but there is also
an aspect of ‘trading’ in our own
information that makes it an asset, both in
individuals’ hands and in the hands of
corporations and the public sector
• This dual nature is why we struggle with
the notion of trading PI – even when
we’ve traded it, we obviously retain an
interest
4. There’s no free lunch
• So-called ‘free’ services are premised upon
providing personal information in exchange
for:
– Free E-mail
– Social networking
– News alerts
– Travel itineraries
– Document sharing and collaboration
– Business networking
– Photo sharing
– Music playlists
– Dating sites
5. The trade in PI
• We routinely exchange data for services,
discounts, convenience because companies see
value in the information we share about ourselves
– we create a substantial footprint electronically
every day
• Coming soon to a browser near you: explicit
exchanges of PI for money:
• Wall Street Journal: Online Privacy: Would you sell
your private information to advertisers?
http://blogs.wsj.com/wsjam/2011/03/08/2773/
6. Why do we care?
• As privacy professionals, the task is often
to get organizations to take the charge of
managing PI seriously…
– Investments in a tough economy, of staff,
technology, effort
– Structuring business processes and
implementing policy to foster a privacy-aware
culture
• We need to speak the language of
business
7. Two premises
• Personal information in the hands of
organizations should be treated and
measured as an asset
• Personal information in the hands of
individuals is currency, which can be
exchanged for goods and services
8. Implications for Individuals
• Individuals often do not understand the
value of the currency they are ‘trading’ on
• Our information is tremendously valuable –
yet people give passwords up for chocolate
• We don’t appreciate the value of the
currency we generate until, typically, it is
lost, or used in a way we don’t appreciate
or expect – until it is devalued
9. Implications for organizations
• So the question is, if it’s an asset,
are organizations treating it the way
an asset should be?
• If we have not valued it
appropriately, how can it be
protected appropriately?
10. What if we treated personal information as
well as we treated buses…
11. Alternative measures of value
(1)
• Loss value:
– $204 per record
– $6.75 million per privacy incident
• Ponemon Institute, 5th Annual Survey
• “Lawsuit” value:
– Recent decision of Federal Court to
award $5000 for providing inaccurate
data
12. Alternative measures of value
(2)
• What is the value of PI to the enterprise, in
terms of:
– Customer retention and trust
– Goodwill or intangible asset
– Royal Bank: Privacy accounts for an estimated 14% of
overall Brand Value, and 7% of overall Shareholder
Value - $679M and $979M respectively (2001)
• Transactional value
– What happens when another entity wants to buy data,
e.g. a professional buys another’s practice?
– There are ways to measure the value of such
information in terms of retention, revenue, goodwill
13. Alternative measures of value
(3)
• “Meta” value:
– Value associated with trends, statistical
or aggregated information
• Target value:
– Value associated with knowing a
particular individual’s buying habits,
preferences, interests
14. Alternative measures of value
(4)
• Trade value
– What is the value of the service (social
networking, e-mail, etc.) being traded
for one’s PI?
– Alternatively, what is the amount bid for
a person’s information to get them to
part with it in terms of cash?
15. Alternative measures of value
(5)
• “Trust” value
– If it costs a bank $y per loan application
done online – versus $x in a bricks-and-
mortar setting
– The value of trust in using a website
means a $x-y savings per transaction…
– Conversely, lack of trust means bearing
$x-y additional costs unnecessarily
16. Alternative measures of value
(6)
• “Theft” or criminal enterprise value:
– Symantec’s Internet Security Threat Report,
vol. XIV
17. Organizational Implication
• This conversation needs to be with
your CFO:
– Is this asset valued appropriately?
– Protected appropriately?
– Insured?
– Depreciated?
• With your CIO:
– Do we know how PI is managed through
its lifecycle?
18. Policy Implications
• Privacy Notices
– Is notice sufficient – or a contract un-
read?
– Is reasonableness more important?
– Is a social contract or bill of rights
better to establish a ‘standard contract’?
19. Implications for Accountability
– to the business
• Protecting PI means protecting the
currency of individuals from
‘debasement’ of their currency
– Data losses, identity theft are all
debasing the currency
– Individuals lose value of what they hope
to trade
– Means a loss in asset value to the
organization
20. Conclusions?
• This is not to suggest there is one
way to measure the value of PI
• This will vary by the nature of the PI,
the business, and its uses
• It does suggest however a
persuasive way to get organizations
to see management of PI in a
different light