Operationalizing Privacy Protection through Data Capitalization
By Pow Chang | March 16, 2022
Many companies have emerged to provide software-as-a-service (SaaS) in the last two decades. They harvested massive datasets and aggregated the dataset into high-value service products. The primary business model of these data-centric organizations is to design and build a digital platform, where data and information are primary assets to the organization to generate revenue perpetually. These types of data-centric companies such as Facebook, Twitter, Netflix, Amazon have harvested millions of Petabytes of the data subject as such PII (personally identifiable data) data. Since this valuable data collected on their platforms are the assets and tools to generate future cash flow, it is in their best interests to protect these data, furthermore, ensure and comply with privacy regulations such as GDPR and CCPA. Public wants to hold these companies accountable for privacy protection [2], stakeholders would want to have this data be capitalized as tangible assets in the collection and storage process to ensure financial integrity and good data governance.
There are a few plausible reasons for capitalizing PII data in the balance sheet to operationalize data privacy: first, this serves as a proxy for privacy protection; capitalized PII is reflected in the financial statement and subject to scrutinization and auditing process every quarter by professional auditors. In the current practice, companies usually expense out the data acquisition cost even though the data has a significant impact on their future cash flow. Expensing the acquisition cost does not capture the intrinsic value and physical presence of the PII in their book. According to the Ponemon Institute’s 2020 “Cost of Data Breach Study”, the average cost per compromised record for PII is $175 as compared to the Intellectual Property loss of $151 [8]. Capitalized data does not equal replacing data acquisition costs; it adds the tangible asset component to validate the existence of the PII.
Second, there is no practical way to quantify the actual loss and degree of damage in any data breach harms [7]. One good example will be the case of Equifax, on September 7, 2017, Equifax announced that they lost the personal information of over 140 million consumers from its network in a catastrophic data breach [3], including people’s social security numbers, driver’s license numbers, email addresses, and credit card information. Even though Equifax settled the data breach and agreed to pay $1.38 billion, which includes $1 billion in security upgrades. For customers’ data that has been compromised, the customer could be entitled to up to $20,000 claims of damage. However, this claims process puts the onus on the consumer to justify that they deserve that. If Equifax had capitalized PII on its book, this could provide a detailed assessment of damage and budget planning for security technology expenditure to safeguard the PII assets.
Third, since capitalized data is captured in the book, the audit and transparency could prevent any potential poor corporate governance and dishonest culture that nurture severe conflicts of interests or even unethical behavior, such as the case of Facebook – Cambridge Analytica [4]. All the assets are subject to matching their equivalent market value. It could be impaired or appreciated. In either case, the company must have a plausible explanation to adjust and to reflect any incident materially affects the underlying fundamental of its business. For instance, Target paid $18.5M for the 2013 data breach that affected 41 million consumers [5]. This settlement amount could have been much more considerable higher and revealed the millions of consumers’ actual loss if they captured PII records in the financial statement.
There are still many studies to understand the implication of using data capitalization as a proxy for boosting privacy protection. Privacy dimension [6] provides a comprehensive list of privacy dimensions and attributes; this is a framework could define the construct of the data to be capitalized. To operationalize privacy is to protect the vulnerable group and create a fair system, these organizations reap the profit, but customers are the one to bear the cost in the long term. This does not align with the Belmont Report’s Principle of Justice – fairness in distribution [9]. Most data breaches were due to poor internal security control, people factors, overdue patches, and known application vulnerabilities. The cost suffered by the consumer is colossal and could never be adequately estimated unless PII data is capitalized as tangible asset.
References:
[1] https://www.cnbc.com/2019/07/25/how-to-claim-your-compensation-from-the-equifax-data-breach-settlement.html
[2] Nicholas Diakopoulos. Accountability in Algorithmic Decision Making. Communications of the ACM, February 2016, Vol. 59 No. 2, Pages 56-62. https://cacm.acm.org/magazines/2016/2/197421-accountability-in-algorithmic-decision-making/fulltext
[3] https://www.inc.com/maria-aspan/equifax-data-breach-worst-ever.html
[4] https://www.wired.com/story/cambridge-analytica-facebook-privacy-awakening/
[5] https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/
[6] Deirdre K. Mulligan, C. K. (2016). Privacy is an essentially contested concept: a multi- dimensional analytic for mapping privacy. The Royal Society Publishing, 374.
[7] Solove, D. J. (2005). A Taxonomy of Privacy. GWU Law School Public Law Research Paper No. 129, 477.
[8] https://www.ponemon.org/
[9] The Belmont Report: What is it and how does it relate to today’s clinical trials?
Department of Health, E. a. (1979, 4 18). The Belmont Report.
[10] Pictures source: pixabay.com