We all use the term “Data is an Asset” and many companies have structured their business around data analytics. But very few companies have developed a method with which we can value the data and represent it in our disclosed financial accounts.
Whenever a data breach is reported, we speak in terms of the number of data sets lost and the nature of data lost such as whether they contain financial data, health data, credit card information, biometrics, or e-mail address or mobile number etc. But we often forget to say the financial value of data that was compromised. Also we donot know how to calculate the depreciation in the value of the data asset on account of its compromise of confidentiality or exfiltration and re-sale to another competitor.
In ransomware cases, we have a “Ransom demand” which is an indication of how much a thief is expecting as the value of the data he has stolen. When the same data is made available on the dark web, we get another value perception the data set.
When confronted with a ransom demand, many members of the Board of Directors may be surprised to know that there was actually so much of valuable data within their organization worth stealing and being bought and sold in the dark web.
For example, in the recent Air India-SITA PSS data breach, 45 lakh full data sets that contained the Name, Date of birth, Contact Information, Passport information, ticket information, frequent flyer data and credit card data (without CVV) were supposed to have been lost or compromised.
In the Jubilant Foods (Domino’s Pizza), 18 crore order information and 1 crore credit card data consisting of information such as Name, Mobile Number, E Mail address, location, payment data etc were supposed to have been lost. In the dark web these were offered for sale for Rs 4.5 crore.
According to this Forbes Article PrivacyAffairs.com created an index of the averge prices for a range of specific products in the Digital Chor bazaar called Dark Web. According to this report, a full set of data was valued at $1010, online banking log ins cost an average of $40, credit card data about $14 to 30. There was also a difference in the value of credit cards of different countries. For example US credit card data was valued at $17 while Israeli credit card data was valued at $65.
There are many data breach statistical surveys where data breaches have been valued from the perception of the loss suffered by an organization on account of the data breach. According to a detailed survey of dataprivacymanager.net,and the Ponemon data breach report the average cost per data lost was $150/-
Does this mean that the cost of 45 lakh data lost by Air India-SITA PSS was around Rs 4725 crores as per Ponemon study or around Rs 33000 crores as per Forbes report?.
There are also studies which look at the total data sets owned by companies like Facebook or Google and compare it with the market capitalization and try to arrive at a valuation of data elements owned by them.
While we may not come to an agreement on the amount over this wide range, all of us agree that there has been a loss which could be substantial.
It is time for us to therefore think of some method through which we can bring a value of data to the balance sheet of a company so that there is “Visibility” to the value of the data owned.
In every balance sheet view, the directors should recognize that there is data asset in the company worth a few thousand crores and they need to keep asking questions of the operating executives how is this asset protected and beneficially used.
Coming from the Banking background, the undersigned is used to seeing “Contra” entries in the balance sheet of Banks where “Contingent Liabilities” are represented both on the asset side and the liabilities side. In such representation we have no impact on the profit of the organization but there is a value in the balance sheet as an asset or liability that everyone can see. If a Bank has signed guarantees worth say Rs 100 crores, it is a liability that may arise at some point of time in future and hence has to be represented as a liability. But it may also never arise because the contingency may not fructify or is recoverable from the client. So a contra entry is shown as an asset.
I had once worked out an entire Broking Software architecture based on the financial principle of double entry book keeping with each stage of processing such as order booking, order execution, delivery of security etc in terms of liability and asset transactions so that the liability in progress gets reflected in the books of account.
Presently therefore I have tried to develop a methodology for valuation of data and bringing it to the books of account. The methodology tentatively called “Naavi’s Data Valuation Model” tries to suggest a method for valuing Personal data for the purpose of bringing it to the balance sheet.
Some time back the undersigned discussed the “Theory of Data” in which the difficulty of assigning ownership for “Value Addition” to data during the life cycle of its processing was discussed as “Additive value hypothesis” . On a similar consideration the Naavi’s Data Valuation method contains some suggestions on how personal data can be valued. It is a paper under development and the first version of the same is available here.
FDPPI has constituted a Special Working Group to discuss the suggestions and the PDP Codes Committee of FDPPI will develop a code of practice that will guide organizations on a method of valuation. It may be recalled that PDPSI framework for audit of PDP-CMS (Personal Data Protection Standard of India framework for audit of Personal Data Protection Compliance Management System) adopts a model implementation specification that requires provision of visibility to the value of data held by an organization.
When the report is finalized it will be released for comments from the public. In the meantime, comments based on the Naavi’s initial suggestions are welcome.
While an acceptable method of absolute valuation has to come from an organization such as the ICAI, individual organizations can take their decisions on bringing out approximate representations either as contra entries in the balance sheet or as accountant’s foot note to the audit report or at least as a part of the Director’s report. PDPSI tries to drive companies towards this.
In particular, we invite the views of the Chartered Accountants and the office bearers of ICAI in this regard.