What is the value of Educational data which is 40 years old?

In the recently reported data breach penalty issue in South Korea, Ewha Women’s University server was hacked and more than 80000 data sets are reported to have been leaked.

According to the University, data was related to the students who had entered the school from 1982-2002 and included names, resident registration numbers, phone numbers, email, home address and school records.

The penalty imposed by the PIPC (Data Regulatory Authority of South Korea) was approximately $250000. The cost of the data compromise was therefore estimated at around $3 per data set.

The penalty was a deterrent for not securing the data and not the value of the data itself. However, we can presume that the penalty should have some reasonable relationship to the value of the asset compromised and the loss cumulatively suffered by the data owners.

Since data protection authorities are accepting “Reasonable Security” as a principle, the data controllers/fiduciaries also should expect that the fines are “Reasonable”.

I am not sure if 20-40 year old student data (University claims that the grading data was not compromised) was worth anything close to the value of the fine. But unfortunately there is no valuation guideline with which we can challenge the fine.

When the Indian DPB considers any fine for non-compliance with DPDPA, we will be debating in greater depth whether the penalty amount was “Reasonable”.

If we assume that a similar compromise of data had occurred in an Indian University, what would be the value of the data? It would be almost zero. Hence the penalty should be only nominal and should not be more than, say, Rs 1 per data set lost.

If industry does not move in to develop some norms for data valuation, they will have to face situations where the notional value of data compromised assumed by the DPB may be unrealistically high.

Naavi has been suggesting that every data fiduciary should have a valuation for its data assets, and this is one of the requirements under DGPSI. If there were documentation within the organization that the value of such student data depreciates year after year, there would be some base value to discuss with the regulators under the “Voluntary Undertaking” discussions.

Even the Insurance companies need such valuation guidelines to fix a premium or settle a claim.

I would like readers to check the Data Valuation Standard of India (DVSI) for preliminary concepts of personal data valuation.

In the instant case of an educational institution where students enrol for a course of, say, 5 years, the data set related to a student may carry one basic value for the duration of the course, during which the data gets enriched with grading, performance, extracurricular achievements, etc., and finally the certificate of graduation. The value therefore keeps appreciating through the years until around 2-3 years after graduation, after which it should start depreciating. By 20 years the value should be very low, and by 40 years, assuming that even the working life of the student has ended, the data is almost worthless.

The institution can store the data in two sets: one containing the demographic data filed at the time of admission (which is the data compromised in the Ewha case), and a second representing the data added during the course by the institution (on which it may have some rights of creation). The demographic data does not appreciate and only depreciates right from the first year, since the address, email and phone number may all change over time. The grading data may be considered more valuable and also sensitive; it accumulates year after year until the final graduation certificate, thereafter stagnates for some time, and starts depreciating later.

Hence the personal data valuation system applicable in such cases is complicated but is not beyond our capability of computation.

I urge the industry and the community to start thinking in this direction.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.