When Ransomware terrorists know the value of data why not Accountants?

Data was called “Oil” because it was recognized as having immense value to the business. There are organizations where data is a by product and there are also organizations where data is the finished product.

Whenever a ransomware attacker demands a ransom of Rs 10 lakhs or Rs 100 crores, he has a perception of a value for the data. Most often the companies agree to pay the extortion amount which vindicates the value placed on the data by the attackers. Some companies may look at the “Opportunity Cost” of not agreeing to pay the extortion after which the attackers may release the data in the dark web. Some attackers actually auction the data in the dark web or sell it at a fixed price and there are people who are willing to buy.

According to international studies value of data in the dark web may vary if it is a simple name and e-mail data vs sensitive data like finance data or health data. If a data set is current with verified information and contains data such as credit card information with CVV, the value of each set of data could be substantial .

In the recent case of NCLT declaring Net4India as “Insolvent”, it was obvious that the judges had not  recognized the value of data in the possession of the company before declaring it “Insolvent”.

Even companies who ought to know the value of data because they earn their income by processing data, often find that they are unable to take adequate security measures because the CISO or DPO is unable to convince the CFO that a certain investment is required to build compliance competency.

One of the solutions that Naavi has been demanding for a long time is that Accountants should find a way of bringing the value of data in to the balance sheet of the Company. In case the judges at NCLT had seen a Net4India balance sheet with a Data asset value of say Rs 100 crores, they would have perhaps not issued an insolvency order at all.

The accounting community today has a method for valuing Trademark, Copyright or Patent normally on the bases of “Net Present Value” of the benefits that an asset may provide over a period of next 5-10 years. Accountants value Fixed Assets with a “Depreciation” which is a reflection of the period for which an asset remains productive.

Some times, assets are valued on the basis of cost of acquisition, cost of production, market value and such other means.

Most of such valuations are not accurate. They are based on assumptions and often understate the asset value as in the case of Public Sector enterprises sitting on large tracts of land or over state the value as in the case of high tech product companies whose products have a short life time but costs may get spread out over a longer period. We see an investment company faces a sharp fall in their assets when the monsoon is delayed or a favourite political party loses an election and none of the accountants can explain why the P/E ratio of one company is only 4 or 5 where as another company have 10 times the P/E ratio.

Despite these uncertainties in valuation,  accountants still have agreed upon a valuation system, tax authorities accept certain valuation principles, Merger and Acquisition specialists strike billion dollar deals based on their valuation of tangible and intangible assets and the show goes on.

Many times the value of assets as we find in a balance sheet is on a “Going Concern” basis and the moment the organization is recognized as “Sick” the value of assets plummet.

It is therefore strange that when we speak of “Value of Data” being shown in the books of account, some accountants think it is a bizarre thought and refuse to be drawn even into a discussion.

FDPPI (Foundation of Data Protection Professionals in India) has taken the first significant step in trying to convince accountants and corporate managers by including a standard and supporting implementation specifications in the “PDPSI” framework (Personal Data Protection Standard of India framework for assessment of compliance of data protection regulations in an enterprise).

The implementation specification no 6 of the PDPSI framework states

6. Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The implementation specification further suggests

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately)

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

Many managements may wonder why  a PDPSI audit has to comment on the data valuation policy of the Company.

But the most important reason why the “Bringing the Data Value” into the books of account is to provide “Visibility” to the asset which needs to be protected and harnessed.  If Data at some value is visible in the Manager’s dash board on a continuous basis, then it is more likely that the decision makers in the company will realize that they need to do some thing about it.  What is not visible is likely to be de-prioritized.  When the Company knows that it had a data of Rs 100 cores last quarter and it has jumped to Rs 200 crores this quarter, they will certainly ask a question to the DPO about the implications of the change in the data value.

Some accountants quickly jump and say this will enable fraudulent overvaluation of assets and therefore risky.

But what we are suggesting to start with, is that while all of us try to find an acceptable method of valuation, let the data value be represented as a “Contra Value” where it does not increase either the assets or liabilities nor  even create a “Special Reserve” as we do in the case of valuation of intangible assets such as “Goodwill” or “Trade Mark”. There is no case for accountants to refuse this suggestion so that all advantages of “Visibility” is realized without the risk of inappropriate reporting of profits.

After agreeing to bring a notional value of the data into the books of accounts, we can continue to fine tune the valuation by adopting a combination of

a) Cost based valuation

b) Market value based valuation

c) Computation of Net present value of future revenue generation

d) Accounting appreciation and depreciation based on logical factors

etc.

FDPPI has started a dialogue with the industry and has also set up an internal working group to take this concept to other industry associations.

We welcome Chartered Accountants, Chartered Valuers, Cost Accountants and other professionals to join hands with FDPPI to develop an acceptable system of valuation so that India can lead the world in this respect.

It is however realized that the solution to this problem does not lie in extending the valuation methods presently used by the industry because Data is an Asset Class which is unlike the movable or immovable assets or the actionable claims. It can neither be classified clearly with other known types of asset classifications like “Tangible” and “Intangible assets” .

I draw the attention of some of the thoughts the undersigned has already expressed through these columns such as the “Theory of Data” where we discussed the “Additive Value Hypothesis” of data.

We also enclose a distinct note on the topic which is available here.  I request professionals to go through these papers and start contributing their thoughts. We would like students to debate this in their respective institutions and come up with innovative thoughts.

But it is essential to realize that the valuation methodology of data has to be led by “Data Professionals” and FDPPI therefore takes the lead to develop a proper guidance in this regard which we can take to other forums.

FDPPI has created an internal working group in this regard and would soon be working on an industry level working group across the industry to ensure that there will be a larger participation of professionals.

Naavi

(Comments welcome)

 

Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.