The Value of Your Personal Data – A Credit Card Number and $5 Will Buy a Cup of Coffee

Hi Everyone!  I apologize that it has been awhile since I have written.  We at Arpeggio have been fortunate to be busy the last few weeks and sometimes duty calls and requires me to push the writing aside for a bit.  Please don’t stop keeping us busy!  As it happens, we are in the eye of a hurricane of producing great client outcomes, so it provides me with the opportunity to write on a subject I have wanted to touch on for awhile – the value of personal data.

Personal data is the lifeblood of our existence, or so we are told.  When companies suffer a data breach, it’s headline news.  The status of secure (or insecure) sensitive emails is a central issue in the 2016 Presidential election.  In a bizarre cycle of history, Russian hackers have apparently compromised the information security of the Clinton campaign, casting Vladimir Putin as the 21st century’s G. Gordon Liddy, and the Internet as a virtual Watergate Hotel.  You can’t make this stuff up.

Identity theft is the cat burglary of the 21st century.  Whereas ordinary burglaries and thefts are down, due to a combination of greatly improved home and auto security (how do you hot wire a car with no key?) and the fact that many of the goods we prize are virtual, identity theft and theft of personal data has taken the place of physical theft, with data criminals ranging from dumpster divers and mailbox robbers looking for personal data by stealing discarded documents, to increasingly sophisticated phishing scams, to hackers who are safely outside of U.S. criminal jurisdiction, and probably with state backing, in at least some cases.

Amidst all of these threats, we are told to protect our information with measures ranging from playing Twister in front of an ATM so that the guy behind you can’t see your PIN, to choosing (and somehow committing to memory) online passwords that today are probably more complex than the nuclear launch codes were 20 years ago, to restricting your phone communications to using emojis, (I can’t wait for the day when I can sign a car lease with an emoji – maybe one that looks like Rich Uncle Pennybags having to pay the Poor Tax of $15.) to purchasing identity/credit monitoring services, to making sure that you only conduct online business over a wired Internet connection.  So, for those 18 people out there with Ethernet jacks in your home, you’re good (ok ok, there is Powerline technology, which I actually do use, but I’m the only one I know who does).  And if you want medical information about a family member – well, you might as well try to hack into the Federal Reserve.

In this context, it’s a fair question to ask, “Just how much is my personal data worth?”  Is it really worth the hassle (and cost) to protect it?  Well, I can’t comment on black market data, but what I can do is examine the penalties paid by companies who’s customer data was exposed.  At least, that tells us what the government thinks the data is worth.

Interestingly, according to data from Ponemon Institute and IBM, data breaches are accomplished according to the following breakdown – 50% due to criminal activity, 23% due to employee error, and 27% due to IT system glitches.

As I’m sure you are aware, medical record security is of great concern to medical providers, to insurance companies, to human resource departments.  Just how valuable is that medical data in the government’s eyes?  Here is a summary of high profile medical data breaches in recent years:

Organization Fine #/Records Value/Record Cause of Action
Alaska Department of Health and Human Services  $1,700,000  501  $3,393.21 Hard drive containing patient information was stolen from an employee’s car
Wellpoint  $1,700,000  612,402  $2.78 Hacked for social security numbers and demographic data
Concentre Health Services  $1,730,000  870  $1,988.51 Stolen unencrypted laptop with patient data
Cignet Health Center  $4,300,000  41  $104,878.05 Denied legitimate requests for patient records
NY Presbyterian Hospital/Columbia University  $4,800,000  6,800  $705.88 Insecure server due to employee error left patient data searchable by Google
Advocate Healthcare  $5,500,000  4,000,000  $1.38 Numerous HIPAA violations
Oregon Health & Science University  $2,700,000  3,000  $900.00 Failure to conduct risk analyses
Mississippi Medical Center  $2,750,000  10,000  $275.00 Gave out unencrypted laptop because someone asked to borrow it
North Memorial Healthcare of Minnesota  $1,550,000  9,500  $163.16 Failed to implement system-wide risk analysis
Triple-S Management Corp  $36,800,000  70,000  $525.71 Mailed letters to customers with their Medicare numbers visible on the outside.

While there is a wide range of per-patient values, they do seem to coalesce at under $1,000 per record.  A range of $500/$1,000 per record looks plausible.  One uncontrolled variable here is nature of the action.  Several of these actions were not breaches, but rather the discovery of inadequate protection against such breaches.  Perhaps those fines are discounted to those that would be imposed if an actual breach had occurred?  It’s hard to say.  Indeed, the largest fine per person by far was levied on a company that failed to give out data when it should have.  Still, just going by the numbers, the $500-$1,000 figure looks decent.  If your patient data was exposed, you likely aren’t going to get a lawsuit lottery ticket.  Of course, to companies, the information looks different because when data is exposed, its typically more than one customer who is at risk.

What about financially-related data?  Is personal financial data worth more or less than, or the same as medical data?  Here are a few data points (all of these were criminal breaches):

Organization Fine/Settlement #/Records Value/Record
TerraCom, Inc. and YourTel America, Inc.  $10,000,000  305,000  $32.79
TJ MAXX  $64,900,000  70,000,000  $0.93
Heartland Payment Systems  $109,100,000  130,000,000  $0.84
Home Depot  $19,500,000  50,000,000  $0.39
Sony  $15,400,000  77,000,000  $0.20
Target  $10,000,000  110,000,000  $0.09

These were all major data breaches in the last few years and, as you can see, the fines or damages per record is a mere pittance.  Granted, all the lawsuits have as yet to be settled, but, given the history, it’s hard to see these numbers go up significantly.  As far as the law is concerned, medical data is far more precious than credit card numbers.  I don’t know if that is right- or wrong-headed, but the data suggests it is reality.

Why so little value per record?  In addition to the fact that there may yet be more damages tallied, I think other elements are in play.  1.  The retail financial system depends on people believing their credit cards are absolutely secure and all players will do everything to make sure that no consumer is harmed by a breach.  If not, and people start using cash for all purchases, you’ll see a sharp contraction in consumer spending (since on-the-spot borrowing goes out the window), which will hurt retailers, consumer product manufacturers, and the card issuers far more than absorbing some bad credit card charges.  2. Sufficient backup security protocols are in place that it’s not all that easy to run up big charges on stolen credit card numbers.  

According to the 2016 Ponemon Institute/IBM report previously mentioned, the total cost of a data breach to the data holder is estimated at $221/stolen or lost record, on average. Most of those costs are accounted for by remediation costs.  Costs to fix the broken door, as it were, build a newer, stronger fence, and install better locks and alarms.  Given the relatively punitive costs versus the cost to fix the systems, one has to wonder if the fixes are overkill.  Why pay $200+ dollars to protect a record that is worth less than a buck?  The answer is reputation and confidence.  Lots of people lose if people lose faith in credit/debit cards.  Trillions of dollars of economic activity are at stake.  In effect, if a consumer data record has a value of $1, there is perhaps $200 of goodwill attached to it.  I suspect this is why the fines have been relatively low and there has been limited litigation success.  The government and the courts know that the financial motivation to protect these records is already colossal.  Further punishment is unlikely to create yet more motivation.  The success rates of class action lawsuits by consumers themselves are mixed (at best) and the law is unclear as to who bears ultimate responsibility for customer data security.

So, if your data has been breached, and you’re thinking you’re about to hit a big, legal payday, don’t quit your job just yet.  For all the agitation and fear-mongering, your personal data, especially financial, just isn’t worth that much.  But you can still use your debit card to buy that cappuccino.

It's only fair to share...Email this to someoneShare on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInShare on Reddit

One Comment

  1. Given our litigious society, and the fact that these leaks were not intentional (as far as we know),I think the fines are adequate. As you said, the hit on their goodwill is large…albeit we are no longer shocked when it happens…..so our reaction is muted.

    The email issue within the 2016 presidential race was an intentional one, as that person (we’ll leave politics out of this) knew what they were doing, and didn’t follow common sense (that’s the FBI talking, not me). That is where ‘goodwill” should take a huge hit.

Leave a Reply

Your email address will not be published. Required fields are marked *