Hi Everyone! I apologize that it has been a while since I have written. We at Arpeggio have been fortunate to be busy the last few weeks, and sometimes duty calls and requires me to push the writing aside for a bit. Please don’t stop keeping us busy! As it happens, we are in the eye of a hurricane of producing great client outcomes, so it provides me with the opportunity to write on a subject I have wanted to touch on for a while – the value of personal data.
Personal data is the lifeblood of our existence, or so we are told. When companies suffer a data breach, it’s headline news. The status of secure (or insecure) sensitive emails is a central issue in the 2016 Presidential election. In a bizarre cycle of history, Russian hackers have apparently compromised the information security of the Clinton campaign, casting Vladimir Putin as the 21st century’s G. Gordon Liddy, and the Internet as a virtual Watergate Hotel. You can’t make this stuff up.
Identity theft is the cat burglary of the 21st century. Ordinary burglaries and thefts are down, thanks to a combination of greatly improved home and auto security (how do you hot wire a car with no key?) and the fact that many of the goods we prize are virtual. Identity theft and theft of personal data have taken the place of physical theft, with data criminals ranging from dumpster divers and mailbox robbers who look for personal data in discarded documents, to increasingly sophisticated phishing scams, to hackers who sit safely outside of U.S. criminal jurisdiction, probably with state backing in at least some cases.
Amidst all of these threats, we are told to protect our information with measures ranging from playing Twister in front of an ATM so that the guy behind you can’t see your PIN, to choosing (and somehow committing to memory) online passwords that today are probably more complex than the nuclear launch codes were 20 years ago, to restricting your phone communications to emojis (I can’t wait for the day when I can sign a car lease with an emoji – maybe one that looks like Rich Uncle Pennybags having to pay the Poor Tax of $15), to purchasing identity/credit monitoring services, to making sure that you only conduct online business over a wired Internet connection. So, for those 18 people out there with Ethernet jacks in your home, you’re good (ok ok, there is Powerline technology, which I actually do use, but I’m the only one I know who does). And if you want medical information about a family member – well, you might as well try to hack into the Federal Reserve.
In this context, it’s a fair question to ask, “Just how much is my personal data worth?” Is it really worth the hassle (and cost) to protect it? Well, I can’t comment on black market data, but what I can do is examine the penalties paid by companies whose customer data was exposed. At least that tells us what the government thinks the data is worth.
Interestingly, according to data from the Ponemon Institute and IBM, the causes of data breaches break down as follows: 50% due to criminal activity, 23% due to employee error, and 27% due to IT system glitches.
As I’m sure you are aware, medical record security is of great concern to medical providers, to insurance companies, and to human resources departments. Just how valuable is that medical data in the government’s eyes? Here is a summary of high profile medical data breaches in recent years:
| Organization | Fine | # of Records | Value per Record | Cause of Action |
|---|---|---|---|---|
| Alaska Department of Health and Human Services | $1,700,000 | 501 | $3,393.21 | Hard drive containing patient information was stolen from an employee’s car |
| Wellpoint | $1,700,000 | 612,402 | $2.78 | Hacked for Social Security numbers and demographic data |
| Concentra Health Services | $1,730,000 | 870 | $1,988.51 | Stolen unencrypted laptop with patient data |
| Cignet Health Center | $4,300,000 | 41 | $104,878.05 | Denied legitimate requests for patient records |
| NY Presbyterian Hospital/Columbia University | $4,800,000 | 6,800 | $705.88 | Insecure server due to employee error left patient data searchable by Google |
| Advocate Healthcare | $5,500,000 | 4,000,000 | $1.38 | Numerous HIPAA violations |
| Oregon Health & Science University | $2,700,000 | 3,000 | $900.00 | Failure to conduct risk analyses |
| Mississippi Medical Center | $2,750,000 | 10,000 | $275.00 | Gave out unencrypted laptop because someone asked to borrow it |
| North Memorial Healthcare of Minnesota | $1,550,000 | 9,500 | $163.16 | Failed to implement system-wide risk analysis |
| Triple-S Management Corp | $36,800,000 | 70,000 | $525.71 | Mailed letters to customers with their Medicare numbers visible on the outside |
While there is a wide range of per-patient values, they do seem to coalesce at under $1,000 per record. A range of $500 to $1,000 per record looks plausible. One uncontrolled variable here is the nature of the action. Several of these actions were not breaches, but rather the discovery of inadequate protection against such breaches. Perhaps those fines are discounted relative to those that would be imposed if an actual breach had occurred? It’s hard to say. Indeed, the largest fine per person by far was levied on a company that failed to give out data when it should have. Still, just going by the numbers, the $500 to $1,000 figure looks decent. If your patient data was exposed, you likely aren’t going to get a lawsuit lottery ticket. Of course, to companies the picture looks different, because when data is exposed, it’s typically more than one customer who is at risk.
What about financially related data? Is personal financial data worth more than, less than, or the same as medical data? Here are a few data points (all of these were criminal breaches):
| Organization | Fine | # of Records | Value per Record |
|---|---|---|---|
| TerraCom, Inc. and YourTel America, Inc. | $10,000,000 | 305,000 | $32.79 |
| Heartland Payment Systems | $109,100,000 | 130,000,000 | $0.84 |
These were all major data breaches in the last few years and, as you can see, the fines or damages per record are a mere pittance. Granted, not all the lawsuits have been settled yet, but, given the history, it’s hard to see these numbers going up significantly. As far as the law is concerned, medical data is far more precious than credit card numbers. I don’t know if that is right- or wrong-headed, but the data suggests it is reality.
Why so little value per record? In addition to the fact that there may yet be more damages tallied, I think other elements are in play.

1. The retail financial system depends on people believing their credit cards are absolutely secure and that all players will do everything to make sure that no consumer is harmed by a breach. If not, and people start using cash for all purchases, you’ll see a sharp contraction in consumer spending (since on-the-spot borrowing goes out the window), which will hurt retailers, consumer product manufacturers, and the card issuers far more than absorbing some bad credit card charges.
2. Sufficient backup security protocols are in place that it’s not all that easy to run up big charges on stolen credit card numbers.
According to the 2016 Ponemon Institute/IBM report previously mentioned, the total cost of a data breach to the data holder is estimated at $221 per stolen or lost record, on average. Most of that cost is accounted for by remediation: fixing the broken door, as it were, building a newer, stronger fence, and installing better locks and alarms. Given how small the punitive costs are relative to the cost of fixing the systems, one has to wonder if the fixes are overkill. Why pay $200 or more to protect a record that is worth less than a buck? The answer is reputation and confidence. Lots of people lose if the public loses faith in credit/debit cards. Trillions of dollars of economic activity are at stake. In effect, if a consumer data record has a value of $1, there is perhaps $200 of goodwill attached to it. I suspect this is why the fines have been relatively low and there has been limited litigation success. The government and the courts know that the financial motivation to protect these records is already colossal, so further punishment is unlikely to create yet more motivation. The success rates of class action lawsuits by consumers themselves are mixed (at best), and the law is unclear as to who bears ultimate responsibility for customer data security.
So, if your data has been breached and you’re thinking you’re about to hit a big legal payday, don’t quit your job just yet. For all the agitation and fear-mongering, your personal data, especially financial data, just isn’t worth that much. But you can still use your debit card to buy that cappuccino.