Facebook sued for mass UK data protection failureby
As Facebook faces a mass privacy claim for another data protection failure, data continues to be valued as the new oil. Bill Mew sets out to define the literal value data.
A collection of priceless artworks will have a significant nominal value. But only at auction will you find its physical value. You could monetise the collection by charging admission for an exhibition exhibiting, but any income will be offset by security and insurance.
In an era where data is depicted as the ‘New Oil’, it is undoubtedly among an organisation’s most valuable assets. However, its value is nominal unless valued as part of M&A negotiations, at which point it depends on how much someone is willing to pay for it.
And in the meantime, you face the cost of managing and protecting it – with overheads like data security, compliance and cyber insurance.
Mass legal action against Facebook for data protection failure
In what the UK Information Commissioner’s Office (ICO) described as “a very serious data incident”, Facebook had permitted thisisyourdigitallife app to harvest the personal information, not only from the users of the app, but also from all their Facebook friends – none of whom had given consent.
Facebook’s clear failure to protect its users’ data will put the focus on damage value suffered by clients and the data compromised.
This is a relatively new area for litigation. In a test case, Which? director Richard Lloyd brought a case against Google, which was initially thrown out by the High Court. This was then overturned on appeal. Lloyd versus Google consequently established the principle that personal data had value and that clients could bring a representative action for damages in the event of its misuse or loss (effectively the loss of control of their personal data).
The Supreme Court will have the final say on this case in April, and if the ruling is upheld (as expected), it could open the flood gates to many further similar claims.
What is data worth as an asset?
There are volumes of management theories assigning competitive advantage to data driven organisations over their counterparts, but few prescribe an exact value to data. Data is only as useful as the insights that can be gained from it and this may be subjective and dependent on context.
Production or financial data can be used to refine processes and increase efficiency. Customer data can be used to gain insight into customer buying behaviour and can also be used to calculate a LifeTime Value (LTV) for each customer. LTV, however, describes the potential value of the business with the customer and not the actual value of any data held that directly relates to the customer. Value can also be ascribed to other intangible assets like brands in terms of loyalty and awareness - so why not to data as well.
As AI becomes more widely adopted, there will not only be value inherent in algorithms as intellectual property (IP), but also in the underlying data volumes as assets. Such IP needs to be protected as much as any work of art as does the related data that it depends on.
It is only worth what people are willing to pay for it
Value will ultimately be assessed during any M&A process, but could well also be distorted during this very process. The addressable market for the combined organisation may well increase the value of customer data or you may be able to provide a broader set of products or services to each client thus increasing LTV. At the same time though product lines may be merged and brands eliminated.
What is data worth as a liability?
If data is the new oil, then it needs to be handled with care. While valuable when contained, it can be expensive to clear up if there is an oil spill. In this respect, it may be more like nuclear fuel – to be handled with extreme care, because if spilt it can result in catastrophe.
While regulatory sanctions for cyber incidents have been far lower than expected – both BA and Marriott had the ICO fines slashed. Reputational damage and litigation remain significant risks – both BA and Marriott have had claims lodged against them.
The Supreme Court ruling in the Lloyd versus Google case is expected to rule on whether a “uniform per capita” amount of compensation can be awarded for the “loss of control” of personal data. This would have implications for organisations like Google and Facebook whose business models are built on exploiting data.
It may well also have implications for firms that don’t, although there will be a difference between those that were careless or negligent and those that acted responsibly and complied with their obligations, but were simply unfortunate to be hacked. Exactly what the level of such compensation will depend on the exact circumstances in each case.
If you find yourself in the unfortunate position of facing a data privacy claim then your ability to refute accusations of carelessness or negligence will depend on decisions and actions that you are taking right now.
You will need to be able to answer tough questions:
What cybersecurity protections you put in place and whether these were independently tested? You will need to justify how risks were evaluated and why you believed that cyber protection and detection measures were appropriate and adequate.
What training and rules you provided to staff and how these rules were enforced? You will need to show how seriously data protection was taken across your organisation.
What privacy and security policies you applied and whether you had sought independent expert advice? Seeking expert advice is a key requirement in the ICO guidance and other ISO regulations.
Whether you tested your systems and your ability to respond to incidents with proper immersive simulation exercises? You must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational cybersecurity measures
Whether all of this was delegated by senior management or whether they were actively involved? Board members, who could be individually liable, will need to show that they discharged their responsibilities appropriately.
Even organisations with a cybersecurity strategy and ISO 27001 certification have had breaches and have faced class-action lawsuits. Regulators will require evidence that risks had been properly evaluated and that reasonable processes and defences were not only in place, but that they had also been tested.
As you consider your risk appetite – see these 15 data Privacy Day tips to help you do so – think about how you might defend your decisions and actions in court, because one day you may need to do so. And legal action isn’t only being taken against organizations, decision makers and board members are being held individually liable too.
If data is indeed your greatest asset then why would senior management not be actively involved in its protection? And if a cyber incident could turn it into an enormous potential liability then why would they not be equally interested in making sure that there is a well-developed and well-tested cybersecurity strategy that could form the basis for any legally defensible narrative - if necessary.
You might also be interested in
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...