Several weeks ago I started a series of blog posts introducing five different types of data valuation business processes. The diagram below depicted each process:
During this series of posts I highlighted some of the research findings discovered by Dr. Jim Short (San Diego Supercomputer Center). Jim and I have been studying the industry as part of a joint research project. One interesting output of the research is the variety of ways valuation is currently occuring in the industry. For example, data valuation can occur....
- ...during Mergers and Acquisitions. One recent example is LinkedIn's acquisition of Lynda.com, which was primarily fueled by Lynda.com's video assets.
- ...as part of asset valuation during a bankruptcy. One salient example is the bankruptcy proceedings of Caesar's Palace.
- ...when a company attempts to generate additional revenue from their data assets. A great example of a company that turned data into revenue is 23andMe.
- ...in response to a company receiving a payment for the sale of a data asset. Tesco's sale of dunnhumby is a good example.
In this post I'd like to focus on a fifth form of valuation: data insurance. This form of valuation is particularly interesting to me for two reasons:
- It requires a 3rd party (the insurer) to perform a value assessment as well as a risk assessment.
- IT infrastructure and related tools can play a large role in this form of valuation because of the relationship between risk assessment and data protection.
Dr. Short has performed interviews indicating that the data insurance market is growing quickly into a multi-billion dollar opportunity for insurers. There are many use cases to study in this field; I chose a local use case from a recent Boston Globe article that mentions an example of an insurer (Liberty Mutual) and insured (TJX).
The title of the article was More Firms Buying Insurance for Data Breaches. In addition to mentioning insurers like Liberty Mutual, it listed a number of companies that have undergone high profile breaches, such as Sony, TJX, Target, and South Shore Hospital. Specifically, the article stated the following:
When hackers broke into TJX Cos., the owner of TJ Maxx and Marshalls, and stole about 46 million customer credit and debit card numbers, the Framingham company estimated the breach would cost it at least $180 million. The breach of Sony Corp.’s video game online network in 2011 led to the theft of names, addresses, and credit card data belonging to about 100 million users. The hit to Sony: an estimated $171 million.
For TJX, an estimate of 180 million dollars on 46 million records means that each customer entry had a value of over $4 per record. If an insurer had come into the company before the breach and attempted to create a policy that would provide renumeration, how would the value be calculated? It's a difficult problem to solve, especially for breaches. The article also went on to quote Ponemon institute:
The average cost of a data theft in 2012 was $188 per customer account, according to a recent study by the Ponemon Institute, a Michigan-based independent research center focused on privacy and information security. While the mega-breaches tend to grab headlines, more common data losses involve fewer than 100,000 customer records. But even these smaller breaches can be costly, averaging $5.4 million in 2012.
Sales of Liberty Mutual cyber-insurance policies, according to the article, jumped 30 percent from 2013 to 2014.
This ongoing data valuation research is yielding a set of recommendations that suggest five strategies for corporations to Architect for Value.
I've also spent a good deal of time blogging about the phases of building IT architectures that support automated valuation frameworks.
Please contact me if your corporation would be interested in learning more about the topic of data valuation.