Humans have been collecting data since the dawn of time. As far back as 5000 B. C. ancient Mesopotamians made advancements in counting, money, auditing and writing – forming much of the basis for disciplines such as modern-day accounting plus other types of data and its recording. In 2400 B.C. Babylon established libraries to gather large quantities of data and represents our first attempts at mass data storage. It’s also likely that the first data loss precautions were put in place to prevent the unauthorized removal of documents from those libraries.  

A recent article estimated that 90% of all data that exists was created in the last two years and that humans generate 2.5 quintillion bytes of data every day. The staggering volume of and digital access to data and the ease by which it flows creates challenges in ensuring the appropriate use of data today.  

As mentioned in the second installment of this series, Data Liability Protection considers five distinct dimensions: Data Loss, Using Data, Sharing Data, Data Quality and Data Integrity. Each one of the dimensions has liability consequences particularly as it relates to the privacy of individuals data and intellectual property.

Notable, Modern-Day Data Protection Moments in History

In 1890, two prominent U.S. lawyers wrote “The Right to Privacy” which appeared in the Harvard Law Review. This influential article asserted that privacy was necessary for freedom. It was the first major article to advocate the right to privacy of certain personal information.  

Minimal advances were made until the middle of the 20th century when in 1948, the Universal Declaration of Human Rights included the right to privacy as being fundamental. This was followed by the U.S. Freedom of Information Act in 1967 and Privacy Act of 1974 addressing data privacy, access and security. As computers began to be used for government purposes at this time, these addressed potential abuses by the government in handling private information, including social security numbers.

Increases in computing power throughout the latter half of the 20th century drove extreme growth in our ability to collect, process and share data. As businesses found new ways to use data to drive revenue, the privacy of individuals often suffered. Piracy of digitally stored intellectual property also became a concern. This led to a series of legislative solutions designed to first establish guiding principles and more recently to create strict rules with severe penalties for organizations found to have violated these rules.

• In 1980 the global Organization for Economic Co-operation and Development issued guidelines on data protection.

• In Europe, the Data Protection Directive was created in 1995, the Directive on Privacy and Electronic Communications adopted in 2002 and the General Data Protection Regulation approved in 2016.  

• In the U.S., federal regulations include the Health Insurance Portability Act 1996, Gramm-Leach-Bliley Act 1999, and some states have in enacted their own regulations with the most recent being New York 2017 and California 2020.  

• Other countries continue to introduce new regulations at a growing rate.

In 1890 the authors of “The Right to Privacy” were unaware of future advances in technology such as computers, digital storage and the internet, and the challenges these advances would impose on data liabilities.

For instance, today a government agency can take pictures of your license plate for automated toll collection on the highway. Using a series of pictures, the speed of the vehicle along its journey can be determined. That information could be shared with law enforcement to issue speeding tickets or with insurance companies to determine risk-based insurance premiums. Most state governments in the United States have created policies defining that automated toll collection is ok but sharing that data for other purposes is a privacy violation. Government agencies must manage the data liability inherent in collecting license plate pictures or be in violation of their own policies. 

For a long time, data liability went largely unnoticed but over the past several years concerns have grown to reach a breaking point. Government regulations covering data privacy and other data-related liabilities are expanding to address those concerns and to establish a minimum acceptable baseline to which organizations must strive to comply. On top of that minimum standard, organizations must manage data liability concerns to the extent that is appropriate for their industry and expectations of their customers or they will be subject to financial, legal and reputational losses.  

As the velocity of regulations and compensatory damages continue to increase, executives, boards, managers, staff and business partners must substantially increase their level of attention on data liability to adequately meet the demands of both legislative and de facto standards Increasing regulatory requirements and fiduciary responsibilities are accelerating the need to act now. Failing to do so may result in incidents that at best are embarrassing but at worst can have catastrophic and potentially irreversible consequences including lost value and threats to the viability of the organization as a going concern.  

Given the challenges facing organizations with respect to data liability, the question is not if or when data liability incidents will occur, but rather what kinds, how many and how damaging. It is up to the organization’s leadership to recognize these challenges and take proactive steps to address the risks associated with data liability to continue to maintain the value of their organization’s data assets. 

‍About the authors:

Carl Ascenzo is a Vice President at Triverus  Consulting. His career includes leadership positions as a developer, investor, consultant and corporate customer whose current focus is on helping organizations mitigate the severe consequences of data liability.

Zach Slayton is a Founding Partner of Triverus Consulting with over 20 years of experience delivering value to business through technology.

As seen in the media, breaches resulting in data exfiltration and inaccessible data due to ransomware are forms of data loss that are fodder for sensational news. Impacts can include tarnished reputations, loss of clients and revenue, contract penalties, regulator sanctions and a decrease in market capitalization. Although less widely publicized, other forms of data liability can be just as damaging as those caused by data loss and occur in organizations every day.

As we discussed in Part 1 of this series, full data liability addresses the tangible and intangible damages caused not only by data loss but also by failures to ensure appropriate use, sharing, quality and integrity of data.

Let’s review a break-down of these concepts. 

1) Data Loss – This is the most cited form of data liability and includes physical loss, unauthorized exfiltration or inability to access data. Loss threats can come from natural hazards, accidents, or deliberate actions. Deliberate threats are villainous, premeditated actions of theft or harm from internal or external actors and are the most publicized. Accidental data loss is actually quite common, frequent, but often goes unnoticed. Regardless of the cause, regulatory sanctions and other consequences are on the rise. 

Data loss in the news:  

• Hurricane Sandy shut down or caused major interruptions to many businesses.

• Numerous government and healthcare entities have had operations severely impeded by ransomware. 

• The U.S. government fined Equifax $700M for a breach impacting 150M U.S. consumers.

• A food conglomerate struck by the NotPeyta cyberattack had a financial loss exceeding $100M.

2) Using Data – Access to data needs to be limited to those that have a need to know or perform duties, particularly for sensitive data about individuals or intellectual property. An intrinsic characteristic of data is the potential to be used to generate more opportunities than just for the intended process at hand. This has led to the collection of data that is not required for the process at hand but to be used for other purposes.     

Using data for purposes other than what the owner (individual) understood it to be used for is increasingly no longer acceptable.  

Inappropriate data usage in the news:

• The French Data Protection Agency fined Google $57M for violations of the European Union’s General Data Protection Regulation (GDPR). The finding was for lack of transparency in the collection and handling of user data for personalized advertising.

3) Sharing Data – Organizations share data externally for various legitimate purposes including collaboration, customer service, supply chain dependencies, research, marketing. Organizations are responsible not just for secure transmission of data, but often what happens to it after it has been delivered to the receiving party, which is difficult if not impossible to control.  

Another form of sharing data is selling it to others that may use it for their own benefit. Liabilities associated with selling include the right to sell and sharing the burden of resultant damages.    

Data sharing in the news: 

• The General Data Protection Regulation (GDPR) holds organizations responsible for mishandling of data and gives E.U. citizens stronger control over their personal information. If violations occur the sanctions levied can be severe and have reputational consequences. 

• In 2019, the U.S. government levied a staggering $5B fine against Facebook for violating its users’ privacy, stemming from the Cambridge Analytica scandal.

4) Data Quality – Data quality addresses whether data is fit for its intended uses. Data quality is more than just accuracy and includes attributes such as relevance and timeliness. Poor data quality leads to incorrect decisions, misleading results and wasted resources among other negative outcomes.  

Data quality in context: 

• Pharmaceutical companies track the expiration date of their therapies to ensure patients receive treatment  while the therapy is still effective. If the company inadvertently assigns an incorrect expiration date to a given dose, the patient receiving the treatment might fail to receive the full benefit of the therapy or worse. 

• Military and other high-risk operations such as nuclear power plants are critically dependent on both accuracy and timeliness in order to aptly execute offensive and defensive actions.

5) Data Integrity - Data integrity has become expected and more crucial than ever before. Data must be pristine, unchanged, traceable and must represent what it is intended to represent. The design, implementation and operation of systems and procedures which store, process, retrieve and exchange data must ensure integrity of the data it maintains. A concern that is more difficult to control is the integrity of data when it is distributed outside the system of record where it can be unintentionally or purposely changed or corrupted. 

Data integrity in context:

• The FDA requires companies to prove that clinical trial data they submit to obtain drug approval is accurate and unaltered. If the company fails to prove the integrity of trial data, FDA actions can include warning letters, fines and approval delays that can cost a company in both money and reputation. 

• Another example of integrity is the chain of custody in legal matters where the preservation and protection of digitized data in crime forensics determines if the data is admissible evidence.

When organizations fail to ensure protection and the proper use, sharing, quality and integrity of their data, they put the value of their data assets at risk. As the volume, complexity and access of data increases, so do the potential exposures for adverse events. As exposure to liabilities go up, it jeopardizes the potential net value of data as an asset.  

Next Blog: Data Liability – A Brief History of Data Liability

‍About the authors:

Carl Ascenzo is a Vice President at Triverus  Consulting. His career includes leadership positions as a developer, investor, consultant and corporate customer whose current focus is on helping organizations mitigate the severe consequences of data liability.

Zach Slayton is a Founding Partner of Triverus Consulting with over 20 years of experience delivering value to business through technology.

In today's world, data is the lifeblood of many organizations. Data is a valuable asset that helps many organizations thrive. As the value of data increases so do the risks associated with data. If left unchecked, the damages caused by inappropriate storage, handling and accountability of data can create significant business liabilities that outweigh the positive value that data otherwise brings. This trend has pushed us across the tipping point and brought us to a new age of data liability.

Historically, organizations have viewed data as an asset, focusing mostly on how data enhances an organization’s mission. This makes sense as data enables discovery and provides insights, leading to innovations and growth. Most of the focus on protecting data has been on avoiding data loss. Media attention and organizational effort has focused on topics such as security breaches, ransomware and other villainous scenarios. Data protection strategies often center on locking down the borders and keeping the bad guys out. While this is important, it is only the beginning.

In the age of data liability, organizations must address many more nuanced and sophisticated challenges such as the appropriate use, sharing, quality and integrity of data. Failures in these areas can lead to catastrophic business impacts including massive financial penalties through regulatory sanctions and contractual remedies, exposure of intellectual property causing irreparable harm, disrupted operations and significant brand damage. The impact of these liabilities can lead to potentially irreversible consequences and may even threaten the viability of the organization as a going concern.

One way to think about this is to think of data as entries on a balance sheet. If data is an asset and the risks associated with data are liabilities then we can call the balance of these two the net value of data to an organization.

As liabilities increase the net value goes down or even negative. As the organization implements strategies to reduce data liability, the net value of the asset goes up and data continues to help the organization succeed .

Unfortunately many organizations have given data liability little attention or investment even though many industry trends continue to the drive up the data liability risk. Additional outsourcing requires more sharing with partners. The use of cloud and Software-as-a-Service means volumes of sensitive data are stored outside the corporate network. Increases in remote working models and bring your own device lead to many more interactions with less manageable systems. With all of these factors and more driving up data liabilities, it is less a question of “if” an issue will occur but more a question of “how often” and “how bad will it be.”

To offset these risks, executive leadership, boards, managers, staff and business partners must take a proactive approach and substantially increase their level of attention and investment to Data Liability Protection (DLP). Through effective DLP strategies and focused attention, organizations can reduce their exposure to data liabilities and maintain a positive net value of their data and continue to leverage data to their advantage.

This series will explore these concepts in more detail and make recommendations for organizations on how to better protect themselves from data liabilities and to optimize the positive net value of their data.

Read more: Five Dimensions of Data Liability

About the authors:

Carl Ascenzo is Founder of Information and Cyber Management LLC with a career of leadership positions as a developer, investor, consultant and corporate customer whose current focus is dedicated to helping organizations mitigate the severe consequences of data liability.

Zach Slayton is a Founding Partner of Triverus Consulting with over 20 years of experience delivering value to business through technology.