Today’s most valuable currency is data. Breaches, information operations, analytics and behavior recognition are all driven by data and the desire to possess it, regardless of what those who possess it want to do with it. We set out to answer the question “What kind of data costs the most in a breach?” As it happens, that’s a complicated question. We’ll need to factor in many variables depending on the specifics of your business.

Want to generate some revenue? You need some data to create a business plan, develop intellectual property and conduct a sales campaign. Want to commit a crime? Lock up some data, hold it for ransom and prey on the emotions of the owner. Want to stir up some geopolitical tensions? Manipulate some code to disrupt an industry.

Every one of these acts comes downstream from data generation, regardless of its origin or type: personal information, health information, intellectual property, financial – you name it, the list goes on and on.  

Think about it: if you have no data, there is likely no cost to you. Conversely, without data, you can’t generate a return, honest or illicit. Therefore, it’s important to remember the life cycle of data, from inception to destruction. The steps along the life cycle allow you to determine what the costs of a breach may be to you. 

What Determines Value?

In the movie “Indiana Jones and The Raiders of the Lost Ark,” Indy’s nemesis, Belloq, pulls out a pocket watch and says: “It’s worthless. Ten dollars from a vendor in the street. But I take it, I bury it in the sand for a thousand years, it becomes priceless … like the Ark. Men will kill for it. Men like you and me.” 

In this case, the value of the pocket watch is derived from the passage of time and its anticipated future scarcity. Those factors drive value.

If you are not looking at the factors that drive value, you will likely misjudge the value of the data you could lose during a breach, in either direction (too high or too low). Within your operation, value may be derived through customer data, trade secrets, policy documents or business plans. Figuring out that value is a crucial first step.

Don’t miss this boat. Everything downstream will likely be incorrect if the initial valuation is incorrect. 

Who Determines Value?

Another key factor drives value: who is setting it? The exact same data set may be of extreme value to you, but utterly meaningless to me. After all, one person’s trash is another person’s wealth. Keep in mind a third party may be setting the price, too. For example, a regulator might deem certain types of data to hold some inherent or increased value (or risk). Depending on which industry you operate in, you may be bound by it. In your mind, you may not see the data as valuable. However, a governing agency may state that if you want to do business in this field you need to protect that data. 

What is the Value to You?

Of course, personal data has been a big juicy target for most of the major breaches recorded, but whether it has been the most costly is unknown. Many of the organizations that suffered these breaches are still up and running today. Larger groups can generally replace some personnel who take the fall and reach a settlement, even when millions of records are involved. But a smaller company, which may be responsible for less data being breached, has a greater likelihood of going out of business if there are disruptions to cash flows or legal bills it can’t cover. That’s just one more factor that drives valuation.

In the end, you cannot determine the cost of a breach without knowing the drivers that determine value. And that is only the first step. 

What’s in Your Vault?

Assume for a moment that you have been able to determine, with high confidence, what drives value. Now, the important action item is knowing if you hold that valuable data. Think of these three states:

  • Known knowns: I know what type of data I hold, and I know where it is.
  • Known unknowns: I know what type of data I hold, but I don’t know where it is.
  • Unknown unknowns: I don’t know what type of data I hold, so I can’t know where it is.

See the problem? Data discovery and classification are very important for determining the cost of a breach. There are multiple proactive steps you can take once you have determined value, classification and location. Here is just a small list of some of the benefits:

  • You can plan your infrastructure and architecture around data requirements, such as jurisdictional requirements, provenance, residence, segmentation compliance and so on.
  • It is easier to follow requirements for encryption standards, access controls and group policies.
  • You know which response actions and requirements apply, for example financial disclosures versus personal health information disclosures. Remember, part of the cost of a breach is the expertise you will require to respond. You might need a privacy lawyer, a Securities and Exchange Commission specialist or somebody familiar with regulations.
  • You gain the ability to perform quantitative risk calculations. (For example, if I hold this type of data in this region, and it is breached and I lose x amount of records, the anticipated cost will be y.)
  • Be aware of backup and restoration needs, which will drive recovery strategy planning.

Simply put, you cannot determine the impact – or the cost – of a breach unless you know what factors feed into that. But once you do, your downstream actions end up being a whole lot easier. 

Who Discovers and Maintains What’s in the Vault?

If there was ever a team game in data classification and handling, it is data discovery and maintenance. The legal, finance and R&D teams may tell you what is valuable and what is a liability to hold or to lose. The security and developer teams may tell you how and where to protect the valuable data. The risk, resilience and incident response teams will likely be the ones who tell you what has been impacted by the breach. The infrastructure and compliance teams may be the ones determining what needs to be off-boarded, destroyed or maintained, both as a natural course of business and because data storage comes at its own cost.

What does it all mean? Simple: know your business. There is no single sweeping answer here. Just like ‘the best food’ is the food you like best, the most costly data is the type that is most costly to you. 
