IT valuation of PII data shows huge variations

News by Grace Johansson

US security professionals value their personally identifiable information more than twice as much as their UK counterparts, according to a new report.

Today Trustwave released the “Value of Data Report,” a sponsored research report conducted by Quocirca. This global study includes a survey of 500 information technology (IT) decision makers in the United States, Canada, United Kingdom, Australia and Japan, examining attitudes towards the value of confidential data including: personally identifiable information (PII), payment card data, intellectual property (IP) and email.

US professionals value their PII data more than twice as much as their UK counterparts: The average per capita value (PCV) of PII in the US is US$1,820 (£1,364) versus US$843 (£632) in the UK.

Different levels of importance are placed on different data types such as PII, IP, payment card data and email: PII (47.4 percent) is given a higher priority than IP (27.6 percent), followed by payment card data (18.4 percent), with corporate email (6.6 percent) coming last.

Dramatic differences exist between the values placed on PII data by attackers, security professionals, insurers and regulators: The mean PCV placed on a PII record by cyber-criminals is US$39 (£29), compared to US$1,198 (£897) by IT professionals, US$3,211 (£2,406) for insurers and US$8,118 (£6,082) for regulators.

Industry sector influences the type of data that is given highest priority: Healthcare and hospitality sectors prioritise PII data with average scores of 3.5 and 3.4 out of 4, while industrial and IT/Communications companies rank IP as most important at 3.0 and 2.9 out of 4.

Shareholder data and patient data are the most valuable data types: Shareholder data is most highly valued by IT professionals at more than US$1,700 (£1,273) per record, followed by patient records with a mean value of more than US$1,500 (£1,123) and consumer data at just more than US$1,000 (£749) per record. Lowest ranked is contractor data, at just less than US$600 (£449) per record.

Patient data is the most rigorously risk assessed: Nearly 80 percent of organisations that see patients as their prime data subject said they had carried out a comprehensive risk assessment, more than for any other data subject. In the UK, where healthcare is largely controlled by the government through the National Health Service (NHS), this rose to 90 percent, and in the US, where regulation is tight through the Health Insurance Portability and Accountability Act (HIPAA), to 85 percent.

Certain types of PII are much less rigorously risk assessed: Contractors' and suppliers' individual PII data is less rigorously assessed than other types of PII, such as patient data. Forty-five percent of companies holding contractors' private data and 42 percent holding suppliers' data failed to conduct comprehensive risk assessments of the data.

Corporate security and risk professionals massively over-estimate the value of PII data for sale on the black market: Overall criminal resale values for PII on the black market are less than five percent of the value that enterprise security professionals estimate them to be worth. For a payment card record, security managers over-estimate the actual criminal resale value by 60 times. For a single banking record, the over-estimate is 2,000 times.

Trustwave vice president of security research Ziv Mador said in a press statement, “Today, data is one of the most valuable commodities possessed by any business. Whether that data belongs to the organisation itself, its employees, suppliers or customers, it has a duty to protect that data to best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cyber security investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018. Businesses should look to the managed security services business model so that they have the confidence that full data risk vigilance is applied to all types of confidential and valuable data by specialists in the industry.”

Bob Tarzey, senior security analyst at Quocirca and principal author of the study, said, “Data is transforming businesses in the early 21st century in the same way electricity did at the start of the 20th. For nearly all businesses their PII and IP are essential assets that are enticing targets for criminals; those storing payment card data are the most tempting target. Data subjects are becoming more aware of the value their data has to the businesses they deal with and are less forgiving when things go wrong. However, even as one data breach is eclipsed by another in the eye of the press, the regulators will continue to investigate the most serious as they are invested with more powers and the clout to issue ever greater fines.”