Five Dimensions of Data Liability

Zach Slayton
Carl Ascenzo
Data

As seen in the media, breaches resulting in data exfiltration and inaccessible data due to ransomware are forms of data loss that are fodder for sensational news. Impacts can include tarnished reputations, loss of clients and revenue, contract penalties, regulator sanctions and a decrease in market capitalization. Although less widely publicized, other forms of data liability can be just as damaging as those caused by data loss and occur in organizations every day.

As we discussed in Part 1 of this series, full data liability addresses the tangible and intangible damages caused not only by data loss but also by failures to ensure appropriate use, sharing, quality and integrity of data.

Let’s review a break-down of these concepts.

1) Data Loss – This is the most cited form of data liability and includes physical loss, unauthorized exfiltration or inability to access data. Loss threats can come from natural hazards, accidents, or deliberate actions. Deliberate threats are villainous, premeditated actions of theft or harm from internal or external actors and are the most publicized. Accidental data loss is actually quite common, frequent, but often goes unnoticed. Regardless of the cause, regulatory sanctions and other consequences are on the rise.

Data loss in the news:  

  • Hurricane Sandy shut down or caused major interruptions to many businesses.
  • Numerous government and healthcare entities have had operations severely impeded by ransomware.  
  • The U.S. government fined Equifax $700M for a breach impacting 150M U.S. consumers.
  • A food conglomerate struck by the NotPeyta cyberattack had a financial loss exceeding $100M.  

2) Using Data – Access to data needs to be limited to those that have a need to know or perform duties, particularly for sensitive data about individuals or intellectual property. An intrinsic characteristic of data is the potential to be used to generate more opportunities than just for the intended process at hand. This has led to the collection of data that is not required for the process at hand but to be used for other purposes.    

Using data for purposes other than what the owner (individual) understood it to be used for is increasingly no longer acceptable.  

Inappropriate data usage in the news:

  • The French Data Protection Agency fined Google $57M for violations of the European Union’s General Data Protection Regulation (GDPR). The finding was for lack of transparency in the collection and handling of user data for personalized advertising.

3) Sharing Data – Organizations share data externally for various legitimate purposes including collaboration, customer service, supply chain dependencies, research, marketing. Organizations are responsible not just for secure transmission of data, but often what happens to it after it has been delivered to the receiving party, which is difficult if not impossible to control.  

Another form of sharing data is selling it to others that may use it for their own benefit. Liabilities associated with selling include the right to sell and sharing the burden of resultant damages.    

Data sharing in the news:

  • The General Data Protection Regulation (GDPR) holds organizations responsible for mishandling of data and gives E.U. citizens stronger control over their personal information. If violations occur the sanctions levied can be severe and have reputational consequences.  
  • In 2019, the U.S. government levied a staggering $5B fine against Facebook for violating its users’ privacy, stemming from the Cambridge Analytica scandal.

4) Data Quality – Data quality addresses whether data is fit for its intended uses. Data quality is more than just accuracy and includes attributes such as relevance and timeliness. Poor data quality leads to incorrect decisions, misleading results and wasted resources among other negative outcomes.  

Data quality in context:

  • Pharmaceutical companies track the expiration date of their therapies to ensure patients receive treatment  while the therapy is still effective. If the company inadvertently assigns an incorrect expiration date to a given dose, the patient receiving the treatment might fail to receive the full benefit of the therapy or worse.  
  • Military and other high-risk operations such as nuclear power plants are critically dependent on both accuracy and timeliness in order to aptly execute offensive and defensive actions.

5) Data Integrity - Data integrity has become expected and more crucial than ever before. Data must be pristine, unchanged, traceable and must represent what it is intended to represent. The design, implementation and operation of systems and procedures which store, process, retrieve and exchange data must ensure integrity of the data it maintains. A concern that is more difficult to control is the integrity of data when it is distributed outside the system of record where it can be unintentionally or purposely changed or corrupted.

Data integrity in context:

  • The FDA requires companies to prove that clinical trial data they submit to obtain drug approval is accurate and unaltered. If the company fails to prove the integrity of trial data, FDA actions can include warning letters, fines and approval delays that can cost a company in both money and reputation.  
  • Another example of integrity is the chain of custody in legal matters where the preservation and protection of digitized data in crime forensics determines if the data is admissible evidence.

When organizations fail to ensure protection and the proper use, sharing, quality and integrity of their data, they put the value of their data assets at risk. As the volume, complexity and access of data increases, so do the potential exposures for adverse events. As exposure to liabilities go up, it jeopardizes the potential net value of data as an asset.  

Next Blog: Data Liability – A Brief History of Data Liability

About the authors:

Zach Slayton is a Founding Partner of Triverus Consulting with over 20 years of experience delivering value to business through technology.

Carl Ascenzo is a Vice President at Triverus Consulting. His career includes leadership positions as a developer, investor, consultant and corporate customer whose current focus is on helping organizations mitigate the severe consequences of data liability.