When it comes to personal data exposed in a breach, assessing the value of that data for class actions lawsuits is more of an art than a science.
As interest in protecting and controlling personal data has surged among consumers lately, there have been several research reports that discuss how much a person's data is worth on the dark web. Threat intelligence provider Flashpoint, for example, published research last month that said access to a U.S. bank account, or "bank log," with a $10,000 balance was worth about $25. However, the price of a package of personally identifiable information (PII) or what's known as a "fullz" is much less, according to Flashpoint; fullz for U.S. citizens that contain data such as victims' names, Social Security numbers and birth dates range between $4 and $10.
But that's the value of personal data to the black market. What's the value of personal data when it comes to class action lawsuits that seek to compensate individuals who have had their data exposed or stolen? How is the value determined? If an organization has suffered a data breach, how would it figure out how much money they might be liable for?
SearchSecurity spoke with experts in legal, infosec and privacy communities to find out more about the obstacles and approaches for assessing personal data value.
The legal perspective
John Yanchunis leads the class action department of Morgan & Morgan, a law firm based in Orlando, Fla., that has handled the plaintiff end for a number of major class action data breach lawsuits, including Equifax, Yahoo and Capital One.
The 2017 Equifax breach exposed the personal information of over 147 million people, and resulted in the credit reporting company creating a $300 million settlement fund for victims (which doesn't even account for the hundreds of millions of dollars paid to other affected parties). Yahoo, meanwhile, was hit with numerous data breaches between 2013 and 2016. In the 2013 breach, every single customer account was affected, totaling 3 billion users. Yahoo ultimately settled a class action lawsuit from customers for $117.5 million.
When it comes to determining the value of a password, W-2 form or credit card number, Yanchunis called it "an easy question but a very complex answer."
"Is all real estate in this country priced the same?" Yanchunis asked. "The answer's no. It's based on location and market conditions."
Yanchunis said dark web markets can provide some insight into the value of personal data, but there are challenges to that approach. "In large part, law enforcement now monitors all the traffic on the dark web," he said. "Criminals know that, so what are they doing? They're using different methods of marketing their product. Some sell it to other criminals who are going to use it, some put it on a shelf and wait until the dust settles so to speak, while others monetize it themselves."
As a result, several methods are used to determine the value of breached personal data for plaintiffs. "You'll see in litigation we've filed, there are experts who've monetized it through various ways in which they can evaluate the cost of passwords and other types of data," Yanchunis said. "But again, to say what it's worth today or a year ago, it really depends upon a number of those conditions that need to be evaluated in the moment."
David Berger, partner at Gibbs Law Group LLP, was also involved in the Equifax class action lawsuit and has represented plaintiffs in other data breach cases. Berger said that it was possible to assess the value of personal data, and discussed a number of damage models that have been successfully asserted in litigation to establish value.
One way is to look at the value of a piece of information to the company that was breached, he said.
"In other words, how much a company can monetize basically every kind of PII or PHI, or what they are getting in different industries and what the different revenue streams are," Berger said. "There's been relatively more attention paid to that in data breach lawsuits. That can be one measure of damages."
Another approach looks at the value of an individual's personal information to that individual. Berger explained that this can be measured in multiple different ways. In litigation, economic modeling and "fairly sophisticated economic techniques" would be employed to figure out the market value of a piece of data.
Another approach to assessing personal data value is determining the cost of what individuals need to do to protect themselves from misuse of their data, such as credit monitoring services. Berger also said "benefit-of-the-bargain" rule can also help; the legal principle dictates that a party that breaches a contract must pay the victim of the breached contract an amount in damages that puts them in the same financial position they would be in if the contract was fulfilled.
For example, Berger said, say a consumer purchases health insurance and is promised reasonable data security, but if the insurance carrier was breached then "[they] got health insurance that did not include reasonable data security. We can use those same economic modeling techniques to figure out what's the delta between what they paid for and what they actually received."
Berger also said the California Consumer Privacy Act (CCPA), which he called "the strongest privacy law in the country," will also help because it requires companies to be transparent about how they value user data.
"The regulation puts a piece on that and says, 'OK, here are eight different ways that the company can measure the value of that information.' And so we will probably soon have a bunch of situations where we can see how companies are measuring the value of data," Berger said.
The CCPA will go into effect in the state on Jan. 1 and will apply to organizations that do business in the state and either have annual gross revenues of more than $25 million; possess personal information of 50,000 or more consumers, households or devices; or generates more than half its annual revenue from selling personal information of consumers.
Security and privacy perspectives
Some security and privacy professionals are reluctant to place a dollar value on specific types of exposed or breached personal data. While some advocates have pushed the idea of valuing consumer's personal data as a commodities or goods to be purchased by enterprises, others, such as the Electronic Frontier Foundation (EFF) -- an international digital rights group founded 29 years ago in order to promote and protect internet civil liberties -- are against it.
An EFF spokesperson shared the following comment, with part of which being previously published in a July blog post titled, "Knowing the 'Value' of Our Data Won't Fix Our Privacy Problems."
"We have not discussed valuing data in the context of lawsuits, but our position on the concept of pay-for-privacy schemes is that our information should not be thought of as our property this way, to be bought and sold like a widget. Privacy is a fundamental human right. It has no price tag."
Harlan Carvey, senior threat hunter at Digital Guardian, an endpoint security and threat intelligence vendor, agreed with Yanchunis that assessing the value of personal data depends on the circumstances of each incident.
"I don't know that there's any way to reach a consensus as to the value of someone's personally identifiable data," Carvey said via email. "There's what the individual believes, what a security professional might believe (based on their experience), and what someone attempting to use it might believe."
However, he said the value of traditionally low-value or high-value data might be different depending on the situation.
"Part of me says that on the one hand, certain classes of personal data should be treated like a misdemeanor, and others like a felony. Passwords can be changed, as can credit card numbers; SSNs cannot. Not easily," Carvey said. "However, having been a boots-on-the-ground, crawling-through-the-trenches member of the incident response industry for a bit more than 20 years, I cringe when I hear or read about data that was thought to have been accessed during a breach. Even if the accounting is accurate, we never know what data someone already has in their possession. As such, what a breached company may believe is low-value data is, in reality, the last piece of the puzzle someone needed to completely steal my identity."
Jeff Pollard, vice president and principal analyst at Forrester Research, said concerns about personal data privacy have expanded beyond consumers and security and privacy professionals to the very enterprises that use and monetize such data. There may be certain kinds of personal data that can be extremely valuable to an organization, but the fear of regulatory penalties and class action lawsuits are causing some enterprises to limit the data they collect in the first place.
"Companies may look at the data and say, 'Sure, it'll make our service better, but it's not worth it' and not collect it all," Pollard said. "A lot of CISOs feel like they'll be better off in the long run."
Editor's note: This is part one of a two-part series on class action data breach lawsuits. Stay tuned for part two.
Security news director, Rob Wright, contributed to this report.