How Much Is Data Security Worth?
The SciTech Lawyer, Spring 2019
Personal, financial, and other types of sensitive data have become vital assets at the core of many business models, raising a critical question for organizations maintaining these types of data: How much security is enough? Analysis Group Principals Almudena Arcelus and Brian Ellman, together with Randal S. Milch, co-chair at the NYU Center for Cybersecurity, address this question in “How Much Is Data Security Worth?” Their article appeared in the Spring 2019 edition of The SciTech Lawyer, the quarterly newsletter of the American Bar Association’s Section of Science & Technology Law.
The authors propose that corporate decision makers take guidance from the world of competition regulation and apply a fact-based “rule of reason” approach to decide when to increase investment in data security. Economic theory suggests that a “rational” firm will enhance data security as long as the cost of the additional security remains less than the probabilistic cost of a breach.
To help organizations make this determination, the article discusses each component of what the authors term the “data security equation”: the cost of incremental security; the probability of a breach; and the cost of a breach. After evaluating a risk-adjusted cost of a data breach, a company can then assess the effectiveness of its data security measures relative to the risks it faces, and develop balanced options for addressing existing or potential weaknesses.