Why the Privacy Crisis is Just the Tip of the Knowledge Asset Crisis

1. Privacy is a much bigger deal now than Scott McNealy ever thought it would be.

Privacy literally went from the basement to the boardroom over the last few years, and is now reportedly the top regulatory concern for general counsels (and boards). Even more importantly, regulatory and compliance issues do not even rise to the top of the privacy and cybersecurity worries, with customer privacy, “unknown and unidentified risks” and “undetected breaches” among the top concerns:

Source of the above two graphs: Grant Thornton LLP 2014 Corporate General Counsel Survey, conducted by American Lawyer Media

2. But privacy will soon be the least of your information risk management worries.

In this post, you will come to see why the apparent privacy crisis is really just the tip of the information risk iceberg. The elevation of privacy concerns parallels and draws on a bigger and longer-term trend: the ever-increasing valuation of databases, trade secrets and IP. We call those knowledge assets.

As you may know, intangible assets generally represent about 3/4 of corporate market value, and knowledge assets generally represent about 2/3 of the value of intangible assets now. Another way to look at that is you have the first quarter of organizational value that is tangible assets, then the intangibles that are brand and employee competencies make up a third of the rest, and that leaves knowledge assets as about 1/2 of the value of all corporate assets:

For many organizations, knowledge assets are already a bigger overall business issue than privacy and cybersecurity are a risk issue. Knowledge assets as a percentage of market value have always varied substantially by industry:

Source: Kevin A. Hassett and Robert J. Shapiro, “What Ideas Are Worth: The Value of Intellectual Capital and Intangible Assets in the American Economy,” Sonecon, September, 2011. Based on 2009 industry data from the Bureau of Economic Analysis. These numbers are of course dynamic; with smart grid, for example, utilities are rocketing upward in percentage of knowledge assets.

The arc of information security has been tracking the increasing focus on knowledge assets. Gone are the days when organizations could treat data security as principally a compliance issue with a privacy regulatory structure such as HIPAA, GLBA, or EU data protection, or regard its principal focus as preventing the disclosure of personal information. Now cybersecurity is driven principally by global cyberthreats, commercial espionage and the lack of a secure internet, and focused on knowledge assets as well as sensitive (e.g., personal) information. Moreover, because now all systems are vulnerable and most systems are infected, the focus must be on resilience and adaptability, detection and response in addition to the former focus on protection. With the bad actors and agents now on the inside, cybersecurity is much more a subtle risk management challenge than a compliance challenge, an area of limited control and therefore more suitable than ever for risk transfer through insurance.

3. [Marylin grabs the Massey prenup and tears it] “Darling, you’re exposed!”

Now here is the kicker: Just as your organization begins to recognize the value and vulnerability of its knowledge assets and tries to protect them, your insurer — probably drawing on an exclusion the Insurance Services Office issued in 2013 — is probably in the process of excluding or narrowing all of your coverage of knowledge assets under your comprehensive general liability insurance policy. To make up for that exclusion, they offer you a cyber-risk policy that only covers breaches of personal information, not theft or loss of knowledge assets. Generously, in the chart below, personally-identifiable information (PII) is counted as 10% of corporate market value; that still leaves the vast majority of intangible assets uncovered.

This, friends, is the big bottom of the ‘berg, the big uncovered area of knowledge asset protection that you can now only address through suing your insurer before your policy gets the new exclusion (and it is a good time for that), your own work in information governance and knowledge asset protection (our stock in trade), and manuscripted coverage that will become more standard as demand builds. In upcoming posts, we will share many ideas and lessons learned. But wait, is he going to end for now with one of those stock iceberg images that so dominate big data posts even now, as big data floats, becalmed, in the Trough of Disillusionment of the Hype Cycle? No, it’s, it’s…..

Privacy is the new security. Is it any wonder that in this digital age the internet privacy industry has been at the top of the list for business start-ups?

Sébastien Daniels

Data Privacy Management | Data Protection Officer | Helping organizations to Innovate and comply

9y

Great post Jon! I share your analysis and think a new framework is needed. As you mentioned 'intangible' is in my opinion referring to the new era of Valuation of Social Capital! To be continued....
