“What is privacy worth?” is a question that executives often ask of their advisers, aides, and staff. This reflects a general confusion about how much companies should spend on privacy.
Executives often find themselves without a firm basis for decisions about privacy spending. In most companies, privacy staffing and spending are based more on historical staffing and spending levels than on an evaluation of current needs. The truth is that privacy cannot be valued in exclusively financial terms. When clients’ sensitive information is breached, no amount of compensation can fully make amends for the damage done and stress caused. The right question is not what privacy is worth, but what level of privacy spending is appropriate.
There are several ways to view privacy: as an investment, as an insurance policy, or as an operational cost based on industry best practices. Each of these perspectives offers some guidance on how much to spend on privacy.
Privacy is an investment
When privacy is seen as an investment, the answer to “how much is privacy worth?” is that it is worth as much as your brand. Privacy is an investment in client relations: clients want to know that you are committed to their privacy and that they can trust you with their information. Privacy is also an investment in the protection of your clients’ information, proportionate to the value of that information. Effective privacy solutions can be a selling point, with initial investment yielding increased client confidence and new opportunities.
Privacy is an insurance policy
If your corporation views privacy as an insurance policy, then the value of mitigating privacy risk is a function of the likelihood that your data could be breached, and the damage that would be caused by a breach. This is comparable to car insurance, which is calculated based on the value of the car and the driver’s safety record. For another insurance comparison, a million-dollar home may be worth several thousand dollars in protection, in the form of startup costs for doors and locks, ongoing costs for a home security system, and policing costs paid through property taxes. Just as with physical security, privacy spending is aimed at protecting your most vulnerable and most sensitive assets.
Privacy is an operational cost
For most executives, privacy is seen primarily as an operational cost. Industry best practices offer guidelines for privacy expenditures, which fall into several categories:
- Direct staffing costs: The salaries and benefits of privacy professionals. Industry best practices suggest that companies should have a privacy officer, in addition to one privacy employee for every eight projects, roughly speaking. Generally, each privacy employee can oversee three to ten projects, depending on their size and complexity.
- Assessment costs: Costs associated with third-party assessments of your corporation’s information management practices, often with a focus on legal compliance. Companies should usually allow around $50,000 in privacy assessment costs for each new project.
- Other costs:
  - Tools or software used to monitor privacy incidents or manage information disclosure
  - Legal costs related to reviews of software, hardware or services contracts
  - IT security costs related to encryption and other privacy-enhancing technologies
In short, corporate privacy spending is usually directed toward several goals: improving public perception, insuring the safety of client information, and establishing industry best practices and legal compliance across the organization. Knowing which of these goals best capture your organization’s objectives will help to guide appropriate and effective privacy spending.