The rising value of information and the law's response
As the value of information rises, so does the importance of information security law.
This is according to David Luyt, associate at Michalsons, who was speaking at the ITWeb Security Summit 2018 in Midrand.
"We are in this information economy now where the stuff you are holding is not just ones and zeros anymore that don't matter, they are bits of valuable currency that people are trying to get their hands on. Whether it's a bitcoin which corresponds to real world monetary value; or a profile on a customer; or a lead in some sort of marketing or credit bureau database. There is a tangible monetary value to these things and we need to understand that," he said.
"Information is worth something, it generates value in the same way that your equipment and your premises have value in terms of the price or the rental cost you pay for them, or your employees have value to you."
He said that this feeds into the idea that information is the oil of the 21st century.
"When we know what our information is worth to us, we know how we have to protect it; and when we know what our most valuable information is, we know what we have to protect the most," he said.
As the value of data has risen, there has been a shift towards more specific information security law around the world.
This is evident in the imminent implementation of Europe's General Data Protection Regulation (GDPR), which comes into force today (25 May). At the same time, the UK has updated its Data Protection Act and South Africa is preparing for the commencement of the Protection of Personal Information Act (POPIA).
"Data protection is something that has existed in various laws for years. Globally it is mostly based on a directive from 1995 which was implemented in places like the UK in 1998 with their Data Protection Act; in SA, a lot of our legislation from FAIS [Financial Advisory and Intermediary Services Act] to things like the National Credit Act have got slight information security obligations in them," Luyt added.
However, he said that with the passing of new data protection laws like POPIA in SA and GDPR in the EU, we are seeing specific information security obligations coming into force that apply across industries.
How to quantify the value of information?
Luyt advised businesses to quantify the value of their information by identifying their own theory of value. He said this can be a theory-based appraisal or professional estimate, but the subjective value of that information should not be forgotten.
"When we look at data protection laws, we can see that is more and more what the law is pushing us towards, this idea of empathy and understanding what things are like in someone else's shoes," he said.
"So it's to put yourself in the shoes of your data subject and realise that if you know everything about their medical history as a health care provider or if you know everything about their credit and financial life as a credit bureau there is a lot of value to that person in that information; and if it gets out there they could be victims of harm. They could be prejudiced, they could be victims of identity theft and fraud.
"We just need to think back to the master deeds breach of last year where the details of pretty much anyone who ever bought property in South Africa got leaked onto the open Internet and it became open season for anyone who wants to commit identity theft against South Africans because there were ID numbers and everything there," he added.