Wednesday, May 30, 2007

The Actuarial Approach to Data Privacy

Not long ago I was conversing with the person in charge of information security at a Fortune 500 company. We were discussing his hosted data center. I knew from work that I had done for this company that the data center service provider was taking no special precautions to protect highly sensitive data. The primary reason was that the service provider didn’t know which data were sensitive: the data center managers had received no information from the company identifying the sensitive data or where it was located. When I pressed the security officer on why this hadn’t been done so that the sensitive data could be encrypted, his answer was, “This is an outsourced service. We trust their employees.”

My next question was the obvious one: “Why are this service provider’s employees any more trustworthy than the employees found at any other company?” His answer was unsatisfactory: “As an outsourcing company, they are liable to screen their employees appropriately.”

While his answer may be correct if the data security game is ultimately about winning the finger-pointing competition, it is clearly a violation of what I call the “Actuarial Rule of Data Privacy”. Actuarial science is all about the probability, based on empirical data, of what will happen within a certain population of people. Typically, of course, actuarial science is applied in the insurance industry and by providers of pension benefits.

The application of actuarial science is way overdue in the realm of data security practices. A simple question like “how many data centers with 50 or more employees have experienced a compromise of sensitive data by one of those employees in the past three years” would be truly useful information. Having this data, information security officers would be able to apply actuarial reasoning to their cost / risk / benefit calculations, helping them to provide a meaningful, defensible basis for their data security decisions.

But the most important contribution of an actuarial approach to data protection would be a shift from the typical conversation of “what if” there were a data breach to the empirically based “what are the chances that a breach will occur in the next X years”. The key difference is that the actuarial approach always reveals that the probability is greater than zero. And therefore, so is the cost of doing nothing to protect your data against even the most thoroughly vetted employees.
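As an added worked example (not from the original post), here is the actuarial reasoning above put into code: an empirical survey answer like the one asked for earlier is turned into a per-year rate, then into the chance of a breach within X years and the expected cost of doing nothing, which can be weighed against the cost of a control such as encrypting the sensitive data. The survey figures, loss and control costs are constructed, the constant-hazard assumption and function names are mine.

```python
# Added example (not from the original post): the actuarial reasoning above,
# using constructed survey figures for a population of data centers.
from dataclasses import dataclass


@dataclass
class InsiderCompromiseSurvey:
    """Empirical answer to "how many data centers with 50 or more employees
    saw an insider compromise of sensitive data in the past N years"."""
    data_centers: int   # population surveyed
    compromised: int    # members that experienced at least one compromise
    years: int          # observation window in years


def annual_rate(survey: InsiderCompromiseSurvey) -> float:
    """Per-data-center probability of a compromise in any one year, assuming a
    constant hazard: solve 1 - (1 - p)**years == compromised/data_centers."""
    share = survey.compromised / survey.data_centers
    return 1.0 - (1.0 - share) ** (1.0 / survey.years)


def breach_probability(p_annual: float, horizon_years: int) -> float:
    """Chance of at least one breach in the next horizon_years (the question the
    post says an actuarial approach answers). Strictly > 0 whenever p_annual > 0."""
    return 1.0 - (1.0 - p_annual) ** horizon_years


def expected_loss(p_annual: float, horizon_years: int, loss_per_breach: float) -> float:
    """Expected cost of doing nothing over the horizon: mean number of breach
    years times the loss each one causes."""
    return p_annual * horizon_years * loss_per_breach


def control_is_justified(p_annual: float, horizon_years: int, loss_per_breach: float,
                         control_cost: float, residual_fraction: float) -> bool:
    """True when a control (e.g. encrypting the sensitive data) that leaves only
    residual_fraction of the loss is cheaper than the loss it is expected to avert."""
    baseline = expected_loss(p_annual, horizon_years, loss_per_breach)
    averted = baseline * (1.0 - residual_fraction)
    return averted > control_cost


if __name__ == "__main__":
    # Constructed figures, not real survey data.
    survey = InsiderCompromiseSurvey(data_centers=200, compromised=18, years=3)
    p = annual_rate(survey)
    print(f"annual rate per data center: {p:.4f}")
    print(f"P(breach within 5 years): {breach_probability(p, 5):.3f}")
    print(f"expected loss of doing nothing (5y, $2M/breach): ${expected_loss(p, 5, 2e6):,.0f}")
    print("encrypt at $250k:", control_is_justified(p, 5, 2e6, 250_000, 0.1))
```

The same control can come out justified or not depending on the empirical rate and the loss figure, which is exactly the defensible basis for a decision that a "what if" conversation never provides.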
