Despite the efforts of regulatory bodies and the private sector, effective protection of personal data through legislation and business self-regulation efforts remains elusive. Privacy legislation is difficult because the flow of data is difficult to predict. Businesses tend to be ineffective at data protection because, generally, they misunderstand the value of the data they possess. Businesses, therefore, do not invest enough in protecting this undervalued asset, and data are not managed to reflect their importance to organizations, individuals, and markets. This paper presents the argument that to understand data properly and to improve privacy protection, data must be valued. The paper also elaborates on major impediments to the valuation of data, as well as the advantages of overcoming these impediments. In light of the paucity of both privacy and data valuation studies by accounting scholars, the paper also identifies opportunities for research.
In this commentary, we argue that valuation of personal data by organizations is a key component to address privacy effectively. The reasoning behind our proposition is that the formal valuation of data has the potential to greatly increase organizational data transparency, which will help markets to understand the true value of individual organizations. In turn, stakeholders, in an effort to preserve organizational value, will force organizations to accept and internalize currently externalized economic impacts associated with the under-protection of personal information.
As the use of technology to store, cross-reference, and share data among corporations and governments expands, it becomes clear that the effective protection of personal information through legislation and business self-regulation efforts remains elusive. The number and cost of data security breaches, such as those experienced by Target Corporation in 2013, Sony Pictures Entertainment Inc. and JP Morgan Chase & Co. in 2014, and Anthem Inc., the Internal Revenue Service (IRS), and the Office of Personnel Management (OPM) in 2015, continues to grow (Prosch 2008; PRC 2015; Ponemon Institute 2015). Online ads for products we once purchased barrage our Internet experience. Data brokers, without the consent or knowledge of the individuals preyed upon, compile dossiers of information about them from a variety of online and offline sources (Anthes 2015). As a result, individuals are left to deal with the costs associated with the collection, use, and loss of sensitive data: increased risk of identity theft, potential embarrassment and stigma (Hirsch 2014), and potential civil rights violations (White House 2014a).
Privacy regulation is difficult because data are like water—they flow and ripple in ways that are difficult to predict (Spiekermann 2012). Self-regulation is suboptimal because the tools used to protect data tend to be outdated, leaving organizations hoping that they are able to keep up with the privacy challenges presented by Big Data, the Internet of things, and metadata1 analysis (Weitzner 2015). Many organizations tend to view privacy as a compliance issue instead of a business issue. Management derives what it can from the information it has and regards the privacy issue as a nuisance better left to be fixed by lawyers. That is, despite their critical value, data are not managed to reflect their importance to businesses, consumers, and employees (Bruening, Sotto, Abrams, and Cate 2008).
Prior work has proposed several mechanisms to preserve the privacy that our unprecedented ability to capture, store, and analyze data threatens to erode. One such mechanism is the concept of privacy by design (PbD), developed in the mid-1990s by Dr. Ann Cavoukian, a former information and privacy commissioner of Ontario, Canada. Advanced around the world by data protection authorities, regulators, privacy advocates, and technologists, this concept refers to the philosophy and approach of embedding privacy directly into the design and operating specifications of information technologies and systems (Cavoukian 2011). Others have proposed accountability as a primary mechanism through which society should address the appropriate use of information (Weitzner et al. 2008; CIPL 2009, 2011; OECD 2013). In this regard, if the collection, use, and analysis of information are transparent, then it is possible to determine whether a particular use is appropriate under a given set of rules. As these authors argue, a transparent system enables individuals and institutions to be held accountable for misuse.
In this commentary, we add to the cumulative body of knowledge surrounding the preservation of privacy. We propose that a fundamental root cause of current privacy failure is a lack of formal data valuation. With such a valuation, lawmakers, regulators, and business managers would make better investments in data protection.
Organizations may consider the formal valuation of data to be an endeavor too costly to undertake. We sympathize and acknowledge the extraordinary complexity of this task. The formal valuation of data, however, has the potential to add great value to all stakeholders. Organizations may discover that data are easier to manage, exploit, and protect when they are treated with the same rigor as other assets shown on the balance sheet (Ladley 2010). Some organizations also may realize that the formal valuation of data creates a higher level of transparency and accountability, which increases the value of the whole organization, fostering more efficient capital markets and causing reductions in the cost of capital (Lev 2001). On a broader scale, formal valuation of data can increase social welfare by making companies more likely to accept and internalize the currently externalized economic effects associated with the under-protection of personal information. Lack of formal valuation and financial statement presentation may also mean that markets are significantly under-informed about the true value of individual enterprises. Under these assumptions, the development of models that, step-by-step, will enable corporations to recognize or disclose this crucial asset on financial statements is long overdue.
The remainder of this article is organized as follows. Section II outlines the potential effect of valuation to foster privacy by placing the relationship between data and personal data into perspective. Section III addresses why data should be considered an intangible asset requiring valuation, and provides arguments that explain the current lack of data valuation attempts. In Section IV, we advocate for a paradigm change in accounting, leading to the formal requirement of data valuation to be presented on the financial statements. Section IV also presents multiple areas through which valuation is likely to affect privacy. Section V outlines broad categories representing future opportunities for research. Section VI presents our conclusions.
II. THE IMPORTANCE OF DATA VALUATION FOR PRIVACY
To understand why valuation of data may have a strong effect on the preservation of privacy, it is necessary to recognize not only that the amount of data in all industries is increasing rapidly, but also that most of this increase constitutes personal information.
According to Turner, Reinsel, Gantz, and Minton (2014), two-thirds of the digital data in existence in 2013 were created and captured by consumers and workers. They also predict that, by 2020, the digital universe will reach 44 zettabytes. Although many of these data may not be considered personal information at the time of collection, the rapid evolution of information technologies is enabling businesses and governments to collect and efficiently analyze these data to learn far more than what people anticipate (White House 2014b). Under many circumstances, data that at some point may have been considered de-identified can be used for re-identification of individuals. As an example, in 2006, America Online (AOL Inc.) decided to release a collection of web search queries considered to be fully anonymized. Yet, reporters from The New York Times used these queries to show that even when names and other personal information are stripped from Big Data sets, it often is possible to re-identify a specific person (Barbaro and Zeller 2006). More recently, to provide a quantitative assessment of the likelihood of re-identification from financial data, de Montjoye, Radaelli, Singh, and Pentland (2015) used an anonymized data set containing three months of credit card transactions for 1.1 million users in 10,000 stores in an Organisation for Economic Co-operation and Development (OECD) country. These authors find that only four spatiotemporal points are needed to re-identify 90 percent of individuals. They also show that knowing transaction prices increases the risk of re-identification by 22 percent. Academics, government bodies, and industry leaders, therefore, increasingly acknowledge that the distinction between personal information (PI) and non-PI is diminishing (FTC 2012) and that a wider interpretation of what constitutes personal information is warranted (Schwartz and Solove 2011). 
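The unicity logic behind the de Montjoye et al. (2015) result can be illustrated with a toy simulation. The sketch below is not their method or data: the population size, trace length, and uniform sampling are invented assumptions, used only to show why a handful of spatiotemporal points tends to single out one individual.

```python
import random

random.seed(42)

# Hypothetical illustration: each user leaves a trace of (store, day)
# "spatiotemporal points". We then test how often a handful of known
# points matches exactly one user, in the spirit of unicity analyses.
N_USERS, N_STORES, N_DAYS, TRACE_LEN = 1000, 50, 90, 20

traces = {
    user: frozenset(
        (random.randrange(N_STORES), random.randrange(N_DAYS))
        for _ in range(TRACE_LEN)
    )
    for user in range(N_USERS)
}

def unicity(k, trials=200):
    """Fraction of sampled users pinned down uniquely by k known points."""
    unique = 0
    for _ in range(trials):
        user = random.randrange(N_USERS)
        known = random.sample(sorted(traces[user]), k)
        matches = [u for u, t in traces.items() if all(p in t for p in known)]
        if matches == [user]:
            unique += 1
    return unique / trials

for k in (1, 2, 4):
    print(f"{k} known point(s) -> {unicity(k):.0%} re-identified")
```

Even in this crude model, one known point rarely identifies anyone, while four points almost always do, because the chance that two users share the same four cells of a large space-time grid is vanishingly small.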
The Federal Trade Commission (FTC 2012) accordingly issued recommendations in 2012 for businesses and policymakers on how to protect consumer privacy. The framework proposed by the FTC applies to data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so. The position of the FTC on this issue effectively turns most data collected by organizations into personal information.
Currently, the evolving nature of our understanding about what constitutes personal information is being tested by the Electronic Frontier Foundation (EFF) in a petition filed with the Federal Trade Commission (FTC) on December 1, 2015. In this document, the EFF requests that the FTC investigate the privacy practices of Google for Education. In particular, the complaint alleges that Google is “engaged in collecting, maintaining, using, and sharing student personal information in violation” (Cardozo and Cope 2015) of the Student Privacy Pledge that Google signed in January 2015. The Student Privacy Pledge states that information that is both collected and maintained on an individual level and is linked to personally identifiable information constitutes student personal information. Further, the EFF argues that aggregating and anonymizing student personal information does not change the private nature of the data or the fact that they are associated with identifiable student accounts at the time they are collected (Barr and Dwoskin 2015).
Internationally, decisions by parliaments, courts, and regulators have already acknowledged the evolving nature of the vast amount of data that increasingly are considered personal. First, on March 27, 2015, in the Vidal-Hall v. Google Inc. case, the England and Wales Court of Appeal held that personal information is any information that allows a company to identify an individual based on its matching or aggregation with other information in its possession, regardless of whether the company, in fact, matches or aggregates (Vidal-Hall v. Google Inc. 2015).2 Second, in relation to the complaint laid against Telstra Corporation Limited by Ben Grubb, the Privacy Commissioner of Australia indicated on May 1, 2015, that to the extent that metadata enable an individual's identity to be ascertained, metadata constitute personal information (OAIC 2015).3 Third, the Telecommunications (Interception and Access) Act 1979 of Australia (as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015) deems certain metadata relating to telecommunications such as source, destination, date, time, and type of a communication to be personal information (Federal Register of Legislation 2015, §187AA and 187LAA).4
Given the large proportion of data that constitutes personal information, their formal recognition and/or disclosure is likely to be beneficial for corporations, capital markets, and societies as a whole. By valuing their data, organizations are better able to properly manage the information life cycle (Silburn and Ezingeard 2008) and implement appropriate mechanisms that, among other goals, effectively preserve privacy. Data valuation may not only change how organizations think about their data and how they use them (Mayer-Schönberger and Cukier 2013), but may also alter those to whom businesses grant access. These effects may in turn enable and motivate companies to invest in systems, processes, and technologies more suitable to the proper preservation of privacy.
III. CONDITIONS GIVING RISE TO LACK OF DATA VALUATION
According to accounting conceptual frameworks and standards developed in the United States (FASB 1985, 2010) and internationally (IASC 1998), data—the asset that by many accounts is at the heart of the business model of many companies (Spiekermann 2012)—meet all necessary criteria to be classified as an intangible asset. Data are a resource that lacks physical substance, are distinguishable from goodwill, and have a probable future economic benefit that is obtained or controlled by a particular entity as a result of past transactions or events. Nevertheless, as happens with other intangible assets, uncertainty about the existence and timing of data's future benefits has led the accounting profession to exclude data lacking explicit acquisition cost from presentation on financial statements. Furthermore, when acquisition costs are involved, they must be expensed when incurred.
In spite of the shortcomings of financial accounting standards, forward-looking managers embrace the role of management accounting as a strategic business partner and recognize the importance that data play in achieving organizational success (Laney 2012). Anecdotal and academic evidence reveals, however, that for internal reporting purposes, many organizations do not treat data as a valuable organizational asset (Silburn and Ezingeard 2008).5 From an accounting perspective, this is a failure of the profession to embrace its role as enabler and strategic business partner along the information value chain.
The current failure to adequately value data is partly justified, however. It is easy to see that labor and overhead costs associated with backup, recovery, and storage administration, and costs associated with storage infrastructure, increase with the amount of data that organizations collect (Tallon 2010). However, even though under certain circumstances the data valuation process may seem straightforward (Monga 2014; Nash 2015), valuing data separately from the physical equipment on which they are stored and manipulated represents a challenging endeavor, even if data meet all the necessary accounting criteria to be classified as an intangible asset.6
Several factors make this valuation especially problematic. First, a proper data valuation methodology must begin with the identification and classification of data. This step may be difficult not only because data originate from multiple sources (Abrams 2014), but also because data may render the valuation attributes traditionally used (e.g., market value, historical cost) inappropriate for measuring future economic benefits.
Observed and collected data often are so widely available that no organization has reason to pay for them. Accordingly, governments compel and businesses persuade people to provide them with data (e.g., filing a tax return, applying for a loan, paying a bill, making a post on a social network) in exchange for no, or close to no, cash or its equivalent. Similarly, the digital trail that people leave in their wake, including, for example, a person's phone number and phone serial number, the time and duration of a call, and the location of the participants in a call (Becker et al. 2013; Soper 2012), is observed with close to zero cost.7
Second, data collected with a stated purpose are expected to have an intrinsic value for the collecting organization. The full value of data may sometimes remain dormant, however, waiting to be unleashed as additional uses for the data are discovered. Data captured with one purpose or as a necessary byproduct of a purposeful interaction may be used to derive and infer valuable new information (e.g., consumer average spending, susceptibility of a person to a particular disease, life expectancy, credit scores, likelihood of future health outcomes) that, once created, will serve as raw material for future data collected and created by ongoing processing (Abrams 2014). That is, data may develop an option value (Mayer-Schönberger and Cukier 2013) unlikely to be anticipated and difficult to quantify from the onset. To place this situation in context, it is well understood that companies must collect customer data to process transactions. Goods ordered by customers are recorded to process sales and customer financial information is collected to process payment. The explosion of technologies that enable more effective and efficient analysis of vast amounts of data enables organizations to develop secondary uses for these data, however. Using data analytics, companies such as Target can use transactional data to anticipate customer purchase preferences based on changes in past purchase patterns. Using transactional data, companies also can anticipate life-changing events even before the owners of the data know about them (Duhigg 2012).
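The option value that Mayer-Schönberger and Cukier (2013) describe can be made concrete with a toy one-period real-options calculation. All figures below are hypothetical; the point is only that expected-value arithmetic understates the worth of data when the holder can wait and pursue a secondary use only if it turns out to be profitable.

```python
# Hypothetical one-period real-option sketch: a firm holds data whose
# secondary use pays off v_up with probability p, v_down otherwise,
# after incurring a development cost. All numbers are invented.
p, v_up, v_down, cost = 0.3, 500_000.0, 20_000.0, 100_000.0

# Naive expected value: commit to the secondary use now, good state or bad.
commit_now = p * v_up + (1 - p) * v_down - cost

# Option value: wait, observe the state, and develop only if profitable.
option = p * max(v_up - cost, 0.0) + (1 - p) * max(v_down - cost, 0.0)

print(f"commit now:      {commit_now:,.0f}")
print(f"hold the option: {option:,.0f}")  # never below zero by construction
```

Because the holder can decline the unprofitable branch, the option is worth at least as much as committing up front, which is one reason the dormant value of retained data is hard to anticipate at collection time.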
A third challenge to data valuation is the uncertainty that surrounds the anticipation of future economic benefits resulting from the collection, observation, and generation of data. Data benefits depend on factors such as technologies and human resources currently available to the organization, behavior of customers and competitors, the legal and regulatory environment, and other unknown factors that may increase or decrease the value of the data by limiting the ability of the organization to analyze them and take advantage of them. These factors may determine the capacity of the organization to understand and apply the data beyond their originally intended use, to reuse the data either in isolation or in conjunction with other datasets (data fusion), to determine how data lose their utility over time (data depreciation), and to extract and use byproduct data resulting from people's interactions with the world (data exhaust).
Fourth, predicting the length of time or useful life over which data are suitable to generate profits is complex. This life may be shortened or extended depending on factors such as the nature of the data, competition, technological changes, and human capital.
Data behave like a public good in that enforcing exclusive access to them is difficult, and their use by one company does not reduce their availability to other companies. These characteristics may shorten the anticipated useful life of data by enabling numerous companies to collect personal data from a variety of public and nonpublic sources and resell them to other companies (FTC 2012). After the data are widely available, a use option that at first may seem an exclusive and profitable endeavor can be imitated by the competition. As a consequence, the profitability of using the data diminishes to the point that they no longer represent a unique competitive advantage (CEBR 2013).
Some data may remain unchanged and useful for many years; other data need continuous maintenance to remain relevant. When compared to DNA data, the continuously evolving purchasing preferences of customers have a short lifespan. The useful life of such data can be extended, however, if updated periodically to preserve the accuracy of these preferences. To illustrate, consider the Freestyle soda fountain introduced by the Coca-Cola Company in 2009. The fountain not only enables customers to customize their soft drink according to their preferences, but also provides a means for Coca-Cola to understand how soft drink consumption preferences of customers change over time (Scanlon 2009).
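One simple way to think about this interplay of data depreciation and maintenance is a decay rate on value that periodic refreshes partly offset. The decay rate, restore fraction, and initial value below are purely illustrative assumptions, not estimates.

```python
# Illustrative only: preference data worth an assumed 100 units of value
# decays at 40% per year; a periodic refresh restores a fraction of the
# lost relevance (e.g., updated purchasing preferences).
def remaining_value(initial, decay, years, refresh_every=None, restore=0.8):
    """Value left after `years`, with optional periodic refreshes."""
    value = initial
    for year in range(1, years + 1):
        value *= (1 - decay)  # annual depreciation of relevance
        if refresh_every and year % refresh_every == 0:
            value += (initial - value) * restore  # update restores accuracy
    return value

stale = remaining_value(100.0, 0.40, 5)                        # never refreshed
maintained = remaining_value(100.0, 0.40, 5, refresh_every=1)  # annual update
print(f"after 5 years, unmaintained: {stale:.1f}")
print(f"after 5 years, refreshed annually: {maintained:.1f}")
```

Under these assumed parameters, unmaintained preference data retain only a small fraction of their value, while annually refreshed data settle near their original worth, which is the intuition behind Coca-Cola's continuous collection through the Freestyle fountain.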
Fifth, challenges to the valuation of data also involve changes in legislation and concerns about online privacy that affect the availability and usability of data. For example, liberalization of data historically held by a select group (i.e., governments) not only may open opportunities for those interested in building new businesses, creating new products, or rendering new services (Obama 2013), but also may reduce the cost and value of data and the profits resulting from their use.
Privacy concerns bring different legislative responses in different parts of the world. In the European Union, privacy is considered a human right, and the concern is with anyone who collects and tracks data. In the United States, the larger concern is government surveillance (Kugler 2015). This attitude tacitly grants U.S. businesses almost unfettered rights over the business cycle of data, leaving data protection mostly as an issue of consumer regulation. As a consequence, the formal U.S. regulatory system is much less restrictive than the European system in terms of what data a business can collect and how such data are treated throughout their life cycle.
Sixth, information-based transactions have become a means to conceal business activity from public disclosure, and thereby from the prying eyes of competitors (U.S. Senate Committee on Commerce, Science, and Transportation 2013; FTC 2014). This lack of transparency makes data trades impossible to observe, rendering market prices unavailable as a baseline for market-based assessments of data value.
Finally, factors such as legal liability, competitive eavesdropping, increased audit fees, and unfavorable changes in regulations may limit the willingness of businesses to present the value of their data on their financial statements. For example, common transactions executed in exchange for customer data, such as everyday grocery sales using loyalty cards, may require review by agencies such as the Internal Revenue Service under the assumption that the customer data collected have a greater value than that which is given in the form of a purchase discount (Laney 2014).
In summary, these factors allegedly constrain the capacity of organizations to reliably and willingly estimate the value of data. This, in turn, gives rise to the false conclusion that the loss of relevance resulting from this omission on financial statements is smaller than the loss of reliability that would result from its inclusion.
IV. BUILDING MOMENTUM FOR DATA VALUATION
In spite of the many challenges cited in the previous section, now is the time to make the paradigm shift proposed in this commentary. Anecdotal evidence shows growing discontent about how companies and governmental institutions collect, consume, store, and dispose of data to provide services and create business opportunities (U.S. Senate Committee on Commerce, Science, and Transportation 2013; Salmon 2015), and there is a general state of anxiety about the security of the data that these institutions possess (Fyffe 2015). Understanding the value of data may be the driver that the market needs to correct these problems.
Accountants and accounting standard setters may be inclined to challenge our position because of the issues that any valuation effort faces. In the era of Big Data, however, it makes no sense for the accounting profession to stay on the sidelines (Katz 2014; Monga 2014). Moreover, the accounting profession continuously confronts and overcomes difficult challenges. Zeff (2007), for instance, documents the rather tense relationship between the accounting standard setters and the Securities and Exchange Commission (SEC) in relation to upward revaluations and restatements of nonfinancial assets. He presents evidence showing how the private-sector bodies that established accounting principles from 1934 to the 1970s sought to gain a degree of acceptance for such revaluations and restatements, but were consistently rebuffed by the SEC. Further, in reflecting on his tenure at the FASB, Swieringa (1996) notes that from 1986 to 1995, it took an average of three years to issue a standard, with some standards taking as little as four months and others as much as 12 years. Among the standards that took longer to issue is SFAS No. 106 on postretirement benefits other than pensions (FASB 1990). Swieringa (1996) indicates that the success of SFAS No. 106 was highly dependent on changing the question from whether to recognize and measure the obligation and related cost of postretirement health benefits to how to recognize and measure that obligation and cost. We deem necessary a similar change of perspective regarding the disclosure and recognition of the value of data.
The formal valuation of data, with either recognition or disclosure on the financial statements, likely will foster more efficient capital markets and cause reductions in the cost of capital. This improved efficiency will result from a significant reduction of the exaggerated over-valuations and under-valuations normally experienced by businesses today. That is, knowledge about the value of data will empower investors to perform better assessments of their expectations about future organizational cash flows, which, in turn, will contribute to narrowing the widening gap between the value of net organizational assets and the market valuation of businesses (Lev 2001; Monga 2014). With widespread access to data valuations, it also will follow that shareholders will be in a better position to assess in a more meaningful way the damages caused by unauthorized access. In this regard, Kvochko and Pant (2015) indicate that the data breaches experienced recently by Target, The Home Depot, Sony, Sears, and JP Morgan Chase have had very little impact on these companies' stock prices. They argue that the long- and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence resulting from data breaches currently are difficult to quantify. Therefore, shareholders react to breach news only when the breaches have a direct impact on business operations (e.g., litigation charges) or result in immediate changes to a company's expected profitability. Were the value of data presented to shareholders, however, they could assess the value of the compromised data in the same way that they can assess theft of physical assets.
With greater scrutiny over how organizations ensure the proper custody of their data, shareholders likely will exert more pressure on the board of directors and management to recognize that data represent a major investment and a critical resource that must be cared for properly. This realization, in turn, should affect how the board of directors and management exercise their corresponding fiduciary duties. The board of directors will exercise more thorough oversight of management's handling of data assets, and management will have a strong additional incentive (e.g., job security) to implement a strategic approach to data management that parallels the strategic approach traditionally taken toward the oversight of other organizational assets (e.g., cash, inventory, fixed assets). As a result, organizations will stop externalizing the burden of lax data-related security measures (e.g., privacy harm) under the assumption that, after the data are stolen, their potential for value creation is diminished by legal liability (The Economist 2015), even in the absence of pecuniary damages (Baker 2015).
As data are used to drive all aspects of a business, information assets must be managed in accordance with laws that are far broader than those regulating privacy and information security. In addition, businesses frequently engage vendors in other countries to perform essential business functions. Compliance with laws related to data protection, however, has become increasingly complex as organizations collect, use, store, and disseminate data across many jurisdictions for wide-ranging purposes. By fostering the strategic management of data, valuation will facilitate legal compliance and minimize risk in a cost-effective manner (Bruening et al. 2008). Moreover, by treating data, and therefore personal information, with proper care, companies will cultivate a relationship with consumers and employees based on trust, transparency, accountability, and innovation that will keep customers happy and legislators at bay.
The strategic approach to data management derived from data valuation should help organizations to contain costs and generate new opportunities while managing risks. There is no question that the overall investment of organizations in moving and storing data is substantial. Not all data are equal, however. Understanding the value of data allows organizations and stakeholders to comprehend the interplay of market forces that shape information costs. For example, by determining how much additional profit or market share a firm could gain from using the data, or how much could be lost in legal penalties or foregone profits if information is inaccessible, organizations can define an appropriate service level (Glazer 1993). For critical data, decisions about infrastructure utilization should be driven by service reliability, availability, security, redundancy, response time, maintainability, and scalability. In contrast, management of noncritical data should be influenced by low-cost investment criteria.
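The service-level reasoning above can be sketched as a simple decision rule: compare each dataset's profit at stake and loss exposure against the cost of a higher service tier. The dataset names, dollar figures, and risk weighting below are hypothetical, chosen only to show the shape of the comparison, not to model any real firm.

```python
# Hypothetical service-tier decision in the spirit of Glazer (1993):
# weigh the profit attributable to a dataset and the expected loss if it
# becomes unavailable against the cost of a high-reliability tier.
datasets = {
    # name: (annual profit attributable, expected loss if unavailable)
    "customer_transactions": (2_000_000.0, 750_000.0),
    "marketing_archive": (50_000.0, 5_000.0),
}

TIER_COST = {"high": 300_000.0, "low": 20_000.0}  # assumed annual costs

def choose_tier(profit_at_stake, loss_if_down):
    """Pick the cheapest tier whose cost is justified by the exposure."""
    # Assumed risk weighting: 10% of attributable profit plus direct loss.
    exposure = 0.1 * profit_at_stake + loss_if_down
    return "high" if exposure > TIER_COST["high"] else "low"

for name, (profit, loss) in datasets.items():
    print(f"{name}: {choose_tier(profit, loss)} service level")
```

Under these assumptions, the transactional data justify the expensive high-availability tier while the archive does not, which mirrors the point that critical and noncritical data warrant different investment criteria.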
Greater transparency through published valuation also is likely to affect which data are seen as critical. Some companies appear to treat as noncritical personal information that individuals would consider critical. In other words, poor transparency in the absence of formal valuation may create economic externalities by placing additional risk on other parties to meet or manage at their own expense. Further, poor transparency may limit the mid- to long-term value these companies can realize from the data. Continuing to ignore these externalized risks threatens the functional capability of these data to directly or indirectly maintain or generate additional revenues and to reduce costs, including the costs resulting from the externalized economic impacts associated with their under-protection.
Formal valuation also is likely to affect decisions about which data are considered critical if it results in the market gaining a greater understanding of the current value of potential future uses of the data, and of the data that are derived from them. When stakeholders know the value of the organizational data, they can understand that data management costs are affected not only by the growing volumes of new and existing data, but also by the value of the information distilled from these data to the organization. Having organizations account for the value of their data will enable shareholders to understand that as the information value rises, it is increasingly difficult to contain data management costs because a sizeable proportion of those costs constitutes a quasi-insurance premium against data loss or corruption (Tallon 2010). With this knowledge, we would expect shareholders to limit stock price declines related to increases in data management costs.
The value of data and the adoption of a strategic asset investment perspective will help to build the confidence necessary both within the organization and with the public to enable and encourage the development of innovative uses of data. Companies must put responsible, integrated internal protections and practices in place and provide reasonable assurance that the data maintained by the organization are accurate, reliable, readily accessible, and not being used in ways detrimental to individuals. Data valuation will shape decisions to assure that this critical resource is available only when needed and only to the appropriate personnel. In this way, not only will personal information be more secure, but there will also be greater support from all stakeholders for further developments in Big Data. Valuation will help companies avoid the competitive cost of being either reckless in their use of data or too reticent about experimenting with new data collection and use technologies and practices. Organizations also will recognize that once competitors have access to their data, the cash flow proposition of those data decreases, which, in turn, will restrict data sharing across organizations.
V. OPPORTUNITIES FOR RESEARCH
Privacy-related issues increasingly are becoming a focus of attention across society. In the United States, the involvement of the accounting profession has been led by the American Institute of Certified Public Accountants (AICPA), which, jointly with CPA Canada, created the Generally Accepted Privacy Principles (GAPP). In academia, information systems and computer science researchers have taken a leading role in the study of privacy (Pavlou 2011; Smith, Dinev, and Xu 2011; Bélanger and Crossler 2011). In management, books have been published on topics such as information management (Ladley 2010) and records management (Smallwood 2013). However, with a few notable exceptions, accounting researchers have remained on the sidelines. One exception, Prosch (2008), discusses GAPP as a way to manage and reduce privacy risk. Others have investigated the consistency of privacy standards used in privacy audits across different auditors and jurisdictions (Toy and Hay 2015). Kauffman, Lee, Prosch, and Steinbart (2011) explore consumer information privacy issues and review prior literature. Similarly, Boritz and No (2011) review prior information privacy literature related to e-commerce, and Hong, Vaidya, and Wang (2014) review the literature on applications of privacy-preserving techniques to supply chain collaboration. Further, information privacy has been reviewed in the context of risks related to cloud computing (Alali and Yeh 2012), and researchers have studied the importance of different types of consumer privacy concerns related to location-based services for behavioral intentions to disclose (Raschke, Krishen, and Kachroo 2014). Finally, Morris, Kleist, Dull, and Tanner (2014) propose an electronic market for secure information sharing, in which data are made available based on requirements declared by information providers and consumers.
Data valuation studies are even scarcer than privacy studies, with much of the research being theoretical in nature and lacking continuity (Glazer 1993; Wilson, Stenson, and Oppenheim 2000; Oppenheim, Stenson, and Wilson 2003a, 2003b, 2004). Prior initiatives to value intangibles seem to have failed because they tried to be all-inclusive. In this commentary, we narrow the focus of the valuation process to personal data. In this way, we believe it is possible to ensure the success of our proposition.
The paucity of research in this area offers a wealth of possibilities for accounting researchers across fields of specialization. The research agenda we outline next encompasses a diverse set of research opportunities (RO) organized by major area.
RO1: Data Identification and Assessment
A logical starting point in our research agenda is the identification and assessment of the data to be included in financial reporting. Several methods have been outlined in the practitioner-oriented literature (Ladley 2010). Academic researchers must design studies to rigorously validate the efficiency and effectiveness of these methods; to this end, case studies seem the most appropriate research methodology. In addition, researchers must identify and formally document the issues that may arise when valuation of these data is attempted. For example, an extensive body of academic research suggests that data quality should be an important factor in data valuation models (Neely and Cook 2011). Although behavioral experiments and surveys can be used to test empirically which data quality elements are valued most by different stakeholders, other methodologies are welcome, depending on context. In this regard, Heinrich and Klier (2015) report on a probability-based currency metric that they expect could be used to integrate different data quality aspects into theoretical frameworks pertaining to the value of information. Further, researchers in this area may want to develop hypotheses to evaluate the relative importance of different data quality characteristics throughout the data life cycle.
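The intuition behind a probability-based currency metric can be illustrated with a minimal sketch. The exponential-decay form and the address decline rate below are simplifying assumptions chosen for illustration, not the exact formulation in Heinrich and Klier (2015):

```python
import math

def currency(age_years: float, decline_rate: float) -> float:
    """Probability that an attribute value is still up to date,
    modeled here as simple exponential decay (illustrative only)."""
    return math.exp(-decline_rate * age_years)

# Hypothetical example: a customer address recorded 3 years ago,
# assuming roughly 10 percent of addresses change per year.
print(round(currency(3.0, 0.10), 3))  # → 0.741
```

A metric of this kind could serve as one input, among others, when weighting the quality of personal data in a valuation model.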
Although much can be said about data valuation from an external reporting perspective, data valuation cannot be dealt with solely through external reporting. Data valuation needs to be managed before it can be reported on, and this requires changes to management accounting systems. We anticipate that accountants will share responsibility for the creation, implementation, and maintenance of the data records to be formally valued by the organization. Studies should be planned to determine how personal data (including metadata) are most appropriately collected, stored, used, and disposed of in order to ensure the efficient and effective production of information able to generate high revenue streams. This is especially important when data are expected to have secondary uses. As data move through the information life cycle and away from the original source, their meaning may change, and this evolution is likely to affect their value. In addition, although some personal data may become more valuable the more they are shared throughout the value chain, the value of other personal data (e.g., metadata) may diminish if known by competitors. To address this tension, it is important that research address the kinds of data categorizations necessary in a world in which data must be valued.
RO2: Valuation Methods
One of the most important areas for research is the identification of valuation methods that will ensure data are valued at an appropriate level. In this regard, Repo (1989) presents a thought-provoking, though noncomprehensive, literature review—an analysis of multiple methods suggested in economics, finance, accounting, and information science for valuing information in general. Repo (1989) acknowledges that most of the theoretical methods presented have no practical application or lack generalizability beyond a few applications, and concludes that no single theory seems capable of explaining the value of information because "individuals give different values for the same information depending on context" (Repo 1989). In contrast, the results in Wyatt (2005) and Hunter, Webster, and Wyatt (2005, 2012) seem a promising start, providing insights about incentives for the recognition of intangibles that could be applicable to personal data. These studies also outline current valuation practices followed by organizations committed to valuing discretionary intangibles. Further, recent efforts have emerged that test methodologies for valuing personal data for financial reporting purposes. Although these studies do not address the inclusion of personal data in financial statements, they do assess different methodologies that could be used to evaluate the discrepancy between a company's market value and its book value (Cauwels and Sornette 2012; Feijóo, Gómez-Barroso, and Voigt 2014).
Research in this area should expand on the work of these authors and target efforts to address questions such as: Can these methods be adapted and become suitable for personal data valuation and inclusion in financial reporting? Should alternative methods be developed for different types of personal data? We believe that initial attempts to address these issues should be theoretical in nature with the development of frameworks that assess whether the extension of previous methodologies is warranted. Similarly, theoretical efforts should be undertaken to assess potential courses of action that may help the data valuation task. That is, it may prove fruitful to explore whether the creation of information exchanges is warranted. However, the costs and benefits related to the creation of such exchanges should be empirically studied with behavioral and archival methodologies similar to those used in accounting and finance to evaluate the market for equity stocks.
Additional research alternatives involve surveys and case studies intended to explore how markets value information-intensive organizations (e.g., Facebook, Uber Technologies Inc., Airbnb) and whether these valuation methodologies can contribute to a standard on data valuation. In addition, research should focus on accounting for personal data under different circumstances. For instance, loyalty card programs are put in place by organizations to boost sales. Can some of the methods used in prior research be used to value these data? That is, is it possible to value these data in terms of the discounted value of the expected benefits (savings) that such programs are expected to accrue to loyalty members in the foreseeable future? Further, research should assess whether it is reasonable for organizations in different industries to value their personal data using similar methodologies. Should an information intermediary whose core business is the collection and selling of personal data value its database contents in the same way as a company that purchases the data expecting to improve or provide additional goods or services to customers? Should the personal data held by healthcare providers be valued using the same methodology used by retailers?
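The discounted-value question can be made concrete with a simple present-value sketch. The benefit stream and the 8 percent discount rate below are hypothetical figures chosen purely for illustration:

```python
def discounted_value(expected_benefits, discount_rate):
    """Present value of a stream of expected annual benefits,
    assumed to be received at the end of each year."""
    return sum(benefit / (1.0 + discount_rate) ** year
               for year, benefit in enumerate(expected_benefits, start=1))

# Hypothetical incremental margins attributed to loyalty-card data
# over five years, discounted at 8 percent.
benefits = [120_000, 130_000, 125_000, 110_000, 90_000]
print(round(discounted_value(benefits, 0.08)))
```

The hard research problem, of course, is not the discounting arithmetic but estimating the benefit stream itself and defending those estimates for financial reporting purposes.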
Finally, when modeling is appropriate, design science research may be well positioned to help researchers accomplish these goals. Today, much personal data collection takes place in the hope that the data will generate revenues at some point in the future. Models with specifications that enable organizations to better predict the future income-generating capacity of collected data not only can make data valuation more accurate, but also can help organizations avoid the risks related to collecting unnecessary data. Certainly, this is a promising area for future research in accounting.
The proper valuation of personal data should also address the production system used to transform collected personal data into information products capable of generating income. Research in this area should investigate how efficiently and effectively extract-transform-load (ETL) tools are utilized, and should document best practices for documenting the ETL process as it relates to personal data.
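To ground this discussion, a minimal ETL pipeline over personal data might look as follows. The field names, the pseudonymization step, and the JSON load target are all hypothetical choices for illustration; the point is that each transformation applied to personal data is an explicit, documentable step:

```python
import csv
import hashlib
import io
import json

def pseudonym(email: str) -> str:
    # Deterministic pseudonymization of a direct identifier
    # (illustrative; not a complete anonymization scheme).
    return hashlib.sha256(email.encode()).hexdigest()[:8]

def extract(raw_csv: str):
    # Extract: parse the raw source into records.
    return list(csv.DictReader(io.StringIO(raw_csv)))

def transform(rows):
    # Transform: keep only the fields needed downstream and replace
    # the identifier with a pseudonym; in practice each such step
    # belongs in the ETL provenance documentation.
    return [{"customer": pseudonym(r["email"]), "spend": float(r["spend"])}
            for r in rows]

def load(rows) -> str:
    # Load: serialize for the downstream information product.
    return json.dumps(rows)

raw = "email,spend\nana@example.com,19.90\nbo@example.com,5.25\n"
print(load(transform(extract(raw))))
```

Documenting which fields survive each stage, and why, is precisely the kind of best practice the research proposed above would formalize.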
RO3: Financial Reporting
Data valuation abounds with opportunities for research related to the inclusion of data valuations in external financial reports. Given the lack of archival data to facilitate these studies, we expect initial endeavors in this area to be experimental in nature. In time, however, the traditional archival methodologies used in accounting, finance, and economics will be suitable for evaluating the informativeness of personal data ex post. For example, research opportunities are plentiful for researchers willing to model how data contribute to revenue generation, how data affect market value, how data should be depreciated or amortized, which data should be recognized, and which data should be disclosed. Details on these issues follow.
The information content of financial statements has been studied extensively over the years. In this literature, much criticism has been directed at the diminishing informativeness of financial reports vis-à-vis the wealth of information surrounding organizations (Lev 2003). Fundamental questions to answer in this area are: Does the recognition/disclosure of personal data in financial statements improve the informativeness of financial reports? Do personal data have predictive value for future earnings and cash flows? Is the information content of data superior to that of other elements of the financial statements?
Fundamental analysis is aimed at determining the value of corporate securities by a careful examination of key value drivers, such as earnings, risk, growth, and competitive position (Lev and Thiagarajan 1993). In the context of such analysis, the question becomes whether the presence of data valuations in financial statements is a useful additional factor to assess firm value (Ou and Penman 1989). Answering this type of question requires researchers to estimate the incremental value relevance of these new variables over earnings.
Discretionary versus Mandatory Disclosures
The main question in this area is the extent to which data valuation disclosures should be discretionary and/or mandatory. The central premise of discretionary disclosure is that entities contemplating disclosure will provide information that is favorable to them and withhold information that is unfavorable (Dye 2001). To the extent that entities are permitted to voluntarily disclose some aspects of their data valuations, users must anticipate this behavior and interpret less-than-full disclosure or outright silence accordingly.
Recognition versus Disclosure
Research in this area has long sought to understand in what ways and under what circumstances the distinction between recognition and disclosure matters. Numerous studies have reported evidence consistent with different market effects for recognition and disclosure (Barth, Clinch, and Shibano 2003), but what those market effects would be in the presence of data valuations is unknown. Recent studies (Yu 2013; Müller, Riedl, and Sellhorn 2015) find that the value relevance of disclosure and recognition depends on user sophistication and information processing costs. Given the complexities and number of assumptions that we anticipate will be necessary in valuing data, we expect not only that recognition and disclosure both will be part of the data valuation process, but also that additional factors will affect their informativeness. In this context, researchers may want to develop empirical and experimental research that seeks to identify the optimal mix and aggregation level of recognized and disclosed information. Researchers also may want to design experimental studies investigating the likely effects, if any, of different types of recognition and formats of disclosure on capital markets. Finally, researchers could investigate whether user understanding of disclosed information differs across types of users and across firms in different industries, and what potential adverse effects (with respect to competitors, capital markets, and legislation) recognizing or disclosing data valuations may have.
RO4: Bright ICT Initiative
In 2014, the Association for Information Systems' (AIS) council agreed to adopt the Bright ICT initiative as a way to contribute systematically to the prevention of undesirable activities on the Internet (Lee 2015). An important aspect of this initiative has been the development of a set of principles that constitute the foundation of a framework for a safer Internet while protecting privacy at a reasonable level. In this context, the IS community is called upon to identify problems and devise solutions for a brighter and safer society. IS researchers can, at least in part, respond to this call by devising research on the linkage between data valuation and privacy, as anticipated in this commentary. For example, researchers initially could use experiments to explore whether valuation is likely to improve organizations' effectiveness at protecting privacy. Studies could also employ surveys to inquire about discretionary compliance with and use of GAPP. Eventually, researchers could develop studies in which archival data are collected to validate whether data valuation has the benefits anticipated in this commentary.
RO5: XBRL Reporting
Similar to prior studies in which XBRL taxonomies have been assessed for their ability to accommodate financial reporting practices (Bovee, Ettredge, Srivastava, and Vasarhelyi 2002; Bonsón, Cortijo, and Escobar 2009), research questions in this area are tied to the development and evaluation of amendments to the current XBRL specification and its ability to accommodate personal data financial figures. Research in this area should also seek to understand how companies map each personal data value to an element in the amended standard taxonomy. For cases in which companies fail to find an appropriate tag, archival research should uncover the circumstances that push organizations to create new taxonomy elements.
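The kind of tagging at issue can be sketched as follows. The `pd` namespace and the `PersonalDataAsset` element are hypothetical extension-taxonomy names used for illustration only; they are not part of any published XBRL taxonomy:

```python
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"
PD = "http://example.com/xbrl/personal-data"  # hypothetical extension namespace
ET.register_namespace("xbrli", XBRLI)
ET.register_namespace("pd", PD)

# Build a minimal instance-document fragment reporting a single
# (hypothetical) personal-data valuation fact.
root = ET.Element(f"{{{XBRLI}}}xbrl")
fact = ET.SubElement(root, f"{{{PD}}}PersonalDataAsset",
                     {"contextRef": "FY2015", "unitRef": "USD", "decimals": "0"})
fact.text = "2500000"

instance = ET.tostring(root, encoding="unicode")
print(instance)
```

The mapping question raised above is whether a fact like this can be tied to an element of an amended standard taxonomy, or whether preparers would be forced to create extension elements of their own.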
RO6: Internal Controls and Assurance
In the context of data valuation, legal and regulatory compliance with new standards and regulations is likely to increase pressure on management to provide reasonable assurance about the reliability of data representations in financial statements. Accordingly, opportunities for research in this area using surveys or questionnaires are numerous. For example, inquiries can be made into the additional steps management takes to provide such assurance. Researchers can also inquire about the types of internal controls perceived to be best for ensuring the quality of these data. It is also important to explore whether controls intended to ensure the quality of personal data differ from controls already implemented to ensure the quality of data related to other assets, and whether these controls change over the data life cycle.
The valuation of data is likely to involve considerable judgment, creating research possibilities for internal and external auditing. In relation to financial reporting, we would expect auditing to be valued for its ability to provide an independent opinion not only on data valuations, but also on the suitability of the design and the operating effectiveness of the internal controls used by management in relation to personal data valuations. Archival research is well suited to investigating whether these predictions materialize.
In addition, it remains an open question whether data valuation requirements will necessitate the development of new auditing standards, or whether current auditing standards are sufficient to build and support auditors' opinions. Understanding how the profession should move forward will require developing hypothetical scenarios and anticipating how they can be addressed.
The recognition that information is an organizational resource (Black and Marchand 1982) that plays a vital role in the performance of organizations (KPMG/IMPACT 1994) is not new. In the past, authors have argued that information cannot be quantified because its value depends on context and use (Eaton and Bawden 1991). Other authors have argued that the usefulness of defining information as an asset in accounting terms is limited to those companies that sell information, and that its classification as an intangible asset excludes all internally generated information (Oppenheim et al. 2003a). Standard setters also have struggled with the valuation of intangible assets (FASB 2004).
In this article, we acknowledge that we share the concerns raised by previous efforts to value data. However, we also understand that these efforts cannot be abandoned in an age in which the amount of data collected, used, and analyzed about individuals is increasing at an exponential rate, with a correspondingly greater impact on daily lives, and in which data can now define life and death for many organizations. We identify several factors that make the valuation of data and its disclosure difficult to accomplish. Among them are the variety of sources from which data originate, the difficulty of anticipating their option value, the uncertainty of their anticipated future value realization, and the lack of an open information-based market exchange. We also elaborate on the advantages that we think organizations, individuals, and markets will be able to extract from the greater transparency resulting from published valuation efforts. These include not only greater efficiency in capital markets, with a corresponding reduction in the cost of capital, but also a reduction in the currently externalized costs attached to inadequate data protection mechanisms and data misuse. In addition, we expect that the valuation of data will increase oversight by the board of directors and management, which, in turn, will increase market trust. Greater trust will enable new and innovative uses of data while providing assurance that adequate steps have been taken to protect them.
The road to data valuation and disclosure is likely to be long. This is an endeavor that can succeed only if academics, legislators, standard setters, and organizations undertake it together. Therefore, in this article, we also present several avenues for research.
Metadata—often referred to as data about data—can be defined formally as “structured data about an object that supports functions associated with the designated object” (Greenberg 2003, 1876). For example, invoice number, product code, and credit card number are metadata that capture the purchase activity object for a consumer good.
Note that on July 28, 2015, the U.K. Supreme Court ruled that Google is entitled to appeal the question of whether the Court of Appeal was right to hold that the claimants' claims for misuse of private information are claims made in tort for the purposes of the rules relating to service out of the jurisdiction. The issue under consideration is whether the claimants can be awarded damages for "distress" despite lacking a pecuniary loss (Baker 2015).
Although this ruling was overturned by the Administrative Appeals Tribunal of Australia on December 18, 2015, the broad expectation is that the commissioner will appeal this decision to the federal court.
The Amendment Act is available at: https://www.comlaw.gov.au/Details/C2015A00039/; in particular, it inserts a new Part 5-1A—Data Retention.
We interpret the valuation of data as a purposeful action taken by organizations to ensure that they are seen, and treated, as an asset (Silburn and Ezingeard 2008).
To be recognized as an element of the financial statements, an item also must have a relevant attribute that can be monetarily quantified with sufficient reliability (FASB 1984).
Other examples include data that originate from telematics sensors in vehicles (Allstate Corporation 2015), such as the start and end location of a vehicle's trip, the time of day in which the trip is made, the average and maximum speed during that trip, and the driver's braking habits; data captured by Internet cookies, such as hardware and operating system, shopping preferences, and means and methods used to pay online; data obtained from the use of loyalty cards, such as the name, address, phone number, and buying habits of customers; and data captured using CCTVs in public places, such as drivers' (and passengers') faces, as well as vehicles' license plates.
We are thankful for the valuable comments and suggestions from Roger S. Debreceny (senior editor). We also appreciate the help and advice received from two anonymous reviewers on an earlier version of the manuscript.
Editor's note: Accepted by Roger S. Debreceny.