As more and more policymakers and elected officials in the U.S. and around the world try to flex their regulatory muscles on cybersecurity and privacy, calls for a citizen data dividend or punitive data tax are getting louder, while the practical ways of achieving this grow more tenuous. The problem with the mechanics of this approach, however, much like the general lack of technology literacy on display by many lawmakers, is that the item they want to tax, data, the world’s first limitless asset, currently has no generally accepted valuation methods from an accounting point of view. How then do you tax or track, let alone pay dividends on, such an amorphous object as data and personal information?
Punitive approaches, such as the imposition of privacy fines under Europe’s General Data Protection Regulation (GDPR), are much easier to implement and have no linear correlation to the value of data nor to the economic harm caused to an affected party. The models being spoken of today, from that of presidential hopeful Senator Amy Klobuchar (D-Minn.), who has called for a data tax on technology companies or errant operators who breach fragmented U.S. privacy standards, to the approach being floated by California’s Governor, Gavin Newsom, on a citizen’s data dividend, all labor under the weight of no universally accepted approach to valuing data. Where there is a lack of harmonization, a race to the bottom ensues as operators exploit growing information security and privacy arbitrage, much as companies seek tax havens and complex international structures to avoid financial friction. This would certainly produce serious unintended consequences from the moves to regulate and contain technology firms and the growing economic dependency on data in economic value creation.
As a result, these models and regulatory pathways sound right and might be politically expedient, as they are born of the fallacious comparison that data is the new oil. Data therefore cannot be regulated, fined and rewarded in the form of taxation or dividends in the same way as its carbon-hungry physical “twin.” Data is about as likely a digital twin of oil as a toaster is a mechanical twin of a quantum computer. Simply put, never the twain shall meet, and these comparisons smack of a lack of understanding not only of how data works and is monetized, but of how it interplays in a system as complex as the global economy. Indeed, the lack of harmonization on these issues is not only amplifying trans-Atlantic rifts on trade and integration, it is also present in the federated U.S. system as certain states such as New York advance cybersecurity and privacy rules, while others (and certainly the Federal Government) play catch-up. Meanwhile, the cost and complexity of compliance grows, while consumers and small businesses bear the brunt and taxpayers serve as a financial backstop when systemic relationships fail. Add to this fragmentation the fact that some industries, such as banking and healthcare, have higher compliance and cybersecurity maturity expectations, while all industries fall prey to this risk and to their exposure to lax third-party relationships that shift the risk on paper, but not in reality.
Unquestionably, the U.S., like the rest of the world, needs to have a serious public policy conversation about data, technology, consumer privacy and the growing specter of systemic cyber threats. However, the kneejerk reaction to merely tax data and consumer privacy failures as if there were a linear relationship is not only flawed, it will further skew the already twisted set of incentives that reign in this domain. Contrary to widely held beliefs, this approach will also add to the regulatory and operating complexity of the real engines of economic growth, small to medium-sized enterprises (SMEs), which not only power the economy but are now expected to operate with the same cyber hygiene (and potential data penalty profile) as the largest, most well-endowed companies in the market. Rather, public policy leaders should work to shore up unhedged cyber risk and eroding privacy standards through the creation of risk-sharing mechanisms akin to how bank depositor guaranty structures, such as the FDIC, shored up confidence in banking from fears of bank runs.
What the data dividend and taxation conversation gets right is the fact that for far too long asymmetrical and centralized systems, such as consumer credit agencies like Equifax, have monetized people’s private information, while socializing losses when breaches occur. In Equifax’s case, the release of more than 150 million personally identifiable records, nearly the size of the U.S. workforce, was akin to a data oil spill; however, oil can be physically gathered and contained, whereas this data release cannot. The linear financial model at play in these types of data breaches reveals the limitations of basic math, whether to apply a penalty or a dividend. Incidentally, this is the same calculus that holds true in the burgeoning cyber insurance market (notwithstanding some recent strains in trust), where each data record or person is assigned a remediation cost, including consumer notification and legal fees, among others. Typically, this adds up to between $75 and $150 per exposed record, but the affected consumer is no better off, turning to the costlier alternative of lawsuits and class-action activities. Would a payment of $75 per affected party in the Equifax breach make the person better off in the long term? Probably not, especially since the world’s dominant identity system rides on unchanging alphanumeric rails and the identity theft exposure in these cases will last a lifetime.
For data taxation and dividends to be functionally paid and correlated to the value derived in business systems from personal information, the relationship would have to be lifelong and mirror the risk exposure, which is how actual dividends for stocks (as an example) are issued in publicly traded companies. The concept of a risk-reward adjusted marketplace hinges on universally accepted valuation methods, which data and “idiosyncratic” information inside companies do not currently enjoy. Indeed, this lack of quantifiable data valuation is not only a problem for public policy and systemic risk management as this intangible area goes unchecked, but also a problem for the massive buildup of currently unhedged financial risk. In this vein, data performs much like capital liquidity in the banking system under stress scenarios. You only know how much it is worth and how little you have in store (and where correlations lie) when there is a line of customers asking for their deposits back. Herein the lessons of the 2008 financial crisis should come back to haunt us, as systemic risk has found a new host in massive technology companies and in systemically important firms and sectors, such as payroll processing or consumer credit bureaus, hiding in plain sight.
For public policy leaders to form sensible strategies about how to regulate and contain unchecked cyber and privacy risks, they must first begin to understand what sandbox they are playing in. If the CEOs and boards of the world’s largest companies are struggling to contain the genies they let out of the bottle, how can we expect a coterie of backward-looking and digitally uninformed policymakers armed with limited, linear and analog public policy tools to catch an issue that evolves according to Moore’s law? Add in the effects of a public that is largely inured to cyber risks, uncaring about its personal cyber hygiene and largely indifferent and apathetic about social engineering at scale, and it is unclear whether the appetite and the wherewithal are in place to move the needle on these critically important public policy issues. Until then, time would be better spent studying the issue and building harmonized national and international consensus, rather than reaching for the carrots and sticks of taxation and dividends.