It is intuitively accepted that when securing or insuring a jewelry store, the security expenses and the premiums are related to the carat value of the jewels in the store. A costume-jewelry store may require no more than a lock and key, while a Harry Winston type store will require various alarms, plexiglass windows, double doors, and perhaps even an armed security guard.
The analogous data asset may be data you own (colloquially referred to as "Intellectual Property") or data you are entrusted with (e.g., PII, ePHI, DoD CUI, etc.). While a data breach incident is a direct loss in the case of the former, the repercussions of the latter come through enforcement actions: fines, penalties, forensics demands, hours lost, legal resources, etc.
The latter is especially onerous and aggravating to customers, as many times the data turns out to be something they did not need. If in the past keeping data was a good default practice (perhaps it offered future opportunities, or served archival purposes), it should no longer be a business default without considering the risks. Sometimes the irony of being penalized for holding data is bleak: as it was with AMCA (AMCA Healthcare Data Breach Could Set a New Precedent for Health IT Security – CPO Magazine), where a collection agency, instead of recovering some dues from people who did not pay their medical bills, had to pay fines and face multiple lawsuits.
This is the difference between the business view and the technology view. As technologists we focus on reducing the risk-to-the-data. We build barriers, detectors, locks, checkpoints, etc. We try to identify holes, which we call vulnerabilities (or exploits).
Customers rarely care. But when a vulnerability is exploited, they care. They care because of the risk-in-the-data.