While high-profile security breaches and the legal and reputational risks that come with them have made protecting personal data a critical area for companies, they may not be doing as well as they think in that department.

According to a study by Accenture and The Ponemon Institute, there's a huge difference between organizations' intentions regarding data privacy and how they actually ensure compliance with it.

While 73 percent of the 5,500 business leaders surveyed believe their organization has adequate policies in place to protect sensitive, personal information, 58 percent have had at least one breach within the past two years, and nearly 60 percent acknowledge data loss as a recurring problem.

"There's a gap between intention and outcome," says Bill Phelps, executive director of Accenture's North American security practice.

It's one companies need to address, says Phelps. "This is an important topic for consumers, and it isn't a theoretical or purely compliance-oriented issue," he says. "The ability of organizations to protect personally identifiable information is directly relevant to customers on an emotional and practical level."

In addition to the potential harm to companies' reputation and customer relationships, a security breach can be costly. The report cites data from The Ponemon Institute which shows the average cost of a security breach to an organization was $6.6 million in 2009, up from $6.3 million in 2007 and $4.7 million in 2006. And that doesn't take into account the cost of possible fines and lawsuits, or the hit to the stock price for public companies.

While 70 percent of organizations agree they have an obligation to take reasonable steps to secure consumers' personal information, the survey shows discrepancies in their commitments to doing so. For instance, 45 percent of respondents were unsure about or actively disagreed with granting customers the right to control the type of information collected about them, while 47 percent were unsure about or disagreed with customers having a right to control how the information is used.

The report recommends three steps to improve data privacy and protection approaches. First, replace data protection and compliance frameworks that focus narrowly on regulatory compliance with a more holistic approach that takes into account all of the ways data is generated and collected.

Second, create a set of global data privacy and protection standards that delineate which data must be protected, set rules for legitimate access to and use of sensitive data, and define how to protect such information.

Third, create a "culture of caring" with regard to data privacy and protection through specific steps: Assign explicit oversight, ownership of and accountability for data privacy and protection across the organization; develop a formal governance program that enables the organization to identify, track, and control where data is generated and how it flows across all areas; evaluate data privacy and protection technologies to confirm they provide the necessary level of protection; build awareness of the importance of data privacy and protection among the workforce and provide employees guidance on handling sensitive data; reexamine data privacy and protection investments to ensure they cover people, process, and technology; ensure business partners have appropriate data privacy and protection safeguards in place, and have formal incident response policies, procedures, and teams.

Compliance Week will provide readers with complete coverage and commentary on the findings in an upcoming edition.