Corporations are still failing to deliver on efforts to tighten up information security and consumer privacy, despite all the bad publicity and legal risks that they—and everyone else—are already painfully aware of, according to a new study on the problem.

The report, conducted by Accenture and the Ponemon Institute, surveyed 5,500 business leaders to see how well their intentions for data security match the actual protections they give to personal information such as addresses, birth dates, and Social Security numbers. Bottom line: There’s a big gap between the two, says Bill Phelps, executive director of Accenture’s North American security practice.

For example, 73 percent of respondents said their organization has adequate policies in place to protect such information—but 58 percent also reported having at least one security breach in the last two years, and 60 percent of that group said the breaches weren’t an isolated event.

“This is an important topic for consumers, and it isn’t a theoretical or purely compliance oriented issue,” Phelps says. “The ability of organizations to protect personally identifiable information is directly relevant to customers on an emotional and practical level.”

And while most organizations agree they have an obligation to take reasonable steps to secure consumers’ personal information, the survey shows discrepancies in their commitments to doing so. For example, 45 percent of respondents were unsure about or disagreed with granting customers the right to control the types of information collected about them, and 47 percent felt the same about customers having a right to control how the information is used.

Nearly half said limiting the collection and sharing of sensitive personal information was not an important priority, and roughly the same number said the same about limiting data collection to what is needed to fulfill legitimate business needs or to protect and secure individuals’ or customers’ personal information. Eighty-one percent said it’s acceptable to sell personal information for a profit at least sometimes.

“The results show companies generally don’t take data privacy as seriously as consumers,” Phelps says.

In addition to companies’ legal and regulatory obligations to protect personal data, Phelps says they have compelling business reasons to take privacy seriously, since their customers already do. “There’s a marketing and customer relationship benefit from demonstrating that you place great care around how you treat customer data,” he says.

More to the point, failure to protect consumer data can ruin customer relationships and cost a fortune in the process. The average cost of a security breach was $6.6 million in 2009, up from $6.3 million in 2007, according to the Ponemon Institute—and that doesn’t include possible fines and lawsuits, or possible hits to the stock price for public companies.

Tanya Forsheit, a partner with the Information Law Group, says most business leaders still don’t view customer data as a company asset. “It has to be as important to protect personal private data as it is to protect other company assets,” she says.

Most corporations do have written policies to that effect, Phelps says, but they’re often “aspirational … They haven’t been translated into appropriate controls and checks and balances.” He says companies “need to look at how well their intentions map to customers’ expectations and to actionable policy and supporting controls and capabilities.”

Staying One Step Ahead

The sheer volume of data companies generate has already made security and privacy a critical issue. Now, however, an explosion of new technologies—cloud computing and online social media in particular—has made it even harder for companies to track where personal private data is stored, increasing the risk of a breach. “Organizations that take advantage of new technologies relinquish a certain amount of control over their data, and there’s a higher probability of a breach when that data is being dispersed far and wide,” Forsheit says.

Even photocopiers can pose a risk. Affinity Health Plan learned that the hard way in April, when CBS News, as part of an investigation, purchased a digital copier once owned by the company from a wholesale warehouse. The copier’s memory contained individual medical records and non-medical documents such as driver’s licenses, Social Security cards, and W-2 forms—requiring Affinity to send a breach notice alerting more than 400,000 people that their personal or medical data may have been compromised.

The Accenture study shows that the most frequent causes of data loss (business or system failure and employee negligence or error) are internal, and therefore companies should be able to detect and correct them. Internal breaches don’t always pose the greatest risk, Phelps says, but organizations can do a better job of “reducing the opportunity for negligence to turn into a real problem.” For instance, while lost laptops are inevitable, steps like encryption can help make such losses inconsequential.

[Chart: Security breaches. A majority of organizations have experienced a security breach, and many have more than one. Panel A: Did your organization ever lose sensitive personal information? Panel B: If yes, how often has this occurred in the past 24 months? Source: Accenture and The Ponemon Institute.]

Likewise, John Nicholson, a lawyer with the law firm Pillsbury Winthrop Shaw Pittman, says companies need to focus on employee awareness.

“People generally want to do the right thing, but a lot of people don’t make the connection … between the use of information collected by the company and the privacy commitments they’ve made,” he says. “They don’t check before they use the information that it’s consistent with the policy.”

Another issue: Many organizations don’t clearly define where the oversight for data privacy and protection resides. Responsibility can be fragmented, with chief information, security, or privacy officers all having part of the job, depending on what data and protection requirements are in question. Chief privacy officers are gaining traction, Phelps says, but too often that role lacks teeth.

The CPO often doesn’t have “a big enough stick to push enforcement” and lacks the necessary influence, Phelps contends. The CPO should have the power to set and enforce policy; influence implementation of the budget to invest in training, tools, and controls; and influence IT and marketing functions.

To improve data privacy and protection approaches, the report recommends that companies ensure their data protection and compliance frameworks take a holistic approach that encompasses all the ways data is generated and collected, rather than a narrow focus on regulatory compliance. Companies must have a set of global data privacy and protection standards that delineate which data must be protected, set rules for legitimate access to and use of sensitive data, and define how to protect such information.

Above all, a “culture of caring” about data privacy and protection is critical, Phelps says. “Protecting private information has to be something built into corporate culture from the top down.”