Safest Places On the Web

Computerworld - The security breaches at ChoicePoint Inc. and LexisNexis Group have us all asking the same questions: Where is my data safe? And how do I know? These are the questions I recently set out to answer, and I found some surprising results.

First, the bad news. There still isn't one widely recognized seal of approval that says a company has top-notch privacy and security. The padlock symbol on your Web browser means the session is encrypted, and Web security seals such as ScanAlert Inc.'s "Hacker Safe" mark say the Web site is protected against all known vulnerabilities. But these methods don't address the broader, organizational security practices at issue in the ChoicePoint and LexisNexis incidents.

So how do we know where our data is safe? The best answer I found is this: We need to look for privacy policies that address the Safe Harbor privacy principles negotiated by the U.S. Department of Commerce and the European Union. Why? Because these principles represent best practices in privacy and security, and companies that publicly commit to them are at great legal risk if they don't adhere to them. A solid privacy policy is our best guarantee of data safety.

So which companies meet this criterion? I reviewed the privacy policies of the top 50 most-visited Web sites—as measured by Jupiter Research—and the Forbes 100 largest companies in the world. It's an admittedly small sample, so I also asked Truste and my privacy professional counterparts in other organizations for their recommendations.

What did we find? This is where the surprises sprang up. (See accompanying charts.)

The largest U.S. companies are better than their European counterparts about including the European privacy principles in their online privacy notices. The EU considers the U.S. an "inadequate" destination for personal data, but you couldn't tell it by reading corporate privacy policies. Among the Forbes 100, U.S. companies comply with an average of 3.9 of the seven EU Safe Harbor principles, compared with 2.3 for EU companies.

Another surprise was the mediocre scores of the privacy policies on the most-visited U.S. Web sites. Visitors to these popular sites apparently aren't deterred by their general lack of strong privacy commitments. The typical top-50 site posts a privacy notice that addresses only 4.4 of the EU Safe Harbor principles.

I wasn't surprised that the companies with the strongest privacy policies are concentrated in the financial and technology industries, where profits depend on consumer trust in data privacy. Seventeen of the top 20 sites hail from these sectors.

I also wasn't surprised that several companies outside the Forbes Global 100 made the final list. It's easier for a smaller company to consistently enforce a strong privacy policy than for a large corporation operating in several markets and jurisdictions to do so.