Computerworld - There are some very positive trends in corporate privacy and data-protection practices, according to the Ponemon Institute's recently completed 2005 Benchmark Study of Corporate Privacy Practices. However, there are also gaps that could trip up the best-intentioned company when faced with a breach.
The study, which looks at 68 organizations based in North America, focuses on eight issues: privacy policy, communications and training, privacy management, data security methods, privacy compliance, choice and consent, global standards, and redress. It was sponsored by Vontu Inc. and conducted with support from the International Association of Privacy Professionals.
On a positive note, 56% of the respondents now attempt to integrate information security and privacy activities. This is a 10% increase from 2003. Admittedly, this integration is often defined as a loose rather than a formal program of integration and alignment.
More than 80% of responding companies stated that they have privacy or data-protection strategies, and 70% conduct an inventory of personal data that's collected, used, shared and stored to assess compliance risk areas.
More companies are using technologies such as encryption, firewalls and antivirus software to protect sensitive data. Between 2003 and 2005, there was a 19% increase in the use of encryption in the transfer of employee records. A smaller but growing number of companies appear to be using privacy technologies as part of their compliance programs.
While these practices help companies mitigate security breach risks, according to our study, only 31% of companies have instituted a formal notification procedure in the event of a privacy crisis. In addition, there has been no substantive improvement in the number of companies that have redress mechanisms for consumers who have complaints or questions about a company's commitment to protect their personal information. In our 2003 survey, 32% of companies reported having a redress process, and in 2005, it was 33%.
Trust is fragile
Our institute conducts several nationwide studies of consumers each year that seek to determine which companies are most trusted for privacy and data protection. In our Most Trusted Companies for Privacy Survey conducted in 2004 and 2005, we asked consumers to list the companies that they believed to be "most trusted" and "least trusted" for honoring privacy commitments.
We thought it would be interesting to look at the rankings of 14 organizations that reported a data-security breach during 2005. For purposes of confidentiality, the names of these companies haven't been disclosed. All of these companies were ranked on the "most trusted" list in both the 2004 and 2005 surveys. We wanted to
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
