The Ponemon-Sullivan Privacy Report includes original columns and a roundup of worldwide privacy news. It’s the best way to keep up with Ponemon Institute Research and Bob Sullivan’s opinions. Keep informed, sign up here.
We are pleased to present The State of Privacy and Data Security Compliance study conducted by Ponemon Institute and sponsored by Sophos. The purpose of the study is to determine if various international, federal and state data security laws improve an organization’s security posture. What is the value of compliance and does it correlate with the value of the compliance effort?
With the plethora of new privacy and data security regulations, we believe it is time to ask whether regulations help or hinder an organization’s ability not only to protect sensitive and confidential information assets, but to be competitive in the global marketplace. Further, how difficult is it to be in compliance, who is the typical person or functional leader accountable for compliance? What is the value to the organization? Finally, what differences (if any) exist in security practices between compliant and non-compliant organizations?
We surveyed 528 IT and security practitioners (referred to as respondents) who are involved in their organization’s data security efforts, which can include responsibility for the technologies that support compliance efforts and managing and/or auditing legal and regulatory requirements.
Sixty-seven percent of all respondents say they have at least an adequate knowledge about the many U.S. states, federal and international privacy and data security laws that their organizations are required to comply with today. More than 52 percent of respondents are at or above the manager levels with an average of almost 10 years experience in the IT or security fields.
Our sample of respondents was bifurcated into two groups – namely, 52 percent who reported their organizations have achieved substantial compliance with privacy and data security laws and 48 percent who admit their organizations have not achieved substantial compliance with all applicable laws.
Respondents in both the compliant and non-compliant groups represent various vertical industries, including financial services, retail, technology, healthcare and many others. Based on the results of our study, compliance with privacy and data security regulations appears to have a very favorable impact on an organization’s security posture.
Specifically, the probability of a data breach occurrence that required notification to breach victims decreased by almost one-half as a result of better compliance efforts. Furthermore, organizations achieving a higher level of compliance reap a financial gain as measured by the reduction in cost associated with data breach. Respondents in the compliant group believe the top two technologies that give them an advantage in managing risks are data loss protection and encryption of laptops and desktops.
Compliance also makes a difference in the attitudes and beliefs of respondents about their organization’s security compliance efforts.Accordingly, respondents in the compliance group believe they are more likely to achieve the following benefits:
Improves their organization’s relationship with key business partners.
Today we held a RIM College event featuring three noted experts in corporate privacy training programs -- namely, Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro). Our focus is: what are leading companies doing to achieve awareness and knowledge about privacy and data protection requirements?