Training Is the Strongest Link
December 10, 2009
Today we held a RIM College event featuring three noted experts in corporate privacy training programs, namely Dean Forbes (Merck), Bob Posch (Merck) and John Block (Media Pro).

Mike Spinney's Blog

Consumer Influences on Most Trusted for Privacy

March 4, 2010

FoxBusiness.com called the other day asking if we might be interested in talking about our annual Most Trusted Companies for Privacy study. Always eager to promote our research (the Institute, after all, produces the most interesting privacy and information security research in the land), I said yes. It’s a busy time for us – Larry was knee-deep in RSA, and I was scheduled to give a talk on privacy in online social networking – but we made arrangements for me to make a brief stop in Hartford, Connecticut where I would do a remote live shot.
 
The producer passed along a brief overview of the topics that hosts Chris Cotter and Tracy Byrnes wanted to discuss, so I arrived early and got myself ready in the green room, anticipating what questions might be asked and practicing pithy responses (as well as keeping my hands from their usual wild gesticulations). Once I was wired for the interview, a producer in New York told me I was up next and the fun began.
 
As a privacy professional who is immersed most days in issues related to information security and data breach, I had given a lot of thought to how our findings might relate to the public’s concerns about becoming the victims of credit fraud and identity theft, but it became clear early on that Cotter and Byrnes, besides being professional journalists asking good business questions, were regular folks who had a more common interest in the subject.
 
Byrnes, for example, commented on the “kooky” idea of Google providing satellite imagery of her home and the abundance of information entered into that popular search engine each day. Then came the question I hadn’t considered: how did Weight Watchers end up on our list of twenty most trusted brands?
 
It was at that moment that it struck me that our annual Most Trusted Companies for Privacy survey is as much about American consumer culture as it is about brand trust. We are a people obsessed by weight, and in spite of study after study showing Americans to be growing heavier and heavier, we are nevertheless in search of ways to shed those pounds, to the point where a brand like Weight Watchers can achieve broad enough saturation to not only eclipse our threshold for consideration, but make the top twenty. I quip that this may say something about the growing corpulence of the American population, but there’s truth to that notion.
 
Each year since our benchmark 2005 study there have been changes to the list that clearly reflect events or trends affecting consumers.
 
  • In 2006, even as major data breaches were becoming regular headline fodder, investment firm Charles Schwab made the list, possibly a reflection of their groundbreaking campaign of guaranteeing investor funds against any theft caused by the company’s negligence.
  • In 2007, at the height of the real estate bubble, Countrywide made the list, likely driven by that company’s aggressive position in the mortgage industry. Many consumers took advantage of Countrywide’s services to purchase homes and investment properties. There was reason for trust and optimism, but the company was beset by financial troubles later that year and in 2008 scandal rocked the company. Bank of America agreed to purchase the company in 2008, but it is unlikely that Countrywide would have made the list because…
  • In 2008, with the collapse of the markets, many financial services firms suffered on our Most Trusted list. Bank of America, which acquired troubled Countrywide, fell off and other firms dropped significantly. Meanwhile Facebook, which had become a mainstream brand, made its debut having shown itself to be responsive to consumer concerns over privacy missteps with its Beacon advertising platform. Conversely Google, which had made the list the two previous years, failed to make the top twenty in 2008 most likely because of questions related to a public debate over search data retention and Street View imagery.
  • In 2009 Google made its return, but Facebook dropped off, a seemingly obvious response to outcry over changes to the service’s privacy and security settings which drew harsh criticism from many consumer advocates, but which forced users to address the issue in order to participate. The timing for Facebook was poor in terms of this survey – which launched while the kerfuffle was at its peak – but as I said on Fox, that transparent approach to privacy and the company’s typical responsiveness to public comment will, I believe, serve it well in the long run.
 
Here’s a chart of the results of our Most Trusted Companies for Privacy survey over the last five years. What conclusions can you draw? Let us know.
 

Rank by publication year (see the notes below the table):

Publication year        2010      2009      2008      2007      2006  Five Year Average
Field work completed  Dec 2009  Nov 2008  Dec 2007  Dec 2006  Oct 2005
American Express           1         1         1         1         2                1.2
IBM                        2         3         3         8         7                4.6
Johnson & Johnson          3         5         6        14        14                8.4
Hewlett Packard            4         6        16         4         5                7.0
E-Bay                      5         2         8         5         1                4.2
US Postal Service          6         6         7         7         6                6.4
Procter & Gamble           7         7         9         3         3                5.8
Amazon                     8         4         5         2         4                4.6
Nationwide                 8         9         9        NR        NR                8.7
USAA                       9        11        15        20        NR               13.8
WebMD                     10        13        12        NR        NR               11.7
Intuit                    11        12        19        NR        NR               14.0
Apple                     12         8        NR        NR        NR               10.0
Disney                    12        16        15        20        11               14.8
Google                    13        NR        10        10        NR               11.0
Verizon                   14        17        NR        NR        NR               15.5
Charles Schwab            15        10         2        12        NR                9.8
Facebook                  NR        15        NR        NR        NR               15.0
US Bank                   15        19        17        NR        14               16.3
Weight Watchers           16        NR        20        13        19               17.0
Yahoo                     17        14         4         6        NR               10.3
FedEx                     18        18        NR        NR        NR               18.0
Dell                      20        20        13         8        10               14.2
Walmart                   20        NR        NR        NR        NR               20.0
AT&T                      20        NR        NR        NR        NR               20.0
AOL                       NR        16         4         6        NR                8.7
ELoan                     NR        20        11        16        17               16.0
Countrywide               NR        NR        14        NR        NR               14.0
Bank of America           NR        NR        18        NR        12               15.0

*Please note that publication year is always one year later than field work year because of the timing of field research; the bullets above refer to field work years.
NR denotes not ranked in the top 20 in the given year.
The Five Year Average is the mean rank over only those years in which the company was ranked (NR years are excluded), so a company that appeared once carries that single rank as its average and the column rewards consistency less than it may appear to.

Posted by Mike Spinney at 8:35 pm

Use What Works to Create a Culture of Privacy

December 20, 2009

I was in an industrial facility recently and noticed large banners on the walls proclaiming “12 Years without a Safety Incident.” I also saw certificates honoring individual employees who had eclipsed certain thresholds without a time-lost safety event.

 
It struck me that this is the kind of simple program that privacy and compliance officers can use as a model to create a “culture of privacy” throughout the entire employee community and instill a basic awareness of each employee’s responsibility to protect sensitive information. Such programs would be relatively simple and inexpensive to implement because the model has already been used successfully for decades by safety officers to educate and reward employees for demonstrating effective safety practices in their jobs. A quick look around the organization reveals other programs that can be replicated by privacy and compliance officers. Human resources executives, for example, already offer training and awareness programs to prevent sexual harassment or various forms of discrimination.
 
What’s the difference between these initiatives and similar programs for privacy and information security?  Why are these things not being done for the purposes of preventing a data breach? In a word: Lawsuits.
 
If someone slips and falls and hurts their back on the job because of unsafe conditions, there’s a good chance a lawyer’s going to come looking for a paycheck.  If a female employee attracts unwelcome attention from a boorish executive, there’s a good chance a lawyer’s going to come looking for a paycheck. If someone feels they were denied a job, raise, or other benefit because of the color of their skin, lifestyle choice, religious practice, disability or what have you, there’s a good chance a lawyer’s going to come looking for a paycheck – and rightly so.  These are negligent or unethical business practices that need to be addressed.
 
But until recently, no lawyer had successfully extracted a paycheck from a company because of negligence leading to a data breach… but as my recent blog post points out, I think 2010 is the year that dynamic will change.

Posted by Mike Spinney at 12:03 pm

The Value of a Clear Moral Compass

July 31, 2009

Here’s a brazen bit of breachery from the Miami Herald.

It’s a neat little proposition: for a flat monthly fee, a data broker (of sorts) acquires medical records from a hospital employee and passes them through to a personal injury lawyer for a fee plus a percentage of his lawsuit earnings.

Apparently the scheme went on for two years before the hospital employee blabbed about it. Luckily for Miami-area residents, someone with a clearer moral compass recognized the crime and told authorities.

This isn’t all that different from the revelation that UCLA Medical Center employees were abusing their access privileges to snoop the files of celebrity patients, either for their own amusement or to pass info along to the tabloids.

While both stories are a reminder of the serious threat posed by malicious insiders, the Jackson Memorial case offers another lesson: don’t overlook the importance of personal ethics in your security strategy.

We have no information about the security and ID/access management technologies in place at Jackson Memorial, and we don’t know if the person who tipped the police was a co-worker. But we do know that someone who knew right from wrong had the moral courage to do the right thing when confronted with information related to misconduct.

Good, consistent training and an ongoing awareness campaign, along with a visible example set from the top down, can have a positive effect on your company’s overall security program (and at a very reasonable cost). We cannot emphasize enough the importance of creating a security-conscious culture within every organization.
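Both cases above turn on access that the system permitted but the job did not require: the employee had a valid login, and the abuse only surfaced when a person spoke up. The technical complement to the ethics lesson is to audit the access trail so that a reviewer sees the pattern before a tipster has to. The following Python is an added example for this post, not code from the post itself or from either hospital. The audit-log layout (timestamp, user, user's department, patient id, patient's treating department, high-profile flag), the sample lines, and the two review rules are assumptions made for illustration; a real EHR audit trail carries more fields and would be joined against a care-assignment table rather than a department string.

```python
"""Added example, not code from the original post or from any hospital system:
a first-pass review queue for patient-record snooping, built from a constructed
audit log. The log layout below (timestamp, user, user's department, patient id,
patient's treating department, high-profile flag) is an assumption for the
example; real EHR audit trails carry more fields and need an assignment table."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    user_dept: str
    patient: str
    patient_dept: str
    vip: bool  # patient flagged as high-profile (celebrity, employee, public figure)


# Constructed sample audit log; whitespace-separated, one access per line.
SAMPLE_LOG = """\
2009-07-01T08:05 nurse01 oncology   P100 oncology   0
2009-07-01T08:07 nurse01 oncology   P101 oncology   0
2009-07-01T09:15 clerk07 billing    P200 cardiology 1
2009-07-01T09:16 clerk07 billing    P201 cardiology 1
2009-07-01T09:17 clerk07 billing    P202 neurology  1
2009-07-01T09:18 clerk07 billing    P203 ortho      0
2009-07-01T11:00 dr_lee  cardiology P200 cardiology 1
2009-07-01T11:30 nurse01 oncology   P300 cardiology 1
"""


def parse_log(text: str) -> list[Access]:
    """Parse the constructed log; skips blank lines, rejects malformed ones."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, udept, patient, pdept, vip = fields
        records.append(Access(ts, user, udept, patient, pdept, vip == "1"))
    return records


def find_snooping(accesses: list[Access], vip_threshold: int = 2) -> dict[str, set[str]]:
    """Return {user: reasons} for users whose access pattern warrants review.

    out_of_dept_vip: viewed a high-profile patient treated by another department
    vip_volume:      viewed at least vip_threshold distinct high-profile patients

    Both rules only build a queue for a human reviewer; a billing clerk can have
    a legitimate reason to open records across departments, so a hit is a
    question to ask, not a verdict.
    """
    vip_patients_by_user: dict[str, set[str]] = defaultdict(set)
    findings: dict[str, set[str]] = defaultdict(set)
    for a in accesses:
        if not a.vip:
            continue
        vip_patients_by_user[a.user].add(a.patient)
        if a.user_dept != a.patient_dept:
            findings[a.user].add("out_of_dept_vip")
    for user, patients in vip_patients_by_user.items():
        if len(patients) >= vip_threshold:
            findings[user].add("vip_volume")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in sorted(find_snooping(parse_log(SAMPLE_LOG)).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")
```

On the constructed log, clerk07 is queued on both rules (three different high-profile patients, none in the clerk's own department) and nurse01 on the first rule alone (one high-profile cardiology patient); dr_lee, who opened a high-profile record in his own department, is not queued. The threshold is deliberately a parameter: the right value depends on how many flagged patients a role legitimately touches, which is exactly the kind of question the access-management review the post says it lacks information about would answer.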

Posted by Mike Spinney at 8:36 am

The Profession of Privacy

July 8, 2009

I just completed an article for an upcoming edition of the IAPP newsletter Privacy Advisor on some of the things that are influencing the profession of privacy.  I won't give away too much of it here, except to say that I got some great input from a number of prominent folks and think I managed to capture some valuable insight.  Bottom line: be strategic and resist marginalization.  As privacy professionals, we bring (or we should bring) much more than compliance to the table when data security and management are being discussed.

When I finished my draft, I realized I had collected a few nuggets that might be of value to folks just getting started or considering a career focused on privacy.  Here's a quick synopsis of areas that can help a privacy pro enhance their influence:

  • Physical Security – An emphasis on the security of digital assets often diminishes the role physical security plays in the overall data security picture; a stolen file cabinet or an unescorted visitor is a breach too.
  • Intellectual Property – Understanding how organizations manage and protect intellectual property can help you better manage and protect personally identifiable information. And shouldn’t you consider PII a form of IP anyway?
  • Technology Trends – Technical innovation is a moving target, but keeping on top of trends and understanding their impact on security can help a company avoid learning the hard way. Yesterday’s collaborative platform is today’s cloud computing is tomorrow’s unknown. Don’t let the pressure to innovate impair sound data management judgment.
  • Social Networking – Blogs, LinkedIn, Facebook, Twitter… these utilities and many others are not going away. Understand their benefits and risks and you’ll be better prepared to think strategically about how your company can safely utilize them in today’s business arena.
  • Interdepartmental Collaboration – Talk with your colleagues in human resources, marketing, legal, IT, facilities management, and other departments to learn their role in data privacy, security, and management, and offer yourself as a resource.
  • Identify Cost Benefits – Identify and quantify the ways your efforts are helping to save money and make those calculations part of your dialog with management.

Posted by Mike Spinney at 4:25 pm

It's Not Fish Ye're Buying, It's Men's Lives

June 30, 2009

It's not fish ye're buying, it's men's lives. 

Scottish author and poet Sir Walter Scott is said to have uttered those words in reference (and reverence) to the toil and sacrifice made by commercial fishermen in an age when harvesting the ocean’s bounty was an even greater risk than portrayed by the popular television show Deadliest Catch. 
The phrase came to mind recently while conducting interviews with a number of prominent privacy professionals for an article that will run in a future edition of the IAPP’s Privacy Advisor newsletter. Discussions centered on current economic, technological, and cultural influences on the roles privacy professionals play in their individual organizations. 
Just as Sir Walter Scott acknowledged that the mundane purchase of a fish at market involved so much more than an exchange of money, so must today’s corporations acknowledge and address their stewardship of personally identifiable information. 
Whether that information pertains to employees, customers, or prospects, it’s not data ye’re storing, it’s people’s lives.

Posted by Mike Spinney at 9:56 am

Why You Need a Social Media Policy: A Case Study

May 15, 2009

Many companies are struggling with how best to integrate social media into their day-to-day business activities.  Some have taken a Draconian position, forbidding employees from engaging in social networking and blocking access to sites like Facebook, MySpace, and Twitter.  Some have fully embraced the concept and allow -- even encourage -- their employees to participate in the online social scene with all gusto.  Others have taken the time to consider both the benefits and risks and have established rules for online engagement.

The latter approach seems to be the exception.  Upcoming Ponemon research will shed some light on that subject, but a recent situation at the New York Times illustrates what can happen when there is a disconnect between what an employer wants and what an employee believes.

According to a story in the New York Observer, a number of Times reporters attending an internal staff meeting related to nytimes.com business strategy decided to tweet some of what went on in the meeting -- information Metro editor Jodi Rudoren said should not be shared with outsiders. In an ironic twist, the Observer reports that the event took place the day before a Times training session entitled, "How Reporters & Editors Use Twitter."

With the previous day's tweeting in mind, Times executive editor Bill Keller opened the Twitter session by offering some pointed words, asking that Times employees use "common courtesy" before tweeting anything heard or overheard internally, saying that a "zone of trust" was needed if candor was to prevail.

Let's learn from the Times.  Leaving the security of sensitive information to the best judgment of employees, without first establishing clear boundaries and expectations, is a recipe for disaster.  Social media can be a tremendously useful tool for many businesses, but as we privacy professionals should well know, the risks must first be understood and addressed with sound policies, education, and enforcement if we are to help maintain informational integrity.

Posted by Mike Spinney at 9:38 am

Gambling with Laptop Security

April 27, 2009

In recent weeks the Ponemon Institute has issued two studies related to the risks inherent in poor laptop computer security. The first, conducted in partnership with Dell, looked into the business risk of poor laptop security. Media coverage of the report focused on a handful of findings related to laptop use and abuse, including the percentage of computers found to contain various types of inappropriate content and the share of laptops damaged by spills (34%), drops (28%), unprotected travel (25%), or frustrated users (13%).

The following week we released a study in partnership with Intel detailing the costs of losing a laptop computer. Coverage of that study focused on the bottom-line average cost of nearly $50,000 per incident. Of that figure, the lost hardware accounted for just over $1,500.

What was overlooked in all the coverage was the apparent failure of organizations, in spite of the overwhelming evidence, to grasp that the data stored on a laptop represents the greatest risk to the company. In the Dell study, 49% of respondents thought the laptop itself was of greater (34%) or equal (15%) value compared with the lost data. In other words, despite all the costs that come with a data breach (investigation and forensics, customer support and potential credit monitoring subscriptions, legal services, marketing and communications, customer and opportunity loss), half of all companies see their biggest risk as the price of a $1,500 replacement computer.

Clearly we are still at a point in the data security cycle where the emphasis has to be on basic education and awareness. While many organizations understand the risks and have progressive and effective data security programs underway, far too many simply don’t get it, or don’t want to get it. Perhaps they’ve incorrectly calculated that doing nothing will save them more over time than investing in training and preventative measures. That’s a poor gamble, one that puts the company and the financial well-being of individuals at stake.

Posted by Mike Spinney at 9:55 am