The Road to Data Breach is Paved with Good Intentions
April 19, 2010

We recently completed some new research with Accenture in which we were surprised to find that, in spite of all the attention being paid to data protection, and in spite of new and updated data protection regulations, complacency is beginning to settle in among many companies. Yes, I said complacency.
Oh, don’t get me wrong: most organizations have good intentions with regard to data protection, but we all know where the road paved with good intentions leads.
Here are two key findings we learned through the new study:
· Although 70 percent of both organizations and individual respondents agreed that organizations should secure individuals’ personal information, disclose how they use it and deal with the ramifications of losing it, nearly half were ambivalent about granting individuals control over their personal information, did not place a high priority on several critical aspects of consumer privacy and did not believe typical privacy practices were important.
· While 58 percent of organizations experienced at least one security breach in the past two years, 31 percent did not. The group that had no breaches displayed some substantial differences in attitudes and policies regarding data privacy and protection. In particular, they demonstrated the belief that individuals have substantial rights to manage, correct and control their personal information and to understand how such information is being used. They also were more likely to feel a stronger obligation to uphold data privacy and protection, and to have policies that make the protection of sensitive data a high priority. Furthermore, organizations with no breaches tend to take a stricter view of appropriate uses of personal information—for instance, being far less likely to believe it is appropriate to sell personal data for profit.
This suggests a strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach.
Data privacy and information security programs become more effective when an organization establishes an environment that encourages employees to see data as an extension of the customer, not merely as something the company owns, and thereby fosters a “culture of caring.”
To download a copy of the report, please visit the Accenture website.
Posted by Dr. Larry Ponemon at 12:25 pm

Comments (3 comments)
May 4, 2010 2:01pm Don Turnblade
Dollars and cents can illustrate the good sense that caring for the customer cares for one's own business. If 31% of companies had no breach in the last two years, the average rate of breaches per two years is 2.2, or 1.1 per year. If the average cost of a breach is 6.75 million USD in cleanup, legal fees and customer churn, then average lack of security costs 7.5 million / yr. Using Gartner's rule of thumb that IT should cost 8% of revenue and information security 5% of that, only organizations with 1.8 billion / yr of annual revenue can absorb these average breach costs. In short, adopting effective information security practices will shrink liability insurance costs as well as build up a good name in the eyes of one's paying customers. By my numbers there are good reasons that privacy laws are popping up like popcorn. Business is creating an externality cost to its customers by not securing their data.
June 18, 2010 6:04pm Don Turnblade
The breach-free rate of 31% over two years has to change. To get data breach costs back to the level they need to be, we need breach-free odds per year more on the order of 92.6% per year. To do that, we need more than adopting the practices of low-breach companies; we need near mistake-proof processes for sensitive information. Even a company with 21 staffers would need a mistake rate per person below 0.4%. For large companies it would need to be even smaller.

We need to move toward adopting the idea of what will keep a customer's respect. Quality service / products + protecting the customer's best interest = customer loyalty.