New Developments
In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.
Companies Put Personal Data at Risk
Organizations are repeatedly exposing their customers' and employees' personally identifiable information (PII), putting thousands of individuals at risk, according to a recent Deloitte & Touche LLP study conducted in partnership with the Ponemon Institute, a privacy and information management research firm. Now in its second year, the Enterprise@Risk: 2007 Privacy and Data Protection Survey (PDF, 1.37 MB) reports on the roles, activities, and time-allocation preferences of more than 800 privacy and security professionals in North America, as well as their organizational status and reporting relationships, to better understand the emerging privacy function.
Specifically, respondents described actual versus ideal time spent on the activities and requirements needed to manage and protect personal data effectively in their organizations. The study found that 85 percent of the privacy and security professionals surveyed acknowledged at least one reportable breach of PII during the previous 12 months, and 63 percent admitted to multiple reportable breaches in the same period. As a result, privacy and security professionals continue to spend most of their privacy-focused time on incident response and have relatively little time for more proactive activities, such as strategy, training, and root-cause analysis.
"Frankly, I'm shocked by the high percentage of PII data breaches we're seeing occur within organizations," says Rena Mears, Deloitte global and U.S. privacy and data protection leader. "It's clear that both privacy and security professionals are caught in a reactive cycle and they agree on the need to move to a more proactive stance."
Other key findings include:
- A little more than 7 percent of a professional's time is allocated to employee training, while 10 percent goes to establishing an incident response team, management reporting, and root-cause analysis.
- Resource allocation for notification activities was found to be a significant hidden cost of privacy and data protection in the organizations represented in the study; the share of incident-related time spent notifying stakeholders is the second highest among incident-related activities reported by respondents.
- While 61 percent indicated that their organization has processes in place to identify and assess the impact of new regulations, only 23 percent reported a change management process was in place to respond to developments that impact privacy.
- Because of the split between managing and protecting PII, and the distributed nature of the privacy function, reporting structures varied greatly for privacy and security professionals. An analysis of primary reporting structures indicates that 76 percent of privacy professionals report to the chief information officer, 38 percent report to the general counsel, and 21 percent report to the compliance manager.
- Despite significant technical advances, most organizations are still too dependent on point solutions. For example, 55 percent of organizations are implementing some type of encryption, with 37 percent currently encrypting data at rest and in motion.
"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," comments Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions; this mindset needs to change immediately if we are to stem the swelling tide of data breaches plaguing consumers and enterprises."
To download the full survey results, visit the Deloitte Web site.