
Survey: What Executives Say About Data Security Versus What They Do

Earlier today, Accenture announced the results of a survey of 5,500 business leaders and 15,500 adult consumers in 19 countries. The results indicate that what companies say they do to protect sensitive data differs from what they actually do. Consider these survey results:

  • 73% of business respondents say they have adequate data security policies to protect sensitive personal data, yet 58% have had at least one data breach during the past two years in which sensitive data was lost or stolen
  • 70% agreed that organizations have an obligation to protect sensitive personal data, but 45% were unsure or disagreed that customers should be given control over what customer data is collected, and
  • 47% were unsure or disagreed that customers should be given control over how their sensitive data is used
  • Sensitive customer information includes items such as, but not limited to: name, address, date of birth, race, National ID/Social Security number, and medical history

Are these business executives serious? I want to talk with the executives at the 30% of organizations that believe they don't have an obligation to protect sensitive customer information. What twisted logic supports this conclusion?

I also want to talk with the 45% of executives who are unsure or disagree that customers should be given control over what customer data is collected. What twisted logic supports that conclusion?

I also noticed that the survey's wording asked about data security policies, not processes and systems. There is a difference. A paper-only corporate policy is not the same as an implemented system with employee training sessions. Having only a toothless policy is not real data security; it is asking to be judged on intentions rather than on actual behavior.

More survey results I found disturbing:

  • 47% did not believe it was important or very important to limit the collection of sensitive personal customer information
  • 46% did not believe it was important or very important to limit the sharing of sensitive personal customer information
  • 47% did not believe it was important or very important to protect consumer privacy rights
  • 47% did not believe it was important or very important to prevent cross-border transfers of personal information to countries with inadequate privacy laws
  • 48% did not believe it was important or very important to prevent cyber crimes against consumers

Geez. These results describe executives who don't care about data security. The finding about cross-border transfers of personal information is particularly troublesome when you consider the risks of offshore outsourcing and the offshore outsourcing activities of the major credit reporting agencies. You can download the complete Accenture survey report (2.4 MB, PDF format).

The survey also found differences in attitudes and behavior between organizations that had data breaches during the past two years and those that didn't. Organizations that did not experience breaches had a better understanding of where sensitive customer information was stored within the organization, and were more likely to feel obligated to control who had access to sensitive personal data.

When I read survey results like these, it tells me that executives need to be forced (e.g., by regulation) to protect customers' sensitive personal data, because they won't do it on their own. Whether the cause is poor ethics or a rush to make money doesn't matter.

Comments


Charles Jeter

Thanks for the tip. Reading it now.

This fits really well with some existing data we've been looking at from the consumer awareness side. Rockin' fast article.

Charles over at SOEC

Teri Johnson

Great article! You might also want to do an article on how many financial institutions feel they aren't responsible (nor do they care) what malware is on customers' computers.

We've talked to them for almost 2 years and nothing has changed, even though industry experts keep saying a lot of the theft is due to undetectable malware on a computer which hands over login credentials when doing online banking.

Financial institutions want people to believe, and continue to be fooled, that obfuscated passwords provide security. NOT TRUE! Any cheap keylogger can grab that information. They want to continue ignoring this problem because it would be the end of the savings the FIs get from online banking. Easier to do nothing and let people put their funds at risk than to be honest about what they can and cannot secure.

Keep up the research!

Teri Johnson

Something else to think about...

What is disturbing about your article, as it relates to the executives' thoughts about the importance of collecting private information, is that these same executives hold other companies' feet to the fire on collecting and securing information.

George

Teri:
Thanks for the comments. A consumer can easily evaluate how responsible a retailer or financial institution considers their site by reading the Terms & Conditions and Privacy policies at the firm's web site. In a prior blog post, I looked at the T&C's for Mint.com:

http://ivebeenmugged.typepad.com/my_weblog/2008/12/is-mint-dot-com-safe-and-secure.html

That seems to be a good example of what you are talking about.

George
Editor
http://ivebeenmugged.typepad.com
