Earlier today, Accenture announced the results of a survey of 5,500 business leaders and 15,500 adult consumers in 19 countries. The results indicate that what companies say they do to protect sensitive data differs from what they actually do. Consider these survey results:
- 73% of business respondents say they have adequate data security policies to protect sensitive personal data, yet 58% have had at least one data breach during the past two years in which sensitive data was lost or stolen
- 70% agreed that organizations have an obligation to protect sensitive personal data, but 45% were unsure about or disagreed with giving customers control over what customer data is collected, and
- 47% were unsure about or disagreed with giving customers control over how the customers' sensitive data is used
- Sensitive customer information includes items such as, but not limited to, name, address, date of birth, race, National ID/Social Security number, and medical history
Are these business executives serious? I want to talk with the executives at the 30% of organizations that did not agree they have an obligation to protect sensitive customer information. What twisted logic supports that conclusion?
I also want to talk with the 45% of executives who are unsure about or disagree with giving customers control over what customer data is collected. What twisted logic supports that conclusion?
I also noticed that the survey's wording asked about data security policies, not about processes and systems. There is a difference. A paper-only corporate policy is not the same as an implemented system backed by employee training. A toothless policy is not real data security; it asks to be judged on intentions rather than on actual behavior.
More survey results I found disturbing:
- 47% did not believe it was important or very important to limit the collection of sensitive personal customer information
- 46% did not believe it was important or very important to limit the sharing of sensitive personal customer information
- 47% did not believe it was important or very important to protect consumer privacy rights
- 47% did not believe it was important or very important to prevent cross-border transfers of personal information to countries with inadequate privacy laws
- 48% did not believe it was important or very important to prevent cyber crimes against consumers
Geez. These results describe executives who don't care about data security. The finding about cross-border transfers of personal information is particularly troubling when you consider the risks of offshore outsourcing, including the offshore outsourcing activities of the major credit reporting agencies. You can download the complete Accenture survey report (2.4 MB, PDF format).
The survey also found differences in attitudes and behavior between organizations that had data breaches during the past two years and those that didn't. Organizations that had not experienced a breach had a better understanding of where sensitive customer information was stored within the organization, and were more likely to feel obligated to control who had access to sensitive personal data.
When I read survey results like this, it tells me that executives need to be forced (e.g., by regulation) to protect customers' sensitive personal data, because they won't do it on their own. It doesn't matter whether the cause is poor ethics or a rush to make money.