How privacy costs impact infrastructure

By Larry Ponemon, Contributing Writer
15 Mar 2004 | SearchSecurity.com

Privacy protection is growing in importance because of new regulations and fear of costly fines and lawsuits. But companies with IT safeguards over individual data can still have poor privacy policies and business practices that undermine that technology, according to a new survey.

Ponemon Institute recently completed an IBM-sponsored study that focused on the processes and costs required to ensure privacy protection for a company's partners, customers and employees. Executives responsible for privacy programs within 44 leading multinational corporations were surveyed; they spend, on average, about $5 million per year to manage privacy risk -- with annual corporate budgets ranging from $500,000 to more than $22 million.

Survey results show the following:

  1. Today, privacy-enabling technologies represent a very small part of the total budget for a company's privacy program (less than 10%). However, the study finds that many companies believe the implementation of new technologies will become the most important part of privacy management activities over the next two to three years.
  2. IT and data management professionals were most interested in privacy preference management tools or applications that track information flows with respect to secondary use, sharing and retention. Other enabling technologies of interest today include data management tools that lessen the insider problem, especially the illegal transfer or malicious abuse of sensitive personal data.
  3. Privacy programs appear to be least effective when they aren't closely integrated with information security, corporate compliance or human resources programs. In short, privacy requires more than sound IT management practices; it requires effective procedures, people, process and policy.
  4. Privacy programs that appear to be the most effective are baked into the business management process rather than being an offshoot of the IT or information security function. The least effective programs are those that exist as a "silo" function wherein key policies are separate from core business and IT decisions.
  5. The most effective privacy initiatives have specialized in-house programs that aim to teach IT professionals about specific privacy and data management requirements that impact the business. An important first line of defense is well-trained IT and security professionals who can identify a privacy breach at an early stage (or in advance of a blow-up).
  6. Heavily regulated industries, such as health care and financial services, aren't the biggest spenders when it comes to privacy programs. Technology companies appear to spend the most on privacy risk management to protect their branding with customers and consumers.

DR. LARRY PONEMON is chairman and founder of the Ponemon Institute, an organization focused on the development of privacy audits, privacy risk management and ethical information management. For more information about this study, contact the Ponemon Institute by e-mail.


