Personally identifiable information of customers and employees is being exposed, frequently and repeatedly, potentially putting hundreds of thousands of individuals at risk and exposing organizations to increased liability, according to a new survey report by Deloitte & Touche LLP (Deloitte & Touche) and the Ponemon Institute LLC. In the survey, a shocking 85 percent of privacy and security professionals in North America acknowledge that a reportable data breach occurred within their organization in the last year.
More than 800 North American privacy and security professionals responded to the online survey by Deloitte & Touche and the Ponemon Institute LLC, which was conducted to better understand the emerging privacy function. The survey analyzes the roles, activities and time allocation preferences of these professionals, as well as their organizational status and relationships.
Among the survey's key findings:
Reportable privacy breaches are occurring often, and repeatedly, within organizations.
* 85 percent of privacy and security professionals surveyed had a reportable breach within the past 12 months
* 63 percent of privacy and security professionals surveyed had multiple reportable privacy breaches (between 6 and 20 breaches) in the past year
Privacy and security professionals are locked into reactive mode, spending more time fighting fires and struggling to take a more proactive stance.
* Only slightly more than 7 percent of privacy and security professionals' time is allocated to employee training
* A total of 10 percent of privacy and security professionals' time is allocated to establishing an incident response team, management reporting and conducting root-cause analysis
* More than 50 percent of the time of privacy and security professionals is spent on more reactive and tactical activities such as remediation of operational vulnerabilities and responding to incidents in real-time
The high percentage of breaches, the insufficient resources focused on protecting personally identifiable information, and the potential harm to organizations clearly show that this is a strategic risk requiring senior management attention.
* Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach. Both privacy and security professionals feel that ideally they should be spending less than 5 percent of their incident response time on notification
The privacy function is immature.
* Governance (63.5 percent) and policy development (70.6 percent) are areas where companies are furthest along in their program
* Operational processes, risk assessment frameworks and training programs all showed a significantly lower adoption rate of 45 to 55 percent. Adoption of measurable controls is below 30 percent
* Slightly less than 30 percent of privacy and security professionals indicated that an enterprise-wide privacy and data protection training program was recurring annually, semiannually or quarterly
* More than 50 percent of privacy and security professionals surveyed stated that privacy and security training occurred only once (slightly more than 35 percent) or on an "ad hoc" (15 percent) basis, suggesting that these programs are still very immature
* Only 23.2 percent of privacy and security professionals surveyed indicated the existence of a change management process to respond to developments that impact privacy in the organization
Privacy and security professionals, despite their different reporting structures, are coming to agree on strategic requirements necessary to effectively address personal data breaches.
* Privacy and security professionals surveyed agreed their time allocation should be increased among the following activities:
o Employee training
o Root-cause analysis
o Reporting to management
Organizations can learn more about the emerging privacy function in the full report, "Enterprise@Risk: 2007 Privacy & Data Protection Survey", published by Deloitte & Touche and the Ponemon Institute LLC.
Last Updated: December 12, 2007
Source: Deloitte LLP - United States (English)