edelman privacy risk index 2012
DESCRIPTION
The Edelman Privacy Risk Index℠ is a global study on data security and privacy. For the study, the responses of 6,400 privacy and data-security officers at companies in 29 countries were analysed by the independent research organisation Ponemon Institute.
TRANSCRIPT
EDELMAN PRIVACY RISK INDEX POWERED BY PONEMON
Privacy risks can have a substantial impact on
business operations and corporate reputation.
Companies face increasing regulation and
potential fines for the misuse and loss of
sensitive information. If regulatory pressure isn’t
enough, not a week goes by without a company
or an entire industry in the news for an alleged
privacy violation, causing significant harm to
corporate reputation.
Managing data security and privacy effectively is
essential to businesses today. The growing
volume and sensitivity of information being
shared, stored and used is driving demand for
greater transparency about how it is being
managed and protected.
BUSINESS LEFT VULNERABLE TO PRIVACY RISK
Edelman’s privacy research shows, for the
first time, the main drivers of privacy risk.
The survey reveals:
• Privacy risks are at an all-time high, presenting a significant challenge for businesses.
• Businesses are struggling to manage the privacy practices that most contribute to risk.
• Operating globally and in the financial services and health industries significantly contributes to risk.
PRIVACY RISK AT AN ALL-TIME HIGH
THE CONSEQUENCES OF PRIVACY RISK
The costs are high. Businesses are losing customers and money, and
reputations suffer. As a result, license to operate hangs in the balance.
• Customers
• Money
• Corporate reputation
• Business disruption
DRIVERS OF PRIVACY RISK AND LIABILITY
REGULATORY ENFORCEMENT
FTC levies $22.5 million for privacy violation
Proposed EU legislation may include fines up to 2% of annual turnover
LITIGATION
Average settlement $2,500 per plaintiff, and
mean attorneys’ fees of $1.2 million
Temple University Beasley School of Law
MEDIA SCRUTINY
CONSUMER CONCERN
Three quarters of consumers will stop using an online
shop if information was accessed without permission
Less than half of consumers trust healthcare
organizations to protect information
Edelman DSP Group Study
INTRODUCING THE EDELMAN PRIVACY RISK INDEX
• Based on analysis of research from the Ponemon Institute over the last three years
• Analysis of 6,400 individual responses by risk managers, privacy professionals and IT Pros
• 29 countries included in benchmarking and tools
• The research serves as the baseline for an online tool that allows companies to assess their
privacy risk against the benchmark
• Intended to be directional NOT diagnostic
The Edelman Privacy Risk Index (ePRI) is a global benchmarking study and tool that
measures the top drivers of privacy risk for businesses. The ePRI explores how companies
are managing privacy risk caused by business practices and operations.
ELEMENTS OF PRIVACY RISK
The Edelman Privacy Risk Index reveals a lack of preparedness in managing the potential financial and reputational
damage relating to the loss or misuse of personal information. Our survey found companies face significant risk due to
business profile and failing to implement strong privacy practices.
BUSINESS PROFILE (what defines your business) + PRIVACY PRACTICES (how you operate) = OVERALL RISK
BUSINESS PROFILE Companies must understand how their business profile contributes to their privacy risk. Those
operating in high risk environments are particularly vulnerable to incidents if they don’t properly
manage privacy practices.
Business profile factors: Footprint; Information collected/managed; Headcount/size; Geography; Industry
BUSINESS PROFILE RISK AT A GLANCE
• Footprint: highest risk for Global and Super Regional companies; lowest risk for Local companies
• Headcount/Size: highest risk for Small- and Medium-sized Businesses; lower risk for Enterprises
• Geography: highest risk in Belgium, Italy, Spain; lowest risk in China, India, Brazil
• Industry: highest risk in Financial Services, Health/Pharma, Communications; lowest risk in Industrial, Automotive, Manufacturing
• Info Collected: highest risk when Sensitive Customer Information is collected; lower risk when Only Employee information is collected
See appendix for full findings
COMPANIES HAVE DIFFERENT STARTING RISKS
Company with Low Risk Profile: Brazil; Manufacturing; Local; Large Enterprise; Collects employee info
VS.
Company with High Risk Profile: Italy; Health; Global; SMB; Collects health and sensitive customer information
Companies in different industries, markets and sizes have different starting points for operational risk.
It’s essential that businesses understand where they stand and take action if they are at high risk.
PRIVACY PRACTICES
PRACTICES THAT DETERMINE RISK The ePRI identified three pillars and twelve practices that are key indicators of a business's ability to
mitigate the risk of a data breach, privacy lawsuit or regulatory action.
Three pillars: Communications & Engagement; Business Operations; Data Protection
Twelve practices:
• My organization believes a data breach would adversely affect our reputation and financial position.
• My organization has ample resources to protect employee and customer information.
• My organization is able to prevent and quickly detect the theft or misuse of personal information.
• My organization has the expertise and technology to protect personal information.
• My organization considers privacy and the protection of personal information a corporate priority.
• A high-level executive leads my organization's privacy program and is empowered to make decisions.
• My organization understands global privacy cultural differences.
• My organization strictly enforces all levels of non-compliance with laws and regulations.
• Employees in my organization understand the importance of privacy and how to protect personal and/or sensitive information.
• My organization makes a substantial effort to educate employees about privacy and data security.
• My organization is transparent about what it does with employee and customer information.
• My organization is quick to respond to privacy complaints or questions from customers and regulators.
BUSINESSES FALLING SHORT
Fewer than half of those surveyed agreed they effectively manage risk,
leaving them highly susceptible (or exposed) to a privacy incident.
They are failing to:
• Make privacy a priority and devote resources
• Engage their employees
• Embrace transparency
• Manage regulatory concerns
COMPANIES LACK RESOURCES AND EXPERTISE
Approximately 2 out of 3 companies do
NOT have the expertise and technology
to protect personal information
Over half do not have the resources
needed to protect the information they
collect
COMPANIES FAIL TO PRIORITIZE
• 60% believe a data breach would not adversely impact company reputation
• 61% do not consider privacy and protection of personal information a corporate priority
• 53% don't have a high-level executive managing privacy programs
COMPANIES FAIL TO ENGAGE EMPLOYEES
2 out of 3 companies surveyed do not proactively
educate employees on privacy and security issues
Privacy incidents often originate when employees improperly use or accidentally expose
information. The ePRI found a majority of companies fail to address the potential risk
presented by poor employee education.
Over half (57%) of companies think their
employees do not understand the importance
of security and privacy
COMPANIES ARE NOT TRANSPARENT OR RESPONSIVE
Despite new laws around the world calling for greater notice and consent before collecting consumer
information and increased media scrutiny, companies struggle to be transparent and respond to
complaints.
Over half of the organizations surveyed (57%)
are not transparent about what they do with
personal information collected
And 61% say they are not quick to respond to
customer privacy complaints
COMPANIES ARE LAX ON REGULATORY COMPLIANCE
Many companies struggle to comply with increasing and evolving regulatory requirements
around the globe.
6 out of 10 companies (61%) do not strictly
enforce compliance regulations
MANAGING PRIVACY RISK
WHERE TO START
1. UNDERSTAND: Use the ePRI tool to better understand your company’s privacy risk. Share results
with key stakeholders in legal, communications and technology to reach consensus on risk.
2. PRIORITIZE: Armed with understanding, an enterprise now has a powerful directional lens to evaluate its
privacy program. Smart organizations will prioritize the weakest elements of their privacy DNA (under-performing
practices) with consideration for their potential impact on enterprise effectiveness.
3. ACTIVATE: Work cross-company on programs to improve at-risk privacy practices. Consider how
communications, legal/risk and technology leaders can collaborate on solutions.
UNDERSTAND YOUR RISK: ePRI TOOL
Leverage the ePRI Tool
to better understand your
risk and how your
practices relate to the
benchmark.
PRIORITIZE: RISKY PRACTICES
Determine and explore deficient privacy practices most contributing to corporate risk.
Practices ranked in the deck as Priority #1 to #3:
• My organization has the expertise and technology to protect personal information.
• My organization considers privacy and the protection of personal information a corporate priority.
• My organization is quick to respond to consumers’ and regulators’ privacy complaints.
• My organization is transparent about what it does with employee and customer information.
ACTIVATE CROSS-ORGANIZATION PRIVACY TEAM
BUSINESS: Proper collection, use and storage of
information. Embrace Privacy by Design.
LEGAL/GOV AFFAIRS: Compliance with local laws
in all the geographies of operation.
INFORMATION TECHNOLOGY: Technology systems
to prevent and recover from a data incident.
COMMUNICATIONS: Employee engagement,
stakeholder engagement, data breach
communications.
Invest in privacy
practices and
programming to
improve
performance.
FIRST STEP: CONVENE PRIVACY WORKSHOP WITH EDELMAN
Edelman and our partners can meet with you to help explore and prioritize areas of privacy risk.
OUTCOMES
• Customized Privacy Program Roadmaps
• Privacy Playbooks
• Privacy Risk Snapshot
• Internal Integration
EDELMAN SERVICES
AUDIT
• Reputation and communications audit
• Privacy risk assessment
• Communications team integration
• Customer and market research
• Crisis protocols
COMMUNICATIONS
• Security and privacy message development
• Internal communications and employee engagement
• Influencer and competitive mapping
• Privacy and security response management
• Data breach training and simulations
• Thought leadership and executive positioning
POLICY/LEGAL
• Policy analysis and navigation
• Active regulatory and policymaker engagement
• Litigation communications
• Influence policy outcomes
• Coalition building and grassroots support
EDELMAN AND OUR PRIVACY PARTNERS CAN HELP WITH SYSTEMS INTEGRATION
CONTACT
WEB:
Datasecurity.edelman.com
Edelman.com/expertise/practices/data security & privacy
TWITTER:
@EdelmanDSP
CONTACT:
Pete Pedersen, Global Chair, Technology
Ben Boyd, Global Chair, Corporate
APPENDIX I
LANDSCAPE RESEARCH
GAP IN CONSUMER TRUST
Our survey, Privacy & Security: The New Drivers of Brand, Reputation and Action, shows a significant gap between
the importance of privacy to consumers and the amount they trust companies to protect it.
[Chart: Importance of privacy and security in each industry (global) versus Trust in each industry to protect personal information (global). Industries shown: Finance; Online Shopping & Retail; Medical & Healthcare; Government; Social Networking; Technology; News & Media; Automotive; Food & Grocery; Gaming; Utilities*]
Q7. How important is your privacy and security when doing business with the following industries? *NOTE: Utilities not included as a response code
Q8. Which industry do you trust most to adequately protect your personal information? Please select the top three industries.
Consumers will leave services if personal information was accessed without permission,
costing negligent companies significantly in potential business.
CONSUMER ATTRITION DUE TO PRIVACY
[Chart: Consumers Likely to Switch Providers or Stop Using Services Entirely if Personal Information was Accessed Without Permission (Global); values by company type range from 80% down to 50%]
Q9. For the following types of companies, if your personal information was accessed without your permission, how likely would you be to switch to a different
provider or stop using these services entirely, if they did have personal information on you? Please use a scale of 1-5, where 1 is “not at all likely” and 5 is “very
likely.”
Base: All respondents (Global n=4,050)
REGULATORY ACTION IN UNITED STATES
Google pays $22.5 million to settle FTC charges
it misrepresented privacy assurances.
BlueCross BlueShield of Tennessee (BCBST)
fined $1.5 million for 2009 data breach.
SEC requires publicly traded companies to disclose
data breaches citing the issue is a substantial
business risk.
All Federal agencies with jurisdiction over privacy are significantly increasing
enforcement and rhetoric about privacy violations by companies.
A NEW REGIME IN THE EU
EU institutions are currently discussing far-ranging proposals to modify and
substantially overhaul the Union’s patchwork of 27 data protection regimes to
create a new, single Europe-wide regime.
If approved in the current format, the new regime would radically change the
obligations of data controllers, strengthen competences of Data Protection
Authorities (DPAs) and increase the rights of individuals.
The current regulation draft foresees fines for non-compliance of up to 2% of
annual turnover. The impact of this would be global.
ASIA NOT FAR BEHIND
India: Passed Information Technology Rules (2011)
Singapore: Personal Data Protection Act (2012)
Hong Kong: Amended Personal Data Ordinance (2012)
APEC Region: APEC Privacy Framework
Many countries in Asia are creating new privacy laws similar to those in place in Europe
and the United States, imposing fines for data breaches and more stringent privacy
standards.
LITIGATION ON THE RISE
• “Lawsuit Claims Microsoft, McDonald’s, Mazda & CBS Used Ads as Cover for Data Mining” – Network World
• Average settlement $2,500 per plaintiff, and mean attorneys’ fees of $1.2 million – Temple University Beasley School of Law
• “NebuAd Settles Lawsuit Over Behavioral Targeting Test” – MediaPost
• “Facebook sued for $15 billion over alleged privacy infractions” – CNET
CRITICAL MEDIA
Companies face an increasingly critical and vocal media environment, creating a significant potential for
reputational damage.
Sample headlines:
• Privacy Concerns Affect Purchase Decisions
• Security Tops Boardroom Agendas
• Facebook Complies with EU Data Protection Law, Dumps Facial Recognition
• GM's Boneheaded Privacy Mistake With OnStar
• Apple moves to quell Path privacy gaffe
• Questions for Amazon on Privacy and the Kindle Fire
APPENDIX II
EDELMAN PRIVACY RISK INDEX
BY GEOGRAPHY
The ePRI found operating in Europe presents the most privacy risk, likely due to recent policy
developments and a significant cultural expectation of privacy.
Privacy risk index by region:
• Europe: 58.7
• North America: 50.9
• Asia-Pacific: 42.7
• Middle East: 41.1
• Latin America: 40.2
RISK IN SPECIFIC MARKETS
There are significant differences between the most and least risky countries. The eleven countries
with the highest privacy risk are located in the European Union with many developing nations
presenting lower risk.
Privacy risk index by country (lowest to highest):
• Brazil: 29.3
• India: 31.3
• China (PRC): 32.0
• Korea: 37.2
• Mexico: 37.9
• Singapore: 38.7
• Saudi Arabia: 39.7
• United Arab Emirates: 41.2
• Israel: 42.2
• Japan: 43.2
• United States: 48.1
• Hong Kong: 50.0
• Russian Federation: 50.4
• United Kingdom: 53.0
• Argentina: 53.3
• Canada: 53.8
• Australia: 54.2
• New Zealand: 54.7
• Ireland: 54.8
• Norway: 55.0
• Denmark: 56.3
• Poland: 56.5
• Sweden: 58.7
• Germany: 59.1
• France: 59.2
• Spain: 62.5
• Netherlands: 64.1
• Italy: 65.2
• Belgium: 68.6
CORPORATE FOOTPRINT INTRODUCES RISK
• Local: the company primarily operates in one country
• Regional: the company operates in two or more countries, primarily in one region
• Super regional: the company operates in multiple countries in two or more regions
• Global: the company operates in all regions around the world
Adding significant complexity to geographic concerns is the risk presented by
operating in multiple markets.
Privacy risk index by footprint:
• Local: 36.0
• Regional: 39.0
• Super regional: 58.3
• Global: 66.8
INDUSTRY BENCHMARK DRIVEN BY DATA
Industries that collect the most sensitive information about customers present the most significant privacy risk. There is a
significant drop off in privacy risk for organizations that don’t collect significant amounts of information online.
Privacy risk index by industry (lowest to highest):
• Manufacturing: 20.8
• Automotive: 24.0
• Industrial: 27.5
• Agriculture: 32.3
• Entertainment & media: 32.8
• Services: 39.5
• Consumer products: 44.3
• Retail (conventional): 44.5
• Retail (Internet): 52.0
• Technology & software: 53.8
• Energy & utilities: 55.0
• Hospitality: 55.0
• Transportation: 56.3
• Education & research: 56.5
• Public sector: 58.8
• Professional services: 61.0
• Airlines: 62.8
• Communications: 66.0
• Health & pharma: 78.3
• Financial services: 79.3
BY COMPANY SIZE
Smaller organizations have substantially higher privacy risk than larger organizations. This can potentially be
explained by larger organizations typically having more resources to devote to managing privacy risk.
However, large organizations still face risks, often due to holding significant amounts of information and
receiving increased regulatory attention.
Privacy risk index by headcount (lowest to highest):
• 10,001 to 25,000: 44.8
• 25,001 to 75,000: 45.8
• More than 75,000: 45.8
• 5,001 to 10,000: 46.5
• 1,001 to 5,000: 50.3
• Less than 500: 57.5
• 501 to 1,000: 59.5
BY INFORMATION COLLECTED
The volume and sensitivity of data collected significantly influences privacy risk.
Types of personal information stored:
• Customer with PII
• Employee
• Citizen (government use)
• Student
• Customer without PII
• Consumer (targeted customer)
• Patient (health records)
• Shareholder/investor