edelman privacy risk index 2012

EDELMAN PRIVACY RISK INDEX POWERED BY PONEMON

Upload: edelmande

Post on 30-Oct-2014


DESCRIPTION

The Edelman Privacy Risk Index℠ is a global study on data security and data protection. For the study, the independent research organization Ponemon Institute evaluated the responses of 6,400 data protection and data security officers at companies in 29 countries.

TRANSCRIPT

Page 1: Edelman Privacy Risk Index 2012

EDELMAN PRIVACY RISK INDEX POWERED BY PONEMON

Page 2: Edelman Privacy Risk Index 2012

Privacy risks can have a substantial impact on business operations and corporate reputation. Companies face increasing regulation and potential fines for the misuse and loss of sensitive information. If regulatory pressure isn’t enough, not a week goes by without a company or an entire industry in the news for an alleged privacy violation, causing significant harm to corporate reputation.

Managing data security and privacy effectively is essential to businesses today. The growing volume and sensitivity of information being shared, stored and used is driving demand for greater transparency about how it is being managed and protected.

BUSINESS LEFT VULNERABLE TO PRIVACY RISK

Edelman’s privacy research shows, for the first time, the main drivers of privacy risk. The survey reveals:

• Privacy risks are at an all-time high, presenting a significant challenge for businesses.

• Businesses are struggling to manage the privacy practices that most contribute to risk.

• Operating globally and in financial services and health industries significantly contributes to risk.

Page 3: Edelman Privacy Risk Index 2012

PRIVACY RISK AT AN ALL-TIME HIGH

Page 4: Edelman Privacy Risk Index 2012

THE CONSEQUENCES OF PRIVACY RISK

The costs are high. Businesses are losing customers and money, and reputations suffer. As a result, license to operate hangs in the balance.

What is at stake: CUSTOMERS, CORPORATE REPUTATION, MONEY, BUSINESS DISRUPTION

Page 5: Edelman Privacy Risk Index 2012

DRIVERS OF PRIVACY RISK AND LIABILITY

REGULATORY ENFORCEMENT

• FTC levies $22.5 million for privacy violation

• Proposed EU legislation may include fines up to 2% of annual turnover

LITIGATION

• Average settlement $2,500 per plaintiff, and mean attorneys’ fees of $1.2 million (Temple University Beasley School of Law)

MEDIA SCRUTINY

CONSUMER CONCERN

• Three quarters of consumers will stop using an online shop if information was accessed without permission

• Less than half of consumers trust healthcare organizations to protect information (Edelman DSP Group Study)

Page 6: Edelman Privacy Risk Index 2012
Page 7: Edelman Privacy Risk Index 2012

INTRODUCING THE EDELMAN PRIVACY RISK INDEX

• Based on analysis of research from the Ponemon Institute over the last three years

• Analysis of 6,400 individual responses by risk managers, privacy professionals and IT pros

• 29 countries included in benchmarking and tools

• The research serves as the baseline for an online tool that allows companies to assess their privacy risk against the benchmark

• Intended to be directional, NOT diagnostic

The Edelman Privacy Risk Index (ePRI) is a global benchmarking study and tool that measures the top drivers of privacy risk for businesses. The ePRI explores how companies are managing privacy risk caused by business practices and operations.

Page 8: Edelman Privacy Risk Index 2012

ELEMENTS OF PRIVACY RISK

The Edelman Privacy Risk Index reveals a lack of preparedness in managing the potential financial and reputational damage relating to the loss or misuse of personal information. Our survey found companies face significant risk due to business profile and failing to implement strong privacy practices.

BUSINESS PROFILE: WHAT DEFINES YOUR BUSINESS + PRIVACY PRACTICES: HOW YOU OPERATE = Overall RISK

Page 9: Edelman Privacy Risk Index 2012

WHAT DEFINES YOUR BUSINESS

Page 10: Edelman Privacy Risk Index 2012

BUSINESS PROFILE

Companies must understand how their business profile contributes to their privacy risk. Those operating in high risk environments are particularly vulnerable to incidents if they don’t properly manage privacy practices.

Business profile factors that feed into RISK: Footprint, Info Collected/Managed, Headcount/Size, Geography, Industry

Page 11: Edelman Privacy Risk Index 2012

BUSINESS PROFILE RISK AT A GLANCE

Geography

HIGHEST RISK
• Belgium
• Italy
• Spain

LOWEST RISK
• China
• India
• Brazil

Industry

HIGHEST RISK
• Financial Services
• Health/Pharma
• Communications

LOWEST RISK
• Industrial
• Automotive
• Manufacturing

Footprint

HIGHEST RISK
• Global and Super Regional

LOWEST RISK
• Local

Headcount/Size

HIGHEST RISK
• Small- and Medium-sized Businesses

LOWER RISK
• Enterprise

Info Collected

HIGHEST RISK
• Sensitive Customer Information

LOWER RISK
• Only Employee

See appendix for full findings

Page 12: Edelman Privacy Risk Index 2012

COMPANIES HAVE DIFFERENT STARTING RISKS

Company w/ Low Risk Profile
• Brazil
• Manufacturing
• Local
• Large Enterprise
• Collects employee info

VS.

Company w/ High Risk Profile
• Italy
• Health
• Global
• SMB
• Collects health and sensitive customer information

Companies in different industries, markets and sizes have different starting points for operational risk. It’s essential that businesses understand where they stand and take action if they are at high risk.

Page 13: Edelman Privacy Risk Index 2012

PRIVACY PRACTICES

Page 14: Edelman Privacy Risk Index 2012

PRACTICES THAT DETERMINE RISK

The ePRI identified three pillars and twelve practices that are key indicators of businesses’ ability to mitigate the risk of a data breach, privacy lawsuit or regulatory action.

Pillars: Communications & Engagement; Business Operations; Data Protection

• My organization believes a data breach would adversely affect our reputation and financial position.

• My organization has ample resources to protect employee and customer information.

• My organization is able to prevent and quickly detect the theft or misuse of personal information.

• My organization has the expertise and technology to protect personal information.

• My organization considers privacy and the protection of personal information a corporate priority.

• A high-level executive leads my organization's privacy program and is empowered to make decisions.

• My organization understands global privacy cultural differences.

• My organization strictly enforces all levels of non-compliance with laws and regulations.

• Employees in my organization understand the importance of privacy and how to protect personal and/or sensitive information.

• My organization makes a substantial effort to educate employees about privacy and data security.

• My organization is transparent about what it does with employee and customer information.

• My organization is quick to respond to privacy complaints or questions from customers and regulators.

Page 15: Edelman Privacy Risk Index 2012

BUSINESSES FALLING SHORT

Fewer than half of those surveyed agreed they effectively manage risk, leaving them highly susceptible (or exposed) to a privacy incident. They are failing to:

• Make privacy a priority and devote resources

• Engage their employees

• Embrace transparency

• Manage regulatory concerns

Page 16: Edelman Privacy Risk Index 2012

COMPANIES LACK RESOURCES AND EXPERTISE

Approximately 2 out of 3 companies do NOT have the expertise and technology to protect personal information.

Over half do not have the resources needed to protect the information they collect.

Page 17: Edelman Privacy Risk Index 2012

COMPANIES FAIL TO PRIORITIZE

• Believe a data breach would not adversely impact company reputation

• Do not consider privacy and protection of personal information a corporate priority

• Don't have a high level executive managing privacy programs

Percentages shown on the slide: 60%, 61%, 53%

Page 18: Edelman Privacy Risk Index 2012

COMPANIES FAIL TO ENGAGE EMPLOYEES

2 out of 3 companies surveyed do not proactively educate employees on privacy and security issues.

Privacy incidents often originate when employees improperly use or accidentally expose information. The ePRI found a majority of companies fail to address the potential risk presented by poor employee education.

Over half (57%) of companies think their employees do not understand the importance of security and privacy.

Page 19: Edelman Privacy Risk Index 2012

COMPANIES ARE NOT TRANSPARENT OR RESPONSIVE

Despite new laws around the world calling for greater notice and consent before collecting consumer information and increased media scrutiny, companies struggle to be transparent and respond to complaints.

Over half of the organizations surveyed (57%) are not transparent about what they do with personal information collected.

And 61% say they are not quick to respond to customer privacy complaints.

Page 20: Edelman Privacy Risk Index 2012

COMPANIES ARE LAX ON REGULATORY COMPLIANCE

Many companies struggle to comply with increasing and evolving regulatory requirements around the globe.

6 out of 10 companies (61%) do not strictly enforce compliance regulations.

Page 21: Edelman Privacy Risk Index 2012

MANAGING PRIVACY RISK

Page 22: Edelman Privacy Risk Index 2012

WHERE TO START

1. UNDERSTAND: Use the ePRI tool to better understand your company’s privacy risk. Share results with key stakeholders in legal, communications and technology to build consensus on risk.

2. PRIORITIZE: Armed with understanding, an enterprise now has a powerful directional lens to evaluate its privacy program. Smart organizations will prioritize the weakest elements of their privacy DNA (under-performing practices) with consideration for their potential impact on enterprise effectiveness.

3. ACTIVATE: Work cross-company on programs to improve at-risk privacy practices. Consider how communications, legal/risk and technology leaders can collaborate on solutions.

Page 23: Edelman Privacy Risk Index 2012

UNDERSTAND YOUR RISK: ePRI TOOL

Leverage the ePRI Tool to better understand your risk and how your practices relate to the benchmark.

Page 24: Edelman Privacy Risk Index 2012

PRIORITIZE: RISKY PRACTICES

Determine and explore deficient privacy practices most contributing to corporate risk.

Priority #1, Priority #2, Priority #3:

• My organization has the expertise and technology to protect personal information.

• My organization considers privacy and the protection of personal information a corporate priority.

• My organization is quick to respond to consumers’ and regulators’ privacy complaints.

• My organization is transparent about what it does with employee and customer information.

Page 25: Edelman Privacy Risk Index 2012

ACTIVATE CROSS-ORGANIZATION PRIVACY TEAM

Invest in privacy practices and programming to improve performance.

BUSINESS: Proper collection, use and storage of information. Embrace Privacy by Design.

LEGAL/GOV AFFAIRS: Compliance with local laws in all the geographies of operation.

INFORMATION TECHNOLOGY: Technology systems to prevent and recover from a data incident.

COMMUNICATIONS: Employee engagement, stakeholder engagement, data breach communications.

Page 26: Edelman Privacy Risk Index 2012

FIRST STEP: CONVENE PRIVACY WORKSHOP WITH EDELMAN

Edelman and our partners can meet with you to help explore and prioritize areas of privacy risk.

OUTCOMES

• Customized Privacy Program Roadmaps

• Privacy Playbooks

• Privacy Risk Snapshot

• Internal Integration

Page 27: Edelman Privacy Risk Index 2012

EDELMAN SERVICES

EDELMAN AND OUR PRIVACY PARTNERS CAN HELP WITH SYSTEMS INTEGRATION

AUDIT

• Reputation and communications audit

• Privacy risk assessment

• Communications team integration

• Customer and market research

• Crisis protocols

COMMUNICATIONS

• Security and privacy message development

• Internal communications and employee engagement

• Influencer and competitive mapping

• Privacy and security response management

• Data breach training and simulations

• Thought leadership and executive positioning

POLICY/LEGAL

• Policy analysis and navigation

• Active regulatory and policymaker engagement

• Litigation communications

• Influence policy outcomes

• Coalition building and grassroots support

Page 28: Edelman Privacy Risk Index 2012

CONTACT

WEB: Datasecurity.edelman.com

Edelman.com/expertise/practices/data security & privacy

TWITTER: @EdelmanDSP

CONTACT:

Pete Pedersen, Global Chair, Technology
[email protected]

Ben Boyd, Global Chair, Corporate
[email protected]

Page 29: Edelman Privacy Risk Index 2012

APPENDIX I

LANDSCAPE RESEARCH

Page 30: Edelman Privacy Risk Index 2012

GAP IN CONSUMER TRUST

Our survey, Privacy & Security: The New Drivers of Brand, Reputation and Action, shows a significant gap between the importance of privacy to consumers and the amount they trust companies to protect it.

[Chart: Importance of privacy and security in each industry (global) versus Trust in each industry to protect personal information (global), for Finance, Online Shopping & Retail, Medical & Healthcare, Government, Social Networking, Technology, News & Media, Automotive, Food & Grocery, Gaming and Utilities*]

Q7. How important is your privacy and security when doing business with the following industries? *NOTE: Utilities not included as a response code

Q8. Which industry do you trust most to adequately protect your personal information? Please select the top three industries.

Page 31: Edelman Privacy Risk Index 2012

CONSUMER ATTRITION DUE TO PRIVACY

Consumers will leave services if personal information was accessed without permission, costing negligent companies significantly in potential business.

[Chart: Consumers Likely to Switch Providers or Stop Using Services Entirely if Personal Information was Accessed Without Permission (Global); values by company type range from 50% to 80%]

Q9. For the following types of companies, if your personal information was accessed without your permission, how likely would you be to switch to a different provider or stop using these services entirely, if they did have personal information on you? Please use a scale of 1-5, where 1 is “not at all likely” and 5 is “very likely.”

Base: All respondents (Global n=4,050)

Page 32: Edelman Privacy Risk Index 2012

REGULATORY ACTION IN UNITED STATES

• Google pays $22.5 million to settle FTC charges it misrepresented privacy assurances.

• BlueCross BlueShield of Tennessee (BCBST) fined $1.5 million for 2009 data breach.

• SEC requires publicly traded companies to disclose data breaches, citing the issue as a substantial business risk.

All Federal agencies with jurisdiction over privacy are significantly increasing enforcement and rhetoric about privacy violations by companies.

Page 33: Edelman Privacy Risk Index 2012

A NEW REGIME IN THE EU

EU institutions are currently discussing far-ranging proposals to modify and substantially overhaul the Union’s patchwork of 27 data protection regimes to create a new, single Europe-wide regime.

If approved in the current format, the new regime would radically change the obligations of data controllers, strengthen competences of Data Protection Authorities (DPAs) and increase the rights of individuals.

The current regulation draft foresees fines for non-compliance of up to 2% of annual turnover. The impact of this would be global.

Page 34: Edelman Privacy Risk Index 2012

ASIA NOT FAR BEHIND

• India: Passed Information Technology Rules (2011)

• Singapore: Personal Data Protection Act (2012)

• Hong Kong: Amended Personal Data Ordinance (2012)

• APEC Region: APEC Privacy Framework

Many countries in Asia are creating new privacy laws similar to those in place in Europe and the United States, imposing fines for data breaches and more stringent privacy standards.

Page 35: Edelman Privacy Risk Index 2012

LITIGATION ON THE RISE

“Lawsuit Claims Microsoft, McDonald’s, Mazda & CBS Used Ads as Cover for Data Mining” – Network World

Average settlement $2,500 per plaintiff, and mean attorneys’ fees of $1.2 million – Temple University Beasley School of Law

“NebuAd Settles Lawsuit Over Behavioral Targeting Test” – MediaPost

“Facebook sued for $15 billion over alleged privacy infractions” – CNET

Page 36: Edelman Privacy Risk Index 2012

CRITICAL MEDIA

Companies face an increasingly critical and vocal media environment, creating a significant potential for reputational damage.

Headlines shown:

• Privacy Concerns Affect Purchase Decisions

• Security Tops Boardroom Agendas

• Facebook Complies with EU Data Protection Law, Dumps Facial Recognition

• GM's Boneheaded Privacy Mistake With OnStar

• Apple moves to quell Path privacy gaffe

• Questions for Amazon on Privacy and the Kindle Fire

Page 37: Edelman Privacy Risk Index 2012

APPENDIX II

EDELMAN PRIVACY RISK INDEX

Page 38: Edelman Privacy Risk Index 2012

BY GEOGRAPHY

The ePRI found operating in Europe presents the most privacy risk, likely due to recent policy developments and a significant cultural expectation of privacy.

ePRI score by region:

• Europe: 58.7

• North America: 50.9

• Asia-Pacific: 42.7

• Middle East: 41.1

• Latin America: 40.2

Page 39: Edelman Privacy Risk Index 2012

RISK IN SPECIFIC MARKETS

There are significant differences between the most and least risky countries. The eleven countries with the highest privacy risk are located in the European Union, with many developing nations presenting lower risk.

[Chart: ePRI score by country (scores range from 29.3 to 68.6), ranked from lowest to highest risk: Brazil, India, China (PRC), Korea, Mexico, Singapore, Saudi Arabia, United Arab Emirates, Israel, Japan, United States, Hong Kong, Russian Federation, United Kingdom, Argentina, Canada, Australia, New Zealand, Ireland, Norway, Denmark, Poland, Sweden, Germany, France, Spain, Netherlands, Italy, Belgium]

Page 40: Edelman Privacy Risk Index 2012

CORPORATE FOOTPRINT INTRODUCES RISK

Local: The company primarily operates in one country

Regional: The company operates in two or more countries, primarily in one region

Super regional: The company operates in multiple countries in two or more regions

Global: The company operates in all regions around the world

Adding significant complexity to geographic concerns is the risk presented by operating in multiple markets.

ePRI score by corporate footprint:

• Local: 36.0

• Regional: 39.0

• Super regional: 58.3

• Global: 66.8

Page 41: Edelman Privacy Risk Index 2012

INDUSTRY BENCHMARK DRIVEN BY DATA

Industries that collect the most sensitive information about customers present the most significant privacy risk. There is a significant drop off in privacy risk for organizations that don’t collect significant amounts of information online.

ePRI score by industry (lowest to highest risk):

• Manufacturing: 20.8

• Automotive: 24.0

• Industrial: 27.5

• Agriculture: 32.3

• Entertainment & media: 32.8

• Services: 39.5

• Consumer products: 44.3

• Retail (conventional): 44.5

• Retail (Internet): 52.0

• Technology & software: 53.8

• Energy & utilities: 55.0

• Hospitality: 55.0

• Transportation: 56.3

• Education & research: 56.5

• Public sector: 58.8

• Professional services: 61.0

• Airlines: 62.8

• Communications: 66.0

• Health & pharma: 78.3

• Financial services: 79.3

Page 42: Edelman Privacy Risk Index 2012

BY COMPANY SIZE

Smaller organizations have substantially higher privacy risk than larger organizations. This can potentially be explained by larger organizations typically having more resources to devote to managing privacy risk. However, large organizations still face risks, often due to holding significant amounts of information and receiving increased regulatory attention.

ePRI score by headcount (lowest to highest risk):

• 10,001 to 25,000: 44.8

• 25,001 to 75,000: 45.8

• More than 75,000: 45.8

• 5,001 to 10,000: 46.5

• 1,001 to 5,000: 50.3

• Less than 500: 57.5

• 501 to 1,000: 59.5

Page 43: Edelman Privacy Risk Index 2012

BY INFORMATION COLLECTED

The volume and sensitivity of data collected significantly influences privacy risk.

Types of personal information stored:

• Customer with PII

• Employee

• Citizen (government use)

• Student

• Customer without PII

• Consumer (targeted customer)

• Patient (health records)

• Shareholder/investor