Wednesday, December 12, 2007

Reportable and Multiple Privacy Breaches Rising at Alarming Rate

Personally identifiable information (PII) of customers and employees is being exposed, frequently and repeatedly, potentially putting hundreds of thousands of individuals at risk and exposing organizations to increased liability, according to a new survey by Deloitte & Touche and the Ponemon Institute LLC.

A shocking 85 percent of privacy and security professionals in North America surveyed acknowledged having at least one reportable data breach of PII within their organizations during the last 12 months, according to the “Enterprise@Risk: 2007 Privacy & Data Protection Survey.” More alarming is the fact that 63 percent acknowledged multiple reportable data breaches occurred within their organizations during the same period. As a result, privacy and security professionals continue spending most of their privacy-focused time on incident response and relatively little time on more proactive activities, such as strategy, training and root cause analysis.

More than 800 North American privacy and security professionals responded to the online survey sponsored by Deloitte and the Ponemon Institute, which was conducted to better understand the emerging privacy function. The survey, now in its second year, analyzed the roles, activities and time allocation preferences of dedicated privacy and security professionals, as well as their organizational status and reporting relationships. Specifically, respondents were asked to describe actual versus “ideal” time spent on activities and requirements to effectively manage and protect personal data in the enterprise.

Additional key findings and analysis include:

- Only slightly more than 7 percent of a professional’s time is allocated to employee training and no more than 10 percent is allocated to establishing an incident response team, management reporting and conducting root cause analysis.

- Resource allocation associated with notification activities alone could be a significant hidden cost of privacy and data protection within the enterprise. The percentage of incident-related time spent notifying stakeholders is the second highest among the incident-related activities reported by survey respondents.

- While 61 percent indicated their organization has processes in place to identify and assess the impact of new regulations, only 23 percent reported a change management process in place to respond to developments impacting privacy.

- Because the management of PII and the protection of PII are split between different groups, and because the privacy function itself is distributed, reporting structures varied greatly for privacy and security professionals. An analysis of primary reporting structures indicates privacy professionals report most often to the General Counsel (38 percent) or Compliance (21 percent). According to respondents, security professionals' reporting structure is concentrated at the CIO (76 percent).

- Despite significant technical advances, most organizations are still too dependent on standalone point solutions. For example, most enterprises (55 percent) are implementing some type of encryption, with 37 percent currently encrypting both data at rest and data in motion.

The survey pointed out several realities. The privacy function is siloed between legal and compliance on one hand and IT security on the other. The privacy program itself is still immature. And there does not appear to be real integration with the risk function and business processes of the enterprise. Until that integration occurs, it is likely that privacy incidents and reportable data breaches will continue.

There is, however, some good news coming out of the survey: the attitudes of security and privacy professionals are converging.

For more information on the Service and Support industry, visit www.Supportindustry.com
