Company Memo: We Can’t Protect Consumer Data
To avoid a public-relations nightmare, companies rely on privacy risk assessments and audits and invest in security awareness training sessions for staff.
Less than one-third of survey respondents are “very” confident in their enterprise’s ability to ensure the privacy of its sensitive data.
More than half do not think consumers today should feel confident that enterprises are adequately protecting their personal information (PI).
Reputation decline: 80%, Legal action: 62%, Regulatory action: 60%. Unfavorable press coverage: 58%
Two-thirds said the primary metric to measure their company’s effectiveness on privacy governance is the number of breaches/incidents experienced, while nearly half cite the number of privacy complaints received from customers/clients.
75% said their organization’s use of privacy policies, procedures, standards and other management approaches is mandatory, while 19% indicate this is “recommended.”
46% said their company will perform a privacy risk assessment to monitor the effectiveness of its privacy program, while about two out of five said their organization will perform a privacy self-assessment and/or undergo a privacy audit.
Nine out of 10 said their organization has assigned someone to be accountable for privacy, with the Chief Information Security Officer or Chief Security Officer most likely to oversee this (within 23% of companies).
76% said their company provides privacy awareness training to staff.
Certified Information Systems Auditor (CISA): 51%, Certified Information Systems Security Professional (CISSP): 36%, Certified Information Security Manager: (CISM): 34%
Complexities of global legal/regulatory landscape: 49%, Lack of clarity on the mandate, roles and responsibilities: 39%, Absence of a privacy strategy and implementation road map: 37%