Deloitte LLP
Reportable and Multiple Privacy Breaches Rising at Alarming Rate, According to Deloitte, Ponemon Institute Survey
Privacy and security professionals locked into fire-fighting mode and struggling to move to proactive stance.
Published: 12/11/07
Contact: Daniel Mucisko
Deloitte
National Public Relations
212-492-2870

Eighty-five percent of privacy and security professionals acknowledge a reportable data breach occurred within their organizations in the last year; 63 percent report multiple data breaches

NEW YORK, December 11, 2007 — Personally identifiable information (PII) of customers and employees is being exposed frequently and repeatedly, potentially putting hundreds of thousands of individuals at risk and exposing organizations to increased liability, according to a new survey by Deloitte & Touche LLP (“Deloitte”) and the Ponemon Institute LLC.

A shocking 85 percent of privacy and security professionals in North America surveyed acknowledged having at least one reportable data breach of PII within their organizations during the last 12 months, according to the “Enterprise@Risk: 2007 Privacy & Data Protection Survey.” More alarming is the fact that 63 percent acknowledged multiple reportable data breaches occurred within their organizations during the same period. As a result, privacy and security professionals continue spending most of their privacy-focused time on incident response and relatively little time on more proactive activities, such as strategy, training and root cause analysis.

More than 800 North American privacy and security professionals responded to the online survey sponsored by Deloitte and the Ponemon Institute, which was conducted to better understand the emerging privacy function. The survey, now in its second year, analyzed the roles, activities and time allocation preferences of dedicated privacy and security professionals, as well as their organizational status and reporting relationships. Specifically, respondents were asked to describe actual versus “ideal” time spent on activities and requirements needed to effectively manage and protect personal data in the enterprise.

“Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations. This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle, and they agree on the need to move to a more proactive stance,” said Rena Mears, Deloitte global and U.S. privacy and data protection leader. 

Mears added, “When you analyze the data in the survey and understand the level of resources focused on the issue in the organization, as well as the potential for harm to the enterprise through regulatory enforcement or brand impact, it’s clear this is a strategic risk that requires the attention of senior management.”

“The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Our research suggests that privacy and security are still largely reactive, siloed functions; this mindset needs to change immediately if we are to stem the swelling tide of data breaches plaguing consumers and enterprises.”

Additional key findings and analysis include:

  • Only slightly more than 7 percent of a professional’s time is allocated to employee training, and no more than 10 percent is allocated to establishing an incident response team, management reporting and conducting root cause analysis.
  • Resource allocation associated with notification activities alone could be a significant hidden cost of privacy and data protection within the enterprise. The percentage of incident-related time spent notifying stakeholders is the second highest among incident-related activities reported by survey respondents.
  • While 61 percent indicated their organization has processes in place to identify and assess the impact of new regulations, only 23 percent reported having a change management process in place to respond to developments affecting privacy.
  • Due to the dichotomy between the management and protection of PII and the distributed nature of the privacy function itself, reporting structures varied greatly for privacy and security professionals. An analysis of primary reporting structures indicates privacy professionals report most often to the General Counsel (38 percent) or Compliance (21 percent). According to respondents, security professionals’ reporting structure is concentrated at the CIO (76 percent).
  • Despite significant technical advances, most organizations are still too dependent on standalone point solutions. For example, most enterprises (55 percent) are implementing some type of encryption, with 37 percent currently encrypting both data at rest and data in motion.

The survey pointed out a couple of realities. The privacy function is siloed between legal and compliance on one hand and IT security on the other. The privacy program itself is still immature, and there does not appear to be real integration with the risk function and business processes of the enterprise. Until that integration occurs, it is likely that privacy incidents and reportable data breaches will continue.

There is, however, some good news coming out of the survey: the attitudes of security and privacy professionals are converging.

“The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection,” said Mears. “The future rests with continued effort toward building a strong and complete privacy program supported by end-to-end technology solutions.”

About the Survey
“Enterprise@Risk: 2007 Privacy & Data Protection Survey” is available on the Deloitte Web site at www.deloitte.com/us/privacyfunction. Rena Mears and Larry Ponemon are available to discuss the results of the survey. Please contact Dan Mucisko at 973-683-6063 or Dan Bingham at Hill & Knowlton at 212-885-0510 to schedule an interview.

Survey methodology
The research was conducted using a Web-based survey instrument administered to both privacy and security professionals. Respondents had significant experience, specialization and credentials in either the privacy or the information security field.

About Deloitte
As used in this document, ‘Deloitte’ means Deloitte & Touche LLP, a subsidiary of Deloitte & Touche USA LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte & Touche USA LLP and its subsidiaries.

About Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

Last Updated: December 11, 2007
Source: Deloitte LLP - United States (English)