Ponemon Institute© Private & Confidential Document. Page 1 Responsible Information Management The Link between Privacy & Trust Mr. Charles Giordano, Bell Canada and RIM Council Board of Directors Dr. Larry Ponemon, Ponemon Institute, LLC Toronto, November 4, 2005


Ponemon Institute© Private & Confidential Document. Page 1

Responsible Information Management
The Link between Privacy & Trust

Mr. Charles Giordano, Bell Canada and RIM Council Board of Directors

Dr. Larry Ponemon, Ponemon Institute, LLC
Toronto, November 4, 2005


• Dedicated to advancing responsible information management and privacy practices in business and government.

• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute, LLC
Measuring Trust in Privacy & Security


Following is a partial list of recent research projects conducted by the Institute:

• Airline Industry Privacy Trust Survey
• Annual Privacy Trust Survey
• Benchmark Study of Corporate Privacy Practices
• Consumer Perceptions of Internet Advertising Study
• Consumer Perceptions of Proposed Internet Sales Tax on Individual Privacy
• Consumer Spam Study
• Consumer Tracking Survey on Fear of Identity Theft
• Cross-National Study of Canadian and U.S. Corporate Privacy Practices
• Customer Information Trust Survey
• EDS Identity Management Study
• E-Mail Authentication Survey
• IBM & Ponemon Institute Cost of Privacy Study
• Most Trusted Companies for Privacy Study (Canada and U.S.)
• National Spoofing and Phishing Study
• National Spyware Study
• Online Banking Privacy Trust Survey
• Online Permissions Management Survey
• Privacy Professional Salary Survey
• Privacy Trust Survey of U.S. Federal Government Agencies
• Retail Bank Privacy Trust Survey
• The Corporate Benchmark Study of the New California Law for Notification of Data Security Breaches
• Unisys & Ponemon Institute Managed Care Privacy & Data Protection Benchmark Study
• Unisys & Ponemon Institute Tracking Study on Information Security
• National Study on Data Security Breach Notification


Responsible Information Management

• An ethics-based framework for raising trust and confidence in how an organization handles, manages and secures sensitive, private information.

• RIM requires the alignment of key stakeholders’ privacy and data protection preferences with business process and IT practices within the organization.

• Key RIM components include: privacy, information security, confidentiality, data hygiene and IT efficiencies.


The RIM Process

Process Management
Performance-based measurement, scorecards, external verification and enabling technologies that mitigate risk (such as perimeter controls, privacy tools, data hygiene applications and so forth)

Education & Awareness
Classroom training, facilitated training, and e-learning programs for all employees who handle private, confidential or sensitive personal information

Monitoring
A formal process for identifying privacy and data protection risk and vulnerability areas within core business units, databases and software applications

Communications
Policies, corporate communications, employee handbooks, compliance procedures and crisis management interventions

Redress & Enforcement
The formal mechanism and due process for responding to customer, employee or the public’s issues and concerns


Who are the RIM Stakeholders?

• Business owners
• Information technology
• Compliance
• Security
• Legal
• Marketing
• Ethics
• Auditors
• Senior executives


Value Proposition

• RIM practices increase trust and confidence.

• RIM practices reduce operational risks associated with poor data management and handling practices.

• RIM practices make it easier for companies to comply with a rash of information security requirements around the world.


Institute Research Shows

• Consumers expected good privacy and data security practices for both business and government

• Fears about privacy and identity theft are increasing

• Trusted organizations earn higher participation rates – this translates into customer loyalty, lower churn rates and bottom-line profits

• Companies are doing an inadequate job in protecting sensitive personal information

• RIM-risks relating to new technologies are not being managed proactively


Meta Analysis – Basic Findings

• Data: Meta results from 11 privacy trust studies in financial service, health care, pharmaceuticals, airlines, Web retailers and others completed over the past two years.

• Compiled self-reported participation (opt out or opt in) rates from consumer data.

• Determined top 5 (with companies not providing choice removed and replaced by the next ranked company that provided choice).

• Determined bottom 5 (with companies not providing choice removed and replaced by the next ranked company that provided choice).

• Top banks, retailers, pharma companies, airlines and health care providers are composite scores across 11 different studies.

• Bottom banks, retailers, pharma companies, airlines and health care providers are composite scores across 11 different studies.

• Results are expressed in simple percentage terms.


Analysis of Net Changes in Privacy Permissions over Two Years

[Chart: net change in privacy permissions (opt out), Year 1 to Year 2, by sector (Banks, Retail, Pharma, Airline, Health), with separate bars for Top and Bottom ranked companies; vertical axis from -10.0% to 4.0%]

Note: Net change in opt out between Year 1 and Year 2 shows that top ranked companies have relative stability and bottom ranked companies have positive change (increase) in compiled average rates.


What Organizations Can Do Better

• Control vendor relationships (including the use of data brokers and integrators)

• Integrate privacy considerations into the company’s permission management and contract strategy

• Focus on employee awareness and education

• Develop RIM governance process to align culture, incentives and control

• Push accountabilities to business owners and utilize monitoring to ensure RIM practices

• Make privacy, data protection and information security a Board-level issue

• Consider enabling technologies

• Consider privacy by design – baking RIM into the early phase of a product or service life cycle.


Barriers to Success

• Management’s complacency and inertia
• Need to show positive ROI with qualitative data
• Disorganized or slow response to crisis
• Compliance mentality
• Budget pressure
• Focus too narrowly (failure to consider global issues)


For More Information about Ponemon Institute and the RIM Council

Dr. Larry Ponemon
Ponemon Institute, LLC

[email protected]

231.264.5178 (Michigan)