Are you a better than average driver? I know I am. In fact, about 80% of people asked in surveys about their driving ability rate themselves as better than average. Of course, it's impossible for the vast majority of people to be above average. But most of us like to think we're doing really well and that it's someone else who is lagging.
People show the same sort of cognitive bias in other areas. For instance, a survey of more than 1,000 Canadian businesses released in February suggests that companies show this kind of unbridled optimism when asked about how well they protect the privacy of customer data. Firms big and small derive significant comfort from the belief that their privacy practices are easily in compliance with applicable laws. Yet the numbers suggest that many companies are just as deluded as the many poor drivers who think they're above average.
The Office of the Privacy Commissioner of Canada commissioned the study, Canadian Businesses and Privacy-Related Issues. It offers a rare glimpse into the privacy practices of businesses of all sizes, painting a detailed picture of how companies across the country perceive privacy protection and their compliance with privacy laws.
The report indicates that 93% of companies store contact information about customers, which would make the vast majority of firms subject to privacy laws. But, in reading the survey results, I was struck by some key disconnects:
- 23% of companies store personal information on portable devices, yet only 44% of these firms encrypt this data
- 96% use passwords, but only 55% require complex passwords—and 27% of these passwords never expire
- 49% have no procedures for protecting data
- 68% of companies don't give their employees any privacy-related training
In sharp contrast, many other companies see privacy protection as very important. Among all the respondents, 39% view privacy protection as a competitive advantage, while 49% rate it as an extremely important objective for their company. Among 47% of companies, compliance efforts have led to improved data security, while 36% of businesses report improved availability of training.
Perhaps the most telling statistic is that 27% of companies say that they have reduced the number of data breaches by adopting better privacy practices. This underscores the fact that companies benefit directly from protecting data properly—this isn't just an exercise in complying with the law.
However, there's one stat that suggests that many firms have an overly rosy view of their data-security situation. Among respondents, 96% report that they have never had a breach affecting personal information. What this suggests to me is not that breaches are very rare—because they are more common than most people realize—but that many companies lack the proper controls needed to monitor and detect breaches. So, even if their customer data has been compromised, these firms have no idea that a breach has occurred.
Companies that aren't properly monitoring and detecting privacy breaches run a big risk if they convey this false sense of security to their customers through disclosures, policies and other statements. If customers believe these reassurances, it can be extremely damaging to a company's reputation if breaches are ever discovered and that trust is broken.
Where does that leave your company? Do you feel, like 10% of this survey's respondents do, that compliance is difficult or perhaps not even applicable to your situation? Do you think that because you haven't detected a breach there has never been one? Are you among the 34% of respondents who believe that complying with privacy laws is easy?
Whichever the case, your company depends on information, be it competitive data, accounting data or customer data. So, I urge you to review the following checklist, see which of the nine tasks you haven't completed and then, crucially, take the necessary steps so you can place a checkmark in each and every box.
|Protective controls||IT tools & techniques||Physical protection||Policies & procedures|
If you complete this checklist honestly, you'll be able to spot gaps in your data-protection plan and see at a glance where you need to make a stronger commitment. And don't be lulled into a false sense of security once you've checked off most of these nine points. A partially completed list doesn't show that your company's data-protection program is mostly successful, but instead hints that a weak link or two could still be undermining your firm's investment in security and privacy.
The great news is that the gaps are now clearly visible so you can address them specifically and cost-effectively.
Claudiu Popa is a security and privacy-risk advisor, and president and CEO of Informatica Corp. He is also co-author of The Canadian Privacy and Data Security Toolkit (Canadian Institute of Chartered Accountants, 2009) and Managing Personal Information (Reuters, 2012).