Survey says more attention being paid to data privacy, but still a ways to go

PwC released results of 2013 data privacy survey late last year, which pointed to increased communication, but also continuing struggles to meet compliance and regulation requirements

Data privacy has gotten its fair share of attention these days, what with the high-profile data breaches that have taken place in recent months. Fittingly, PricewaterhouseCoopers released the results of its 2013 data privacy survey late last year. Its 370 participants represented both board-level members responsible for oversight of privacy programs within their organization and practitioners involved in day-to-day operations.

While some of the statistics were reassuring and showed that data privacy is growing in importance, it would appear that there's still a ways to go before it gets the amount of attention it deserves.

For instance, one of the many statistics indicated that the majority of respondents considered consumer privacy a "medium priority." By PwC's definition, this means that it's a business concern that gets "some attention."

That being said, what the statistics did not necessarily indicate is that a lot depends on the sector being discussed, said Carolyn Holcomb, a partner and leader in PwC's Risk Assurance Data Protection and Privacy Practice. Different areas like the financial and healthcare sectors clearly prioritize consumer privacy more than others. One example Holcomb gave was B2B companies that are, in essence, not part of the front line like retailers are.

"People in [sectors like financial or healthcare] will tell you that privacy is among their top 10 risks," said Holcomb. "It's when you expand that to other sectors that don't collect as much consumer information that you don't see as high of a risk."

But it's difficult to deny that privacy awareness isn't quite where it should be. Study results said that 47 percent of board members felt that while they were aware of privacy issues, they weren't aware of the impact they have on their organization (while an additional 13 percent said that they weren't even aware of the issues at all).

One possible reason for the lack of awareness is that, according to the study, 54 percent of board members admitted to relying on internal communications rather than one-on-one meetings to stay informed on privacy issues.

"Some of that is still related to a lack of education. Board education still has a way to go," said Holcomb in reference to the lack of face-to-face meetings. "Board members still aren't sure what they're missing. It goes back to that confusion that security and privacy are the same, so they see a security presentation and think they don't need anything else."

Naturally, the unfortunate implication here is that more often than not, board members may not be aware of the impact privacy risks might have on their companies. "There might be a privacy risk, but they'll think, 'We have a lawyer, we have a privacy policy, so everything must be okay,'" said Holcomb. "There's a lack of understanding of the risk."

Regardless of how companies perceive the importance of privacy on the whole, they do seem to be, at the very least, discussing it more. The study results indicated that while the majority of respondents – 39 percent – were only discussing privacy issues at the board level annually, the number of companies that are discussing them more frequently wasn't far behind. That number is on the rise year over year according to Holcomb, with 23 percent of respondents saying that they discuss privacy issues quarterly.

"We've seen a big difference in how companies look at privacy versus security," said Holcomb. "Privacy is still up and coming. The boardrooms are really just starting to catch on and saying that security and privacy are different, and that [they] need to focus on privacy."

And in the long run, this obviously stands to benefit the company. As Holcomb points out, as both the company and board members become more educated on what exactly privacy means, they're beginning to keep the promises that they make to their consumers.

"The question is, if you put out a privacy notice and tell [consumers] what you're going to do or not do with their data, are you keeping those promises?" said Holcomb. "By getting additional information, companies are now better understanding the risks." Armed with better understanding, board members are becoming more focused on what their privacy notices say and what changes are coming about in their companies. This leads towards what Holcomb referred to as "privacy by design" and determining whether they are designing privacy into their products/services and whether it is done upfront.

"Now they're making sure the front end is in sync with the backend," said Holcomb.

This, according to Holcomb, is the key to an effective approach to privacy policies. Many organizations have a privacy notice out upfront, but they also need to be aware of what the backend systems are doing.

"There needs to be a governing structure of people that are looking at that linkage, communicating it to the board, and a program in place that is keeping that linkage tight all that time so you don't have a privacy problem," said Holcomb.

If the study results are any indication, avoiding those "privacy problems" appears to be a number one priority. The survey concluded that compliance and governance are "top of mind" for most board members, which would suggest, at face value, that this is limiting the scope of some companies' privacy policies as they simply try to tick off the next box. But coming in a very close second place was "enhancing trust in brand," and many companies are now trying to focus on both.

"The big focus today is how to take all the compliance requirements and try to streamline them," said Holcomb. "58 percent of the respondents said [that their strategy is] both compliance and brand maintenance. Compliance is important and yeah, you maybe check the box, but you're also focused on privacy because you want to protect your brand and build trust with your consumers."

That desire to streamline was made apparent in the survey results, as the majority of practitioners (57 percent) cited streamlining and improving the efficiency of their existing processes as a higher priority than expanding their programs. Again, it would be tempting to think that this may be indicative of a dismissive attitude towards privacy, but Holcomb insists this is not the case.

"It's just gotten overwhelming when you look at compliance in all the different areas where a company needs to comply," said Holcomb. "Companies need to figure out which technology, which group of people, which governance programs they need to cover all of these compliances, including privacy. It's not an attitude towards privacy specifically, it's that the list has gotten so long. It makes it quite a challenge for companies to comply all the time with all requirements."

Holcomb pointed out that the US does not have a federal privacy law; rather, it has state and sectoral laws, which make building a privacy compliance program very complex, since the applicable law depends on where the consumers reside, not where the company is headquartered. This, of course, means that once all of the consumers are accounted for, the laws become numerous and complicated.

"So having a compliance program to even meet the privacy regulations is challenging," said Holcomb.

That's why specialized roles, like chief privacy officers, are rising in prominence. Though the statistics indicated that the most common executive title held by privacy leaders is still General Counsel at 32 percent, chief privacy officer came in second at 24 percent. Though handling privacy issues was once a responsibility of CSOs, they are becoming decreasingly responsible – only 8 percent said that CSOs were their privacy leaders – as the more specialized players step into their roles.

"[Being a privacy leader] is becoming more of a legal function," said Holcomb. "They have to coordinate with the security teams and others in the organization. The role is being given to someone, generally a lawyer, who is focused on the laws. But they also need to look at the people, processes, and technologies, so there's a lot of internal coordination. You need a cross-functional team."

Copyright © 2014 IDG Communications, Inc.