© 2001 Andersen. All rights reserved. Andersen U.S. Privacy Study How 75 U.S. Companies Fare Against Emerging Privacy Standards July 2001

Page 1: Title slide

Andersen U.S. Privacy Study: How 75 U.S. Companies Fare Against Emerging Privacy Standards

July 2001

Page 2: Andersen U.S. Privacy Study Outline

Introduction

• The increasing need for privacy

• Two approaches to privacy

• The E.U. Directive on Data Protection

• The U.S. response -- Safe Harbor

• Relevance to U.S. multinational companies

Andersen U.S. Privacy Study

• Objective

• Companies selected

• Tests conducted

Results

• Summary

• Findings overall

• Findings by industry

• Findings by industry and principle

• Conclusions

• Implications

• Next Steps

Andersen solutions

Page 3: Introduction The increasing need for privacy

• The collection, use, and protection of personal information is of growing concern to consumers worldwide.

• The increasing pace of worldwide commerce and information sharing raises the importance of privacy and data protection.

• Pressure is increasing for companies conducting business worldwide to measure up to emerging minimum standards of privacy.

• U.S. companies may become competitively disadvantaged if they fail to meet worldwide minimum privacy standards.

Page 4: Introduction Two approaches to privacy

The E.U. and U.S. have different approaches to privacy

• The E.U. takes a rigorous approach and guarantees citizens protection and control of personal data through the E.U. Directive on Data Protection (“the Directive”).

• The U.S. does not guarantee citizens a “right to privacy” and has addressed privacy largely through self-regulation and industry-specific legislation.

• A reconciliation between these two divergent approaches was needed for worldwide commerce to continue uninterrupted.

Page 5: Introduction The E.U. Directive on Data Protection

Highlights of the Directive include:

• The E.U. Directive on Data Protection, adopted October 1995, is the model after which E.U. member state data protection laws are created.

• The Directive’s intent is to enable the continued free flow of personal data among E.U. member states as well as outside the E.U. while upholding the privacy of E.U. citizens.

• The Directive protects personal data transferred outside of the E.U. by prohibiting the transfer unless the recipient has been found to have “adequate” data protection.

• The adequacy determination is made by the E.U.

Page 6: Introduction The U.S. response - Safe Harbor

• In response to the Directive, the Safe Harbor program was established to allow U.S. companies to meet E.U. data protection requirements.

• Safe Harbor defines seven privacy principles as a way to achieve the adequacy requirements of the Directive.

• There are many ways of complying with the Directive; Safe Harbor is only one of them.

• Safe Harbor applies only to companies under the jurisdiction of the U.S. FTC and U.S. DoT.

• U.S. companies not eligible for Safe Harbor must still meet the requirements of the Directive.

Page 7: Introduction Relevance to U.S. multinational companies

• A temporary “stand-still” on enforcement of the Directive was established to grant U.S. companies time to implement privacy.

• It was put forth that the “stand-still” would be re-assessed mid 2001.

• U.S. companies that meet the Directive’s requirements can:

– Remain competitive in a global market

– Protect their reputation and brand

– Maintain customer loyalty

– Avoid fines, penalties and potential litigation

– Minimize disruptions to business operations

Page 8: Andersen U.S. Privacy Study Objective

• To assess and benchmark 75 U.S. multinational companies against emerging worldwide privacy and data protection standards.

• In the absence of a single standard, the Safe Harbor principles were selected as representative criteria for the study.

Page 9: Andersen U.S. Privacy Study Companies selected

The study included 75 companies:

• Fortune 500 and medium-sized U.S. companies

• Companies that collected data from E.U. citizens via a Web site

• Well-known leaders in their respective industries

• Represent $1.7 trillion USD in annual revenues

• Identities of the companies are confidential

There were 15 companies in each of 5 industry sectors:

• Financial services

• Retail

• Technology

• Telecom/Media/Entertainment

• Travel & leisure

Page 10: Andersen U.S. Privacy Study Tests conducted

Notes:

1) All tests conducted were of a non-intrusive nature.

2) A seventh principle, Onward Transfer, was omitted as we were unable to perform any tests due to the non-intrusive approach.

Principle: Nature of assessment

Notice: Review of privacy policy on Web site

Choice: Review of privacy policy on Web site

Security: Review of security measures for encryption of personal information and the authentication mechanism

Data Integrity: Review of relevance of personal information collected on Web site

Access: Telephone or email request for access to, amendments to and erasing of personal information

Enforcement: Review of stated complaints and resolution procedures on the Web site or by telephone

Page 11: Results Summary

As a whole, studied companies did not meet privacy standards

• Not one company passed all 6 principles

• Only 2 of 75 companies passed 5 principles

• Eight companies passed only one principle

Of the privacy principles studied, lowest scores were consistently found in:

• Enforcement

• Notice

• Access

• Security

Page 12: Results Findings overall

Findings: The best scores were in Choice and Data Integrity, respectively. Significant opportunity for improvement is possible in Enforcement, Notice, Access and Security.

Percent of Studied Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 5%

Notice (individuals informed before use/disclosure of data): 25%

Choice (option to opt out): 80%

Security (protection of personal data): 46%

Data integrity (relevance of purpose for use of data): 74%

Access (user ability to amend or erase data): 34%

Page 13: Results Findings by industry: Financial services

Findings: Compared with other industries, Financial Services earned the highest score on the issue of Choice (opt out), but it lagged behind on Data Integrity and Security. In the area of Choice, all 15 companies in the Study stated the purposes data would be used for; however, only 27 percent stated the user's right to withhold consent.

Percent of Studied Financial Services Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 7%

Notice (individuals informed before use/disclosure of data): 20%

Choice (option to opt out): 92%

Security (protection of personal data): 27%

Data integrity (relevance of purpose for use of data): 47%

Access (user ability to amend or erase data): 50%

Page 14: Results Findings by industry: Retail

Findings: Of the industries studied, Retail scores were among the lowest, in Notice, Access and Enforcement. On the other hand, the industry scored near the high end on Choice, Data Integrity and Security. Retail scored highest among all industries in ensuring security of personal data entered and transmitted.

Percent of Studied Retail Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 0%

Notice (individuals informed before use/disclosure of data): 13%

Choice (option to opt out): 86%

Security (protection of personal data): 71%

Data integrity (relevance of purpose for use of data): 80%

Access (user ability to amend or erase data): 0%

Page 15: Results Findings by industry: Technology

Findings: Compared with other industries, the Technology companies studied enjoyed the most consistency in their scores. On the other hand, only a third of Technology companies were found to follow Notice, Security and Enforcement standards. Technology companies scored higher than other industries in Access and Enforcement principles.

Percent of Studied Technology Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 13%

Notice (individuals informed before use/disclosure of data): 33%

Choice (option to opt out): 80%

Security (protection of personal data): 27%

Data integrity (relevance of purpose for use of data): 80%

Access (user ability to amend or erase data): 60%

Page 16: Results Findings by industry: Telecom/Media/Entertainment

Findings: Though some companies fared well, of the five industries studied, the Telecom/Media/Entertainment sector had the lowest average scores, though it did score highest in Data Integrity and above average in Access.

Percent of Studied TME Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 7%

Notice (individuals informed before use/disclosure of data): 13%

Choice (option to opt out): 58%

Security (protection of personal data): 33%

Data integrity (relevance of purpose for use of data): 83%

Access (user ability to amend or erase data): 40%

Page 17: Results Findings by industry: Travel & Leisure

Findings: Travel & Leisure enjoyed the highest average scores compared to the other industries studied, though marks were low in Enforcement and Access. The industry scored highest among all in Notice with 47 percent meeting requirements. The industry also scored highest among all industries in Security.

Percent of Studied Travel & Leisure Companies Meeting Principles

Principle: Percent of companies meeting

Enforcement (assurance of compliance): 0%

Notice (individuals informed before use/disclosure of data): 47%

Choice (option to opt out): 86%

Security (protection of personal data): 73%

Data integrity (relevance of purpose for use of data): 80%

Access (user ability to amend or erase data): 20%

Page 18: Results Findings by industry and principle: Notice

An organization must inform individuals before using information for a purpose other than originally intended or before otherwise disclosing information.

Bar chart: Percent of companies meeting the Notice principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 20 | RET 13 | T&L 47 | TECH 33 | TME 13 | CIV 25

Page 19: Results Findings by industry and principle: Choice

An organization must offer individuals a clear opportunity to opt out (or opt in) if information is to be disclosed to a third party or used for a purpose incompatible with original stated purpose.

Bar chart: Percent of companies meeting the Choice principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 92 | RET 86 | T&L 86 | TECH 80 | TME 58 | CIV 80

Page 20: Results Findings by industry and principle: Security

Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Bar chart: Percent of companies meeting the Security principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 27 | RET 71 | T&L 73 | TECH 27 | TME 33 | CIV 46

Page 21: Results Findings by industry and principle: Data integrity

Personal information must be relevant for the purposes for which it is used. Data needs to be accurate, complete and current.

Bar chart: Percent of companies meeting the Data Integrity principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 47 | RET 80 | T&L 80 | TECH 80 | TME 83 | CIV 74

Page 22: Results Findings by industry and principle: Access

Individuals must have access to personal information about them that an organization holds. The individual must be able to correct, amend or delete that information where it is inaccurate, unless the burden or expense of providing access is disproportionate to the risks to the individual’s privacy.

Bar chart: Percent of companies meeting the Access principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 50 | RET 0 | T&L 20 | TECH 60 | TME 40 | CIV 34

Page 23: Results Findings by industry and principle: Enforcement

Effective privacy protection must include mechanisms for assuring compliance; recourse for individuals where privacy is breached; and consequences for the company breaching the Principles. Sanctions must be sufficiently rigorous to ensure compliance.

Bar chart: Percent of companies meeting the Enforcement principle, by industry (FS = Financial Services Companies, RET = Retail Companies, T&L = Travel & Leisure Companies, TECH = Technology Companies, TME = Telecom/Media/Entertainment, CIV = Cross-Industry View)

FS 7 | RET 0 | T&L 0 | TECH 20 | TME 7 | CIV 5

Page 24: Results Conclusions

• U.S. multinational companies in the study do not meet emerging worldwide privacy standards.

• Because the study results were derived from non-intrusive tests, it is likely that there are additional privacy challenges that organizations must overcome.

Page 25: Results Implications

• Assuming the studied companies are representative of their industries, most U.S. companies would not be considered compliant with the Directive.

• Impending enforcement of the Directive will increase business risk for U.S. multinational companies.

• Companies that meet privacy and data protection standards will be better prepared to:

– Improve competitive posture in a global market

– Protect their reputation and brand

– Maintain customer loyalty

– Avoid fines, penalties and potential litigation

– Minimize disruptions to business operations

Page 26: Results Next steps

• Establish privacy goals and objectives responsive to opportunity as well as business risks and considering the:

– Need to comply with minimum legal and regulatory requirements

– Impact of privacy on public image and reputation

– Potential to be the best among competitors in a global market

• Perform an analysis of the current situation vis-à-vis the privacy goals and objectives

– Measure against a worldwide standard

– Assess both online and offline privacy risks

• Take action to improve privacy and data protection

– Begin with high-visibility, easily-remedied issues described in the study

– Follow-up with infrastructure changes as required

Page 27: Andersen solutions

Diagnose • Implement • Assure

Our privacy services combine multiple disciplines and skills to help clients safeguard customer loyalty and remain competitive in a global market.

• Program office

• Policies and practices

• Changes to technical/ security architecture, business processes and systems

• Management re: compliance with policies, practices, laws and regulations (including control self-assessment)

• Third parties re: policies and practices

• Workshops to develop awareness

• Analyses of business risks and needs

• Development of strategy, goals and objectives

• Compliance program and complaint-taking processes

• Agreements with third party data processors

• Web-based training platform and content

Page 28: Legal Notice

The information contained in this study is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this document.

The information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice and services, and should not be used as a substitute for consultation with professional advisers.

While we have made every attempt to ensure that the information in this study has been obtained from reliable sources, Andersen is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information in this study is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will Andersen, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information in this study or for any consequential, special or similar damages, even if advised of the possibility of such damages.

Certain information in this study may refer to third parties over whom Andersen has no control. We make no representations as to the accuracy or any other aspect of information provided by these parties.