© 2001 Andersen. All rights reserved.
Andersen U.S. Privacy Study How 75 U.S. Companies Fare Against Emerging Privacy Standards
July 2001
Andersen U.S. Privacy Study Outline
Introduction
• The increasing need for privacy
• Two approaches to privacy
• The E.U. Directive on Data Protection
• The U.S. response -- Safe Harbor
• Relevance to U.S. multinational companies
Andersen U.S. Privacy Study
• Objective
• Companies selected
• Tests conducted
Results
• Summary
• Findings overall
• Findings by industry
• Findings by industry and principle
• Conclusions
• Implications
• Next Steps
Andersen solutions
Introduction The increasing need for privacy
• The collection, use, and protection of personal information are of growing concern to consumers worldwide.
• The increasing pace of worldwide commerce and information sharing raises the importance of privacy and data protection.
• Pressure is increasing for companies conducting business worldwide to measure up to emerging minimum standards of privacy.
• U.S. companies may become competitively disadvantaged if they fail to meet worldwide minimum privacy standards.
Introduction Two approaches to privacy
The E.U. and U.S. have different approaches to privacy
• The E.U. takes a rigorous approach and guarantees citizens protection and control of personal data through the E.U. Directive on Data Protection (“the Directive”).
• The U.S. does not guarantee citizens a “right to privacy” and has addressed privacy largely through self-regulation and industry-specific legislation.
• A reconciliation between these two divergent approaches was needed for worldwide commerce to continue uninterrupted.
Introduction The E.U. Directive on Data Protection
Highlights of the Directive include:
• The E.U. Directive on Data Protection, adopted in October 1995, is the model on which E.U. member states' data protection laws are based.
• The Directive’s intent is to enable the continued free flow of personal data among E.U. member states as well as outside the E.U. while upholding the privacy of E.U. citizens.
• The Directive protects personal data transferred outside of the E.U. by prohibiting the transfer unless the recipient has been found to have “adequate” data protection.
• The adequacy determination is made by the E.U.
Introduction The U.S. response - Safe Harbor
• In response to the Directive, the Safe Harbor program was established to allow U.S. companies to meet E.U. data protection requirements.
• Safe Harbor defines seven privacy principles as a way to achieve the adequacy requirements of the Directive.
• There are many ways of complying with the Directive; Safe Harbor is only one of them.
• Safe Harbor applies only to companies under the jurisdiction of the U.S. FTC and U.S. DoT.
• U.S. companies not eligible for Safe Harbor must still meet the requirements of the Directive.
Introduction Relevance to U.S. multinational companies
• A temporary “stand-still” on enforcement of the Directive was established to grant U.S. companies time to implement privacy programs.
• The “stand-still” was to be re-assessed in mid-2001.
• U.S. companies that meet the Directive’s requirements can:
– Remain competitive in a global market
– Protect their reputation and brand
– Maintain customer loyalty
– Avoid fines, penalties and potential litigation
– Minimize disruptions to business operations
Andersen U.S. Privacy Study Objective
• To assess and benchmark 75 U.S. multinational companies against emerging worldwide privacy and data protection standards.
• In the absence of a single standard, the Safe Harbor principles were selected as representative criteria for the study.
Andersen U.S. Privacy Study Companies selected
The study included 75 companies:
• Fortune 500 and medium-sized U.S. companies
• Companies that collected data from E.U. citizens via a Web site
• Well-known leaders in their respective industries
• Representing $1.7 trillion USD in annual revenues
• Identities of the companies are confidential
There were 15 companies in each of 5 industry sectors:
• Financial services
• Retail
• Technology
• Telecom/Media/Entertainment
• Travel & leisure
Andersen U.S. Privacy Study Tests conducted
Principle: Nature of assessment
Notice: Review of privacy policy on Web site
Choice: Review of privacy policy on Web site
Security: Review of security measures for encryption of personal information and the authentication mechanism
Data Integrity: Review of relevance of personal information collected on Web site
Access: Telephone or e-mail request for access to, amendment of and erasure of personal information
Enforcement: Review of stated complaint and resolution procedures on the Web site or by telephone
Notes:
1) All tests conducted were of a non-intrusive nature.
2) A seventh principle, Onward Transfer, was omitted because the non-intrusive approach allowed no test of it.
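The Security row above describes a non-intrusive review of whether personal information entered on a Web site is encrypted in transit and what authentication mechanism is offered. The Python script below is an added example, not Andersen's test procedure or any code from the study: it parses the HTML of a data-collection page, picks out forms that collect personal data or credentials, resolves each form's action URL against the page URL, and reports whether the submission would travel over HTTPS by POST. The three sample pages, the example.com host names and the list of field-name hints are all constructed for illustration.

```python
"""Added example (not part of the Andersen study): an automated analogue of
the non-intrusive "Security" check, applied to the HTML of a data-collection
page.  The sample pages and PERSONAL_FIELD_HINTS are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Substrings of <input name=...> that usually mark personal information.
# Assumption: a reviewer tunes this list to the site under assessment.
PERSONAL_FIELD_HINTS = ("name", "email", "phone", "address", "card", "ssn", "birth")


class _FormCollector(HTMLParser):
    """Records each <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": (a.get("name") or "").lower(),
                "type": (a.get("type") or "text").lower(),  # HTML default is text
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _collects_personal_data(form):
    """A password field or a personally identifying field name qualifies."""
    return any(
        f["type"] == "password" or any(h in f["name"] for h in PERSONAL_FIELD_HINTS)
        for f in form["fields"]
    )


def check_form_transport(page_url, html):
    """Return one finding per form that collects personal data.

    Each finding records the resolved submission URL, whether it is HTTPS,
    whether the method is POST (GET puts the fields in the URL, where proxies
    and server logs retain them) and whether a password field, i.e. an
    authentication mechanism, is present.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not _collects_personal_data(form):
            continue
        # A relative action inherits the page's scheme: action="/register" on
        # an http:// page submits in cleartext.  An absolute http:// action on
        # an https:// page downgrades the submission just as badly.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        findings.append({
            "target": target,
            "encrypted": urlparse(target).scheme == "https",
            "method_is_post": form["method"] == "post",
            "has_password_field": any(f["type"] == "password" for f in form["fields"]),
        })
    return findings


def passes_security_check(page_url, html):
    """True only when every personal-data form submits over HTTPS by POST."""
    return all(f["encrypted"] and f["method_is_post"]
               for f in check_form_transport(page_url, html))


# Constructed sample pages; example.com is a reserved name, not a studied site.
REGISTER_HTML = """<html><body>
<form action="/register" method="post">
  <input name="full_name" type="text"> <input name="email" type="text">
  <input name="password" type="password">
</form>
<form action="https://search.example.com/q" method="get"><input name="q"></form>
</body></html>"""
# Same markup served over cleartext and over TLS: only the page scheme differs.
HTTP_PAGE_URL = "http://www.example.com/register"
HTTPS_PAGE_URL = "https://www.example.com/register"
# An https:// page whose newsletter form posts back to a cleartext host.
MIXED_PAGE_URL = "https://www.example.com/home"
MIXED_HTML = """<html><body>
<form action="http://lists.example.com/subscribe" method="post">
  <input name="email" type="text">
</form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((HTTP_PAGE_URL, REGISTER_HTML), (HTTPS_PAGE_URL, REGISTER_HTML),
                      (MIXED_PAGE_URL, MIXED_HTML)):
        print("PASS" if passes_security_check(url, html) else "FAIL", url)
        for finding in check_form_transport(url, html):
            print("   ", finding)
```

The search form is ignored because it carries no personal field, so the check reports only on the forms that matter. Note that the same registration markup passes or fails purely on the scheme of the page it is served from, which is why a review of this kind has to start from the URL a visitor actually lands on rather than from the HTML alone.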
Results Summary
As a whole, studied companies did not meet privacy standards
• Not one company passed all 6 principles
• Only 2 of 75 companies passed 5 principles
• Eight companies passed only one principle
Of the privacy principles studied, the lowest scores were consistently found in:
• Enforcement
• Notice
• Access
• Security
Results Findings overall
Percent of Studied Companies Meeting Principles
Enforcement (assurance of compliance): 5%
Notice (individuals informed before use/disclosure of data): 25%
Choice (option to opt out): 80%
Security (protection of personal data): 46%
Data integrity (relevance of purpose for use of data): 74%
Access (user ability to amend or erase data): 34%
Findings: The best scores were in Choice (80 percent) and Data Integrity (74 percent). Significant opportunity for improvement exists in Enforcement, Notice, Access and Security.
Results Findings by industry: Financial services
Percent of Studied Financial Services Companies Meeting Principles
Enforcement (assurance of compliance): 7%
Notice (individuals informed before use/disclosure of data): 20%
Choice (option to opt out): 92%
Security (protection of personal data): 27%
Data integrity (relevance of purpose for use of data): 47%
Access (user ability to amend or erase data): 50%
Findings: Compared with other industries, Financial Services earned the highest score on Choice (opt out), but lagged behind on Data Integrity and Security. In the area of Choice, all 15 companies in the study stated the purposes for which data would be used; however, only 27 percent stated the user's right to withhold consent.
Results Findings by industry: Retail
Percent of Studied Retail Companies Meeting Principles
Enforcement (assurance of compliance): 0%
Notice (individuals informed before use/disclosure of data): 13%
Choice (option to opt out): 86%
Security (protection of personal data): 71%
Data integrity (relevance of purpose for use of data): 80%
Access (user ability to amend or erase data): 0%
Findings: Of the industries studied, Retail scores were among the lowest in Notice, Access and Enforcement; no Retail company met the Access or Enforcement principle. On the other hand, the industry scored near the high end on Choice, Data Integrity and Security, placing second only to Travel & Leisure in ensuring security of personal data entered and transmitted.
Results Findings by industry: Technology
Percent of Studied Technology Companies Meeting Principles
Enforcement (assurance of compliance): 13%
Notice (individuals informed before use/disclosure of data): 33%
Choice (option to opt out): 80%
Security (protection of personal data): 27%
Data integrity (relevance of purpose for use of data): 80%
Access (user ability to amend or erase data): 60%
Findings: Compared with other industries, the Technology companies studied showed the most consistent scores. On the other hand, a third or fewer of Technology companies were found to meet the Notice (33 percent), Security (27 percent) and Enforcement (13 percent) standards. Technology companies scored higher than any other industry in the Access and Enforcement principles.
Results Findings by industry: Telecom/Media/Entertainment
Percent of Studied TME Companies Meeting Principles
Enforcement (assurance of compliance): 7%
Notice (individuals informed before use/disclosure of data): 13%
Choice (option to opt out): 58%
Security (protection of personal data): 33%
Data integrity (relevance of purpose for use of data): 83%
Access (user ability to amend or erase data): 40%
Findings: Though some companies fared well, of the five industries studied the Telecom/Media/Entertainment sector had the lowest average scores, though it scored highest in Data Integrity and above average in Access.
Results Findings by industry: Travel & Leisure
Percent of Studied Travel & Leisure Companies Meeting Principles
Enforcement (assurance of compliance): 0%
Notice (individuals informed before use/disclosure of data): 47%
Choice (option to opt out): 86%
Security (protection of personal data): 73%
Data integrity (relevance of purpose for use of data): 80%
Access (user ability to amend or erase data): 20%
Findings: Travel & Leisure had the highest average scores of the industries studied, though marks were low in Enforcement and Access. The industry scored highest of all in Notice, with 47 percent meeting requirements, and also highest of all industries in Security.
Results Findings by industry and principle: Notice
An organization must inform individuals before using information for a purpose other than originally intended or before otherwise disclosing information.
Percent of companies meeting the Notice principle, by industry:
Financial Services (FS): 20%
Retail (RET): 13%
Travel & Leisure (T&L): 47%
Technology (TECH): 33%
Telecom/Media/Entertainment (TME): 13%
Cross-Industry View (CIV): 25%
Results Findings by industry and principle: Choice
An organization must offer individuals a clear opportunity to opt out (or opt in) if information is to be disclosed to a third party or used for a purpose incompatible with the original stated purpose.
Percent of companies meeting the Choice principle, by industry:
Financial Services (FS): 92%
Retail (RET): 86%
Travel & Leisure (T&L): 86%
Technology (TECH): 80%
Telecom/Media/Entertainment (TME): 58%
Cross-Industry View (CIV): 80%
Results Findings by industry and principle: Security
Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Percent of companies meeting the Security principle, by industry:
Financial Services (FS): 27%
Retail (RET): 71%
Travel & Leisure (T&L): 73%
Technology (TECH): 27%
Telecom/Media/Entertainment (TME): 33%
Cross-Industry View (CIV): 46%
Results Findings by industry and principle: Data integrity
Personal information must be relevant for the purposes for which it is used. Data needs to be accurate, complete and current.
Percent of companies meeting the Data Integrity principle, by industry:
Financial Services (FS): 47%
Retail (RET): 80%
Travel & Leisure (T&L): 80%
Technology (TECH): 80%
Telecom/Media/Entertainment (TME): 83%
Cross-Industry View (CIV): 74%
Results Findings by industry and principle: Access
Individuals must have access to personal information about them that an organization holds. The individual must be able to correct, amend or delete that information where it is inaccurate, unless the burden or expense of providing access is disproportionate to the risks to the individual’s privacy.
Percent of companies meeting the Access principle, by industry:
Financial Services (FS): 50%
Retail (RET): 0%
Travel & Leisure (T&L): 20%
Technology (TECH): 60%
Telecom/Media/Entertainment (TME): 40%
Cross-Industry View (CIV): 34%
Results Findings by industry and principle: Enforcement
Effective privacy protection must include mechanisms for assuring compliance; recourse for individuals where privacy is breached; and consequences for the company breaching the Principles. Sanctions must be sufficiently rigorous to ensure compliance.
Percent of companies meeting the Enforcement principle, by industry:
Financial Services (FS): 7%
Retail (RET): 0%
Travel & Leisure (T&L): 0%
Technology (TECH): 20%
Telecom/Media/Entertainment (TME): 7%
Cross-Industry View (CIV): 5%
Note: the Technology industry slide above reports 13 percent for Enforcement; the 5 percent cross-industry average is consistent with that figure rather than with the 20 percent shown here.
Results Conclusions
• U.S. multinational companies in the study do not meet emerging worldwide privacy standards.
• Because the study results were derived from non-intrusive tests, it is likely that there are additional privacy challenges that organizations must overcome.
Results Implications
• Assuming the studied companies are representative of their industries, most U.S. companies would not be considered compliant with the Directive.
• Impending enforcement of the Directive will increase business risk for U.S. multinational companies.
• Companies that meet privacy and data protection standards will be better prepared to:
– Improve competitive posture in a global market
– Protect their reputation and brand
– Maintain customer loyalty
– Avoid fines, penalties and potential litigation
– Minimize disruptions to business operations
Results Next steps
• Establish privacy goals and objectives responsive to opportunity as well as business risks and considering the:
– Need to comply with minimum legal and regulatory requirements
– Impact of privacy on public image and reputation
– Potential to be the best among competitors in a global market
• Perform an analysis of the current situation vis-à-vis the privacy goals and objectives
– Measure against a worldwide standard
– Assess both online and offline privacy risks
• Take action to improve privacy and data protection
– Begin with the high-visibility, easily remedied issues described in the study
– Follow-up with infrastructure changes as required
Andersen solutions
Diagnose, Implement, Assure
Our privacy services combine multiple disciplines and skills to help clients safeguard customer loyalty and remain competitive in a global market.
• Program office
• Policies and practices
• Changes to technical/ security architecture, business processes and systems
• Management re: compliance with policies, practices, laws and regulations (including control self-assessment)
• Third parties re: policies and practices
• Workshops to develop awareness
• Analyses of business risks and needs
• Development of strategy, goals and objectives
• Compliance program and complaint-taking processes
• Agreements with third party data processors
• Web-based training platform and content
Legal Notice
The information contained in this study is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this document.
The information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax, or other professional advice and services, and should not be used as a substitute for consultation with professional advisers.
While we have made every attempt to ensure that the information in this study has been obtained from reliable sources, Andersen is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information in this study is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will Andersen, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information in this study or for any consequential, special or similar damages, even if advised of the possibility of such damages.
Certain information in this study may refer to third parties over whom Andersen has no control. We make no representations as to the accuracy or any other aspect of information provided by these parties.