What are companies spending to comply with the privacy and data protection regulations imposed by HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and the California Security Breach Notification Act? And, is the level of spending an indication of the concern companies have about a potential privacy breach?
An IBM-sponsored study conducted by Ponemon Institute surveyed 44 U.S.-based multinational organizations, revealing that while privacy protection is growing in importance for businesses, investments in privacy initiatives are significantly lower when compared to other corporate compliance initiatives. For example, the study shows that 95% of respondents feel that their organizations spend less on privacy than on environmental initiatives.
Furthermore, spending on privacy protection increased noticeably the further along organizations were in the implementation process. Spending on privacy initiatives among the organizations surveyed varied from approximately $500,000 to about $22 million annually. This difference can be attributed to the varying stages of respondents' implementation.
The companies surveyed fell into one of three implementation stages: the early, or planning and architecture stage; the middle, or launch and implementation stage; and the late, or operational and maintenance stage. Analysis of the study results revealed that companies in the early stage spend an average of about $3.9 million; companies in the middle stage spend an average of $6 million; and companies that have reached the late stage spend an average of $14 million. Direct and indirect privacy costs incurred by companies at different levels of program maturity are shown in the bar chart below.
Among those surveyed, the majority of companies were in the early stage. These organizations should anticipate significant increases in spending as their privacy programs move forward. Spending increases are a result of such late-stage activities as running employee training sessions, performing self-assessments, conducting independent audits, securing vendor relationships and obtaining Web site certification.
Findings show that program spending increases markedly as companies advance from early-stage activities, such as planning and strategy, to later-stage activities that emphasize program execution and delivery. Also note that privacy costs grow faster in the direct-cost categories than in the indirect-cost categories. This suggests that as the corporate program matures, more dedicated resources are applied to formal privacy compliance activities.
Additional study findings:
- As company privacy initiatives progress, late-stage spending is expected to reach approximately 355% of early-stage spending, i.e. roughly 3.5 times as much, consistent with the $3.9 million and $14 million averages above.
- According to industry classification, technology companies appear to incur the highest privacy costs. Transportation and hospitality companies appear to spend the least on privacy initiatives, as compared to other industry groups. Companies in heavily regulated industries, such as financial services and health care, appear to spend within the middle range.
- Ten percent of the companies surveyed are using privacy-enabling technologies that directly enhance compliance or mitigate business risk.
- The majority of respondents believe that spending increases are needed to achieve adequate levels of compliance, and that as privacy becomes a more mature area of corporate compliance, financial investment in technologies that protect data and decrease risk will rise accordingly.
Most of the respondents believe that privacy expenditures will increase in the next one to three years, and 80% believe that privacy-enabling technologies will be the single most important area for program improvement over the next three to five years.
About the author
Larry Ponemon is chairman and founder of the Ponemon Institute, an organization focused on the development of privacy audits, privacy risk management and ethical information management. For more information about the IBM & Ponemon Institute Cost of Privacy Study, please contact Ponemon Institute.