The cost of privacy safeguards

By Larry Ponemon 18 Mar 2004 | Security Wire Perspectives

Digg This!     StumbleUpon     Del.icio.us

What are companies spending to comply with the privacy and data protection regulations imposed by HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and the California Security Breach Notification Act? And, is the level of spending an indication of the concern companies have about a potential privacy breach?

An IBM-sponsored study conducted by Ponemon Institute surveyed 44 U.S.-based multinational organizations, revealing that while privacy protection is growing in importance for businesses, investments in privacy initiatives are significantly lower when compared to other corporate compliance initiatives. For example, the study shows that 95% of respondents feel that their organizations spend less on privacy than on environmental initiatives.

More privacy resources Read about the role of the CPO in facilitating privacy policies. Learn about the security controls needed when collecting personal information.

Furthermore, spending on privacy protection increased noticeably the further along organizations were in the implementation process. Spending on privacy initiatives among the organizations surveyed varied from approximately $500,000 to about $22 million annually. This difference can be attributed to the varying stages of respondents' implementation.

The companies surveyed fell into one of three implementation stages: the early, or planning and architecture stage; the middle, or launch and implementation stage; and the late, or operational and maintenance stage. Analysis of the study and the subsequent results revealed that companies in the early stage spend an average of about $3.9 million; companies in the middle stage spend an average of $6 million; companies that have reached the late stage spend an average $14 million. Direct and indirect privacy costs incurred by companies at different levels of program maturity are shown in the bar chart below.

Among those surveyed, the majority of companies were in the early stage. These organizations should anticipate significant increases in spending as their privacy programs move forward. Spending increases are a result of such late-stage activities as running employee training sessions, performing self-assessments, conducting independent audits, securing vendor relationships and obtaining Web site certification.

Findings show that program spending increases markedly as companies advance from early stage activities, such as planning and strategy, to later stage activities that emphasize program execution and delivery. Also note that privacy costs increase faster within direct- versus indirect-cost categories. This suggests that as the corporate program matures, more dedicated resources are applied to formal privacy compliance activities.

Additional study findings:

Most of the respondents believe that privacy expenditures will increase in the next one to three years, and 80% believe that privacy-enabling technologies will be the single most important area for program improvement over the next three to five years.

About the author
Larry Ponemon is chairman and founder of the Ponemon Institute, an organization focused on the development of privacy audits, privacy risk management and ethical information management. For more information about the IBM & Ponemon Institute Cost of Privacy Study, please contact Ponemon Institute.

Tags: Financial services compliance best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us