This article appears in

the February 2010 issue of

The journal of
high-performance business

Information Technology

 ow secure is
H
your confidential data?
By Alastair MacWillson

 company’s approach to data protection and privacy should be

A
more than legally compliant. It must be a core part of both the
organization’s business value proposition and its culture, as well
as global in scope. Here’s how it’s done.
 Data protection has quietly passed
a tipping point. Although some
leading organizations—especially
in Europe and North America—have
made significant strides in securing
sensitive data, many other enter-
prises are slowly awakening to the
reality that they are lagging in their
data protection efforts.
Confidential data—including custom-
er information, business plans and
financials—has become one of every
organization’s most important assets.
Yet technology advancements, new
business models and increasingly
sophisticated and globally intercon-
nected business processes have out-
paced not only regulations designed
to ensure the privacy and protection
of personal and other data but also
many organizations’ own ability to
effectively secure sensitive business
information.
The resulting shortcomings, in
critical areas ranging from em-
ployee training to technology
infrastructure, have made orga-
nizations in both the private and
public sectors extremely vulner-
able to security breaches and the
misuse of sensitive data, even as
awareness of data privacy and pro-
tection issues has increased among
business leaders, regulators and
consumers. And there’s more at
stake for these organizations than
regulatory fines; as several high-
profile data breaches over the past
1. Trust
There is a notable difference between organizations’ intentions regarding
data privacy and how they actually protect it. This discrepancy creates
an uneven trust landscape, which makes it particularly difficult for those
doing business to trust that their data is being used by their counterparties
in accordance with their expectations.
Although approximately 70 percent
of business respondents in our
2
Outlook 2010
survey agreed that organizations
Number 1 have an obligation to take reason-
few years have shown, reputations
and businesses can be ruined by
inadvertent disclosures of custom-
er or other confidential data.
As the volume of data businesses
collect, store and analyze increases
exponentially, many executive
teams find themselves in a precari-
ous position: They can no longer
assure customers that their personal
information is safe from misuse.
“No matter how good a company is
[at protecting data], there’s always a
possibility that information will leak
out,” says Larry Ponemon, chairman
and founder of the Ponemon Insti-
tute, a US privacy and information
security research group. “Companies
can never say the data they collect
about you is perfectly secure. But
they can be good at managing or
mitigating the risk.”
Intentions versus reality
Given the importance of the issue,
Accenture set out to study the cur-
rent state of corporate data protection
and privacy. In two separate global
surveys, we polled 5,500 business
leaders and more than 15,000 adult
consumers in 19 countries. Our
objective was to understand how
perceptions about data protection and
privacy—from both business leaders
and individuals—inform and influ-
ence data protection practices. Our
research revealed important findings
in five key areas.
able steps to secure consumers’
personal information, there were
several inconsistencies in their
stated obligations about doing so.
 For example, 45 percent of the
business respondents were unsure
about or actively disagreed with
granting customers the right to
control the type of information
that is collected about them, while
47 percent were unsure about or
disagreed with customers having a
right to control how this informa-
tion is used. Nearly half did not
believe it was important to limit the
collection and sharing of sensitive
personal customer information,
protect consumer privacy rights,
prevent cross-border transfers of
personal information to countries
2. Accountability
A majority of companies have lost sensitive personal information,
the biggest causes of which are internal errors and other things the
company could potentially control. This suggests that accountability
for and ownership of sensitive data are not being properly addressed
in many organizations.
Fifty-eight percent of business
respondents said their company
had lost sensitive personal infor-
mation, and nearly 60 percent of
those who’d had a breach said that
data loss is a recurring problem.
Thirty-one percent of those busi-
nesses said they’d had three or
more instances of data loss in the
previous 24 months.
Among these companies, the biggest
causes of data loss are internal—
problems presumably well within
their ability to detect and correct.
Business or system failure (57 per-
cent) or employee negligence or errors
(48 percent) were cited most often
as the source of the breaches; cyber
crime was cited as a cause of only
18 percent of the security breaches.
These findings belie common
assumptions that external forces
are the biggest threats to privacy
and security. But they are con-
3
Outlook 2010
sistent with reports of major
Number 1 breaches caused by employee error.
with inadequate privacy laws, and
prevent cyber crimes against con-
sumers and data loss or theft.
There are several possible expla-
nations for this inconsistency,
including industry differences
in the approach to data protection,
cultural or regional differences,
the lack of organizational account-
ability for security policy, and the
fact that some companies focus
on meeting compliance targets
rather than on orchestrating a
comprehensive data protection and
privacy program.
In one case, a mobile phone opera-
tor lost a disk containing data on
17 million customers; in another,
a European government’s national
tax office mistakenly sent out CDs
containing confidential information
about nearly 4 million people to
the country’s newspapers, radio
stations and television stations.
There are several contributing
factors to these internal vulner-
abilities, none of them outwardly
malicious but all of them troubling.
They include insufficient training,
inadequate controls and incomplete
mapping of internal data flows (see
sidebar, page 5).
Ongoing innovation in areas such as
data storage and mobility are com-
pounding the challenge. Portable
devices are getting smaller, can hold
more data, and can seamlessly con-
nect to servers, networks and other
portable devices, literally putting
more power—and more data—into the
hands of individual users.
 “People expect absolute, almost
immediate access to anything they
want at any time,” says privacy
expert Ponemon. “That requires
security to be nearly invisible.
Anytime that security requires you
to wait is unacceptable to people;
many will try to avoid the delay.
The right data protection pro-
cesses, controls and technologies
can help prevent this situation in
the first place, providing effective
security that enables business pro-
ductivity, rather than hampers it.”

3. Regulatory compliance
Many organizations believe complying with existing regulations is sufficient
to protect their data. However, such a mindset is dangerous given the fact
that regulations generally are not sophisticated enough for today’s business
environment. What’s more, the regulations are not consistently or equally
applied across industries and countries.

Although nearly 70 percent of nearly half of these companies have

respondents said they regularly
monitor privacy and data protection
regulatory compliance requirements,
data breaches have nonetheless
occurred in 58 percent of organiza-
tions polled.
Even more intriguing—or worrying—
is the fact that more than two-thirds
of businesses in Europe, where pri-
vacy regulations are most stringent,
admitted that they’d had a data breach
incident in the past 24 months, and
had two or more such incidents.
These findings indicate that simply
complying with existing regulations
and laws is not enough to fully protect
sensitive data. The current spectrum
of regulations clearly cannot account
for all possible problems that could
emerge given the rapidly increasing
volume of data that organizations
collect and the complexity inherent
in how such data is accessed and used
by organizations.

4. Third parties
Companies should be careful about the company they keep. It is crucial
they understand the perspective on and approach to data protection and
privacy taken by their third-party partners.

Fifty-five percent of the companies own data protection and privacy

in our survey outsource the collec-
tion and/or processing of personal
information about customers. Because
safeguarding client information is one
of every company’s most fundamental
and important responsibilities, it is
essential to scrupulously maintain the
trust that forms the cornerstone of
relationships between companies and
their outsourcing providers.
4
Outlook 2010
Companies must conduct a thorough
Number 1 assessment not only of the provider’s
program to ensure that it meets or—
better yet—exceeds their own efforts
but also of its knowledge of and ex-
perience with managing data within
and across national boundaries.
For their part, outsourcing provid-
ers must operate a comprehensive
global client data protection program
that provides a standardized, con-
sistent approach to protecting their
(Continued on page 6)
 Does your company have a data security problem?
Before you answer, consider this: Despite the popular perception that breaches in data
security usually have external causes, the most common culprits are internal, often the
result of business or system failure or employee negligence. Among them:

• Insufficient training programs. Internal education is crucial to set common

standards and practices employees can use to deal with sensitive data. Yet only 56
percent of companies surveyed said it was important or very important to even
have policies about privacy practices.

• Inadequate controls. Often, employees simply have too much access to sensitive
data. For instance, nearly half of the companies in our survey said limiting the
collection and sharing of sensitive personal information was not important, some-
times important or irrelevant. Most telling, just 19 percent of businesses said it
is never acceptable to sell personal information for profit.

• Incomplete mapping of data flow across the organization. As the amount of

sensitive data collected grows exponentially, it is often difficult to track all the
areas in which such data is generated, collected, stored and used. Nearly 30
percent of the companies in our surveys said they either did not know or were
unsure of where personal information about customers and employees resides
within the organization’s IT enterprise.

• Insufficient technology intervention. Human error is inevitable. Yet organizations

are not doing enough to implement technical tools that prevent employees from
taking an action that will compromise an organization’s data security.

Security breaches
Internal issues—rather than cyber crime or malicious intent—
are the most frequent causes of security breaches.

System or technical glitches 35%

Negligent or incompetent employees 24

Business process failures 22

Cyber crime 18

Malicious employees 13

Negligent or incompetent
11
temporary employees or contractors

Source: Accenture analysis

5
Outlook 2010
Number 1
 Gone missing
More than half of the 5,500 company executives surveyed
report that their company had lost sensitive information.

Did your organization ever lose sensitive

personal information?

Yes
11
No
Can’t recall

31

58%

Source: Accenture analysis

(Continued from page 4) in case of a breach, enforcement

clients’ data. This program should
cover all critical elements of data
protection and privacy, including
employee training, regular moni-
toring and auditing, oversight,
appropriate and timely responses
and discipline for inappropriate
actions, and strong preventive
measures to stop breaches. It must
understand and comply with both
industry regulations and data
privacy laws in the countries in
which it and its client operates.

5. Culture
Companies that exhibit a “culture of caring” with respect to data protection
and privacy are far less likely to experience security breaches.

The 31 percent of business respon- In general, our analysis indicates

dents who said their company had
not experienced even one security
breach in the past two years dem-
onstrated some substantial differ-
ences from the companies that did
lose data, in terms of their attitudes
and policies regarding data privacy
and protection, as well as in what
6
Outlook 2010
they considered acceptable uses of
Number 1 personal data.
that those companies with no
breaches seem to exhibit an overall
“culture of caring” with regard to
sensitive data and a conviction that
they are not owners of such data
but, rather, stewards whose respon-
sibility is to protect and safeguard
that data. These companies tend to
believe that consumers have sub-
stantial rights to manage, correct
 Consumer protection
More than half of the 15,000 adult consumers surveyed believe that customers
have a right to control the information companies collect about them.
Consumers have a right to control information
collected about them and their family.
9
23
17
18
34%
Source: Accenture analysis
and control information collected
about them and to understand how
such information is being used.
Additionally, the “no breach” group
was more likely to feel a stronger ob-
ligation to maintain data protection
and privacy—for instance, by taking
reasonable steps to secure consum-
ers’ personal information, control
who has access to such information,
disclose to consumers how their
personal information is used, and
help consumers if the enterprise loses
their personal information.
In addition, companies with no
breaches tend to have policies that
value the protection of sensitive
data and how such data is used. For
instance, no-breach companies are
more likely than companies that
have had breaches to know where
personal information on customers
and employees resides within the
organization’s IT enterprise (75
7
Outlook 2010
percent versus 66 percent). This
Number 1 understanding enables these orga-
Strongly agree
Agree
Unsure
Disagree
Strongly disagree
nizations to more effectively protect
data across the enterprise.
It is clear that organizations today
have an urgent need to take a more
proactive approach to data protection
and privacy, not only to minimize the
risk of major fines for non-compliance
but also to avoid breaches of sensitive
personal data that can alienate cus-
tomers and destroy brand credibility.
A global standard
Government and corporate leaders
should work together to create a
global standard that is based on a
thorough understanding of the data
privacy and protection ecosystem
and that assigns accountability ap-
propriately across key stakeholders:
organizations, individuals and regu-
lators. The standard should provide
prescriptive guidance on what data
must be protected, who should be
provided access to the sensitive data
under what circumstances, and how
to protect the data based on sensi-
tivity and classification levels.
 At an individual organization level,
enterprises should create a “culture
of caring” with regard to data pro-
tection and privacy. Companies have
shown that this approach is not just
good for compliance; it’s good for
business. “We’ve seen organizations
that have made privacy and data
protection a strategic initiative,”
says Ponemon. “They view privacy
as a way to engage consumers and
increase their reputation and brand
in the marketplace.”
There are six tangible steps com-
panies can take to begin creating
such a culture.
1. Assign ownership of and
accountability for data protection
and privacy. Diffusing responsibility
for data protection and privacy across
multiple functions contributes to an
environment conducive to failures
and breaches. Organizations that want
to become good stewards of sensitive
data should bring the people or func-
tions responsible for specific aspects
of protection and privacy—technology,
policies, procedures, regulations and
laws—together to ensure that the orga-
nization approaches these issues in a
comprehensive and coordinated way.
In some cases, it may make sense
to establish a data protection and
privacy council, comprising stake-
holders from across the business, to
oversee how sensitive data is man-
aged and used and to ensure contin-
uous improvement of the enterprise’s
security posture.
2. Develop a more effective and
comprehensive governance program
for data privacy and protection. A
robust and comprehensive data pro-
tection and privacy governance pro-
gram can help an organization clearly
delineate how data is collected, stored,
managed and used, as well as who is
allowed to access and use which data.
8
Outlook 2010
3. Evaluate current data protection
Number 1 and privacy technologies to confirm
that the necessary level of protection
is being provided. Because today’s
computer incident-response technolo-
gies often do not generate adequate
insights from prior breaches—thus
impairing proactive risk manage-
ment—companies should reevaluate
their installed base of such tools and
consider enhancing or replacing them.
Importantly, because technology
alone does not prevent potential infor-
mation loss, it must work in concert
with a data governance framework
and standards.
4. Build a consistent level of
awareness of the importance of
data protection and privacy among
the workforce. It is increasingly
important for organizations to cre-
ate more comprehensive and robust
workforce education and training
programs that give all employees a
consistent and common understand-
ing of the organization’s established
data protection and privacy policies
and procedures and specific guidance
on how to adhere to them.
5. Reexamine data protection
and privacy investments. Few
organizations have a true enterprise
view of their security investments.
This not only prevents them from
understanding the “true cost”
of security, but it also keeps them
from being able to reallocate in-
vestments as necessary to areas of
high priority. An organization should
have a balanced investment in data
protection and privacy, considering
all key aspects of the issue: people,
process and technology.
6. Choose business partners
with care. Partner with companies
that take equal or greater care
with data. Rigorously assess their
knowledge, practices and experi-
ence in managing sensitive data
across organizational and national
boundaries in accordance with local
privacy laws and industry regula-
tions. Remember: You are judged by
the company you keep.
 Tallying the true cost of security breaches
In the United States alone, more than 339 million records containing sensitive personal
information have been involved in security breaches since January 2005. Such
breaches can have serious implications.

Erosion of shareholder value. Research has found that a stock price typically
drops by approximately 5 percent after a breach of confidential information is
made public. A separate study showed that companies announcing an Internet
security breach lost approximately 2.1 percent of their market value in the two
days following the announcement of the events—an average loss of $1.65 billion
in market capitalization per incident.

Loss of trust. The Ponemon Institute, a US privacy and information security research
firm, estimates that approximately 3.6 percent of a company’s customers stop doing
business with the company after a security breach. The churn rate is even higher in
certain industries, including health care and financial services.

Organizations are becoming more reliant than ever on data to run their busi-
ness. But as the amount of data grows, policies and approaches for ensuring
the safety and confidentiality of that information are falling behind. Compa-
nies need a more comprehensive approach to data privacy and protection, one
that closes the gaps between business strategy, risk management, compliance
reporting and IT security.

A company’s approach to data protection and privacy should be more than

legally compliant—it should be a core part of both the organization’s business
value proposition and its culture. It should also be global in scope. All
employees must understand this “culture of caring” and that they are
accountable for safeguarding information. And as organizations innovate
around new business models and technology to gain or maintain competitive
edge, they must be equally aggressive in innovating around the data security
issues that these advancements introduce.

9
Outlook 2010
Number 1
 About the author

Alastair MacWillson is the global managing director of Accenture’s Security group

and works with clients worldwide on issues relating to enterprise security, data and
information security, cyber security, risk management and privacy. He has 18 years
of experience in security and technology consulting and has advised major companies
and governments worldwide on strategy, standards practices and technology. Dr.
MacWillson, who has written many articles and papers on security, is a regular
presenter on security and risk at major industry conferences. Prior to moving into
consulting, Dr. MacWillson spent 16 years with the UK Foreign Service and enjoyed
postings in the Middle East, Moscow and Washington, DC. He is based in London.

alastair.macwillson@accenture.com

Outlook is published by Accenture.

© 2010 Accenture.
All rights reserved.

The views and opinions in this article

should not be viewed as professional
advice with respect to your business.

Accenture, its logo, and

High Performance Delivered
are trademarks of Accenture.

The use herein of trademarks that may

be owned by others is not an assertion
of ownership of such trademarks by
Accenture nor intended to imply an
association between Accenture and the
lawful owners of such trademarks.

For more information about Accenture,

please visit www.accenture.com

10
Outlook 2010
Number 1