A recent study of US and European multinationals calls for improvement in data security practices on both sides of the Atlantic. The study—Benchmark Study of European & U.S. Corporate Privacy Practices—comes at a time when regulatory and compliance legislation is on the rise following a spate of corporate data security breaches. Honeycomb Connect spoke with David Bender head of White & Case's Global Privacy practice who sponsored the study as part of the law firm's annual Global Privacy Symposium. We asked Mr. Bender for his insight on the study and its implications.
The study, which is a response to the trend amongst some U.S. jurisdictions to enact privacy laws based on the EU model, seeks to review privacy practices on both continents and through a comparative analysis shed some light on the issues, says Bender.
US corporations scored higher than their European counterparts in five of the eight areas of focus highlighted by the research, but Bender
“I think more monitoring and the employment of more privacy enhancing technology are two things that might be worth while for European companies to consider.”
believes respondents from both countries fall short when it comes to actual data security. He does point to findings that suggest some U.S. companies succeed in paying attention to the results of privacy programs. “In the US there is more monitoring, more follow-up, more feedback to make sure what is supposed to happen actually happens, rather than just trusting in the process. This focus on auditing sets the U.S. apart from its European counterparts."
The research also refers to the objectives of corporate privacy programs, pointing to a European culture of responsible information use in contrast to control-oriented U.S. companies who often engage in stricter security and are motivated by compliance activities. Bender adds that “in the US there is a concern about losing customers if security is breached and there is public disclosure of it. This is something that has arisen really in the last year and a half since we’ve had an unending parade of security breaches.” Bender thinks the computer industry’s “dirty little secret” is out. “The secret was that there were an awful lot of security breaches and most people were not aware of it because people inside these corporations who were responsible for the breaches felt it in there own interest to keep it hush-hush, sometimes even from others within the company.”
According to Bender it’s this climate of public awareness over security shortfalls and new corporate transparency legislation, that’s raising the profile of security issues, often treated at the CEO level, and forcing companies to consider dedicated privacy departments. “I think the old story that something which is everybody’s job is nobody’s job. Now when you have a number of people who share responsibility it’s too easy for something to fall between the cracks and for things not to get done.”
It is also crucial to ally this sense of ownership with strict monitoring, particularly where third parties are concerned. Bender offers some tips for ensuring business relationships comply with standard data protection practices like a contract with good audit provisions specific to all aspects of the relationship. After all, “whether you look at it across the street or across the ocean, auditing is one good way of monitoring.”
Bender is also a strong believer in privacy training and awareness programs. “I think a company will implement its privacy policies better if it has training and communication to its employees who are responsible for administering those programs.” Tighter privacy policies can offer better customer loyalty and a more secure brand identity.
Perhaps that’s the reason why US companies are more likely to employ information security technologies to protect or safeguard sensitive personal information than European firms who, in the majority, believe they are already well resourced to manage privacy commitments.
“There are a number of privacy-enhancing technologies on the market now that seem to be worthwhile,” says Bender who immediately cites encryption and intrusion detection as technologies that can enhance a company’s privacy infrastructure. “I think more monitoring and the employment of more privacy enhancing technology are two things that might be worthwhile for European companies to consider.” Bender is quick to warn against employing these technologies blindly with no consideration of cost and the practicalities of deployment.
For more findings and to access the full report click here.
Contact the writer with your comments or observations.