The Edelman Privacy Risk Index reveals that privacy risks are at an all-time high for businesses. It identifies key drivers of privacy risk, such as a company's industry, geographic footprint, and the type of information collected. Fewer than half of surveyed companies effectively manage privacy practices around communications, business operations, and data protection. This leaves many businesses highly susceptible to privacy incidents with potential regulatory, financial, and reputational consequences. The report introduces the Edelman Privacy Risk Index tool to help companies assess and prioritize their privacy risks.
2. BUSINESS LEFT VULNERABLE TO PRIVACY RISK
Privacy risks can have a substantial impact on business operations and corporate reputation. Companies face increasing regulation and potential fines for the misuse and loss of sensitive information. If the regulatory pressure wasn’t enough, not a week goes by without a company or an entire industry in the news for an alleged privacy violation causing significant harm to corporate reputation.
Managing data security and privacy effectively is essential to businesses today. The growing volume and sensitivity of information being shared, stored and used is driving demand for greater transparency about how it is being managed and protected.
Edelman’s privacy research shows, for the first time, the main drivers of privacy risk. The survey reveals:
• Privacy risks are at an all-time high, presenting a significant challenge for businesses.
• Businesses are struggling to manage the privacy practices that most contribute to risk.
• Operating globally and in the financial services and health industries significantly contributes to risk.
4. THE CONSEQUENCES OF PRIVACY RISK
The costs are high. Businesses are losing customers and money, and reputations suffer. As a result, the license to operate hangs in the balance.
• CUSTOMERS
• MONEY
• CORPORATE REPUTATION
• BUSINESS DISRUPTION
Edelman GCRM Program | 4
5. DRIVERS OF PRIVACY RISK AND LIABILITY
CONSUMER CONCERN
• Three quarters of consumers will stop using an online shop if information was accessed without permission
• Less than half of consumers trust healthcare organizations to protect info
(Edelman DSP Group Study)
REGULATORY ENFORCEMENT
• FTC levies $22.5 million for privacy violation
• New proposed EU legislation may include fines up to 2% of annual turnover
LITIGATION
• Average settlement $2,500 per plaintiff, and mean attorneys’ fees of $1.2 million
(Temple University Beasley School of Law)
MEDIA SCRUTINY
7. INTRODUCING THE EDELMAN PRIVACY RISK INDEX
The Edelman Privacy Risk Index (ePRI) is a global benchmarking study and tool that
measures the top drivers of privacy risk for businesses. The ePRI explores how companies
are managing privacy risk caused by business practices and operations.
• Based on analysis of research from the Ponemon Institute over the last three years
• Analysis of 6,400 individual responses by risk managers, privacy professionals and IT Pros
• 29 countries included in benchmarking and tools
• The research serves as the baseline for an online tool that allows companies to assess their privacy risk against the benchmark
• Intended to be directional, NOT diagnostic
8. ELEMENTS OF PRIVACY RISK
The Edelman Privacy Risk Index reveals a lack of preparedness in managing the potential financial and reputational
damage relating to the loss or misuse of personal information. Our survey found companies face significant risk due to their
business profiles and failure to implement strong privacy practices.
BUSINESS PROFILE: WHAT DEFINES YOUR BUSINESS
+ PRIVACY PRACTICES: HOW YOU OPERATE
= Overall RISK
10. BUSINESS PROFILE
Companies must understand how their business profile contributes to their privacy risk. Those
operating in high risk environments are particularly vulnerable to incidents if they don’t properly
manage privacy practices.
Elements of the business profile that feed into RISK:
• Industry
• Geography
• Headcount/Size
• Info Collected/Managed
• Footprint
11. BUSINESS PROFILE RISK AT A GLANCE
Geography. Highest risk: Belgium, Italy, Spain. Lowest risk: China, India, Brazil.
Footprint. Highest risk: Global and Super Regional. Lowest risk: Local.
Industry. Highest risk: Financial Services, Health/Pharma, Communications. Lowest risk: Industrial, Automotive, Manufacturing.
Headcount/Size. Highest risk: Small- and Medium-sized Businesses. Lower risk: Enterprise.
Info Collected. Highest risk: Sensitive Customer Information. Lower risk: Only Employee.
See appendix for full findings
12. COMPANIES HAVE DIFFERENT STARTING RISKS
Companies in different industries, markets and sizes have different starting points for operational risk.
It’s essential that businesses understand where they stand and take action if they are at high risk.
Company w/ Low Operational Risk VS. Company w/ High Operational Risk
• Brazil vs. Italy
• Manufacturing vs. Health
• Local vs. Global
• Large enterprise vs. SMB
• Collects employee info vs. Collects health and sensitive customer information
14. PRACTICES THAT DETERMINE RISK
The ePRI identified three pillars and twelve practices that are key indicators of businesses’ ability to
mitigate risk of a data breach, privacy lawsuit or regulatory action.
Communications & Engagement
• My organization is transparent about what it does with employee and customer information.
• My organization is quick to respond to privacy complaints or questions from customers and regulators.
• My organization makes a substantial effort to educate employees about privacy and data security.
• Employees in my organization understand the importance of privacy and how to protect personal and/or sensitive information.
Business Operations
• My organization considers privacy and the protection of personal information a corporate priority.
• A high-level executive leads my organization's privacy program and is empowered to make decisions.
• My organization understands global privacy cultural differences.
• My organization strictly enforces all levels of non-compliance with laws and regulations.
Data Protection
• My organization believes a data breach would adversely affect our reputation and financial position.
• My organization has ample resources to protect employee and customer information.
• My organization is able to prevent and quickly detect the theft or misuse of personal information.
• My organization has the expertise and technology to protect personal information.
15. BUSINESSES FALLING SHORT
Fewer than half of those surveyed agreed they effectively manage risk,
leaving them highly susceptible (or exposed) to a privacy incident.
They are failing to:
• Make privacy a priority and devote resources
• Engage their employees
• Embrace transparency
• Manage regulatory concerns
16. COMPANIES LACK RESOURCES AND EXPERTISE
• My organization has the expertise and technology to protect personal information.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 67% and 62%.]
• My organization has ample resources to protect employee and customer information.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 59% and 55%.]
17. COMPANIES FAIL TO PRIORITIZE
• My organization considers privacy and the protection of personal information a corporate priority.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 64% and 59%.]
• My organization believes a data breach would adversely affect our reputation and financial position.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 56% and 51%.]
18. COMPANIES FAIL TO ENGAGE EMPLOYEES
Privacy incidents often originate when employees improperly use or accidentally expose information. The ePRI found a majority
of companies fail to address the potential risk presented by poor employee education.
• Employees in my organization understand the importance of privacy and how to protect personal and/or sensitive information.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 64% and 60%.]
• My organization makes a substantial effort to educate employees about privacy and data security.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 69% and 65%.]
19. COMPANIES ARE NOT TRANSPARENT OR RESPONSIVE
Despite new laws around the world calling for greater notice and consent before collecting consumer information and increased
media scrutiny, companies struggle to be transparent and respond to complaints.
• My organization is transparent about what it does with employee and customer information.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 60% and 56%.]
• My organization is quick to respond to privacy complaints or questions from customers and regulators.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 65% and 61%.]
20. COMPANIES ARE LAX ON REGULATORY COMPLIANCE
Many companies struggle to comply with increasingly evolving regulatory requirements around the globe.
• My organization strictly enforces all levels of non-compliance with laws and regulations.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 65% and 61%.]
• My organization understands global privacy cultural differences.
[Chart: two pie charts of responses (Strongly Agree, Agree, Disagree, Strongly Disagree, Don't Know); COMPANIES AT RISK: 66% and 61%.]
22. WHERE TO START
1 UNDERSTAND: Use the ePRI tool to better understand your company’s privacy risk. Share results with key stakeholders in legal, communications and technology to reach consensus on risk.
2 PRIORITIZE: Armed with understanding, an enterprise now has a powerful directional lens to evaluate its privacy program. Smart organizations will prioritize the weakest elements of their privacy DNA (under-performing practices) with consideration for their potential impact on enterprise effectiveness.
3 ACTIVATE: Work cross-company on programs to improve at-risk privacy practices. Consider how
communications, legal/risk and technology leaders can collaborate on solutions.
23. UNDERSTAND YOUR RISK: ePRI TOOL
Leverage the ePRI Tool to better understand your risk and how your practices relate to the benchmark.
24. PRIORITIZE: RISKY PRACTICES
Determine and explore deficient privacy practices most contributing to corporate risk.
Priority #1: My organization considers privacy and the protection of personal information a corporate priority.
Priority #2: My organization has the expertise and technology to protect personal information.
Priority #3: My organization is transparent about what it does with employee and customer information. My organization is quick to respond to consumers’ and regulators’ privacy complaints.
25. ACTIVATE CROSS-ORGANIZATION PRIVACY TEAM
Invest in privacy practices and programming to improve performance.
BUSINESS: Proper collection, use and storage of information. Embrace Privacy by Design.
LEGAL/GOV AFFAIRS: Compliance with local laws in all the geographies of operation.
INFORMATION TECHNOLOGY: Technology systems to prevent and recover from a data incident.
COMMUNICATIONS: Employee engagement, stakeholder engagement, data breach communications.
26. FIRST STEP: CONVENE PRIVACY WORKSHOP WITH EDELMAN
Edelman and our partners can meet with you to help explore and prioritize areas of privacy risk.
OUTCOMES
• Privacy Risk Snapshot
• Customized Privacy Program Roadmaps
• Internal Privacy Integration Playbooks
27. EDELMAN SERVICES
EDELMAN AND OUR PRIVACY PARTNERS CAN HELP WITH SYSTEMS INTEGRATION
COMMUNICATIONS
• Security and privacy message development
• Internal communications and employee engagement
• Communications team integration
• Influencer and competitive mapping
• Privacy and security response management
• Data breach training and simulations
• Thought leadership and executive positioning
AUDIT
• Reputation and communications audit
• Privacy risk assessment
• Customer and market research
• Crisis protocols
POLICY/LEGAL
• Policy analysis and navigation
• Active regulatory and policymaker engagement
• Litigation communications
• Influence policy outcomes
• Coalition building and grassroots support
30. GAP IN CONSUMER TRUST
Our survey, Privacy & Security: The New Drivers of Brand, Reputation and Action, shows a significant gap between
the importance of privacy to consumers and the amount they trust companies to protect it.
[Chart: two series by industry (global): Importance of privacy and security in each industry, and Trust in each industry to protect personal information. Industries: Finance, Online Shopping & Retail, Medical & Healthcare, Government, Social Networking, Technology, News & Media, Automotive, Food & Grocery, Gaming, Utilities*. Per-industry values not recoverable from the extracted text.]
Q7. How important is your privacy and security when doing business with the following industries? *NOTE: Utilities not included as a response code
Q8. Which industry do you trust most to adequately protect your personal information? Please select the top three industries.
31. CONSUMERS ATTRITION DUE TO PRIVACY
Consumers will leave services if personal information was accessed without permission, costing negligent companies significant potential business.
[Chart: Consumers Likely to Switch Providers or Stop Using Services Entirely if Personal Information was Accessed Without Permission (Global); values by company type range from 80% down to 50%. Category labels not recoverable from the extracted text.]
Base: All respondents (Global n=4,050)
Q9. For the following types of companies, if your personal information was accessed without your permission, how likely would you be to switch to a different provider or stop using these services entirely, if they did have personal information on you? Please use a scale of 1-5, where 1 is “not at all likely” and 5 is “very likely.”
32. REGULATORY ACTION IN UNITED STATES
All Federal agencies with jurisdiction over privacy are significantly increasing enforcement and rhetoric about privacy violations by companies.
• Google pays $22.5 million to settle FTC charges it misrepresented privacy assurances.
• BlueCross BlueShield of Tennessee (BCBST) fined $1.5 million for 2009 data breach.
• SEC requires publicly traded companies to disclose data breaches, citing the issue as a substantial business risk.
33. A NEW REGIME IN THE EU
EU institutions are currently discussing far-ranging proposals to modify and
substantially overhaul the Union’s patchwork of 27 data protection regimes to
create a new, single Europe-wide regime.
If approved in the current format, the new regime would radically change the
obligations of data controllers, strengthen competences of Data Protection
Authorities (DPAs) and increase the rights of individuals.
The current regulation draft foresees fines for non-compliance of up to 2% of
annual turnover. The impact of this would be global.
34. ASIA NOT FAR BEHIND
Many countries in Asia are creating new privacy laws similar to those in place in Europe and the United States, imposing fines for data breaches and more stringent privacy standards.
India: Passed Information Technology Rules (2011)
Singapore: Personal Data Protection Act (2012)
Hong Kong: Amended Personal Data Ordinance (2012)
APEC Region: APEC Privacy Framework
35. LITIGATION ON THE RISE
“NebuAd Settles Lawsuit Over Behavioral Targeting Test” – MediaPost
“Lawsuit Claims Microsoft, McDonald’s, Mazda & CBS Used Ads as Cover for Data Mining” – Network World
Average settlement $2,500 per plaintiff, and mean attorneys’ fees of $1.2 million – Temple University Beasley School of Law
“Facebook sued for $15 billion over alleged privacy infractions” – CNET
36. CRITICAL MEDIA
Companies face an increasingly critical and vocal media environment, creating a significant potential for reputational damage.
• GM's Boneheaded Privacy Mistake With OnStar
• Security Tops Boardroom Agendas
• Facebook Complies with EU Data Protection Law, Dumps Facial Recognition
• Apple moves to quell Path privacy gaffe
• Privacy Concerns Affect Purchase Decisions
• Questions for Amazon on Privacy and the Kindle Fire
38. BY GEOGRAPHY
The ePRI found operating in Europe presents the most privacy risk, likely due to recent policy developments and a significant cultural expectation of privacy.
Regional risk scores:
• NORTH AMERICA 50.9
• EUROPE 58.7
• MIDDLE EAST 41.1
• ASIA-PACIFIC 42.7
• LATIN AMERICA 40.2
39. RISK IN SPECIFIC MARKETS
There are significant differences between the most and least risky countries. The eleven countries with
the highest privacy risk are located in the European Union with many developing nations presenting lower
risk.
Belgium 68.6
Italy 65.2
Netherlands 64.1
Spain 62.5
France 59.2
Germany 59.1
Sweden 58.7
Poland 56.5
Denmark 56.3
Norway 55.0
Ireland 54.8
New Zealand 54.7
Australia 54.2
Canada 53.8
Argentina 53.3
United Kingdom 53.0
Russian Federation 50.4
Hong Kong 50.0
United States 48.1
Japan 43.2
Israel 42.2
United Arab Emirates 41.2
Saudi Arabia 39.7
Singapore 38.7
Mexico 37.9
Korea 37.2
China (PRC) 32.0
India 31.3
Brazil 29.3
40. CORPORATE FOOTPRINT INTRODUCES RISK
Adding significant complexity to geographic concerns is the risk presented by operating in multiple markets.
• Local: The company primarily operates in one country (36.0)
• Regional: The company operates in two or more countries primarily in one region (39.0)
• Super regional: The company operates in multiple countries in two or more regions (58.3)
• Global: The company operates in all regions around the world (66.8)
41. INDUSTRY BENCHMARK DRIVEN BY DATA
Industries that collect the most sensitive information about customers present the most significant privacy risk. There is a
significant drop off in privacy risk for organizations that don’t collect significant amounts of information online.
Financial services 79.3
Health & pharma 78.3
Communications 66.0
Airlines 62.8
Professional services 61.0
Public sector 58.8
Education & research 56.5
Transportation 56.3
Hospitality 55.0
Energy & utilities 55.0
Technology & software 53.8
Retail (Internet) 52.0
Retail (conventional) 44.5
Consumer products 44.3
Services 39.5
Entertainment & media 32.8
Agriculture 32.3
Industrial 27.5
Automotive 24.0
Manufacturing 20.8
42. BY COMPANY SIZE
Smaller organizations have substantially higher privacy risk than larger organizations. This can potentially be
explained by larger organizations typically having more resources to devote to managing privacy risk.
However, large organizations still face risks, often due to having significant amounts of information and
increased regulatory attention.
501 to 1,000 59.5
Less than 500 57.5
1,001 to 5,000 50.3
5,001 to 10,000 46.5
More than 75,000 45.8
25,001 to 75,000 45.8
10,001 to 25,000 44.8
43. BY INFORMATION COLLECTED
The volume and sensitivity of data collected significantly influences privacy risk.
Types of personal information stored:
• Customer with PII
• Customer without PII
• Employee
• Consumer (targeted customer)
• Citizen (government use)
• Patient (health records)
• Student
• Shareholder/investor