Authority:
Risk Guidance:
Control Guidance:
Relevance:
Background Facts:
- a think tank issues a study based upon 3 separate U.S. consumer surveys.
Relevance to Business Activities:
- data governance considerations:
- privacy sensitivity:
- privacy sensitivity generally:
- low - 6%; and
- medium - 15%; and
- high - 79%.
- privacy sensitivity - health:
- low - 15%;
- medium - 17%; and
- high - 68%.
- those with the highest income ranked the health data elements as more sensitive than those with a lower income;
- age was predictive of privacy sensitivity, with those in the 45-65 category being the most sensitive; and
- a higher education level was predictive of a lower sensitivity to health privacy.
- privacy sensitivity - financial:
- low - 5%;
- medium - 5%; and
- high - 90%.
- age was the only factor that was predictive of financial privacy sensitivity, with the 45-65 group being the most sensitive.
- privacy sensitivity - social media:
- low - 18%;
- medium - 24%; and
- high - 58%.
- younger respondents were not significantly less concerned about social media privacy than other age-ranges.
- demographics and privacy protective behavior:
- do people read other documents:
- do respondents read the terms and conditions for websites they visit:
- have respondents read the agreement for any credit cards they have:
- yes - 58%;
- no - 21%; and
- respondent has no credit cards - 21%.
- comparison of review of documents as a percentage:
- has respondent read the lease or contract for purchasing or leasing their car - 66%;
- has respondent read the agreement for any credit cards they have - 58%;
- does respondent read the terms and conditions for websites they visit - 54%;
- health care privacy policy review - 52%;
- review of financial privacy policies - 44%;
- ISP privacy policy review - 32%; and
- cable company privacy policies - 25%.
- conclusions:
- some clear patterns emerge in respondents' self-reported sensitivity and privacy protective behaviors:
- age is one of the most relevant factors to predict both, but it is not a linear relationship:
- the 46-65 age range is consistently the most privacy sensitive and protective group.
- education levels were:
- where relevant to sensitivity, inversely related; and
- clearly inversely related to privacy protective behavior.
- income had relevance to predicting privacy protective behavior in the sense that higher income individuals were generally less likely to read privacy policies;
- consumers appear to be making choices about what agreements or policies they review:
- the sensitivity of the information covered by the policy appears to influence the level of consumer review of these policies.
- how this information can help companies and consumers better understand privacy issues:
- consumers are actively making choices about what privacy policies they review:
- the categorical statement that "consumers do not read privacy policies" does not appear to be accurate.
- companies can likely impact their brand in a positive way when they examine their customer base on a demographic basis and try to promote privacy in a positive way:
- certain demographic segments are more concerned about certain forms of privacy; and
- this data can serve as the beginning of a roadmap to brand improvement on privacy.
- consumers are likely not as careful as many would hope regarding their own privacy practices:
- particularly regarding:
- carrying their Social Security cards; and
- the failure to shred PII.
- this does not directly correlate to companies' obligations, but that data may be relevant in assessing businesses' risk judgments regarding data disclosure and data destruction.

- whether a company is choosing to implement an information governance program, or Privacy by Design, this research represents the beginning of a roadmap for both types of programs:
- consumers' attitudes and patterns regarding privacy protective behavior offer important insights as companies:
- attempt to design privacy into their products and services; or
- implement governance regimes that implement best practices.

- use of social security numbers considerations:
- demographics and privacy protective behavior:
- social security cards:
- do respondents carry their social security card in their wallet:
- under 18-25 carried their social security card less than older groups, which:
- were more privacy sensitive than the youngest group.
- security - technical, administrative and physical safeguards considerations:
- demographics and privacy protective behavior:
- virus protection:
- do respondents take steps to protect their computer from viruses and other security threats:
- older respondents take steps more often than younger respondents.
- password habits:
- do respondents use information such as their mother's maiden name, their birth date or the last 4 digits of their social security number:
- verification of the identity of businesses:
- do respondents take steps to verify the identity and legitimacy of businesses that asked for PII:
- the 66+ age group is most likely to verify this information (90%).
- secure storage of PII:
- do respondents keep PII in a secure location in their home:
- deposit of mail:
- do respondents deposit mail in a secure location:
- yes - 15%;
- no - 63%; and
- sometimes - 22%.
- data management - destruction considerations:
- demographics and privacy protective behavior:
- shredding of information:
- do respondents shred documents before throwing them away (e.g. receipts, copies of credit applications, insurance forms, physician statements, checks and bank statements, or expired credit cards):
- age was predictive in this category:
- in the 45-65 age group:
- 64% shred;
- 11% do not shred; and
- 31% sometimes shred.
- privacy notice considerations:
- demographics and privacy protective behavior:
- review of financial privacy policies:
- do respondents read the privacy policies they received from their bank, credit card company, or other financial institution:
- yes - 44%;
- no - 12%;
- some of them - 44%;
- respondent is unaware whether they receive privacy policies - 0%; and
- respondent has not received any such policies - 0%.
- education level was inversely predictive:
- 54% of people without a college degree read these policies; and
- 39% of individuals with a college or graduate degree read these policies.
- health care privacy policy review:
- do respondents read the privacy policies they receive from their health care providers:
- yes - 52%;
- no - 12%;
- some of them - 35%;
- respondent is unaware whether they receive such policies - 1%; and
- respondent has not received any such policies - 1%.
- as with financial privacy, income and education were inversely predictive of whether people read privacy policies:
- 56% of middle income respondents read these policies; and
- 41% of upper income respondents had read them.
- the 46-65 group has the highest reported level of privacy policy review.
- cable company privacy policies:
- do respondents read the privacy policies they receive from their cable companies:
- yes - 25%;
- no - 35%;
- some of them - 31%;
- respondent is unaware of these privacy policies - 3%; and
- respondent has not received any such policies - 5%.
- income and education level were inversely proportional to whether people reviewed these policies:
- 52% of upper income respondents did not review the policies; and
- 40% of those with a college or graduate degree did not review the policies.
- internet service provider ("ISP") privacy policy review:
- do respondents read the privacy policies they received from their ISP:
- yes - 32%;
- no - 35%;
- some of them - 27%;
- respondent is unaware of these privacy policies - 3%; and
- respondent has not received any such policies - 3%.
- income and education were inversely predictive:
- 48% of upper income respondents do not review the policies; and
- 39% of respondents with a college or graduate degree do not review them.
Source Document:
http://www.laresinstitute.com/wp-content/uploads/2011/09/Demographics-Study.pdf