Nymity News

Interview with Dr. Larry Ponemon

November 2004


In this interview, Terry McQuay, Nymity's President, talks with Dr. Larry Ponemon of the Ponemon Institute about the Cross-National Study of Canadian and U.S. Corporate Privacy Practices, completed by the Ponemon Institute in cooperation with the Information Privacy Commissioner/Ontario.


Nymity: Larry, please introduce yourself, the Ponemon Institute, and the Cross-National Study of Canadian and U.S. Corporate Privacy Practices, herein called the Study.


Ponemon: Thanks Terry. I am the chairman and founder of Ponemon Institute, which is dedicated to advancing ethical information and privacy management practices in business and government. We do this primarily through research and education. We have conducted more than 40 consumer-based and corporate studies on privacy, information security policy and data protection issues. Previously, I was CEO of Privacy Council. Before that I was global managing partner of compliance risk management at PricewaterhouseCoopers and headed the development of privacy auditing and risk management practices for multinational companies. I also have extensive experience in establishing self-regulatory frameworks for privacy compliance in the U.S., Canada, the E.U., Hong Kong and other nations.

In addition to my work with the Institute, I also serve as an Adjunct Professor of Ethics and Privacy for the CIO Institute at Carnegie Mellon University, a member of the Unisys Corporation’s Security Leadership Institute and the IBM Privacy Council. In addition, I served as an appointed member of the Advisory Committee for Online Privacy for the U.S. Federal Trade Commission.

We were very pleased to collaborate with the Ontario Information & Privacy Commissioner (OIPC) to conduct the first Study that benchmarks the corporate privacy practices of Canadian and U.S. companies. We believe the results of the Study provide a meaningful baseline for measuring and monitoring trends about how organizations in two neighboring but different countries are facing regulatory requirements and creating privacy programs that build trust with their key stakeholders.


Nymity: Why was this Study conducted?


Ponemon: We wanted to better understand the differences, if any, between what Canadian and U.S. companies are doing to achieve privacy programs that protect sensitive personal information about customers, target customers and employees. We also wanted to determine what companies are doing to move beyond compliance with regulations. For example, are progressive companies starting to view privacy as an opportunity to build trusted relationships with their customers, employees and investors?


In addition, privacy management is a relatively new organizational activity in many organizations. As a consequence, there is a lack of information about the practices and processes companies use to reduce business risk and ensure compliance. We wanted to find answers to the following questions:

  1. What are leading companies doing today to ensure adequate compliance with the rash of new privacy and data protection compliance requirements in Canada and the U.S.?

  2. Is there a common set of business practices employed by leading companies in Canada and the U.S. today to ensure reasonable protection and controls over the collection, use, sharing and protection of personal information?

  3. Are there apparent gaps in privacy and data protection activities that create vulnerabilities for companies in terms of their privacy and data protection responsibilities?

  4. Do Canadian and U.S. corporate privacy and data protection practices differ? If so, are these differences due to regulation or cultural orientation to responsible information management?

Nymity: How many companies participated in the Study? What size? What industries?


Ponemon: We had 19 Canadian companies and a matched sample of 19 U.S. companies. The largest sample segments are manufacturing (26%) and financial services (21%). Retail, technology and consumer goods are each 11% of the total sample. The remaining industry groups, each representing only 5% of the sample, include: telecom, transportation, health products and services.


Our sampling procedure was organized into two stages. The first stage was to select large multinational companies with significant operations in both Canada and the United States. This allowed us to achieve a matching or side-by-side comparison of results. In total, 12 companies in this Study provided separate benchmark surveys for both their Canadian and U.S. divisions. This results in 24 separate entities for analysis.


The second stage of our sample was to select organizations that had a Canadian presence with a U.S. affiliate or parent. Another seven Canadian-only organizations participated. These companies were matched to a U.S.-based company based on industry and approximate organization size.


The following matrix provides a simple summary recap of sample response results from Canadian (19) and U.S. (19) companies, totaling 38 separate benchmark surveys.


Table 1: Sample Characteristics

Sample characteristic                                                                    Frequency
Total number of companies contacted for participation                                           61
Total number of companies with both U.S. and Canadian companies participating in Study          12
Total number of separate survey units to analyze                                                24
Total number of companies with only Canadian operations                                          7
Total number of industry matched companies in U.S.                                               7
Total number of companies in sample                                                             38

Nymity: What were the major challenges in completing this Study?


Ponemon: This was the first benchmark Study that sought to compare Canadian and U.S. companies. Consequently, we anticipate that there will be many open issues and potential areas for future improvement to the basic research.

Nymity: Before we look at the results, what caveats or considerations should we be aware of?

Ponemon: There are inherent limitations to survey research that need to be carefully considered before drawing conclusions from findings. The following items are specific limitations that are germane to the present Study.

  • Non-statistical Results. The purpose of this Study is descriptive rather than normative inference. The current Study draws upon a representative (non-statistical) sample of large organizations, mostly composed of Canadian or U.S. publicly listed corporations. Statistical inferences, margins of error and confidence intervals cannot be applied to these data given the nature and sampling process used.

  • Sampling-frame Bias. The current findings are based on a small representative sample of completed surveys. As explained below, companies were pre-selected and contacted by Ponemon Institute or OIPC based solely on organizational size and reputation. Non-response bias was not tested, so it is always possible that companies that did not participate are substantially different in terms of benchmark performance criteria from those that completed the instrument.

  • Company-Specific Information. The benchmark information is sensitive and confidential. Thus, the collection instrument does not capture company-identifying information. It also allows individuals to use categorical response variables to disclose demographic information about the company and industry category. Industry classification relies on self-reported results.

  • Unmeasured Factors. To keep the survey concise and focused, we decided to omit other important variables from our analyses such as leading trends and organizational characteristics. The extent to which omitted variables might explain benchmark results cannot be estimated at this time.

  • Self-Reported Results. The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

Nymity: What were the Study's key findings regarding Canadian Companies?

Ponemon: Canadian companies are more likely to have a formal redress process for customers and other stakeholders to respond to queries and concerns about how personal information is used, shared and retained. Similarly, Canadian companies are more open to providing customers with access rights to see and correct personal information collected about them and their families. As part of their customer-centric privacy approach, corporate marketers in Canadian companies appear to be more involved and active in privacy initiatives than comparable U.S. companies.

While Canadian and U.S. privacy policies have similar language and nearly identical levels of complexity, Canadian policies appear to offer more choice to customers and consumers in terms of opting out (or opting in) to secondary uses and sharing. In addition, while data sharing with third parties is a common practice in both Canada and the U.S., none of the Canadian companies actually permitted the sale of customer data.

Canadian companies appear to hold their vendors and other third parties to higher standards or due diligence requirements. This is especially the case for companies that acquire sensitive personal data for legitimate business purposes. There is no clear evidence, however, that Canadian companies are more aggressive at monitoring or enforcing these standards than comparable U.S. companies.

Canadian companies appear to have a more aggressive data control orientation when collecting and retaining sensitive personal information. They are more concerned about insider misuse than external penetration.

Canadian companies also appear to require more rigorous data quality controls and monitoring requirements for transacting and moving of personal information about employees and customers, especially when the application involves trans-border movement.


Nymity: What were the Study's key findings regarding U.S. firms?


Ponemon: U.S. companies are more focused on preventing potential hackers from penetrating the company’s IT core and data warehouses. I find it interesting that both Canadian and U.S. companies have a difficult time measuring the effectiveness of specific controls intended to reduce privacy risks. They also have an equally difficult time proving the economic value of privacy and data protection on corporate profitability (ROI).


Nymity: Privacy Program Management was broken up into eight categories; what are the categories and how did you decide on these eight activities?


Ponemon: The eight categories are: Privacy Policy, Communications & Training, Privacy Management, Data Security Methods, Privacy Compliance, Choice & Consent, Global Standards and Redress. These categories were selected because many of the large companies in our Study view these areas as key to having a comprehensive privacy program.


Nymity: What were the most common privacy activities in Canada?


Ponemon: Both Canadian and U.S. companies devote most of their efforts to the privacy policy, which documents the company’s practices and procedures for collecting, using, sharing and protecting personal information about customers, consumers and employees. Unlike the U.S. companies, Canadian companies appear to spend more effort vetting policies before key stakeholder groups.

The second most common activity for Canadian organizations is compliance with global standards. More than 60% of Canadian companies evaluate trans-border data flows to ensure that they adhere to the national privacy laws of the E.U. countries where personally identifiable data about individuals is exported. More than 79% of Canadian companies report that they are in substantial compliance with E.U. Data Protection laws and 83% state that they translate their privacy policies into the native languages of customers and employees. Only 44% of U.S. companies have translated their privacy policies into other languages.


Nymity: What were the most common privacy activities in the U.S.?


Ponemon: Again, privacy policy and rigorous data security mechanisms and controls to prevent potential hackers from penetrating the company’s IT core and data warehouses are of utmost concern to U.S. companies.


Nymity: What insight does the Study provide as to why there are differences between Canada and the U.S.?


Ponemon: Findings of the Study suggest that most U.S. corporations are approaching their privacy initiative as one restricted to compliance and risk management. For example, only 36% of U.S. privacy leaders believe that corporate privacy is an important part of their companies’ brand or image in the marketplace. This does not appear to be true among Canadian companies. More than 70% of Canadian companies connect good privacy practices with enhanced customer trust and loyalty to the brand.

Further, Canadian privacy leaders seem to understand and respect the need for compliance with federal and provincial laws and requirements. However, they rarely see compliance as the single goal or mission of privacy management. Canadian privacy leaders are more likely to hold the view or belief that their role is inextricably tied to business ethics rather than the law.


Nymity: What conclusions can be made about Employee Privacy?


Ponemon: U.S. companies are less likely to have strict policies that protect the privacy of employees’ personal data and records. In Canadian companies there are few policies governing the monitoring and surveillance of employee computer usage in the workplace. In addition, 72% of Canadian companies give employees a choice over the way their personal information is used, as opposed to 44% of U.S. companies, and only 32% of Canadian companies share employee data with affiliates. In contrast, 56% of U.S. companies share employee data with affiliates.


Nymity: What percentage of firms train employees and what were the major findings about training programs?


Ponemon: Canadian companies are more likely to offer privacy training or awareness programs for employees and contractors who handle sensitive personal information than comparable U.S. companies. According to the Study, Canadian companies are more focused on employee privacy training. Specifically, 82% of Canadian companies have an ongoing privacy training program and only 50% of U.S. companies provide ongoing training. More than 70% of Canadian companies have privacy awareness activities for new employees as opposed to 43% of U.S. companies. Finally, 53% of Canadian companies have mandatory training for employees who handle sensitive and confidential data. Among U.S. companies in our Study, it is 40%.


Nymity: What were some of the major differences in the role of Privacy Officers in the US and Canada?


Ponemon: Canadian companies are more likely to have a dedicated privacy officer or leader responsible for privacy issues than comparable U.S. companies. In addition, Canadian privacy officers are more likely to have high level reporting authority (to CEOs and Boards) and access to significant resources within the organization.


Nymity: What percentage of firms have inventories of personal information collected and used?


Ponemon: This was a very positive finding from our Study. More than 63% of U.S. firms and 65% of Canadian companies are conducting inventories of the personal data collected and retained by them. Approximately 64% of U.S. and Canadian companies are developing an overall strategic plan for privacy and data protection.


Nymity: What percentage of firms integrate security into privacy management?


Ponemon: Currently, approximately 50% of Canadian companies and less than 47% of U.S. firms in our Study do not integrate information security with privacy initiatives.


Nymity: What percentage of firms perform privacy audits?


Ponemon: The percentage for both U.S. and Canadian companies is low. Only 40% of U.S. firms and 25% of Canadian companies use internal auditing to monitor privacy compliance activities. Less than 42% of U.S. respondents and 36% of Canadian firms perform privacy monitoring on an on-going basis. Very few U.S. and Canadian companies (23% and 29%, respectively) conduct mock regulatory assessments or audits.


Nymity: In conclusion, what do leading companies' business practices include as an integral part of their enterprise privacy program?


Ponemon: Bell Canada achieved the highest benchmark survey scores among 38 U.S. and Canadian multinational corporations in our Study. In my opinion, these results suggest that Bell Canada has embraced privacy as part of its culture and, consequently, has a comprehensive and progressive program to safeguard the personal information of its customers.


Charles Giordano, associate director of Bell Canada’s Regulatory Marketing Privacy, is one of the few privacy leaders who has worked in marketing and deeply understands the connection between privacy trust and brand loyalty. At Bell Canada it is understood that when customers are loyal to your brand, they are more apt to listen to your message, read information from your organization more carefully and be more willing to accept calls marketing new products and services.


Bell Canada’s policy is to collect information about a customer on a “need to know” basis. Collecting unnecessary information about an individual could risk being in non-compliance with privacy regulations. It is also inefficient to store and safeguard data that is not needed.


As we learned from our Study, Canadian companies are more likely to devote resources to privacy training and awareness programs. This means making sure any employee who comes in contact with customer data or who might be asked about a privacy issue can respond appropriately.


Bell Canada has instituted numerous privacy training and awareness programs. For example, there are face-to-face training sessions and an online course that teaches employees about privacy from both a customer and employee perspective. Employees are given reference materials and informed about any changes in privacy rules and regulations. There is also a hotline employees can use when they have questions.
