Forrester issued the latest revisions to the “Effective Privacy Program Measurements Report which draws from a wealth of analyst experience, insight and research through advisory and inquiry discussions with more than 50 Chief Information Security Officers. Additionally, end users, vendors, industry experts (including Verdasys and Varonis Systems) contributed to the report which was composed by the Security & Risk Professionals team at Forrester, including Ed Ferrara and Andrew Rose (Principal Analysts), Stephanie Balaouras (Vice President and Research Director) and Kelley Mak (Research Associate).
Forrester talks about how sensitive privacy issues are due to the emotional response that they trigger in consumers.
“Although most people probably can’t easily define it. However, they know they want their personal information to remain private unless they themselves release it, and they feel unnerved, even angry, when they feel a trusted party has breached their privacy. The emotional aspect makes it difficult to evaluate privacy concern: Directly asking about a privacy issue may result in an emotional and biased response.”
It is noted that “the emotional aspect of privacy makes both customer and employee privacy a critical issue for business and S&R professionals.” It results in an intense emotional reaction to your customer’s privacy being breached and, it becomes likely that you will lose their trust, confidence, and business.
Besides having a volatile characteristic due to its tie to emotions, privacy is also unpredictable due to inconsistent human behavior on the matter.
67% of smartphone and tablet users consider it very convenient and useful to have location-based coupons sent to their mobile devices. However, 45% of respondents are concerned about security issues based on the tracking of their location.
Forrester proposes a method to measure privacy using “The 3 Rs and 8 Principles. The “3 Rs” are security metrics groups: Readiness, Response and Recovery. The “8 Principles” align guidelines to treat the personal information of consumers responsibly. Some of these principles address:
- Implementing periodic privacy audits in the company
- Setting a limit to types of personal data that is being collected
- Keeping a record of when an organization has exceeded the set amount of collected required information
- Maintaining transparency with customers about how their information is being used
- Setting a limit to the purposes for which collected information would be used which excludes everything that is not permitted by law and required by ethics
The conclusion is “ensuring that private information stays private is costly. However, a breach to this information is even costlier because of regulatory fines, remediation costs, and damage to your brand.”