The Andersen study used the privacy guidelines developed jointly by
the EU and the US, known as the "Safe Harbor" principles, as the
benchmark for the studied companies. These principles were agreed
in July 2000 as a means by which US companies could comply with the
EU Directive on Data Protection, Europe's baseline privacy law.
Recognising that there is no single worldwide standard, Andersen
chose the Safe Harbor principles for this study because they meet
the EU Directive’s requirement for an “adequate level of
protection.”
“Disruption to the conduct of business is a very real risk,”
said Kerry Shackelford, of Andersen, who focuses on providing
privacy services. “The EU could block data transfer to US companies
that don’t meet the Directive’s requirements. US companies that
take the lead in embracing privacy standards will safeguard
customer loyalty, enhance reputation and image, and enjoy the
freedom to structure business operations unrestricted by data
protection laws.”
Andersen selected 75 FORTUNE 500 and medium-sized, well-known US
companies that will potentially need to meet emerging privacy
standards because they conduct commerce with individuals outside
the US. The companies represent five industries: financial
services, retail, technology,
telecommunications/media/entertainment, and travel/leisure.
Andersen evaluated the privacy practices evidenced on the
companies’ web sites.
Study findings include:
- Overall, none of the 75 companies studied met all six
principles. Just 2 of the 75 companies passed five principles, and 8
companies passed only one.
- Only 5% of the companies provided "enforcement" - having
mechanisms for assuring compliance, recourse for individuals whose
privacy is breached, and consequences for the company breaching the
principle.
- 25% included proper "notice" - informing individuals before
using their information for a purpose other than originally
intended or before disclosing their information.
- 34% addressed issues around "access" - providing individuals
access to their personal information held by an organisation as
well as the ability to correct, amend, block, or delete it.
- 46% offered acceptable levels of "security" - taking
precautions to protect against loss, misuse or unauthorised access
to the data.
- 74% addressed "data integrity" - requiring that the personal
information captured be relevant to the purpose for which it is
used.
- 80% provided sufficient "choice" - allowing individuals to opt
out of having their information disclosed to a third party or used
for a purpose other than its original intent.
Additionally, the study highlights differences between industry
sectors in implementing fair information practices:
- Companies in the travel/leisure industry had the best scores of
any industry in "notice" and "security", with 47% and 73%
respectively.
- The technology industry scored highest in the "access"
principle at 60%, and also received the highest rating of any
industry group in "enforcement."
- The telecommunications/media/entertainment organisations scored
the highest in the "data integrity" principle at 83%.
- The financial services industry scored the highest on any
single principle, with 92% meeting the benchmark on "choice."
“Any company can take a few simple actions to begin improving
their privacy practices,” added Shackelford. “First, companies can
review the completeness of their on-line notices. More than a third
of the companies we studied did not address if and how a user could
inquire about and amend or erase personal information possessed by
the company. Second, they can make sure they have addressed how a
user could submit a complaint and what follow-up they could expect.
Finally, companies can protect personal identity information with
the same rigor as they protect payment data. More than a third of
the companies studied failed to take this easy step.”