June 4, 2003

Ponemon Institute, IAPP Release Results of Benchmark Privacy Practices Survey

Tucson, AZ – June 4, 2003 – While a vast majority of U.S. corporations have privacy
policies to document how they collect, use, share and protect personal information about
customers, consumers and employees, more than half report that these privacy policies
may be too difficult for the average person to understand. Further, many privacy
professionals believe they don’t have the resources to achieve their organization’s
privacy compliance objectives.

These are some of the findings of the 2003 Benchmark Study of Corporate Privacy
Practices Report released today by the Ponemon Institute of Tucson, Arizona, and the
International Association of Privacy Professionals (IAPP), based in Philadelphia. Unisys
Corporation sponsored the survey.

“Based on the survey’s findings, it appears that most companies are putting their resources
into privacy policy development, employee communications and regulatory compliance
monitoring,” said Dr. Larry Ponemon, founder and chairman of Ponemon Institute.
“Areas that are getting the least attention include having a formal process for responding
to a privacy complaint and having programs to measure and monitor the effectiveness of
an organization’s privacy and data protection activities. Ignoring these important aspects
of a privacy program can make organizations vulnerable to a privacy breach.”

The benchmark survey, sent to more than 1,000 IAPP member organizations, was taken
from 55 completed responses of 107 returned to the Ponemon Institute. The 55 selected
responses were chosen from responses from organizations with more than 5,000
employees. The survey had a response rate of more than 10 percent and a sampling rate
of more than 5 percent.

The survey’s goal was to answer four basic questions:

  • What are companies doing to ensure compliance with new privacy regulations?
  • Are there common strategies among leading companies to ensure reasonable protection of personal information?
  • What vulnerabilities exist with regard to personal data and privacy protection?
  • Do privacy protection practices vary across industry sectors?

The 2003 Benchmark Study of Corporate Privacy Practices Report includes a number of
interesting findings related to corporate privacy policy and implementation, including:

  • While 98 percent of companies report having privacy policies in place, 52 percent feel their policies may be too difficult for most people to understand;
  • 92 percent of companies have a process to inform their employees of corporate privacy policy, but only 53 percent have mandatory training;
  • 52 percent of companies report inadequate resources for privacy management;
  • Only 36 percent believe privacy is important to corporate brand or image; and,
  • Only 19 percent of respondents report using privacy-enabling technologies.

“This survey illustrates the gulf that exists between planning and implementation, and the
need within organizations for privacy professionals who can manage the new and
complex realm of privacy policy,” said Trevor Hughes, executive director of the IAPP.
“Companies understand the importance of being compliant with privacy law, but reveal
that they are unsure of how to actually put their policies into effect.”

The 2003 Benchmark Study of Corporate Privacy Practices Report drew most heavily
from the financial services (17 percent), health and pharmaceuticals (16 percent),
manufacturing (16 percent), and consumer products (13 percent) industries. Other
industries represented include retail, telecommunications, automotive and transportation,
and technology.

To obtain a copy of the 2003 Benchmark Study of Corporate Privacy Practices Report,
contact Ponemon Institute at (520) 290-3400, or the IAPP at
(800) 266-6501 or

About International Association of Privacy Professionals
The IAPP is the world’s leading association of privacy and security professionals. With more than 1,000
individual and corporate members, the IAPP is helping to define and support the profession of privacy by
being a forum for interaction, education and discussion across industries. For more information about IAPP, its
high quality educational opportunities, policy forums and other organizational efforts, please contact Mr.
Trevor Hughes, executive director, at (800) 266-6501.

About Ponemon Institute
Ponemon Institute is a “think tank” dedicated to advancing responsible information management practices in business and government. To achieve this objective, Ponemon Institute conducts independent research to promote best practices, to educate leaders from the private and public sectors and to verify the privacy and data protection practices of organizations. The Institute is headquartered in Tucson, Arizona. For more information, visit or contact Ms. Susan Jayson, executive director, at (520) 290-3400.