Privacy awareness still falls short
In Deloitte's third annual assessment of the privacy practices of the top 100 companies listed on the ASX (the ASX 100), along with some large non-listed organisations such as government agencies, there was a clear disconnect between what organisations insist is happening and what their own employees want them to do. Deloitte surveyed more than 1000 employees of these top organisations, asking for their opinions of their organisation's privacy practices, in particular their expectations around trust, complaints and information handling. The answer to the question of whether there is more to be done was a resounding "yes".

This is a concern, as the ASX 100 includes Australia's five biggest banks - ANZ, CBA, Macquarie Group, National Australia Bank and Westpac - lest anyone need reminding, along with the bancassurance operators AMP and Suncorp, the regionals Bank of Queensland and Bendigo and Adelaide Bank, the large insurers Insurance Australia Group, QBE Insurance Group and Medibank Private, and the more specialised financial sector companies ASX, Challenger, Henderson Group and Perpetual.

Deloitte Cyber Risk Services Partner Tommy Viljoen said: "One of our key findings was that 91 per cent of organisations believe their organisation could be more transparent with consumers about how their information is used. And almost 60 per cent of organisations believe they should do more to build trust with their employees."

Looking at some of the statistics that apply specifically to the financial sector: employees in FS firms tend to have multiple passwords across various websites, meaning less risk is transferred to the organisations they work for - obviously a plus. However, it's a mixed bag: almost 60 per cent of employees rated themselves "unlikely" to share their passwords, which means over 40 per cent could. And while the stat that "81 per cent had never allowed a work colleague to use their work password" is higher than for the ASX 100 in general, it still leaves almost one in five who have not followed protocol.

Of more concern is that 37 per cent of employees believe their organisation does not have a data breach procedure, or do not know whether it has one. This contrasts with the "brand" view: while all financial services organisations told Deloitte that they had a data breach response plan, the figure above makes it clear that more than one in three (37 per cent) of staff do not know about any response procedure. All financial sector organisations feel comfortable that staff would report misuse or unauthorised disclosure of information - however, as Deloitte said, there is much more to be done, even at the best-run organisations.

These stats drive that point home: just 67 per cent of organisations have undertaken a formal exercise to develop a privacy strategy; of these, 50 per cent have refreshed the strategy in the last 12 months; and for 75 per cent of the 67 per cent that had a formal privacy strategy, the primary focus behind the strategy was to build trust with customers, not compliance. The