Survey: Only Eight Percent of Americans are “Very Confident” their Personal Data is Properly Managed
Research on Security and Identity Management (by Marco Casassa Mont)


This is the outcome of a recent survey by The Strategic Counsel, at least according to the overview provided by this article (titled "Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe With Retailers, Banks and Governments"):

"Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc., and conducted by The Strategic Counsel. The CA 2008 Security and Privacy Survey was done as a follow-up to the 2006 survey. Additionally, the consumer survey indicated that an average of 79 percent of American consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with."

Even more interesting is this statement, mentioned by the above article:

"Businesses used to worry about the hackers and thieves launching denial of service attacks from outside the firewall; now they recognize that their greatest danger lurks within the organization. The good news is that increasingly businesses are turning to identity and access management solutions to ensure that confidential data is safeguarded and available only to the people within the organization who genuinely need to have it."

Well, I only partially agree with the final part of this statement. Turning to identity and access management solutions is indeed important, but it is just one step towards really ensuring that personal and confidential data is managed according to legislation and users' preferences.

First of all, most current IdM solutions are not really privacy-aware and/or do not provide privacy-enhancing capabilities (e.g. privacy-aware access control), which are fundamental to preventing PII data from being accessed and used beyond the agreed purposes and for the wrong intents ... Secondly, IdM solutions can address the problem only up to a point, since accidents, social engineering, actions by traitors/insiders, and the effects of bad processes and practices can still happen ...
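As an added illustration of the point above (this is example code, not from the post or from any HP Labs work), the check below contrasts a conventional role-based decision with a purpose-bound, consent-aware one: RBAC alone lets a marketing analyst read Alice's record, while the privacy-aware check refuses because she never consented to that purpose. The roles, purposes, Alice's record and the audit log shape are all constructed.

```python
from dataclasses import dataclass


@dataclass
class PiiRecord:
    """A personal-data record plus the purposes its owner agreed to (constructed sample)."""
    owner: str
    fields: dict
    consented_purposes: frozenset


# What a conventional IdM/RBAC layer knows: which role may perform which action.
ROLE_PERMISSIONS = {"hr_analyst": {"read"}, "marketing_analyst": {"read"}}

# Hypothetical enterprise policy: which purposes each role may legitimately declare.
ROLE_PURPOSES = {"hr_analyst": {"payroll", "org_chart"}, "marketing_analyst": {"marketing"}}

AUDIT_LOG = []  # every decision is recorded so data-governance reviews can inspect it


def rbac_allows(role, action):
    """Conventional check only: does the role carry the requested action?"""
    return action in ROLE_PERMISSIONS.get(role, set())


def privacy_aware_decision(role, action, purpose, record):
    """RBAC plus purpose binding: the declared purpose must be one the role may use
    AND one the data owner consented to. Returns (allowed, reason) and logs it."""
    if not rbac_allows(role, action):
        allowed, reason = False, "role lacks permission"
    elif purpose not in ROLE_PURPOSES.get(role, set()):
        allowed, reason = False, f"role may not act for purpose '{purpose}'"
    elif purpose not in record.consented_purposes:
        allowed, reason = False, f"owner '{record.owner}' did not consent to '{purpose}'"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({"role": role, "action": action, "purpose": purpose,
                      "owner": record.owner, "allowed": allowed, "reason": reason})
    return allowed, reason


# Constructed sample record: Alice consented to payroll processing only.
ALICE = PiiRecord("alice", {"salary": 50000, "email": "alice@example.invalid"},
                  frozenset({"payroll"}))

if __name__ == "__main__":
    print(rbac_allows("marketing_analyst", "read"))  # True: RBAC alone lets this through
    print(privacy_aware_decision("marketing_analyst", "read", "marketing", ALICE))
    print(privacy_aware_decision("hr_analyst", "read", "payroll", ALICE))
```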

So, the other part of the story, for the enterprise, is putting in place proper "data governance processes" and dealing (upfront and periodically) with the necessary risk assessment and management steps. These steps (which should be carried out before deploying any "control point" in the IT infrastructure) are much, much harder to achieve and maintain than simply deploying IdM solutions ...



Posted 07-17-2008 12:08 AM by marcocasassamont

Comments

James wrote re: Survey: Only Eight Percent of American are “Very Confident” their Personal Data is Properly Managed
on 07-19-2008 11:59 AM
marcocasassamont wrote re: Survey: Only Eight Percent of American are “Very Confident” their Personal Data is Properly Managed
on 07-20-2008 12:19 PM

Thanks for this link to your comments and thoughts on active directories.

This is a good reality check about what is currently used in enterprises. The current adoption success of LDAP directories/virtual/meta directories speaks for itself. I guess this is also the result of implicit or explicit assessment of their value, costs, practicality (e.g. integration with authentication processes) vs. involved risks.

Based on my experience, I know that LDAP directories are currently primarily used (at least in large organisations) to store HR data (e.g. enterprise org charts) and to provide support for authentication. Some PII data is indeed stored in LDAP directories, even if traditional relational databases are still primarily used to store this kind of information.

Independently from this, some of the related threats and risks are still there, in particular in terms of unauthorised access to personal data, privacy violations, data leakages. One of the reasons for this is the (current) lack of adequate, privacy-aware access control.

Part of my past R&D work has been focused on addressing these issues by means of technical approaches and solutions (e.g. see www.hpl.hp.com/.../PrivacyAwareAccessControl.htm), but we are still far away from having scalable and industrial solutions.
