Data Security Is Top Compliance Concern, Report Finds

By Aliah D. Wright Aug 28, 2008

Companies in the United States say their top two ethics and compliance concerns are not sexual harassment and corruption but electronic data protection and data privacy, according to the LRN 2008 Ethics and Compliance Risk Management Practices Report, a study that LRN has conducted for two years.

Survey participants ranked data protection, data privacy, and conflicts of interest, in that order, as their top three concerns, far higher than other perceived risks including, respectively, sexual harassment, environmental safety and health issues, corruption, and bribery.

LRN defines itself as a global leader in ethics and compliance management and education serving leading companies in 120 countries. It surveyed more than 460 senior ethics, compliance, legal, risk and audit professionals to uncover trends and risk areas. Of those surveyed, 52 percent cited electronic data protection as the top risk, with 47 percent citing data privacy as a risk concern.

Most of those worries have to do with the growing amount of electronic data generated by companies nationwide and new data privacy laws and regulations, concerns not solely limited to the United States. Germany, for example, has instituted specific new laws on data protection, LRN states. In this country, 47 states have ratified separate data privacy laws protecting individuals from fraud and malicious use of their data.

In a recent poll by Deloitte Financial Advisory Services LLP (Deloitte FAS), nearly two out of every five executives (39.7 percent) feel that data volumes in the organizations they work for are increasing in size and becoming unmanageable.

Of particular concern, the LRN report states, is compliance with the eDiscovery Rule that went into effect in 2007.

The rule states that companies must manage and maintain all electronic data, including e-mails and instant messages, which might be relevant in future legal disputes.

“Discovery is a very serious issue to business today,” Bruce Hartley, a director in the Analytic and Forensic Technology (AFT) practice of Deloitte FAS, said in a previous release. He noted that in the past few years, defendants have faced millions in sanctions, penalties and jail time.

LRN noted that banking, financial, insurance and health care industries have more rules and regulations regarding data privacy than other trades.

As a result of the concern over data privacy and other issues, the LRN report says that many companies are working diligently to make sure that their employees are trained properly to prevent risk. However, nearly six out of 10 companies say they lack resources to do so.

And, in a cause for even greater concern, the study points out that one of the most significant challenges companies say they face is detecting violations—this despite the prevalence of anonymous reporting channels. Employees generally lack motivation to report a violation or fear retaliation if they do, the report states.

Among other key findings:

  • Since 2007, there has been a significant increase in the number of companies (nearly eight in 10) that provide formal ethics and compliance education to their CEO and senior management. In 2008, more than three times as many companies involve their board of directors in the risk assessment process compared to 2007.
  • Almost nine in 10 companies now perform a formal ethics and compliance risk assessment, with more than half integrating it into other business risk assessments.
  • Companies remain challenged in engaging international locations and supply chains—less than one-third of multinational companies are extending ethics and compliance efforts to parties that work closely with them, even though their violations could affect their company directly.

In order to meet compliance targets, LRN recommends that companies:

  • Develop comprehensive privacy and security policies.
  • Conduct audits of their data practices, including Internet activities, cross-marketing and data sharing with affiliates and partners.
  • Manage their internal data usage, such as handling of customer and employee personal data and educating employees to prevent breaches or losses related to data privacy.

Marjorie Doyle, global practice leader, Ethics and Compliance Solutions at LRN, said ethics education is key. “You have to win employees’ hearts and minds to convince them that ethics and compliance education and detection processes are not another ‘flavor of the month.’ Team members need to understand … how a violation of a company’s data privacy policy can affect their specific business. Lastly, companies must make the issues real. Real-life accounts of ethical and compliance wins and losses drive home the effectiveness of the detection process, educate employees on policies and procedures and send the message that management is serious about holding the company and its people accountable.”

Aliah D. Wright is an online editor/manager for SHRM. Reach her at

