
Financial firms unsure where personal data is held

More than half of financial-services organisations have no accurate inventory of where their employees' and customers' personal data is stored, a survey has found
Written by David Meyer, Contributor

Most financial-services organisations lack a clear idea of where their employees' and customers' personal data is held, a PricewaterhouseCoopers survey has revealed.

The Global State of Information Security 2008 survey analysed various industries to judge their approach to information security, canvassing the views of "more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries". Of those surveyed, 665 worked in financial services, with 23 percent of those people coming from Europe.

According to the survey, 54 percent of those surveyed in financial services "report their organisation does not have an accurate inventory of where personal data for employees and customers is collected, transmitted and stored".

Furthermore, 49 percent of respondents in that sector said their firm did not integrate privacy and compliance policies, and 61 percent said their information security and physical security departments did not report to the same executive leader. The solution, according to the report's authors, would be to employ a chief privacy officer, a measure adopted by 28 percent of respondents to the survey.

Only 45 percent of respondents said their firm carries out "security- or privacy-related due diligence of third parties handling customer information". Only 34 percent had an inventory of those third parties to hand.

However, PwC found that the financial-services sector has made advances in security-technology adoption. According to the survey, 84 percent now use malicious-code detection tools, compared to 67 percent a year ago. Eighty percent now use content filters, versus 62 percent in 2007, and 50 percent use wireless handheld-device security — compared to 38 percent in 2007.
