Most companies will tell you that they place importance on protecting the privacy of their customers. But how much do the companies really care about your privacy? An indicator may be how much companies actually spend in terms of real dollars in their efforts to safeguard privacy. A recent study sponsored by IBM, independently conducted by the Ponemon Institute, and provided directly to the author, sheds some light on this very subject.

The study

Entitled "The Cost of Privacy Study," the study aimed to analyze how 44 U.S.-based multinational leading companies are spending and allocating resources for privacy. According to the study, this analysis is important because "cost is an objective indicator of the value and importance companies place on privacy commitments," and because "gaps in core privacy cost activity – and especially expenditures that aim to mitigate or lessen business risk – may indicate non-compliance with privacy and data protection requirements and policies."

The study made a point of addressing nine "core cost centers that are considered to encompass the full range of expenditures associated with a company's privacy and data protection program." Those nine cost centers are: privacy office, policy and procedures, downstream communications, training and awareness, enabling technologies, employee privacy, legal activities, audit and control, and redress and enforcement.

Results

A significant, but not surprising, finding of the study is that privacy program spending increases fairly dramatically as companies advance from early stage activities, such as planning and strategy, to later stage activities that focus on execution and delivery.

Interestingly, total direct spending on privacy varies widely across the 44 companies surveyed. Indeed, company spending ranges from less than $500,000 to over $22,000,000 in annual budgeted dollars for privacy. The lesson here is that you should get to know the company that you are dealing with, as they do not all equally put their money where their mouths are when it comes to privacy.

The highest privacy program cost activities relate to privacy office (overhead) and training programs. The lowest program cost activities currently relate to redress and audit/control.

As privacy programs mature, resources more commonly become centralized under the lead of a privacy office. Less mature programs have less budgetary control as they rely on cost sharing with other departments.

The study reveals that privacy expenditures lag company expenditures on quality and environmental and ethics initiatives. However, most participating companies believe that privacy expenditures will increase over the next several years.

The study suggests, according to cost survey results and market size analysis, that privacy direct and indirect spending by large corporations over the next year will be approximately $2.7 billion. And, as "corporate privacy programs evolve from early to late maturity stages," this spending should increase to almost $7 billion for companies within the Fortune 500.

Looking ahead

Hopefully an increased flow of money will lead to increased privacy protection by companies going forward. Time will tell whether more money, if forthcoming, will actually get the privacy job done right.

This article first appeared on Law.com.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Thursdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at ejsinrod@duanemorris.com. To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to ejsinrod@duanemorris.com.