Survey: Half of businesses don't secure personal data

Fifty-five percent of businesses don't secure Social Security numbers, bank accounts, and other data, even though 79 percent have experienced a data breach.

Lance Whitney Contributing Writer

The personal information you give to businesses may not be as secure as you hope, according to a new survey.

Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.

The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.

Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.


Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.

"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."

Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.

On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.


Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.

Over the past few years, data breaches at large organizations such as TJX, the parent company of T.J. Maxx and Marshalls, and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.