A few weeks back, PricewaterhouseCoopers issued a new section of their Consumer Intelligence Series, an ongoing set of studies on different aspects of what influences consumer behavior, specifically in transactions that put something of theirs at risk. This section is a report on consumers’ trust in businesses. Before dismissing the report on the basis that the study is of businesses, consider that standard practice for such reports, absent any special parameters, is to apply the term broadly: nonprofits, government, and small businesses (including heritage organizations not included in some other classification) are considered businesses for the purposes of such studies. In the terms of the survey, consumer refers to those served in some way by the business.
The analysis included with this particular study emphasized terminology used in institutions that deal in financial transactions. However, the ubiquity of cyber networks in general, and the blurring of lines between the primary activities of institutions that handle transactions of any type, justify a wide base of survey targets. (One of the Equifax breaches and the infamous Target breach were accomplished through attacks on third-party vendors that did not exclusively deal with the financial side of things.) The data was collected from a sample of individuals from different fields, and the questions included both specific types of transactions and general dealings with data used by the institutions.
One part of this study focused particularly on the subject of trust and its connection to security practices. This is not surprising for financial issues. Consumers expect to trust the security of the systems that will handle their data. As archivists, we also confront trust issues. We must assure donors that their information will be handled with care and the donors expect a repository to be a place with excellent security. Researchers also expect the records to come from a secure source, one that can offer assurances as to the quality of the research material as evidence. Additionally, an increasing amount of archival research, along with business transactions that may accompany such research (such as payments for archival services), is carried out across cyberspace.
The questions we must ask ourselves are what would happen if donors and researchers had no trust in our institutions’ security, and how do we establish and maintain that trust? The questions are somewhat rhetorical here, as the answer to the first is obvious (they leave us), while the second is complicated enough that it is difficult to answer without more information. We do ask you to keep them in mind as we relay a few of the findings of the study to you:
- 69% of respondents believe most companies that handle sensitive data are vulnerable to hacks/cyberattacks.
- Only 25% felt that their sensitive personal data is handled securely by most companies that they give it to.
- More believe that their email or social media accounts will be hacked in the coming year than believe a flight will be cancelled or that they will be in even a small automobile accident.
- Very few believe they have complete control over their own personal information, while the vast majority specifically feel private business, as opposed to government, will do the best job of providing security.
The report closes with information that it feels is actionable, stating that 92% of respondents say that companies should be proactive when it comes to protecting data, with most saying it is the organization collecting the data that has responsibility for its security. 72% thought the government unable to protect sensitive information, and 70% believed it unable to assure fair use of such information.
In the final analysis, the vast majority of respondents stated they would not do business with someone they did not trust. They also feared many of the proposed solutions to help organizations establish better security would come at the expense of consumers, who in the end want to be part of controlling their own sensitive data. As we said earlier, for the purpose of the survey, consumer refers to those served in some way by the business. In archives that could be donors, researchers, a dedicated community, or others. [When we decide how we will provide security, what stakeholders do we consult?] Fewer than 25% of those studied listed nonprofits, information technology, or government as trusted institutions.
The report gave a “call to action” and a bottom line summary. These stated that a company should make cybersecurity and privacy a high priority, “putting cybersecurity and customers’ privacy at the forefront” and “backing it with proven security tactics.”
While much of the report clearly reflects terms and goals associated with for-profit business, the majority has to do simply with whether intended stakeholders will trust an organization with their records and other information. Security is the issue. This is true with paper documents. In this world of constant assault on the security of digital information, that is to say the vast, vast majority of recorded information, it means taking new, and in many cases radically different, steps not only to secure that which is entrusted to us, but also to demonstrate we have done so.
The report can be found here: