Privacy and Security

Today’s digital society is built on the fast flow and analysis of information. The strides we make in gathering, routing and analyzing torrents of data hold the promise of an ever-brighter future, a vision we at IBM refer to as Smarter Planet.

But behind these data are real people, real organizations and real concerns about privacy and security. At IBM, we take these concerns very seriously.


IBM believes that consideration for privacy and data protection must be built into the fabric of our business, and our society, in order for individuals and organizations to realize the promises of social progress and economic growth offered by our increasingly interconnected and data-driven world.

The economic value of information continues to increase, and much of that information relates to us as individuals. This information, and how we use it, is at the heart of new business models, new jobs and new ways in which individuals and businesses organize and connect with one another around the globe. Institutions of all types—including businesses—must work to earn the public’s trust in their ability to steward information, and in turn we as consumers must take educated steps to protect ourselves and our families.

IBM has long been a pioneer in privacy policy and practice:

  • Early 1970s—first company in the world to adopt a global privacy code of conduct
  • 2000—one of the first companies of any size to appoint a chief privacy officer
  • 2005—first company to adopt a global genetic nondiscrimination and privacy policy
  • 2010—recognized as “Most Trusted for Privacy” in the technology industry in the United States and Canada

In 2011, IBM launched a number of new initiatives around privacy, and expanded others already underway. Some of these programs are designed to help organizations in need of expertise in these areas, some share what works at IBM with the rest of the world, and others strive to promote consideration of privacy and security in the realm of public policy.

Pro Bono Privacy Initiative

According to Independent Sector, a coalition of not-for-profit organizations, foundations and corporate giving programs, there are 1.4 million not-for-profits in the United States serving the broad public interest by providing services such as homeless shelters, domestic violence assistance and nutrition support. Given the staggering growth of digital data, these organizations are increasingly likely to encounter issues related to privacy and personal data security that they must understand, analyze and address.

In 2011, IBM took part in creating an initiative dedicated to providing these not-for-profit organizations with free legal and other advice on responsible and pragmatic practices for protecting individual privacy and data security. Called the Pro Bono Privacy Initiative, this group of privacy professionals aims to engage with human services agencies to help them navigate mission-critical privacy and data protection considerations. As part of the initiative’s pilot, IBM is sharing its data security and privacy expertise with Safe Horizon, the largest victims’ assistance agency in the United States.

The Pro Bono Privacy Initiative is designed to help:

  • interested not-for-profits improve their compliance and risk posture
  • participating privacy professionals give back to society while enriching their experience and networks
  • supporting companies, law firms and consultancies demonstrate corporate citizenship

Privacy by Design

IBM has done extensive work to build a globally recognized enterprise privacy program, and in 2011 we furthered those efforts by sharing our experiences with others. Our progress in turning privacy policy into practice is summarized in this case study written about IBM by Ann Cavoukian, Ph.D., information and privacy commissioner of Ontario, Canada. Cavoukian is a globally recognized leader in privacy initiatives who is credited with developing the concept of Privacy by Design.

The paper discusses the importance of designing data protection policies into every operation in an organization, and describes how IBM used the principles of Privacy by Design, despite our geographically dispersed and culturally diverse workforce. In doing so, IBM has been able to become proactive, meet business objectives, and create a user-centric environment that fosters respect for privacy.

Cavoukian writes: “For IBM, such a strategic focus on privacy has enabled process improvements that demonstrably link to reduced operational costs and documented compliance. Beyond the foundational objectives at the heart of every organization’s privacy program, the team at Big Blue discovered that Privacy by Design enabled them to tackle more ambitious challenges—ones that directly supported the business strategy of the company.”

In 2011, we launched, a site that offers resources and discussion about privacy and data protection for large enterprises, small businesses and not-for-profit organizations. In doing so, IBM hopes to help demystify the privacy and data security issues that all organizations must address in today’s digital world. By proactively developing privacy plans based on current and practical knowledge, organizations will be better positioned to achieve their overall missions in a way that maintains their good reputation and also enhances compliance.

Among the resources available free of charge from this site is Security & Privacy Made Simpler, a toolkit and guide offered in the United States by the Better Business Bureau that was informed and co-sponsored by IBM and other leading experts and corporations. There’s also Privacy & Security Resources, presented by the Bureau of Consumer Protection office of the United States Federal Trade Commission. And, for a fee, visitors can download “Building a Privacy Program: A Practitioner’s Guide,” published by the International Association of Privacy Professionals.


Security is an important aspect of the entire lifecycle of any system, from design and architecture through to implementation, testing, deployment, maintenance and retirement. Today, organizations and individuals are confronting heightened risks and security threats as IT moves further into the fabric of business and consumer systems. The sizeable increase in online criminal activity compounds the challenge.

At IBM, we recognize and consider cybersecurity challenges when conceiving, developing and marketing our technology solutions. But we also recognize that it is important to collaborate with public and private organizations that build market awareness of these issues and implement policy governing them. We understand the benefit of providing education as well as technology.

Community Engagement

In support of that understanding, IBM took part in Safer Internet Day, held in early 2012. This year’s theme was “Connecting generations and educating each other.” IBM released free Internet safety training tools for students and deployed thousands of volunteers around the world to help educate consumers and businesses on Internet safety and digital awareness. The kits are designed to help teach teenagers how to protect their personal data and reputation online, to give teachers or adults working with children information on Internet safety and common Internet activities that young people engage in and to help adults recognize and prevent cyberbullying among youth.

Other External Engagements

In 2011, IBM also expanded its Institute for Advanced Security to help clients, academics, partners and other businesses understand, address and mitigate complex, multidisciplinary issues associated with securing cyberspace. Formed in 2010 with headquarters in Washington, DC, the Institute opened an office in Asia-Pacific in 2011, providing assistance to countries within the region to help mitigate a range of emerging security complexities. IBM also opened a division of the institute in Europe to help European organizations understand the complex issues associated with addressing their cybersecurity challenges by leveraging IBM’s broad array of security scientists, researchers and experts.

IBM also continued its strategic engagement with government organizations to assist them as they grapple with their role in addressing cybersecurity in today’s changing risk environment. For example, in response to NATO Secretary General Anders Fogh Rasmussen’s call for European allies to adopt a smarter approach to maximizing scarce defense resources, IBM in 2011 joined with the Atlantic Council to help develop strategies and practical road maps for NATO’s modernization to confront future challenges. This initiative focuses on providing thought leadership and innovative policy-relevant solutions for NATO’s continued reform and role in cyber defense and security. “Aligning with IBM allows the Council to continue our cutting edge work on transatlantic security challenges, focusing on NATO reform and cybersecurity,” said Frederick Kempe, president and CEO of the Atlantic Council. “We are especially pleased to work in concert with IBM, a global leader in leveraging technology to increase value, flexibility and productivity across the private and public sector.”

Secure, Smart and Social Computing Programs

IBM recognizes the value that social computing can bring to a company, both for internal employee interaction and building stronger relationships with customers, providers and partners. But the use of social media can also introduce risk. We realize that if not managed correctly, individuals’ engagement with social and other computing technologies can work against an organization’s relationship-building efforts and pose significant security threats.

Thus, in 2011, IBM took several additional steps to fortify the company’s ongoing risk management efforts. We formalized an internal Social Business Management Council, a cross-company group of senior leaders charged with aligning the company’s social business strategies with risk mitigation priorities, as well as leading our employee education and enterprise policy initiatives in this area. We continued to review and update the IBM Social Computing Guidelines and we are deploying mandatory employee security education and an interactive set of resources to emphasize and reinforce secure social computing called the “Digital IBMer Hub.” We’ve also developed social recruiting guidelines that outline how social media can and should be used by employees during the recruiting process, as well as an employee guide for managing digital reputations that stresses the importance of individuals taking responsibility for their own online personas. Finally, recognizing the changing risk environment in which all organizations now operate, we updated and streamlined the resources available to IBM’s entire workforce for reporting suspicious incidents involving data or IT systems, and we continue to devote resources to support expert response efforts.