Privacy & Security

Privacy & Security

Today’s digital society is built on the fast flow and analysis of information. The strides we make in gathering, routing, and analyzing torrents of data hold the promise of an ever-brighter future, a vision we at IBM refer to as Smarter Planet. But behind these data are real people, real organizations, and real concerns about privacy and security. At IBM, we take these concerns very seriously.


IBM believes that consideration for privacy and data protection must be built into the fabric of our business and our society, in order for individuals and organizations to realize the possible benefits of social progress and economic growth offered by our increasingly interconnected and data-driven world.

The economic value of information continues to increase, and much of that information relates to us as individuals. This information, and how we use it, is at the heart of new business models, new jobs, and new ways in which individuals and businesses organize and connect with one another around the globe. Institutions of all types—including businesses—must work to earn the public’s trust in their ability to steward information, and in turn we as consumers must take educated steps to protect ourselves and our families.

IBM has long been a pioneer in privacy policy and practice:

Early 1970s


First company in the world to adopt a global privacy code of conduct



One of the first companies of any size to appoint a chief privacy officer



First company to adopt a global genetic nondiscrimination and privacy policy



Recognized as one of the top 10 companies “Most Trusted for Privacy” by US consumers for the seventh consecutive year



First company in the world to be certified under Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules

In 2013, IBM continued its work to promote privacy and security in the realm of public policy.

Promoting trusted flows of data around the world

As nations around the world adopt privacy laws, moving data across borders has become an important issue. That’s why IBM has been working with APEC for years on its Cross Border Privacy Rules system. Under this system, a third party “accountability agent” examines a company’s privacy policies and practices in order to certify that they match strong principles articulated by APEC. Having become the first company to receive this stringent certification last year, we regard it as tangible evidence of our commitment to privacy, a way to put ourselves in the best possible position to serve populations in this vibrant region, and a concrete step toward true global interoperability.

Privacy by design

In 2013, IBM continued its extensive work to build a globally recognized enterprise privacy program that follows privacy-by-design practices. Our software tools for performing global privacy assessments on IBM’s collection and use of data for our own enterprise have been updated to reflect changes in the law and the environment and to improve risk management and usability.


Security is an important critical aspect of the lifecycle of a system, from design and architecture through implementation, testing, deployment, maintenance, and retirement. Today, organizations and individuals are confronting heightened risks as cybersecurity threats continue to grow and evolve.

At IBM, we carefully consider cybersecurity challenges when conceiving, developing, and marketing our technology solutions. We also recognize the importance of collaborating with public and private organizations that build market awareness of these issues and implement policy governing them. We understand the benefit of providing education as well as technology.

In 2013, IBM was an active participant in the development of the National Institute of Standards and Technology’s voluntary Framework for Improving Critical Infrastructure Cybersecurity. The framework arose out of President Obama’s Cybersecurity Executive Order and addresses key security issues for today’s critical infrastructure companies. Its risk-based, flexible approach allows it to be adapted by organizations of all types and sizes as a valuable and cost-effective tool to improve their cybersecurity posture. With the first version of the framework completed in early 2014, IBM is helping clients understand and incorporate it into their own cybersecurity risk-management programs.

Internally, IBM continues to reinforce a cybersecurity-awareness culture. Each of IBM’s 430,000-plus employees completes a mandatory, annual course on cybersecurity and privacy called Cybersecurity for Digital IBMers. Additional training and education programs are also provided for IBM privileged users, employees who administer applications, systems, or networks. And practical guidance on cybersecurity practices is provided throughout the year to employees and managers in various venues.

IBM also takes part in National Cybersecurity Awareness Month each October, led by the US Department of Homeland Security and the National Cyber Security Alliance. In 2013, IBM was a corporate champion of the event and chose the theme: “Think. Protect. Prevent.” For employees, we launched a redesigned IBM Cybersecurity intranet site and provided weekly articles and blog posts highlighting various aspects of secure computing. IBM also provided resources for employees so they can teach secure computing practices at home, in their neighborhoods, schools, and communities. To encourage clients and fellow IT security professionals to participate in Cybersecurity Awareness Month, IBM’s Chief Information Security Officer Joanne Martin published an article in IBM’s Security Intelligence blog.

We also recognize that our clients, employees, and other stakeholders may have questions about how government access to information impacts IBM. And so we have published an open letter to our clients to help address those questions.