As IBM’s long history of security and privacy leadership demonstrates, IBM understands that these two elements are essential for trust in the digital economy. IBM will continue to lead in these critical areas as we embrace the challenge of reducing risk and safeguarding data at the cutting edge.

IT security

As companies continue to expand their businesses and IT infrastructure — adding more devices and increasing connectivity — their vulnerabilities can also increase. At IBM, we not only carefully consider security when developing our technology solutions, but also examine our internal systems and processes to assess how we can best reduce risk and maintain the continuity of our business.

The human element also puts businesses at risk as attackers take advantage of lapses in security or use social engineering to target unwitting users. Recognizing that education is among the best forms of protection, we continuously strive to reinforce a cybersecurity-aware culture within our company and throughout the communities around us, by promoting increased knowledge and understanding of relevant issues. Because threats continuously evolve, each of IBM’s active employees is required to complete a mandatory, annual cybersecurity and privacy course that is regularly updated with new insights on the latest types of attacks and security best practices.


Trust is the foundation of IBM’s leadership in the cloud and cognitive solutions — trust in IBM’s cutting-edge technology, but also trust in IBM’s ability to protect data stored at the cutting edge. IBM continues to match its long-standing technical leadership in the fields of cloud and cognitive solutions with sustained leadership in the sensitive area of data privacy.

Global Data Stewardship Program — As a business that operates in a specialized and highly regulated space, Watson Health has developed a Global Data Stewardship Program to prevent and mitigate the risk of inappropriate access, use, disclosure, loss and theft of protected data with which we come into contact in connection with IBM’s Watson Health business.

Compliance with Industry Standards — IBM’s Watson Health Cloud remains HIPAA-enabled, allowing us to maintain and curate health data in accordance with industry-leading security requirements. With proper permissions, data stored on the Watson Health Cloud also may be used for research purposes or to improve health-related offerings and services. These advances are made possible through IBM’s use of some of the most sophisticated, enterprise-level security capabilities and privacy-protective techniques available. For example, IBM’s information security standards and management practices for cloud services align with the ISO/IEC 27001 standard for information security management and comply with the ISO/IEC 27002 Code of Practice for Information Security Controls. The majority of IBM’s cloud offerings are now certified as compliant against these standards.

Responding proactively to the General Data Protection Regulation — IBM’s approach to privacy and security has been informed by key changes in industry standards and best practices — many of which reflect IBM leadership. Of critical importance, the European Union published in 2016 a new General Data Protection Regulation (GDPR), which enters into force in May 2018. This significant regulatory change will affect organizations that handle personal data in Europe and beyond, given the extraterritorial nature of the GDPR. IBM is responding proactively to GDPR, establishing a global project to implement GDPR — with respect to IBM’s internal processes as well as IBM’s commercial offerings. IBM recognizes that our customers will rely on IBM’s offerings and technical assistance to achieve GDPR compliance within their own organizations, and IBM is well-positioned to meet this critical need.

As part of its GDPR project, IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes, with the objective that technical and organizational security measures limit, by default, the amount and use of personal data to what is specifically required. This work also will strengthen controls already in place to limit access to personal data, including with respect to mobile applications that rely on sensible default settings to ensure that personal data is not inadvertently shared with others.

EU Data Protection Code of Conduct — Consistent with IBM’s commitment to GDPR compliance, IBM also signed on to the EU Data Protection Code of Conduct for Cloud Services Providers for our IBM SoftLayer® and IBM Bluemix® Infrastructure offerings. This Code of Conduct resulted from a four-year development process involving multiple parties, including the Cloud Industry Select Committee, of which IBM was a founding member. IBM considers the Code of Conduct to be the most reliable tool available to assure cloud users that their data is secure. The Code of Conduct will strengthen the trust between cloud providers and cloud users, and IBM is proud to have championed its development.

Cristina Cabella, IBM Chief Privacy Officer

Read the blog post by Cristina Cabella, IBM’s Chief Privacy Officer, for more about IBM signing the EU Data Protection Code of Conduct for Cloud Service Providers.

Cristina Cabella, IBM Chief Privacy Officer

Read the blog post by Cristina Cabella, IBM’s Chief Privacy Officer, for more about IBM signing the EU Data Protection Code of Conduct for Cloud Service Providers.

Download the 2016 report