
2005 Most Trusted Companies for Privacy Study ©

Summary Report Prepared by Ponemon Institute, LLC

Report Dated September 20, 2005

Ponemon Institute© Please Do Not Use Without Express Written Permission.


2005 Most Trusted Companies for Privacy ©

I. Executive Summary

We are pleased to present the results of our second annual Most Trusted Companies for Privacy
Study. The purpose of the study is to have consumers assign a rating to companies according to
how much they trust these organizations to protect the privacy of their personal information. The
study was conducted by Ponemon Institute and TRUSTe.

Why is trust important for companies? Based on previous consumer studies conducted by
Ponemon Institute, it has been shown that companies perceived as trustworthy are rewarded with
a higher degree of customer loyalty and retention. Moreover, according to the 2005 Online
Consumers Permission Study conducted by Ponemon Institute, it was found that consumers are
willing to share more personal information with companies when they have a trusted relationship.
Understandably, the more informed a company is about the purchasing habits and preferences of
its customers, the more likely it is to increase sales and revenues.

We offer one cautionary note about the results of the 2005 Most Trusted Companies for Privacy
study. Based on previous consumer studies we have conducted, we have found that consumer
perceptions about privacy and trust can be influenced by a number of factors. In fact, the ratings
may not reflect at all the actual privacy practices of the company and its efforts to protect the
personal information of its customers and employees. Further, what a company does in the area
of privacy and data protection can be invisible to the customer until he or she experiences a
problem and seeks redress or has a question that needs to be answered.

Some factors influencing consumers’ perceptions can include a favorable (or unfavorable) opinion
about a company’s brand and products, a personal experience with a call center employee or
other employee or how well the company’s advertising messages resonate with them—especially
if privacy and protection of identity are included in the promotion. Trust may also be earned when
a customer receives an order on time and in good condition.

We also believe media coverage of companies experiencing a security breach can affect not only
an individual company but the industry as well. It is interesting to note that in this year’s study the
trustworthiness rating of the banking industry has slipped from Number 3 to Number 7. The
decline in trust could perhaps be attributed to the rash of news reports on security breaches of
credit card information.

The most trusted industries in this year’s study are healthcare organizations, Internet Service
Providers (ISPs) and consumer product companies. Considered not as trustworthy for privacy
commitments are the toy, hospitality and food service industries.

II. Survey Method

Our Web-based research study asked respondents to name one to five companies in 23
industries listed in the study they believed to be the most trustworthy when handling their
personal information. Company names were not provided in the survey instrument to allow each
participant to freely select the organizations believed to be most trusted for privacy.

Participants were asked to apply the following definitions when determining the companies they
trusted most for privacy:

• Personal information – Information about yourself and your family. This information includes
name, address, telephone numbers, e-mail address, Social Security number, other personal
identification numbers, access codes, age, gender, income and tax information, shopping
information, account activity and many other pieces of data about you.

Ponemon Institute ©: Private & Confidential Document Page 2

• Privacy trust– Your belief that the company is honoring its privacy commitments to you, and
keeping your personal information safe and secure. This includes its commitment not to
share your personal information unless there is a just cause or you have given your consent.

Our fieldwork ended on August 9, 2005, with the collection of 6,792 useable responses over an
eight-week period. We asked participants to list one to five companies in various industry sectors
that they believed to be the most trustworthy for honoring their privacy commitments. According
to their responses, we compiled a list of the most trusted companies for privacy. The aggregated
list in our analysis contained 203 different company names, compiled from almost 28,000
individual company ratings.

Using the same ranking procedures as in our 2004 study, we carefully executed the following
decision rules to compile this year’s list of most trusted companies for privacy:

1. All companies with 20 or more individual positive ratings were included in analysis.
Companies with fewer than 20 positive ratings were excluded from further inspection.

2. A combined rating system composed of three ranking procedures was used to determine the
overall rank of a given company. Following are the three different rating schemes:

• R1: The rank order of a given company based on the net positive responses. While this
metric is unambiguous, it is biased. Larger companies or those with a bigger brand name
would be more likely to earn a higher net response.

• R2: The rank order of a given company based on the percentage of “first place” ratings.
This is an unbiased metric because the percentage is not associated with the size of a
company.

• R3: The rank order of a given company based on the ratio of positive to negative ratings.
Unlike R1, this metric is biased to smaller companies because they are more likely to
have very few negative ratings (as opposed to larger companies).

3. Because the focus of this work was the group of companies “most trusted” for privacy, all
aggregated negative ratings were excluded from further analysis after compiling the master
list of 203 companies.

Table 1 shows the sample and response statistics of our study:

Table 1
Sample Characteristics                            Total     Pct %
Sample frame size                                 51,895    100.0%
Total responses                                   7,140     13.8%
Total rejections                                  348       -0.7%
Net responses                                     6,792     13.1%
Total positive & negative ratings                 27,847
Average number of ratings per subject             4.10
Average number of positive ratings                2.52
Average number of negative ratings                1.58
Number of separate companies identified           417
Number of companies with ≥ 20 positive ratings    203



Table 2 and the Pie Chart show the distribution of subjects across the United States. Please note
that this study only obtained information from people living in the United States (43 states in the
sampling frame). A separate study was conducted with subjects residing in nine Canadian
provinces. These results will be provided in a separate report.

Table 2
Geographic Regions    Freq     Pct%
Northeast             1,518    21%
Mid-Atlantic          1,532    21%
Southeast             957      13%
West/Pacific          1,046    15%
Southwest             844      12%
Mid-West              1,243    17%
Total                 7,140    100%

[Pie Chart: distribution of subjects by geographic region (Northeast, Mid-Atlantic, Southeast, West/Pacific, Southwest, Mid-West)]

III. Results

Bar Chart 1 shows the top 10 list of most trusted companies in ascending order based on the
combined rank scores from R1, R2 and R3 (described above). Please note that 11 companies
are displayed because of ties in combined rank scores.

The number next to each bar reflects the combined score for every one of the top 10 most trusted
companies for privacy. A low combined score indicates a positive result and a high combined
score indicates a negative result.

Please note that Dell and IBM achieve tied scores for eighth place, and EarthLink and Google
earn tied scores for tenth place. The overall average score for the top 10 companies shown in the
bar chart is 96 points. The overall average score for all 203 companies ranked in the most trusted
list is 305 points, and the score for the bottom 10 companies contained in the most trusted list
averaged 574 points.

Bar Chart 1: Top Companies Based on Combined Scores

American Express                 65
Amazon                           67
Procter & Gamble (all brands)    83
Hewlett Packard                  90
eBay                             92
AOL                              100
US Postal Service                105
Dell                             111
IBM                              111
Earthlink                        114
Google                           114



Table 3 lists the top twenty companies that consumers believe are most trustworthy for honoring
privacy commitments. For comparison purposes, the prior results from our 2004 study are shown
in Panel A and results from the 2005 study are shown in Panel B. The ranking is based on a
combination of three different ranking procedures for R1, R2 and R3 as explained above.

Table 3
Panel A                                   Panel B
Rank  2004 Top Companies                  Rank  2005 Top Companies
1     eBay                                1     American Express
2     American Express                    2     Amazon
3     Procter & Gamble (all brands)       3     Procter & Gamble (all brands)
4     Amazon                              4     Hewlett-Packard
5     Hewlett-Packard                     5     eBay
6     U.S. Postal Service                 6     AOL
7     IBM                                 7     US Postal Service
8     EarthLink                           8     Dell
9     Citibank                            8     IBM
10    Dell                                10    EarthLink
11    Disney                              10    Google
12    Bank of America                     12    Charles Schwab
13    Harley-Davidson                     13    Apple (including iPod brand)
14    Johnson & Johnson (all brands)      14    Johnson & Johnson (all brands)
14    US Bank                             15    WebMD
16    Fidelity                            16    E-Loan
17    E-Loan                              17    Washington Mutual
18    VISA                                18    Federal Express
19    Apple                               18    Yahoo
20    Washington Mutual                   20    USAA
                                          20    Disney

Because of tied ranks, Panel B lists more than twenty organizations. Many of this year’s top
ranked organizations are computer technology or Internet firms. We also see new entrants to this
year’s top 20 list, including AOL, Google, Charles Schwab, WebMD, Federal Express, Yahoo and
USAA.

R1 Companies with highest net positive ratings (Net = ∑Positive – ∑Negative). Table 4 reports
the top 10 companies in terms of R1. As can be seen, IBM achieves the highest R1 rank with a
net positive result of 367 responses, followed by Amazon and American Express.

Table 4: Top Companies for Privacy
R1    Company                           Positive  Negative  Net
1     IBM                               449       82        367
2     Amazon                            377       39        338
3     American Express                  369       36        333
4     Hewlett-Packard                   347       47        300
5     AOL                               276       32        244
6     Procter & Gamble (all brands)     275       32        243
7     US Postal Service                 271       34        237
8     eBay                              260       30        230
8     MSN                               293       63        230
10    Johnson & Johnson (all brands)    222       31        191



R2 Companies with the highest percentage of ratings in first position on survey (Pct% first = total
first Place divided by positive). Table 5 shows E-Loan, Fifth Third Bank, and American Express
achieving the top three places using this ranking procedure. It appears that E-Loan, Fifth Third
Bank, American Express, PGP and Amazon all achieve percentages in excess of 90%.

Table 5: Top Companies for Privacy
R2    Company                           Total  First Place  Pct% First
1     E-Loan                            31     30           96.8%
2     Fifth Third Bank                  58     43           95.6%
3     American Express                  405    341          92.4%
4     PGP                               23     19           90.5%
5     Amazon                            416    341          90.5%
6     Netflix                           32     26           89.7%
7     Procter & Gamble (all brands)     307    245          89.1%
8     Hewlett-Packard                   394    307          88.5%
9     IBM                               531    390          86.9%
10    Charles Schwab                    147    112          86.8%

R3 The following table ranks companies with the highest ratio (Positive ÷ Negative). The ranking
below assigned the highest rank to companies with the highest positive response for those
companies where ∑Negative = 0.

Table 6: Top Companies for Privacy
R3    Company                              Positive  Negative  Positive/Negative
1     E-Loan                               31        0         α
1     NRA                                  22        0         α
3     Hallmark                             68        1         68.00
4     Priceline.com                        49        1         49.00
5     WebMD                                47        1         47.00
6     Weight Watchers                      46        1         46.00
7     Bristol-Myers Squibb (all brands)    38        1         38.00
8     Diner's Club                         37        1         37.00
9     Kodak                                108       3         36.00
10    AG Edwards                           34        1         34.00

The top ranking organizations with respect to the R3 variable are E-Loan, National Rifle
Association (NRA) and Hallmark. The note α in Table 6 means that the computed value cannot
be defined.

Table 7 provides a summary of top ranked companies by 23 industry subgroups. The table
shows significant variation in the average rank by industry, where health care, consumer products
and package and delivery services achieve much higher average rankings than companies in the
toy, food and hospitality industries, respectively.

It is also interesting to observe differences between 2004 and 2005 industry subgroup rankings.
For example, in 2005, banking moved from second to seventh place among all industries in our
ranking. On the other hand, delivery and package moved from eighth place in 2004 to third place
in 2005.

One reason for the public’s privacy concerns in banking may relate to the rise of phishing and
spoofing attacks on Internet users. The impact of phishing was revealed in earlier research
conducted by Ponemon Institute over the past year.[1] Another factor that may have diminished
consumer privacy trust is the wave of recent security breach incidents involving major
organizations.

Table 7
Average Combined Rankings by Industry Group

Industry                        Top Ranked Company by Industry    Industry Ranking  Numbers  Average Rank  Min  Max
Health care                     WebMD                             1                 5        39.20         15   56
Consumer products               Procter & Gamble                  2                 4        49.25         3    140
Package & delivery              US Postal Service                 3                 4        55.50         105  75
Web business                    Amazon                            4                 14       59.86         2    162
Entertainment                   Disney                            5                 3        67.00         6    101
Insurance                       USAA                              6                 9        68.44         103  20
Banking                         Washington Mutual                 7                 10       74.30         17   137
Computer technology             Hewlett Packard                   8                 18       87.11         4    180
Brokerage                       Charles Schwab                    9                 7        91.00         12   178
ISP & cable                     America Online                    10                6        92.67         6    197
Auto & transportation           General Motors (all brands)*      11                11       96.64         28   170
Credit card                     American Express                  12                7        100.71        1    201
Non-profit                      National Rifle Association        13                8        101.88        48   167
Health & beauty                 Weight Watchers                   14                7        102.00        44   159
Financial services (general)    E-Loan                            15                14       109.86        16   194
Retail                          Hallmark                          16                30       118.17        31   200
Pharmaceuticals                 Pfizer (all brands)               17                11       124.45        35   184
Telecom                         Verizon                           18                9        125.11        70   200
Conglomerate                    DuPont                            19                6        131.00        65   180
Airlines                        Air Alaska                        20                3        141.22        43   183
Hospitality                     Bass (all chains)                 21                8        149.00        52   202
Food service                    Trader Joes                       22                6        161.50        85   203
Toy                             Lego                              23                3        189.00        32   121
* Many of the positive privacy ratings attributed to General Motors concern the company’s Onstar service offering.

Bar Chart 2 illustrates the impact of a data security breach on company rankings. This analysis
looks at 14 different organizations that were included in both our 2004 and 2005 studies. All
organizations in this subgroup reported a data security breach in accordance with regulatory
requirements, such as SB 1386 in California.

[1] See 2004 Tracking Study on Spoofing & Phishing, TRUSTe & Ponemon Institute dated 9/21/05, 2005
Online Banking Study Watchfire & Ponemon Institute dated 4/5/05, and National E-Mail Safety & Reliability
Survey Goodmail & Ponemon Institute dated 7/12/05.



The bar chart shows computed variables, defined as the percentage distance between the
subgroup and the sample average ranking for 2004 and 2005. In 2004, 187 companies were on
the most trusted list and the average rank was 93.5. In 2005 there are 203 companies listed and
the average rank is 101.5.

Bar Chart 2: Percentage Difference between 14 Data Breach Companies and Sample Average Ranks in 2004 and 2005

2004-Before Breach    5%
2005-After Breach     -22%

The 14 companies in this security breach analysis were 5% above the average in 2004. In other
words, these companies had an average score that was slightly higher than our average rank. In
2005 these same 14 companies are 22% below the average rank after the data security breach
was reported. This suggests that the average rank for the subgroup dropped considerably –
perhaps as a result of the breach.

Bar Chart 3 illustrates the impact of severe phishing attacks on company rankings. This analysis
looks at organizations identified by TRUSTe that experienced the most persistent or frequent
phishing attacks during the past year. Eleven of these companies were included in both our 2004
and 2005 studies.

Bar Chart 3: Percentage Difference between 11 Companies that Experienced Persistent Phishing Attacks in the Last Twelve Months by Sample Average Ranks in 2004 and 2005

2004-Before Major Phishing Attacks    15%
2005-After Major Phishing Attacks     2%

Using the sample calculation above, Bar Chart 3 shows computed variables, defined as the
percentage distance between the subgroup and the sample average ranking for 2004 and 2005.
As reported, in 2004 the average rank for these 11 organizations was 15% above the mean. In
2005, the average rank for these organizations dropped to 2% -- or a 13% decline in overall
ratings. It is important to note that most of these organizations are in the financial services or
retail banking industry.

Clearly, these data support the idea that the public’s trust is very fragile. While the analyses for
data breach incidents and phishing attacks relied on small subgroups, our results suggest that
companies experiencing a data breach or severe phishing attack should anticipate a potentially
negative effect on consumer trust in the marketplace.

Table 8 lists ten (10) factors considered important in defining a company’s privacy commitment to
consumers (the public) for the 2004 and 2005 studies. The importance of each factor was
determined based on the frequency of responses and the average points assigned (totaling 100
points for all factors).

Table 8
What factors do you consider when judging the companies listed?

Factor                                                   2004 Freq  2004 Pct%  2005 Freq  2005 Pct%  Diff
Overall reputation of the company for product            4,864      77.1%      5,155      72.2%      -4.9%
  or service quality
The privacy policy of the company                        2,239      35.5%      2,545      35.6%      0.1%
The company’s privacy education and outreach             954        15.1%      1,086      15.2%      0.1%
Positive experience in dealing with the company in       580        9.2%       1,294      18.1%      8.9%
  resolving a privacy concern or question (redress)
Quality of advertisements and solicitations that are     3,298      52.3%      4,326      60.6%      8.3%
  respectful of my privacy requirements or rights
Ability to access personal information collected         1,061      16.8%      1,255      17.6%      0.8%
  and used about me and my household
The existence of a trust seal or audit report for        940        14.9%      1,093      15.3%      0.4%
  privacy or data protection
Media or press coverage about the company’s              534        8.5%       1,204      16.9%      8.3%
  privacy and data protection practices
Sense of security protections when providing             3,121      49.5%      3,547      49.7%      0.2%
  personal information, such as access codes and
  other ways to identify me
The company’s limits over the collection, use and        4,404      69.8%      5,047      70.7%      0.9%
  sharing of personal information
Additional factors (various)                             339        5.4%       412        5.8%       0.4%

In comparing 2004 and 2005 differences, it appears that respondents hold a consistent view of
privacy trust factors over two years. The most salient change between 2005 and 2004 (Diff)
concerns: (1) the organization’s redress process increased by 8.9%, (2) advertising or marketing
practices increased by 8.3% and (3) media or press coverage increased by 8.3%. While still the
most salient factor to consumer trust, the importance of the company’s overall reputation
decreased by 4.9%.

One reason for the 8.9% increase in the importance of redress (as well as the press coverage
increase of 8.4%) may relate to data security breach issues analyzed in Bar Chart 2. In short,
consumers who are notified of a data security breach expect the company to have adequate
support practices to assist the individual (victim). A redress failure – wherein the individual
cannot get adequate information or support from the company reporting a data breach – may
have enormous negative consequences in terms of reputation, loyalty and churn.

Table 9 reports individuals’ responses to the question, “What worries you most if your personal
information was leaked to individuals or organizations that do not have a right to this information
(please check only those items about which you have serious concerns)?”

In our 2005 study, identity theft appears to be the most serious privacy concern (for 76.6% of
respondents). The second most serious concern (for 55.9% of respondents) is the loss of civil
liberties.

Table 9
What worries respondents the most.    2004 Freq  2004 Pct%  2005 Freq  2005 Pct%  Diff
Identity theft                        4,771      75.6%      5,472      76.6%      1.0%
Stolen assets                         2,045      32.4%      2,104      29.5%      -2.9%
Stalking or spying activities         1,346      21.3%      1,512      21.2%      -0.2%
Telemarketing Abuse                   2,271      36.0%      2,256      31.6%      -4.4%
Unwanted e-mail activity (spam)       3,641      57.7%      3,678      51.5%      -6.2%
Unwanted junk mail                    2,325      36.9%      2,125      29.8%      -7.1%
Loss of civil liberties               3,011      47.7%      3,989      55.9%      8.1%
Public embarrassment                  1,389      22.0%      1,401      19.6%      -2.4%

Comparing 2004 and 2005 responses, it is interesting to see the 8% increase in the category
“loss of civil liberties.” This change in perception over the two year period may be caused by new
national security and surveillance requirements implemented at the time of this survey (including
the public debate about continuing various aspects of the USA Patriot Act). It is also interesting to note
the decrease in telemarketing (-4.4%) and spam (-6.2%) as serious privacy concerns.

Table 10 summarizes how respondents feel about the privacy of their personal information.
Clearly, results show that the vast majority of individuals view privacy as either important or very
important to them. As shown, there is a 1.4% increase (Diff) in the categories “very important”
and “important,” suggesting that privacy has become more important over the two year period.

Table 10
How respondents feel about the privacy of their personal information.

Response          2004 Freq  2004 Pct%  2005 Freq  2005 Pct%  Diff
Very Important    1,193      19.0%      1,456      20.4%      1.4%
Important         3,998      63.0%      4,598      64.4%      1.4%
Not Important     589        9.0%       615        8.6%       -0.4%
No Comment        520        8.0%       470        6.6%       -1.4%
Total             6,300      100.0%     7,139      100.0%     0.0%



If you have questions or comments about this research or you would like to obtain additional
copies of the document (including permission to quote or reuse this report), please contact by
letter, phone call or email:

Ponemon Institute, LLC


Attn: Research Department
212 River Street, PO Box 601
Elk Rapids, Michigan 49629
800.887.3118
research@ponemon.org

Ponemon Institute, LLC


Measuring Trust in Privacy & Security

Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is
to conduct high quality, empirical studies on critical issues affecting the management and security
of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we
uphold strict data confidentiality, privacy and ethical research standards. We do not collect any
personally identifiable information from individuals (or company identifiable information in our
business research). Furthermore, we have strict quality standards to ensure that subjects are not
asked extraneous, irrelevant or improper questions.

