Just over half (51%) of financial services respondents questioned by PwC further admit that they do not require third-party service providers to comply with their company's privacy policies.

Sergio Pedro, managing director, PricewaterhouseCoopers, comments: "Financial services firms have been leaders in privacy and security, but their policies and capabilities are being outstripped by changes in technology and business practices."

Increased use of offshore third-party service providers to handle and process sensitive data has exposed firms to a maze of privacy-related requirements, he says, further exacerbating the problems.

The survey found that just 45% perform due diligence of third parties that handle the personal data of customers and employees. Despite this failing, a clear majority of 81% consider themselves either "somewhat" or "very" confident in the information security practices of their partners and suppliers.

This blind spot extends into incident response, both inhouse and at third party sites. Forty one percent reported that their organisation's security policies do not address incident response, and 56% do not have a process to address breaches involving data entrusted to third parties.

Firms also appear to be failing to learn the lessons from other high profile data loss incidents in the sector. Forty one percent do not encrypt data stored in databases; 52% do not encrypt file shares; and 43% do not encrypt backup tapes. Furthermore, one-third fail to deploy laptop encryption, a key data security safeguard for an increasingly mobile workforce.

The damning statistics come from PwC's annual Global State of Information Security Study it conducts in partnership with CIO and CSO magazines. Of the 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security interviewed for the study, results of which were first published in October 665 were from the financial services industry.