
Reducing Privacy Risks with the AICPA’s Generally Accepted Privacy Principles

Dr. Marilyn Prosch, CIPP, Arizona State University School of Global Management and Leadership. Presentation to the Government Finance Officers Association of Arizona, May 9, 2008.


Presentation Transcript


  1. Dr. Marilyn Prosch, CIPP, Arizona State University School of Global Management and Leadership. Presentation to the Government Finance Officers Association of Arizona, May 9, 2008. Reducing Privacy Risks with the AICPA’s Generally Accepted Privacy Principles

  2. PRIVACY
     • PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
       • Collection
       • Use
       • Disclosure, and
       • Retention
       …of personal information.
     AICPA/CICA’s Generally Accepted Privacy Principles

  3. PRIVACY RISK
     • Privacy is a risk management issue for any organization
     • Threats:
       • Investigation and litigation
       • Negative publicity
       • Operational disruptions
       • Distrust
       • Unplanned budget impact

  4. Personal Information Management: Trust in Government Agency Performance
     (Ponemon Institute’s 2007 study of 74 federal agencies)
     Most Trusted
       U.S. Postal Service               83%
       Federal Trade Commission          80%
       Bureau of Consumer Protection     79%
       National Institutes of Health     71%
       Census Bureau                     68%
     Least Trusted
       National Security Agency          19%
       Central Intelligence Agency       21%
       Department of Homeland Security   22%
       Office of Attorney General        23%
       Transportation Security Adm.      25%

  5. Just this week!
     “One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.”
     “The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records – SSNs and all – from their website…”
     http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

  6. http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

  7. Oklahoma
     “As the title of that last screenshot indicates, the records were made available through the state’s Sexual and Violent Offender Registry. Not only did Oklahoma make available the SSN of those types of offenders, but that of every type of offender in their system. It was all accessible through an innocent looking link on both the SVOR and Offender search pages.”
     http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
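Slides 5 to 7 describe an offender-search page that ran whatever query text arrived from the public and displayed the result. The following is an added example, not code from the presentation or from the Daily WTF article, that puts that pattern next to its hardened form on a constructed SQLite table (schema, names and SSNs are made up): the value is bound as a parameter so it can only ever be compared as a name, and, in the spirit of the Use and Retention principle, the public search never selects the SSN column at all.

```python
import sqlite3

# Constructed sample data; not the Oklahoma DOC schema, and every SSN is fake.
SAMPLE_ROWS = [
    ("Alice Example", "000-00-0001", "theft"),
    ("Bob Sample", "000-00-0002", "fraud"),
]


def open_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offender (name TEXT, ssn TEXT, offense TEXT)")
    conn.executemany("INSERT INTO offender VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, name):
    """The pattern slide 5 describes: request input pasted into the SQL text."""
    sql = "SELECT name, ssn, offense FROM offender WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Hardened form: the value is a bound parameter, never part of the query text,
    and the column list is limited to what a public search needs (no SSN)."""
    sql = "SELECT name, offense FROM offender WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(probe):
    """Run the same input through both versions; returns (unsafe_rows, safe_rows)."""
    conn = open_db()
    return len(search_unsafe(conn, probe)), len(search_safe(conn, probe))


if __name__ == "__main__":
    # Constructed input containing a quote character: the unsafe version lets it
    # rewrite the WHERE clause and returns every row (SSNs included); the safe
    # version treats it as a literal name that matches nothing.
    print(compare("x' OR '1'='1"))   # (2, 0)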

  8. Federal Trade Commission
     • Has settled 14 cases “challenging faulty data-security practices by companies that handle sensitive consumer information.”
     • They almost always require a security audit every 2 years for the next 10-20 years.

  9. Prosch, 2008

  10. Data Lifecycle – Protecting from cradle to grave
      • Data protection needs to be considered at all phases of the lifecycle
        • Collection: what data, and why is it collected?
        • Use: appropriate access and documentation?
        • Storage: how long, and protection of non-redacted copies?
        • Retention & ultimate disposal: when, how, and all applicable copies?

  11. McKesson
      “… Notified patients that the computers were stolen on July 18. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.”
      http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804872
      Know what data you have & where it is!

  12. WHAT IS GAPP?
      • Generally Accepted Privacy Principles
      • Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs.
      • A set of 10 privacy principles and 66 related criteria for privacy and the handling of personal information throughout an organization
      • Incorporates concepts from domestic and foreign laws, regulations, guidelines, and other bodies of knowledge on privacy

  13. “If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.”
      Computerworld, December 6, 2007, “Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere”

  14. Privacy Commissioner of Ontario recommends the use of GAPP in an audit of Toronto’s mass-transit system, February 2008

  15. Wall Street Journal, February 29, 2008

  16. What are the Principles?
      1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
      2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
      3. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
      4. Collection: The entity collects personal information only for the purposes identified in the notice.
      5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

  17. What are the Principles? (continued)
      6. Access: The entity provides individuals with access to their personal information for review and update.
      7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
      8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
      9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
      10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

  18. COMPONENTS OF GAPP
      (diagram: Consistency of Commitments With Privacy Policies and Procedures; Infrastructure and Systems Management)

  19. COMPARISON WITH INTERNATIONAL CONCEPTS

  20. Tool demo: privacy risk assessment

  21. BENEFITS OF GAPP
      • Based upon best practices
      • Aligned with key regulations
      • A recent study done by the Ontario privacy commissioner found the framework to be aligned with PIPEDA, Canada’s Personal Information Protection and Electronic Documents Act

  22. GAPP HELPS ORGANIZATIONS COMPLY WITH THE PATCHWORK OF LEGISLATION!
      (diagram: Utah, NY, GLBA, Australia, Canada, HIPAA, EU, California, Texas, Arizona)

  23. GAPP HELPS BRIDGE THE TRUST GAP
      (diagram: Individuals, GAPP, Government)

  24. ILLUSTRATIVE APPLICATIONS
      • Agency A adopts GAPP as the basis for its statewide privacy program so it can follow consistent privacy practices and use similar terminology across its various agencies. Although specific exceptions and variations may exist, they are being captured in policy and procedures.
      • Agency B uses GAPP as a benchmark against internal privacy practices and procedures.
      • Agency C uses GAPP as a basis for a privacy assessment and provides findings to its constituents, customers and other important stakeholders.

  25. Arizona
      Mary Beth Joublanc, J.D., Chief Privacy Officer, State of Arizona
      David VanderNaalt, Chief Information Security Officer, State of Arizona
      Executive Order:
      • Every agency must report security incidents to his office
      • Every agency must appoint a CISO and a CPO

  26. Want to know more? AICPA Privacy Resources
      • http://www.aicpa.org/privacy
      • OR
      • SAVE THE DATE: January 9, 2009, Privacy Conference at the Convention Center
