A Privacy Audit Using Generally Accepted Privacy Principles: A Global Privacy Framework, The Next Sarbanes-Oxley? AAA Annual Meeting - Anaheim, August 6, 2008. Everett C. Johnson, CPA. Title: AICPA/CICA Privacy Task Force Chair
Everett C. Johnson, CPA
• Title: AICPA/CICA Privacy Task Force Chair
• Area of Focus: Information Protection Services, Computer Auditing
• Background:
  • Retired Partner – Deloitte & Touche
  • Over 40 years experience in audit, control and security matters
• Affiliations:
  • Former International President - ISACA, IT Governance Institute
  • Past Chair:
    • AICPA Electronic Commerce Assurance Services Task Force
    • AICPA Information Technology Research Subcommittee
    • Deloitte’s International Enterprise Risk Services Committee
    • IFAC Information Technology Committee
  • Past National Director – Deloitte’s Computer Assurance Services Group
  • Past Chair & USA Representative –
  • Former Member:
    • AICPA Information Technology Executive Committee
    • AICPA Assurance Services Executive Committee
Ken Askelson, CPA.CITP, CIA
• Title: AICPA/CICA Privacy Task Force Vice Chair
• Area of Focus: Information Security, Microcomputer Accounting Systems, IT Infrastructure Management
• Background:
  • Retired Senior IT Audit Manager – JCPenney
  • Over 20 years of IT audit experience
• Affiliations:
  • Former Commissioner – AICPA National Accreditation Commission
  • Past Member – AICPA Information Technology Executive Committee
  • Past Member – AICPA Information Technology Research Subcommittee
  • Past Member – AICPA Business and Industry Executive Committee
  • Past Member – IIA Advanced Technology Committee
  • Past Member – Journal of Accounting Advisory Board
  • Past participant – Partnership for Critical Infrastructure Security, sponsored by the U.S. Chamber of Commerce and the Critical Infrastructure Assurance Office of the Department of Homeland Security
Marilyn Prosch, PhD, CIPP
• Title: Associate Professor of Accounting – Arizona State University, School of Global Management
• Area of Focus: Privacy, Data Protection, Accounting Information Systems, Internal Controls, eBusiness
• Affiliations:
  • Member – AICPA/CICA Privacy Task Force
• Sample of Journal Articles:
  • International Journal of Corporate Governance
  • Journal of Emerging Technologies in Accounting
  • Journal of Information Systems
  • Journal of Forecasting
  • Journal of Accountancy
  • Research in Accounting Regulation
  • The Accounting Review
AGENDA
• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A
Privacy: Media Hype or a Real Problem?
Some of the reported incidents that occurred in 2007…
J. P. Morgan General Electric Gander Mountain Gap Inc Atlantic Plastics, Inc. via accounting firm Hancock Askew Wells Fargo via unnamed auditor Merrill Lynch McKesson Albertson’s Altria & United Technologies via benefits consultant, Towers Perrin Fidelity National Information Services Premier Bank IBM Turbo Tax Lloyd's of London (FL) TJ Stores Direct Loans via its IT contractor ACS Check into Cash ADP T-Mobile USA Inc Winn-Dixie Caterpillar, Inc. Circuit City and Chase Card Services KeyCorp Dai Nippon TD Ameritrade Electronic Data Systems Deb Shops, Inc. Ceridian Corp. Columbia Bank Bank of America Linden Lab Greater Media, Inc. Pfizer Wesco Piper Jaffrey Hertz Global Holdings, Inc. Major League Baseball players via SFX Baseball, Inc. Tax Service Plus Voxant.com CVS Pharmacy Life Is Good Starbucks Corp. Metro Credit Services West Shore Bank Texas First Bank HarborOne Credit Union H&R Block Neiman Marcus Verisign Telesourcevia Vekstar Bank of America ABN Amro Mortgage Group VISA/FirstBank eBay Boeing KB Homes Compulinx Rabun Apparel Inc RadioShack American Family Insurance Western Union KSL Services, Inc American Airlines Hortica Disney Movie Club Stop & Shop Supermarkets New Horizons Community Credit Union Nikon Inc. and Nikon World Magazine CTS Tax Service Avaya Empire Equity Group MoneyGram International Monster.com Front Range Ski Shop Fox News Limewire Nissan Motor Co., Ltd. Johnny's Selected Seeds Alcatel-Lucent American Education Services TennCare / Americhoice Inc. Home Finance Mortgage, Inc. AT&T Four ARCO gas stations TransUnion Credit Bureau via Kingman, AZ, court office Couriers on Demand Gymboree Aetna / Nationwide / Wellpoint Group Health Plans via Concentra Preferred Systems Jax Federal Credit Union Cricket Communications Kingston Technology Co. Movie Gallery Howard & Partners law firm via its auditor Morris, Davis & Chan Chase Bank Science Applications International Corp. (SAIC)
U.S. Dept. of Commerce and Census Bureau Colorado Dept. of Human Services via Affiliated Computer Services (ACS) State of Connecticut via Accenture Ltd. Connecticut Dept. of Revenue Services Conn. Office of the State Comptroller FEMA Wisconsin Dept. of Revenue via Ripon Printers Transportation Security Administration via Accenture California National Guard Wisconsin Assembly California Public Employees' Retirement System U.S. Army Cadet Command Administration for Children's Services - NY U.S. Dept. of Agriculture Calif. Dept. of Health Services NY Dept. of State Internal Revenue Service NY Dept. of Labor Ohio state workers Congressional Budget Office Ohio State Auditor Kentucky Personnel Cabinet U.S. State Department Ohio Ethics Committee Florida National Guard Ohio Board of Nursing Florida Labor Department Camp Pendleton Marine Corps base via Lincoln B.P. Management Texas Commission on Law Enforcement Standards & Education NC Dept. of Transportation Army National Guard 130th Airlift Wing North Carolina Dept. of Motor Vehicles Idaho Army National Guard North Carolina Dept. of Revenue Georgia Secretary of State Illinois Dept. of Corrections Picatinny Arsenal DOD Weapons Research Center Georgia County Clerk Illinois Dept. of Financial and Professional Regulation Georgia Div. of Public Health Maine State Lottery Commission Illinois Dept. of Transportation U.S. Dept. of Veteran's Affairs Michigan Dept. of Community Health PA Public Welfare Department PA Dept. of Transportation Indian Consulate via Haight Ashbury Neighborhood Council Recycling Massachusetts Dept. of Industrial Accidents West Virginia Board of Barbers and Cosmetologists Indiana State Department of Health Indiana Dept. of Administration Maryland Dept. of Natural Resources Indiana Dept. of Transportation Maryland Department of the Environment American Ex-Prisoners of War Indiana State Web site
Cuyahoga County Dept. of Development Chicago Board of Elections Los Angeles County Child Support Services Chicago Voter Database City of Chicago via contractor Tuscarawas County and Warren County Fresno County Detroit Water and Sewerage Department Champaign Police Officers City of Savannah Orange County (FL) Controller Huntsville County Bowling Green Police Dept. Lynchburg City Santa Clara County Employment Agency Hidalgo County Commissioner’s Office Fort Monroe Port of Seattle ChildNet Metropolitan St. Louis Sewer District City of Encinitas Washiawa Women, Infants and Children program (HI) Cleveland Air Route Traffic Control Center Pima Co. Health Dept. City of Visalia, CA Fresno County/Refined Technologies Inc. New York City Financial Information Services Agency City of Wickliffe, OH Berks Co. Sheriff's Office via contractor Canon Technology Solutions Johnston County, NC City of Grand Prairie City of Lubbock Cumberland County, PA Poulsbo Department of Licensing Chicago Public Schools via All Printing & Graphics, Inc. Indianapolis Public Schools Harrison County Schools Waco Independent School District Jackson Local Schools Willamette Educational Service District Chicago Public Schools San Diego Unified School District Greenville County School District Clarksville-Montgomery County Middle and High Schools Shamokin Area School District Germanton Elementary School Cedarburg High School St. Mary Parish Riverside High School NC San Juan Capistrano Unified School District (CA) Iowa Dept. of Education Big Foot High School, WI Yuma Elementary School District Troy Athens High School St. Vrain Valley School District (CO) Clay High School, OH Loomis Chaffee School
University of Colorado-Boulder, Leeds School of Business Virginia Commonwealth University University of Michigan Rutgers-Newark University UCLA University of Idaho Northwestern University Loyola University Yale University University of Iowa – Psychology Dept. Villanova University students & staff Via Insurance broker Purdue University Mississippi State University University of Missouri Louisiana State Univ Berry College via consultant Financial Aid Services Inc. Georgia Tech Univ. Ohio State Univ. University of Minnesota University of South Carolina Johns Hopkins University Montana State University Notre Dame University University of Texas at Arlington Texas A&M University University of California, Davis University of Virginia New Mexico State Univ. University of Texas - Dallas University of Nebraska Connors State College University of Toledo Texas Woman's University Georgia Institute of Technology University of New Mexico Eastern Illinois University Radford University Westminster College De Anza College Univ. of Montana - Western City College of San Francisco UC San Francisco Black Hills State Univ. Cal State Los Angeles Metropolitan State College of Denver Nassau Community College Central Connecticut State University Montgomery College Bowling Green State University Los Rios Community College Adams State College Goshen College Stony Brook University Community College of Southern Nevada Highlands University Penn State Univ. - USMC Vanguard University East Carolina University Gadsden State Community College Grand Valley State University
Univ. of Pittsburgh, Med. Center Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System Beaumont Hospital Sisters of St. Francis Health Services via Advanced Receivables Strategy Swedish Medical Center Univ. Calif. Irvine Medical Center Group Health Cooperative Health Care System Mercy Medical Center DCH Health Systems Johns Hopkins Hospital Allina Hospitals and Clinics Prudential Financial Inc. Beacon Medical Services DePaul Medical Center Seton Healthcare Network University of Pittsburgh Medical Center Kaiser Medical Center McAlester Clinic & Veteran's Affairs Medical Center Akron Children's Hospital Highland Hospital Back and Joint Institute of Texas Cleveland Clinic Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems Jacobs Neurological Institute Gulf Coast Medical Center Westerly Hospital Erlanger Health System Deaconess Hospital WellPoint's Anthem Blue Cross Blue Shield Health Resources, Inc. Kaiser Permanente Colorado South County Hospital Providence Alaska Medical Center Swedish Urology Group Intermountain Health Care Gundersen Lutheran Medical Center Stevens Hospital via billing company Med Data WorkCare Orem Concord Hospital St. Mary's Hospital, MD St. Vincent Hospital Sky Lakes Medical Center via Verus Inc Wellpoint's Empire Blue Cross/ Blue Shield NY Segal Group of New York via web site of Vermont state agency Healing Hands Chiropractic Georgia Dept. of Community Health
Federal Trade Commission
• Has settled 14 cases “challenging faulty data-security practices by companies that handle sensitive consumer information.”
• The settlements almost always require a security audit every 2 years for the next 10-20 years.
Texas – Attorney General Sues Company for Privacy Violations
• Texas Attorney General Greg Abbott is suing EZCORP Inc. for allegedly contributing to the possibility of identity theft.
• The attorney general alleges that EZCORP Inc. of Austin and its subsidiary, EZPAWN, have exposed customers to identity theft by failing to properly protect customer records.
• Joe Rotunda, EZCORP president and CEO, responded to the suit by saying that the company has a number of identity protection policies and systems in place.
• The attorney general alleges in his lawsuit that employees at several San Antonio EZPAWN stores dumped personal business records in trash bins behind the stores. The attorney general's investigation found similarly discarded customer data in dumpsters of nearby stores in Austin, Houston, Lubbock and the Rio Grande Valley area, according to the suit.
Poor Information Management Practices Largely at Fault
• The Gartner Group has estimated that internal employees commit 70% of information intrusions, and more than 95% of intrusions that result in significant financial losses.
Source: IPC Publication, Identity Theft Revisited: Security is Not Enough, www.ipc.on.ca/userfiles/page_attachments/idtheft-revisit.pdf
Identity Theft
• Arizona ranks number 1 in the nation for identity theft complaints per capita.
• More than a third of stolen identities in Arizona are used for fraudulent employment.
Source: Consumer Sentinel, www.net-security.org/secworld.php?id=5874
Data Lifecycle – Protecting from Cradle to Grave
Data protection needs to be considered at all phases of the lifecycle:
• Collection: What data, and why is it collected?
• Use: Appropriate access and documentation?
• Storage: How long, and protection of non-redacted copies?
• Retention & Ultimate Disposal: When, how, and all applicable copies?
Know what data you have and where it is!
McKesson … notified patients that the computers were stolen on July 18, 2007. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.
http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804872
Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere
• “If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2K and Sarbanes-Oxley.
• Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.”
• Computerworld, December 6, 2007
AGENDA
• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A
Overview of Privacy Audits
• Growing demand
• Types of audits
  • Internal audits
  • Regulatory
  • External
  • Management
• Elements of the privacy audit
  • Scope
  • Measurement criteria
    • Generally Accepted Privacy Principles - GAPP
  • Type and use of report
AGENDA
• Privacy: Our Definition
• What is GAPP?
• Privacy Principles
• Components of GAPP
• Comparison with International Concepts
• Some Benefits of GAPP
• Using GAPP for Privacy Audits
• Other Application Examples
PRIVACY: OUR DEFINITION
PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
• Collection
• Use
• Disclosure, and
• Retention
…of personal information.
OVERALL PRIVACY OBJECTIVE
Personal information is
• collected,
• used,
• retained, and
• disclosed
in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.
WHAT IS GAPP?
Generally Accepted Privacy Principles
• Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
• Help guide organizations in implementing, sustaining and auditing privacy programs
WHAT IS GAPP?
• A set of 10 privacy principles and 66 related criteria for privacy and the handling of personal information throughout an organization
• Incorporates concepts from domestic and foreign laws, regulations, guidelines, and other bodies of knowledge on privacy
• One of a series of Trust Services offered by CPAs, which also include:
  • Security
  • Process integrity
  • Availability
  • Confidentiality
  • Privacy
What are the Principles?
1 - Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2 - Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3 - Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4 - Collection: The entity collects personal information only for the purposes identified in the notice.
5 - Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
6 - Access: The entity provides individuals with access to their personal information for review and update.
7 - Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8 - Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9 - Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10 - Monitoring & Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
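One way to turn principles 3, 4, 5 and 8, together with the lifecycle questions (collection, use, storage, retention and disposal) and "know what data you have and where it is", into a repeatable check over a personal-information inventory. This is an added example, not code from the presenters or from the AICPA/CICA GAPP materials; the privacy notice, retention limits, inventory records and the mapping of each check to a principle number are constructed assumptions.

```python
"""Check a personal-information inventory against the privacy notice:
GAPP principles 3 (Choice and Consent), 4 (Collection), 5 (Use and
Retention) and 8 (Security for Privacy). Added example; constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed privacy notice: disclosed purposes and the retention
# limit the entity committed to for each one (principles 2, 4, 5).
NOTICE = {
    "order_fulfilment": timedelta(days=7 * 365),
    "marketing": timedelta(days=2 * 365),
}
AS_OF = date(2008, 8, 6)  # assessment date (constructed)


@dataclass
class Record:
    system: str       # where the data lives: "know where it is"
    elements: tuple   # data elements held, e.g. ("name", "ssn")
    purpose: str      # purpose claimed at collection
    collected: date
    consent: bool     # implicit or explicit consent on file
    redacted: bool    # masked, if this is a non-production copy
    source: str = ""  # system this record is a copy of, if any


# Constructed inventory; the laptop backup is a copy of crm_prod.
INVENTORY = [
    Record("crm_prod", ("name", "address"), "order_fulfilment",
           date(2007, 1, 10), consent=True, redacted=True),
    Record("backup_laptop", ("name", "ssn"), "order_fulfilment",
           date(2008, 2, 1), consent=True, redacted=False,
           source="crm_prod"),
    Record("mailing_list", ("email",), "marketing",
           date(2004, 6, 1), consent=True, redacted=True),
    Record("analytics_db", ("name", "dob"), "credit_scoring",
           date(2007, 3, 5), consent=False, redacted=True),
]


def assess(inventory, notice, today):
    """Return (system, principle, finding) tuples for each exception."""
    findings = []
    for r in inventory:
        if not r.consent:
            findings.append((r.system, "3-Choice and Consent",
                             "no consent recorded"))
        if r.purpose not in notice:
            findings.append((r.system, "4-Collection",
                             f"purpose '{r.purpose}' not in notice"))
        elif today - r.collected > notice[r.purpose]:
            held = (today - r.collected).days
            findings.append((r.system, "5-Use and Retention",
                             f"held {held} days, limit {notice[r.purpose].days}"))
        if r.source and not r.redacted:
            findings.append((r.system, "8-Security for Privacy",
                             f"non-redacted copy of {r.source}"))
    return findings


def disposal_schedule(inventory, notice):
    """Date by which each record, and every copy of it, must be disposed."""
    due = {r.system: r.collected + notice[r.purpose] for r in inventory if r.purpose in notice}
    for r in inventory:  # copies inherit the source's disposal date
        if r.source in due:
            due[r.system] = due[r.source]
    return due
```

Run against the constructed inventory as of the meeting date, `assess` flags the unredacted laptop copy, the expired marketing list and the analytics database whose purpose is absent from the notice, while `disposal_schedule` gives the backup the same disposal date as its source system.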
COMPONENTS OF GAPP
• Section
• Definition
• Policies and Communication:
  • Privacy Policies
  • Communication to Internal Personnel
  • Responsibility and Accountability for Policies
SOME BENEFITS OF GAPP
• Business, rather than regulatory, focused
• Examples based upon best practices
• Aligned with key regulations
Using GAPP for Privacy Audits - 1
• Reason for audit
  • Public reporting - “external audit”
    • Could include a “WebTrust Seal” on website
  • Management reporting - “internal audit”
  • Regulatory requirement
    • FTC and Ontario Privacy Commissioner
• Scope for an external audit
  • Entire business
  • Business segment
  • Needs to address entire information cycle
    • Collection through destruction
    • Includes consideration of third-party processors
  • Needs to include all 10 privacy principles
Using GAPP for Privacy Audits - 2
• Performed under AICPA Attestation Standards
• Report covers a period of time and opines on
  • Effectiveness of controls over privacy of personal information collected, based on the entity’s privacy notice and GAPP
  • Compliance with the commitments in the entity’s privacy notice
• Important that client is ready
Using GAPP for Privacy Audits - 3
Other Types of Privacy “Audits”
• Internal audit
  • GAP GAPP Assessment
    • Focused on a few principles or all
    • Maturity model assessment
    • Report for management use only
• Regulatory audits
  • Usually required following a breach
  • FTC has focused on security
  • Ontario Privacy Commissioner has required a GAPP audit
OTHER GAPP APPLICATION EXAMPLES
• Company A adopts GAPP as the basis of its privacy program for its U.S.-based online operations and includes GAPP’s principles and criteria in its online privacy policy. GAPP’s criteria and illustrations serve as the basis for the privacy procedures.
• Company B adopts GAPP as the basis for its global privacy program so it can follow consistent privacy practices and use similar terminology across its various countries of operations. Although country-specific exceptions and variations still exist, they are being captured in policy and procedures.
• Company C uses GAPP as a benchmark against internal privacy practices and procedures.
• Company D uses GAPP as a basis for a risk assessment.
So - Is GAPP the Next SOX?
• More breaches might result in a mandatory audit requirement to protect personal information
• More organizations will voluntarily want an audit to demonstrate that they have an effective privacy program
• Organizations will want the 3rd-party processors they use to have an audit of their privacy-related controls
AGENDA
• Overview of Privacy Breach Trends
• Overview of GAPP & How it may be used
• GAPP & Privacy Risk Assessment
• Q&A
IT and Privacy Risk Assessments
AGENDA
• IT Risk Assessment
• Privacy Risk Assessment
• Case Study
• Risk Assessment Tools
IT Risk Assessment
• Assessment Areas
  • System Availability
  • Information Security
  • Data Integrity
  • Maintainability
  • Governance
• Five Principles - 22 Criteria
IT Risk Assessment Illustration
• IT Risk Assessment Tool
• Narrative Template
Privacy Risk Assessment Case Study
Scope – Customer Information
• U.S. Laws and Regulations
• Privacy Notice
• Industry Regulations – DMA’s Privacy Promise
• PCI Data Security Standards
Privacy Risk Assessment
Assessment Areas – Case Study
• Access
• Disclosure
• Security
• Quality
• Monitoring/Enforcement
• Management
• Notice
• Choice/Consent
• Collection
• Use/Retention
Privacy Risk Assessment
Privacy Risk Assessment Template – CASE STUDY
Attorney Client Privileged – Draft for Discussion Purposes Only
AICPA/CICA GAPP Uses
• Benchmarking
• Best Practice
• Privacy Risk Assessment
• Privacy Audits
• Training and Awareness
Privacy Risk Assessment
• Illustration
• AICPA/CICA Privacy Risk Assessment Tool
IT Risk Assessment Frameworks
• AICPA’s Trust Services - SysTrust
• ISO 17799
• CoBiT – IT Governance Institute
• ITIL
• PCI Data Security Standards
• NIST Computer Security Division
• SOX General IT Controls
• IIA GTAG – IT Controls