Privacy as a Competitive advantage


REDUCING PRIVACY RISKS WITH THE AICPA’S
GENERALLY ACCEPTED PRIVACY PRINCIPLES
Dr. Marilyn Prosch, CIPP
Arizona State University
School of Global Management and Leadership
Presentation to the
Government Finance Officers Association of Arizona
May 9, 2008
PRIVACY

PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
- Collection
- Use
- Disclosure, and
- Retention
…of personal information.

AICPA/CICA’s Generally Accepted Privacy Principles
PRIVACY RISK

Privacy is a risk management issue for any organization
- Threats
- Investigation and Litigation
- Negative publicity
- Operational disruptions
- Distrust
- Unplanned Budget Impact
PERSONAL INFORMATION MANAGEMENT: TRUST IN GOVERNMENT AGENCY PERFORMANCE
(Ponemon Institute’s 2007 Study of 74 federal agencies)

Most Trusted
- U.S. Postal Service: 83%
- Federal Trade Commission: 80%
- Bureau of Consumer Protection: 79%
- National Institutes of Health: 71%
- Census Bureau: 68%

Least Trusted
- National Security Agency: 19%
- Central Intelligence Agency: 21%
- Department of Homeland Security: 22%
- Office of Attorney General: 23%
- Transportation Security Adm.: 25%
Just in this week!

“One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.”

“The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records – SSNs and all – from their website…”

http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
Oklahoma

“As the title of that last screenshot indicates, the records were made available through the state’s Sexual and Violent Offender Registry. Not only did Oklahoma make available the SSN of those types of offenders, but that of every type of offender in their system. It was all accessible through an innocent looking link on both the SVOR and Offender search pages.”

http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
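The coding failure the quoted article describes, user input spliced into a database query and executed as-is, is what a parameterized query prevents. The following Python sketch is an added example, not code from the presentation or from the article: it uses a constructed in-memory table (the names, column names and rows are hypothetical) to put the input-splicing lookup beside the parameterized one, and shows that an input containing a quote character is treated as SQL by the first and as plain data by the second.

```python
import sqlite3

# Constructed sample data for the example; table and column names are hypothetical.
SAMPLE_ROWS = [
    (1, "Doe", "public"),
    (2, "Roe", "restricted"),
    (3, "Poe", "restricted"),
]


def build_db():
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offenders (id INTEGER, last_name TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, last_name):
    """The pattern the article condemns: the user's text is pasted into the SQL
    string and executed, so quotes or keywords in the input become part of the
    statement instead of being compared as a value."""
    sql = (
        "SELECT id, last_name FROM offenders "
        f"WHERE last_name = '{last_name}' AND visibility = 'public'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, last_name):
    """Parameterized form: the statement text is fixed and the input is bound as
    a value, so whatever it contains can only ever be compared against last_name."""
    sql = (
        "SELECT id, last_name FROM offenders "
        "WHERE last_name = ? AND visibility = 'public'"
    )
    return conn.execute(sql, (last_name,)).fetchall()


def compare(user_input):
    """Run both lookups on the same input. An error from the unsafe form is
    reported by class name rather than raised, so the two can sit side by side."""
    conn = build_db()
    try:
        unsafe = search_unsafe(conn, user_input)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = search_safe(conn, user_input)
    conn.close()
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    for value in ("Doe", "Roe", "O'Brien"):
        print(repr(value), compare(value))
```

For an ordinary name both lookups agree, and neither returns the restricted rows. For a name containing an apostrophe the spliced statement fails to parse (the apostrophe ended the string literal early), while the parameterized statement simply finds no match: the input never reaches the SQL parser, which is the property that keeps the "visibility" restriction intact no matter what a visitor types.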
FEDERAL TRADE COMMISSION

- Has settled 14 cases “challenging faulty data-security practices by companies that handle sensitive consumer information.”
- They almost always require a security audit every 2 years for the next 10-20 years.
Figure 1: Ogburn’s Sequential Time-Paradigm of Cultural Lag: Technology, Social Culture, and Privacy Controls (Prosch, 2008). [Figure: curves labelled a, b and c; series Technology, Social Culture (Privacy Expectations), and Privacy-enhancing Technologies & controls; x-axis Time; regions labelled Adjusted, Maladjusted, Adjusted]
DATA LIFECYCLE – PROTECTING FROM CRADLE TO GRAVE

Data protection needs to be considered at all phases of the lifecycle
- Collection: What data & why is it collected?
- Use: Appropriate access and documentation?
- Storage: How long & protection of non-redacted copies?
- Retention & Ultimate Disposal: When, how, and all applicable copies?

KNOW WHAT DATA YOU HAVE & WHERE IT IS!
McKesson
- … Notified patients that the computers were stolen on July 18. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.

http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804872
WHAT IS GAPP?

Generally Accepted Privacy Principles
- Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs.
  – A set of 10 privacy principles and 66 related criteria for privacy and the handling of personal information throughout an organization
  – Incorporates concepts from domestic and foreign laws, regulations, guidelines, and other bodies of knowledge on privacy
MIND THE GAPP: ACCOUNTANTS BRING GAAP-LIKE PRINCIPLES TO THE PRIVACY SPHERE

“If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2K and Sarbanes-Oxley.

Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.”
Computerworld, December 6, 2007

Privacy Commissioner of Ontario

Recommends the use of GAPP in an audit of Toronto’s mass-transit system (February 2008)
Wall Street Journal, February 29, 2008
WHAT ARE THE PRINCIPLES?

1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4. Collection: The entity collects personal information only for the purposes identified in the notice.
5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
6. Access: The entity provides individuals with access to their personal information for review and update.
7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
COMPONENTS OF GAPP
[Figure: Consistency of Commitments With Privacy Policies and Procedures; Infrastructure and Systems Management]
COMPARISON WITH INTERNATIONAL CONCEPTS

Each AICPA/CICA GAPP principle is listed with the corresponding concept in the US FTC FIPs, Canada's PIPEDA, Australia, US Safe Harbor, the EU Data Protection Directive, and the OECD guidelines (blank where the table gives no counterpart).

Management
- Canada PIPEDA: Accountability
- EU Data Protection Directive: Notification
- OECD: Accountability

Notice
- US FTC FIPs: Notice
- Canada PIPEDA: Identifying Purposes, Openness
- Australia: Openness
- US Safe Harbor: Notice
- EU Data Protection Directive: Information to be Given to the Data Subject
- OECD: Purpose Specification, Openness

Choice & Consent
- US FTC FIPs: Choice
- Canada PIPEDA: Consent
- Australia: Use and Disclosure
- US Safe Harbor: Choice
- EU Data Protection Directive: Criteria for Making Data Processing Legitimate, Data Subject’s Right to Object
- OECD: Collection Limitation

Collection
- Canada PIPEDA: Limiting Collection
- Australia: Collection, Sensitive Information, Anonymity
- US Safe Harbor: Data Integrity
- EU Data Protection Directive: Principles Relating to Data Quality, Exemptions and Restrictions
- OECD: Collection Limitation (including consent)

Use and Retention
- Canada PIPEDA: Limiting Use, Disclosure, and Retention
- Australia: Identifiers, Use and Disclosure (implied but not specified)
- EU Data Protection Directive: Making Data Processing Legitimate, Special Categories of Processing, Principles Relating to Data Quality, Exemptions and Restrictions, The Data Subject’s Right to Object
- OECD: Use Limitation (including disclosure limitation)

Access
- Canada PIPEDA: Individual Access
- Australia: Access and Correction
- US Safe Harbor: Access
- EU Data Protection Directive: The Data Subject’s Right of Access to Data
- OECD: Individual Participation

Disclosure
- Canada PIPEDA: Limiting Use, Disclosure, and Retention
- Australia: Use and Disclosure, Transborder Data Flows
- US Safe Harbor: Onward Transfer
- EU Data Protection Directive: Transfer of Personal Data to Third Countries
- OECD: Use Limitation

Security for Privacy
- Canada PIPEDA: Security Safeguards
- Australia: Data Security
- US Safe Harbor: Security
- EU Data Protection Directive: Confidentiality and Security of Processing
- OECD: Security Safeguards

Integrity
- US FTC FIPs: Integrity
- Canada PIPEDA: Accuracy
- Australia: Data Quality
- US Safe Harbor: Data Integrity
- EU Data Protection Directive: Principles Relating to Data Quality
- OECD: Data Quality

Monitoring & Enforcement
- US FTC FIPs: Enforcement
- Canada PIPEDA: Challenging Compliance (Enforcement by the Office of the Privacy Commissioner)
- US Safe Harbor: Enforcement
- EU Data Protection Directive: Judicial Remedies, Liability and Sanctions, Codes of Conduct, Supervisory Authority and Working Party on the Protection of Individuals with Regard to the Processing of Personal Data
- OECD: Individual Participation
PRIVACY RISK ASSESSMENT

Tool demo
BENEFITS OF GAPP

- Based upon best practices
- Aligned with key regulations: a recent study done by the Ontario privacy commissioners found the framework to be aligned with PIPEDA, Canada’s Personal Information Protection and Electronic Documents Act
GAPP HELPS ORGANIZATIONS COMPLY WITH THE PATCHWORK OF LEGISLATION!
[Figure: Utah, Australia, EU, NY, Canada, GLBA, HIPAA, California, Texas, Arizona]

GAPP HELPS BRIDGE THE TRUST GAP
[Figure: GAPP; INDIVIDUALS; GOVERNMENT]
ILLUSTRATIVE APPLICATIONS

- Agency A adopts GAPP as the basis for its statewide privacy program so it can follow consistent privacy practices and use similar terminology across its various agencies. Although specific exceptions and variations may exist, they are being captured in policy and procedures.
- Agency B uses GAPP as a benchmark against internal privacy practices and procedures.
- Agency C uses GAPP as a basis for a privacy assessment and provides findings to its constituents, customers and other important stakeholders.

ARIZONA
- Every agency must report security incidents to his Office
- Every agency must appoint a CISO and a CPO
WANT TO KNOW MORE

- AICPA Privacy Resources: http://www.aicpa.org/privacy

OR

SAVE THE DATE January 9, 2009
- Privacy Conference at the Convention Center