IAPP Canadian Privacy Summit May 2008


1 IAPP Canadian Privacy Summit May 2008
Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program
IAPP Canadian Privacy Summit, May 2008
CICA sets accounting and assurance standards for businesses, not-for-profit organizations and government. Our members are trusted business advisors, whether in public or private practice. In public practice, we have CAs that provide privacy advisory, assurance and consulting services. We use the same trusted methodology and standards to perform privacy audits as we do financial statement audits.

2 Cost of a Breach
$197 per compromised record, made up of:
$128 from the cost of lost business (65% of data breach costs)
$46 ex-post response: setting up phone lines and websites to inform and communicate with customers, obtaining recommendations on further actions, credit monitoring, reissuing accounts or credit cards
$16 notification
$8 detection and discovery of the breach
(The four components as listed sum to $198; the per-record figures are rounded.)
How much is that really?
2,900 patients = $571K (Sick Kids)
470,000 customers = $92.6M (CIBC Talvest)
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007

3 Why Self-Assess?
Identify weaknesses and opportunities: correct weaknesses before a breach occurs
Benchmarking: current state vs. desired state
Demonstrate privacy compliance to stakeholders: management and board of directors; employees and customers; regulators and privacy commissioners

4 What You'll Learn This Hour
Office of the Privacy Commissioner of Canada: auditing for privacy and guidance on best privacy practices
Sun Life Assurance Co of Canada: how they conducted their own self-assessment and lessons learned
CICA Privacy Risk Assessment Tool

5 Office of the Privacy Commissioner of Canada
Assessing Privacy Management
IAPP Toronto, May 22, 2008
(English copy, Library of Parliament)

6 Jennifer Stoddart Privacy Commissioner of Canada

7 This Presentation
Overview of the OPC
Privacy environment
OPC audit and review
PIPEDA self-assessment tool

8 Warm Up
P + S = 0? or P + S = 1? P - S = 300 million

9 Office of the Privacy Commissioner of Canada
About the OPC
Protect and promote the privacy rights of individuals
Oversee compliance with two Acts (the Privacy Act and PIPEDA)
Independent Officer of Parliament
Multi-faceted ombudsman role
Responsible for promoting good management of personal information by organizations, both public and private.

10 OPC Audit & Review Mandate
Section 36(1) of the Privacy Act: investigate exempt data banks.
Section 37(1) of the Privacy Act: review compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
Treasury Board (TB) policy: Privacy Impact Assessment reviews.
Section 18(1) of PIPEDA: with reasonable notice, at a reasonable time and on reasonable grounds to believe there has been a contravention, audit the personal information management practices of an organization. This is the private sector audit universe.

11 Audit & Review Branch
We do audits and privacy impact assessment reviews, with a purpose: to conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.
Building capacity: now 9 staff, growing to 19. Budget increased to $1.7M (from $896K).

12 A Definition of Privacy Auditing
"Privacy auditing" (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information, consistent with "fair information principles". It can also be viewed as an assessment of the means employed by organizations to manage privacy risks. Using a "systems" approach, any particular audit under the Privacy Act or the Personal Information Protection and Electronic Documents Act would be designed to address one or more basic questions, depending on the scope of the audit.

13 Privacy management in context
Privacy Environment Today

14 Toronto

15 Ubiquitous Computing

16 A New Universe - World Connected

17 Technology – no limits/bounds

18 No Shortage of Privacy Challenges
Post-9/11: increased emphasis on information sharing for security purposes
Trans-border data flow
Outsourcing activities
Protecting one's actual persona in an age of information expansion and integration
Data consolidation, mining, matching and resale
Behavioural profiling and targeted advertising
Biometrics
Increased surveillance (in many forms, visual and data)
Internet, Web 2.0, wireless communication (generation shift)
Identity theft; loss or theft of personal information
Privacy breaches

19 Public increasingly concerned

20 Some days we feel a little overwhelmed

21 Privacy Breaches The number one issue raised in submissions on PIPEDA review was data breach Seems not a day without one How many actually happen compared to ones known about?

22 ID Theft: solutions?
The Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites, with a $2,500 civil penalty (the Ostergren story).
Canada is introducing identity theft legislation (Bill C-27).
Informing people on how to protect themselves.

23 Privacy Breaches
Industry Canada policy objectives:
Encourage better data security practices and better understand the link between current practices and data losses.
Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.
Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.

24 Why do breaches happen?
An accident, a one-off thing? Or a function of culture and of flawed systems and procedures?
The resources invested to prevent a breach (i.e. to protect personal information) will likely depend on the extent to which management believes it can "afford" a breach; it is a function of risk management.
A privacy breach protocol is a key element of a privacy management program/framework.

25 What about data security?
"Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems." (GAO testimony, March 12, 2008)
The OAG Canada has reported concerns about information security among federal departments and agencies.
The OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as in the private sector.

26 Keeping privacy healthy

27 How privacy management "friendly" is your organization?
How does your organization view privacy? What's the culture?
Is privacy on the agenda/radar of senior management?
How's your PMF? Do you have one? Can you articulate it?
Do you have a handle on what personal information you hold, why you collect it and what you do with it?
Do you have a privacy training program?
How's your CPO shop? Is it sufficiently resourced, with the capacity to do what it should? Is it a marginal or a key player?
Do you track privacy breaches and have responsive mechanisms?
When you introduce or change business lines or systems, do you do a privacy impact assessment (including a TRA) beforehand, and then do you use it?
You have policy, and that's good, but is it just "words on paper"? How do you know it is followed and supported?
Does your internal audit function consider privacy issues and risks?
When did your organization last do a privacy practices check-up?
In what ways is managing for privacy part of a manager's performance agreement and evaluation?

28 OPC Self-assessment tool
A compliance guide and a diagnostic tool we expect to make public by July 2008.
A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA.
Framework of principles and criteria.
A guide: a series of must / should / may statements for each Principle.
Diagnostic tool: checklists, means of interpretation and action determination.

29 Self Assessment Checklists
P1 Accountability: 23 questions
P2 Identifying Purposes: 9 questions
P3 Consent
P4 Limiting Collection: 6 questions
P5 Limiting Use, Disclosure and Retention: 5 questions
P6 Accuracy
P7 Safeguards: 8 questions
P8 Openness
P9 Individual Access: 15 questions
P10 Challenging Compliance: 5 questions

30 Sample checklist – Principle 1 Accountability
Columns: Statement | Assessment (Met / Partly Met / Not Met) | Evidence | Actions
Statements:
You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
You have clearly delineated who, within your organization, is responsible for privacy governance and management.
You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.

31 Evaluating Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas. Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.

32 Maturity A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions which should help set priorities for remedial action and define a realistic timeline for completion.

33 A Privacy Program Maturity Scale
Level 1 – Non-existent / seriously underdeveloped
Level 2 – Early stages of development
Level 3 – Advanced: requirements mostly met, improvements possible
Level 4 – Fully developed: requirements mostly met with only minor or no adjustments needed

34 Likelihood of Occurrence
Level | Descriptor | Description
5 | Almost Certain | Event occurs regularly here.
4 | Likely | Event has occurred here more than once, or is occurring to others in similar circumstances.
3 | Moderate | Event has occurred here before, or has been observed in similar circumstances.
2 | Unlikely | Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1 | Rare | Event has almost never been observed; it may occur only in exceptional circumstances.

35 Impact
Level | Descriptor | Description
5 | Extreme | A major event with the potential to lead to long-term damage to an organization's ability to meet its objectives.
4 | Very High | A critical event which, with proper management, can be endured by the organization.
3 | Medium | A significant event that can be managed under normal circumstances by the organization.
2 | Low | An event where consequences can be absorbed, but management effort is required to minimize the impact.
1 | Negligible | An event the consequences of which can be absorbed through normal activity.

36 Heat Mapping

37 Keeping Privacy Healthy
Focus on privacy principles
Value privacy as a credential and not just a compliance requirement: treat personal information as a key asset to be safeguarded as well as any other
Systematic approach to privacy risk management
Better legislative and regulatory frameworks
Robust privacy management framework
Strong IT control, especially for identification and authentication
Privacy check-ups
Be a privacy guardian... why...

38 Privacy Matters: a Fundamental Human Right
Rights against arbitrary intrusion: freedom from unreasonable search and seizure.
Right to protect personal information.
Privacy matters because it's about the kind of society we want: the relationship we have with government, with business and among ourselves.

39 Thank You
Questions?
Trevor R. Shaw, CA CMC
A/Director General, Audit and Review

40 Privacy Self-Assessment
David T Shuen, MBA, LL.B., CIPP/C
VP, Chief Compliance Officer, Canadian Operations, Sun Life Financial

41 Objectives of the Self-Assessment
Governance:
Update and document compliance status
Obtain evidence of management due diligence
Input for compliance testing
Risk Management:
Identify trends and systemic control weaknesses
Identify emerging issues and risks
Input for control measures development
Maintain awareness

42 The Self-Assessment
Developed in-house by our privacy team with input from our Privacy Advisory Committee.
Contains 37 questions based on the Fair Information Principles.
Captures information on:
Compliance status
Current compliance, risk management and regulatory activities, e.g. audits, examinations
Trends, issues and risks identified
New privacy controls and safeguards, and near-term planned activities
Top 5 (self-identified) privacy risks, including documentation of the corresponding controls and an assessment of the net risk

43 The Process
Semi-annual
Coordinated by the privacy office
Completed by privacy/compliance officers in business units with access to personal information, with input from operations
Reviewed by business unit heads
Certification required
Takes about 3 weeks at the business level

44 The Process (continued)
Analyzed by the Privacy Office
Consolidated report prepared for the CPO
Summary reported to Canadian senior management and the enterprise risk management committee
Material issues escalated to executives and shared with control functions: Internal Audit, Compliance and Risk Management

45 Lessons Learned
A good way to know what is going on in the business
Effective way to keep privacy on the radar screen
Testing is a necessity
Perception of risk differs
There is no such thing as too much awareness: training needs to be on-going
Front-line workers have the least time for training but the most access to customer information
A less formal but more frequent awareness campaign may be more effective than a formal training course
Authentication is a constant struggle between good customer experience and good privacy protection

46 Privacy Risk Assessment Tool
Based on Generally Accepted Privacy Principles (GAPP), developed by CICA and AICPA
A privacy framework to help organizations develop and assess their privacy program and privacy risk
Excel based
Allows up to 10 assessors

47 Generally Accepted Privacy Principles
Management
Notice
Choice & Consent
Collection
Use & Retention
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring & Enforcement

48 The Benefits of GAPP
Comprehensive: a framework of over 60 measurable and relevant criteria
Objective: developed by the auditing profession to address international expectations and create a basis for comparability; universally available at no charge
Relevant: widespread use and recognition; applicable for evaluating privacy risk enterprise-wide; recognized as suitable criteria for a privacy audit; can also be the basis for an internal assessment

49 Scoring Input Template
GAPP: 66 criteria. Each criterion is scored on three dimensions: Likelihood of a Control Failure, Business Impact, and Effort/Cost to Mitigate.
Example rows from MANAGEMENT (10 criteria):
Privacy Policies (1.1.0): Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement. Score cells for this row read 2, 5, 8 (likelihood, impact, cost).
Communications to Internal Personnel (1.1.1): Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved.
Risk scores are taken from the COBIT Maturity Model for Internal Control:
2 – low risk: "An effective internal control and risk management environment is in place."
5 – medium risk: "Privacy controls are in place and adequately documented."
8 – high risk: "Many privacy control weaknesses exist and are not adequately addressed."
Section 1, Likelihood of a Control Failure: as an assessor scoring each criterion, think in terms of whether the organization's practices and controls are in place and working as intended.
Business Impact: evaluate as if the risk had occurred. Consider reputation impact, monetary impact, regulatory/legal implications, customer impact and business operations.
Cost to Mitigate/Prevent: people effort, time to implement, complexity of the computer environment, capital expenditures required, cultural resistance.

50 Scoring Summary
GAPP – 10 Principles. Columns: Likelihood of a Control Failure | Business Impact | Size of Marker (Cost to Mitigate). Values are as extracted; where a row shows a third number it is the marker size, and the cells for USE / RETENTION and MONITORING / ENFORCEMENT did not survive extraction.
MANAGEMENT | 2.3 | 2.6 |
NOTICE | 4.6 | 3.9 | 4.7
CHOICE / CONSENT | 5.0 | 8.0 |
COLLECTION | 4.3 | 2.8 | 4.0
USE / RETENTION | | |
ACCESS | 5.8 | 6.5 |
DISCLOSURE | 3.4 | 5.6 | 3.0
SECURITY | 7.0 | 6.7 |
QUALITY | 5.5 | 7.5 |
MONITORING / ENFORCEMENT | | |

51 Chart notes
The vertical axis (business impact, low to high) is difficult to read.
The size of each dot is based on the cost to mitigate.
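The roll-up behind slides 49 to 51, written out as an added Python example: per-criterion scores from several assessors are averaged into one likelihood / impact / cost point per principle, placed on a heat map of the kind shown on slide 36, and ordered for action. This is not the CICA tool (which is Excel based) and not code from the deck. The 2/5/8 scale and the meaning of the three columns come from the slides; the heat-map thresholds, the assessor-disagreement check, the GAPP criterion references and the sample scores are this example's own assumptions.

```python
"""Added example, not part of the CICA Privacy Risk Assessment Tool or the deck:
roll up per-criterion privacy risk scores into a per-principle summary."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

LOW, MEDIUM, HIGH = 2, 5, 8          # scale used on the slides: low / medium / high
VALID_SCORES = {LOW, MEDIUM, HIGH}


@dataclass(frozen=True)
class CriterionScore:
    assessor: str
    principle: str
    criterion: str    # GAPP reference such as "1.1.0" (illustrative values below)
    likelihood: int   # likelihood of a control failure
    impact: int       # business impact, evaluated as if the failure had occurred
    cost: int         # effort/cost to mitigate (the bubble size on the slide chart)

    def __post_init__(self):
        # Reject anything outside the template's three allowed values.
        for name in ("likelihood", "impact", "cost"):
            if getattr(self, name) not in VALID_SCORES:
                raise ValueError(f"{name} must be one of {sorted(VALID_SCORES)}")


def heat_band(likelihood, impact):
    """Assumed banding for the likelihood x impact heat map (not the tool's own).

    Exposure ranges from 4 (2x2) to 64 (8x8) on the 2/5/8 scale."""
    exposure = likelihood * impact
    if exposure >= 40:        # assumption: medium-high on both axes or worse
        return "red"
    if exposure >= 16:
        return "amber"
    return "green"


def summarise(scores):
    """Average each principle's criteria across every assessor's sheet.

    Returns one row per principle, sorted for action: largest exposure first,
    cheapest mitigation first among equals (the cost column breaks ties)."""
    by_principle = defaultdict(list)
    for s in scores:
        by_principle[s.principle].append(s)
    rows = []
    for principle, items in by_principle.items():
        lik = mean(s.likelihood for s in items)
        imp = mean(s.impact for s in items)
        cost = mean(s.cost for s in items)
        rows.append({
            "principle": principle,
            "likelihood": round(lik, 1),
            "impact": round(imp, 1),
            "cost": round(cost, 1),
            "band": heat_band(lik, imp),
        })
    rows.sort(key=lambda r: (-(r["likelihood"] * r["impact"]), r["cost"]))
    return rows


def disagreements(scores, spread=3):
    """Criteria whose likelihood scores differ between assessors by more than `spread`.

    On the 2/5/8 scale a spread above 3 means one assessor said 'low' and another
    'high' for the same criterion: worth a conversation before the number is used."""
    by_criterion = defaultdict(list)
    for s in scores:
        by_criterion[(s.principle, s.criterion)].append(s.likelihood)
    return sorted(k for k, v in by_criterion.items() if max(v) - min(v) > spread)


# Constructed sample input: two assessors ("A" and "B") scoring four criteria.
SAMPLE = [
    CriterionScore("A", "MANAGEMENT", "1.1.0", LOW, MEDIUM, HIGH),
    CriterionScore("B", "MANAGEMENT", "1.1.0", LOW, MEDIUM, HIGH),
    CriterionScore("A", "MANAGEMENT", "1.1.1", LOW, LOW, LOW),
    CriterionScore("B", "MANAGEMENT", "1.1.1", MEDIUM, LOW, LOW),
    CriterionScore("A", "SECURITY", "8.1.0", HIGH, HIGH, MEDIUM),
    CriterionScore("B", "SECURITY", "8.1.0", MEDIUM, HIGH, MEDIUM),
    CriterionScore("A", "ACCESS", "6.1.0", HIGH, MEDIUM, LOW),
    CriterionScore("B", "ACCESS", "6.1.0", LOW, MEDIUM, LOW),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(f"{row['principle']:<12} L={row['likelihood']:<4} I={row['impact']:<4} "
              f"cost={row['cost']:<4} {row['band']}")
    print("assessors disagree on:", disagreements(SAMPLE))
```

Running the block prints SECURITY first (red), then ACCESS (amber) and MANAGEMENT (green), and flags ACCESS 6.1.0 as the criterion where the two assessors scored low and high. That last list is the "perception of risk differs" lesson from slide 45 made mechanical: it is the set of criteria to reconcile before the consolidated report goes to senior management.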

52 Contact Info
Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development, CICA (416)
For those who just can't wait to get a copy of GAPP, I have a limited number of 1 GB USB keys that come preloaded with GAPP and the privacy map. Privacy notice: this is a promotional item, so these keys are not encrypted and should not be used to store personal information!

53 Questions?
