Presentation transcript: IAPP Canadian Privacy Summit, May 2008
Slide 1: Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program
IAPP Canadian Privacy Summit, May 2008
CICA sets accounting and assurance standards for businesses, not-for-profit organizations and government. Our members are trusted business advisors, whether in public or private practice. In public practice, we have CAs that provide privacy advisory, assurance and consulting services. We use the same trusted methodology and standards to perform privacy audits as we do financial statement audits.
Slide 2: Cost of a Breach
$197 per compromised record, made up of:
- $128 from the cost of lost business (65% of data breach costs)
- $46 ex-post response: setting up phone lines/websites to inform and communicate with customers, obtaining recommendations on further actions, credit monitoring, reissuing accounts or credit cards
- $16 notification
- $8 detection/discovery of the breach
How much is that really?
- 2,900 patients = $571k (Sick Kids)
- 470,000 customers = $92.6M (CIBC Talvest)
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007
Slide 3: Why Self-Assess?
- Identify weaknesses and opportunities: correct weaknesses before a breach occurs
- Benchmarking: current state vs. desired state
- Demonstrate privacy compliance to stakeholders: Management / Board of Directors; Employees / Customers; Regulators / Privacy commissioners
Slide 4: What You'll Learn This Hour
- Office of the Privacy Commissioner of Canada: auditing for privacy and guidance for best privacy practices
- Sun Life Assurance Co of Canada: how they conducted their own self-assessment and lessons learned
- CICA: Privacy Risk Assessment Tool
Slide 5: Office of the Privacy Commissioner of Canada
Assessing Privacy Management
IAPP, Toronto, May 22, 2008
Slide 9: About the OPC
Office of the Privacy Commissioner of Canada
- Protect and promote the privacy rights of individuals
- Oversee compliance with two Acts
- Independent Officer of Parliament
- Multi-faceted ombudsman role
- Responsible for promoting good management of personal information by organizations, both public and private.
Visit
Slide 10: OPC Audit & Review Mandate
- Section 36(1) of the Privacy Act: investigate exempt data banks.
- Section 37(1) of the Privacy Act: review compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
- TB Policy: Privacy Impact Assessment reviews.
- Section 18(1) of PIPEDA: with reasonable notice and time, and on reasonable grounds to believe a contravention has occurred, audit the personal information management practices of an organization. Private sector audit universe.
Slide 11: Audit & Review Branch
We do audits and privacy impact assessment reviews, with a purpose: to conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.
Building capacity: now 9 staff, growing to 19. Budget increased to $1.7M (from $896K).
Slide 12: A Definition of Privacy Auditing
"Privacy auditing" (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information, consistent with the "fair information principles". It can also be viewed as an assessment of the means employed by organizations to manage privacy risks. Using a "systems" approach, any particular audit under the Privacy Act or the Personal Information Protection and Electronic Documents Act would be designed to address one or more of the following basic questions, depending on the scope of the audit.
Slide 13: Privacy Management in Context
Privacy Environment Today
Slide 18: No Shortage of Privacy Challenges
- Post 9/11: increased emphasis on information sharing for security purposes
- Trans-border data flow
- Outsourcing activities
- Protecting one's actual persona in an age of information expansion and integration
- Data consolidation, mining, matching and resale
- Behavioural profiling and targeted advertising
- Biometrics
- Increased surveillance (in many forms, visual and data)
- Internet, Web 2.0, wireless communication (generation shift)
- Identity theft: loss/theft of PI
- Privacy breaches
Slide 21: Privacy Breaches
- The number one issue raised in submissions on the PIPEDA review was data breaches
- Seems there is not a day without one
- How many actually happen compared to the ones known about?
Slide 22: ID Theft – Solutions?
- The Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites ($2,500 civil penalty). Ostergren story.
- Canada is introducing ID theft legislation (C-27).
- Informing people on how to protect themselves.
Slide 23: Privacy Breaches – Industry Canada Policy Objectives
- Encourage better data security practices and better understand the link between current practices and data losses.
- Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.
- Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.
Slide 24: Why Do Breaches Happen?
- An accident, a one-off thing? Or a function of culture and flawed systems and procedures?
- Likely the resources invested to prevent a breach (i.e. to protect personal information) depend on the extent to which management believes it can "afford" a breach: a function of risk management.
- A privacy breach protocol is a key element of a privacy management program/framework.
Slide 25: What About Data Security?
"Despite agency-reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems." (GAO, March 12, 2008)
- OAG Canada has reported concerns about information security among federal departments and agencies.
- OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as in the private sector.
Slide 27: How Privacy Management "Friendly" Is Your Organization?
- How does your organization view privacy? What's the culture?
- Is privacy on the agenda/radar of senior management?
- How's your PMF (privacy management framework)? Do you have one? Can you articulate it?
- Do you have a handle on what personal information you hold, why you collect it and what you do with it?
- Do you have a privacy training program?
- How's your CPO shop? Is it sufficiently resourced, with the capacity to do what it should? Is it a marginal or a key player?
- Do you track privacy breaches and have responsive mechanisms?
- When you introduce or change business lines or systems, do you do a privacy impact assessment (including a TRA) beforehand, and then do you use it?
- You have policy, and that's good, but is it just "words on paper"? How do you know it's followed and supported?
- Does your internal audit function consider privacy issues/risks?
- When did your organization last do a privacy practices check-up?
- In what ways is managing for privacy part of a manager's performance agreement and evaluation?
Slide 28: OPC Self-Assessment Tool
- A compliance guide and a diagnostic tool we expect to make public by July 2008.
- A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA.
- Framework of principles and criteria.
- A guide: a series of must, should and may statements for each Principle.
- Diagnostic tool: checklists, means of interpretation and action determination.
Slide 30: Sample Checklist – Principle 1, Accountability
Columns: Statement | Assessment (Met / Not Met / Partly Met) | Evidence | Actions
Statements:
- You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
- You have clearly delineated who, within your organization, is responsible for privacy governance and management.
- You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.
Slide 31: Evaluating
- Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas.
- Over time, evaluation of an organization's compliance should be put into the context of a maturity level.
Slide 32: Maturity
A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions, which should help set priorities for remedial action and define a realistic timeline for completion.
Slide 33: A Privacy Program Maturity Scale
- Level 1: Non-existent / seriously underdeveloped
- Level 2: Early stages of development
- Level 3: Advanced; requirements mostly met; improvements possible
- Level 4: Fully developed; requirements mostly met with only minor or no adjustments needed
Slide 34: Likelihood of Occurrence
Level | Descriptor | Description
5 | Almost Certain | Event occurs regularly here.
4 | Likely | Event has occurred here more than once, or is occurring to others in similar circumstances.
3 | Moderate | Event has occurred here before, or has been observed in similar circumstances.
2 | Unlikely | Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1 | Rare | Event has almost never been observed; it may occur only in exceptional circumstances.
Slide 35: Impact
Level | Descriptor | Description
5 | Extreme | A major event with the potential to lead to long-term damage to an organization's ability to meet its objectives.
4 | Very High | A critical event which, with proper management, can be endured by the organization.
3 | Medium | A significant event that can be managed under normal circumstances by the organization.
2 | Low | An event whose consequences can be absorbed, but management effort is required to minimize the impact.
1 | Negligible | An event whose consequences can be absorbed through normal activity.
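As an added illustration, not part of the OPC tool or of this presentation, the following Python shows how the checklist statuses on slide 30, the maturity scale on slide 33 and the likelihood and impact scales on slides 34 and 35 fit together: each principle's checklist items are scored, the score is mapped to a maturity level, and items that are not fully met are rated on the two 5-point scales so that remediation can be ordered by likelihood times impact. The checklist wording is a paraphrase of slide 30, and the percentage thresholds for each maturity level, the status weights and the sample ratings are assumptions made for the example.

```python
from dataclasses import dataclass

# Assessment values from the sample checklist (slide 30). The weights
# are an assumption: "Partly Met" counts as half credit.
STATUS_WEIGHT = {"Met": 1.0, "Partly Met": 0.5, "Not Met": 0.0}

# Maturity levels from the presentation's 4-level scale (slide 33).
# The percentage thresholds are assumed for illustration only.
MATURITY_THRESHOLDS = (
    (0.90, 4, "Fully developed"),
    (0.70, 3, "Advanced"),
    (0.40, 2, "Early stages of development"),
    (0.00, 1, "Non-existent / seriously underdeveloped"),
)

# 5-point scales from slides 34 and 35.
LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Moderate",
              2: "Unlikely", 1: "Rare"}
IMPACT = {5: "Extreme", 4: "Very High", 3: "Medium",
          2: "Low", 1: "Negligible"}


@dataclass
class Item:
    principle: str
    statement: str
    status: str          # "Met", "Partly Met" or "Not Met"
    likelihood: int = 0  # 1-5, rated only when status is not "Met"
    impact: int = 0      # 1-5, rated only when status is not "Met"


def compliance_by_principle(items):
    """Return {principle: fraction of checklist weight met}, each in [0, 1]."""
    totals = {}
    for it in items:
        if it.status not in STATUS_WEIGHT:
            raise ValueError(f"unknown status {it.status!r}")
        met, n = totals.get(it.principle, (0.0, 0))
        totals[it.principle] = (met + STATUS_WEIGHT[it.status], n + 1)
    return {p: met / n for p, (met, n) in totals.items()}


def maturity_level(score):
    """Map a compliance fraction to (level, label) on the 4-level scale."""
    for threshold, level, label in MATURITY_THRESHOLDS:
        if score >= threshold:
            return level, label
    raise ValueError("score must be between 0 and 1")


def prioritized_gaps(items):
    """Items not fully met, highest likelihood x impact first.

    An unrated gap is an error rather than a silent zero, so a gap that
    nobody rated cannot drop to the bottom of the list unnoticed.
    """
    gaps = [it for it in items if it.status != "Met"]
    for it in gaps:
        if it.likelihood not in LIKELIHOOD or it.impact not in IMPACT:
            raise ValueError(f"gap not rated: {it.statement}")
    return sorted(gaps, key=lambda it: (-(it.likelihood * it.impact), it.statement))


def describe(item):
    return (f"{item.statement} [{item.status}; "
            f"{LIKELIHOOD[item.likelihood]} / {IMPACT[item.impact]}]")


# Constructed sample: the three Principle 1 statements from slide 30
# (paraphrased) with assumed assessments and ratings.
SAMPLE = [
    Item("1 Accountability", "Privacy policies reviewed, complete and easy to understand", "Met"),
    Item("1 Accountability", "Responsibility for privacy governance clearly delineated", "Partly Met", 3, 4),
    Item("1 Accountability", "Policies cover employee as well as customer personal information", "Not Met", 4, 4),
]

if __name__ == "__main__":
    for principle, score in compliance_by_principle(SAMPLE).items():
        level, label = maturity_level(score)
        print(f"{principle}: {score:.0%} met -> Level {level} ({label})")
    for gap in prioritized_gaps(SAMPLE):
        print(" -", describe(gap))
```

Running the sample gives Principle 1 a 50% score, which lands on Level 2 under the assumed thresholds, and lists the "Not Met" item first because its rating of Likely / Very High outranks the partly met item's Moderate / Very High.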
Slide 37: Keeping Privacy Healthy
- Focus on privacy principles
- Value privacy as a credential and not just a compliance requirement: treat personal information as a key asset to be safeguarded as well as any other
- Systematic approach to privacy risk management
- Better legislative and regulatory frameworks
- Robust privacy management framework
- Strong IT controls, especially for identification and authentication
- Privacy check-ups
- Be a privacy guardian... why?
Slide 38: Privacy Matters
- Fundamental human right: rights against arbitrary intrusion, freedom from unreasonable search and seizure, the right to protect personal information.
- Privacy matters because it's about the kind of society we want: the relationship we have with government, with business and among ourselves.
Slide 39: Thank You. Questions?
Trevor R. Shaw, CA CMC
A/Director General, Audit and Review
Slide 40: Privacy Self-Assessment
David T Shuen, MBA, LL.B., CIPP/C
VP, Chief Compliance Officer, Canadian Operations, Sun Life Financial
Slide 41: Objectives of the Self-Assessment
Governance:
- Update and document compliance status
- Obtain evidence of management due diligence
- Input for compliance testing
Risk Management:
- Identify trends and systemic control weaknesses
- Identify emerging issues and risks
- Input for control measures development
- Maintain awareness
Slide 42: The Self-Assessment
- Developed in-house by our privacy team with input from our Privacy Advisory Committee.
- Contains 37 questions based on the Fair Information Principles.
- Captures information on: compliance status; current compliance, risk management and regulatory activities (e.g. audits, examinations); trends / issues / risks identified; new privacy controls and safeguards and near-term planned activities; top 5 (self-identified) privacy risks, including documentation of the corresponding controls and an assessment of the net risk.
Slide 43: The Process
- Semi-annual
- Coordinated by the privacy office
- Completed by privacy / compliance officers in business units with access to personal information, with input from operations
- Reviewed by business unit heads
- Certification required
- Takes about 3 weeks at the business level
Slide 44: The Process (continued)
- Analyzed by the Privacy Office
- Consolidated report prepared for the CPO
- Summary reported to Canadian senior management and the enterprise risk management committee
- Material issues escalated to executives and shared with control functions: Internal Audit, Compliance and Risk Management
Slide 45: Lessons Learned
- A good way to know what is going on in the business
- An effective way to keep privacy on the radar screen
- Testing is a necessity
- Perception of risk differs
- There is no such thing as too much awareness; training needs to be on-going
- Front-line workers have the least time for training but have the most access to customer information
- A less formal but more frequent awareness campaign may be more effective than a formal training course
- Authentication is a constant struggle between good customer experience and good privacy protection
Slide 46: Privacy Risk Assessment Tool
- Based on the Generally Accepted Privacy Principles (GAPP) developed by CICA and AICPA
- A privacy framework to help organizations develop and assess their privacy program and privacy risk
- Excel based
- Allows up to 10 assessors
Slide 47: Generally Accepted Privacy Principles
Management; Notice; Choice & Consent; Collection; Use & Retention; Access; Disclosure to Third Parties; Security for Privacy; Quality; Monitoring & Enforcement
Slide 48: The Benefits of GAPP
- Comprehensive: a framework of over 60 measurable and relevant criteria.
- Objective: developed by the auditing profession to address international expectations and create a basis for comparability; universally available at no charge.
- Relevant: widespread use and recognition; applicable for evaluating privacy risk enterprise-wide; recognized as suitable criteria for a privacy audit; can also be the basis for an internal assessment.
Slide 49: Scoring Input Template (GAPP – 66 Criteria)
Columns: Criteria | Description | Likelihood of a Control Failure | Business Impact | Effort/Cost to Mitigate
MANAGEMENT (10 criteria)
- Privacy Policies (1.1.0): Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement. Scores shown in the three columns: 2, 5, 8.
- Communications to Internal Personnel (1.1.1): Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved.
Risk scores are taken from the COBIT Maturity Model for Internal Control:
- 2, low risk: "An effective internal control and risk management environment is in place."
- 5, medium risk: "Privacy controls are in place and adequately documented."
- 8, high risk: "Many privacy control weaknesses exist and are not adequately addressed."
Section 1, Likelihood of a Control Failure: as an assessor scoring each criterion, think in terms of whether the organization's practices and controls are in place and working as intended.
Business Impact: evaluate as if the risk had occurred. Consider reputation impact, monetary impact, regulatory/legal implications, customer impact and business operations.
Cost to Mitigate/Prevent: people effort, time to implement, complexity of the computer environment, capital expenditures required, cultural resistance.
Slide 50: Scoring Summary (GAPP – 10 Principles)
Chart: horizontal axis = Likelihood of a Control Failure; vertical axis = Business Impact; size of marker = Cost to Mitigate.
Plotted values (likelihood, business impact), where legible in the transcript:
- MANAGEMENT: 2.3, 2.6
- NOTICE: 4.6, 3.9
- CHOICE / CONSENT: 5.0, 8.0
- ACCESS: 5.8, 6.5
- SECURITY: 7.0, 6.7
- QUALITY: 5.5, 7.5
- COLLECTION, USE / RETENTION, DISCLOSURE and MONITORING / ENFORCEMENT are also plotted; their values are not legible in the transcript.
Slide 51: The vertical axis is difficult to read: it is business impact, from low to high. The size of the dot is based on the cost to mitigate.
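The scoring template and the summary chart describe the tool's inputs and its output but not the arithmetic between them. The following Python, added here and not part of the CICA tool, shows one way that arithmetic can go: each assessor scores each criterion 2, 5 or 8 on the three dimensions, the scores are averaged per principle to give the chart's coordinates and marker size, and the principles are ordered by likelihood times business impact with cost to mitigate as the tie-break. It also measures how far assessors disagree on a criterion, since slide 45's lesson that "perception of risk differs" means an average can hide a split. The averaging, the product ordering, the assessor inputs and every criterion id other than 1.1.0 and 1.1.1 are assumptions made for the example.

```python
from statistics import mean

# Score values and their meaning, as on the tool's input template
# (taken there from the COBIT Maturity Model for Internal Control).
SCORES = {2: "low risk", 5: "medium risk", 8: "high risk"}

# Criterion id -> GAPP principle. 1.1.0 and 1.1.1 appear on the slide;
# the other two ids are hypothetical, constructed for this example.
CRITERIA = {
    "1.1.0": "MANAGEMENT",
    "1.1.1": "MANAGEMENT",
    "2.1.0": "NOTICE",                # hypothetical id
    "8.1.0": "SECURITY FOR PRIVACY",  # hypothetical id
}

# Constructed input from two assessors. Each criterion gets three scores:
# (likelihood of a control failure, business impact, effort/cost to mitigate).
ASSESSMENTS = {
    "assessor A": {
        "1.1.0": (2, 5, 8), "1.1.1": (2, 2, 2),
        "2.1.0": (5, 5, 2), "8.1.0": (8, 8, 8),
    },
    "assessor B": {
        "1.1.0": (2, 5, 5), "1.1.1": (5, 2, 5),
        "2.1.0": (5, 2, 2), "8.1.0": (5, 8, 5),
    },
}


def check_score(value, who, cid):
    """Reject anything outside the 2 / 5 / 8 scale instead of averaging it."""
    if value not in SCORES:
        raise ValueError(
            f"{who} scored {cid} with {value}; allowed values are {sorted(SCORES)}")


def principle_summary(assessments):
    """Average the three dimensions over all assessors and all criteria of
    each principle. Returns {principle: (likelihood, impact, cost)}."""
    by_principle = {}
    for who, scored in assessments.items():
        for cid, scores in scored.items():
            if cid not in CRITERIA:
                raise KeyError(f"{who} scored unknown criterion {cid}")
            for value in scores:
                check_score(value, who, cid)
            by_principle.setdefault(CRITERIA[cid], []).append(scores)
    return {
        p: tuple(mean(row[i] for row in rows) for i in range(3))
        for p, rows in by_principle.items()
    }


def prioritize(summary):
    """Principles in order of attention: highest likelihood x impact first,
    cheapest to mitigate first among equals."""
    return sorted(summary,
                  key=lambda p: (-(summary[p][0] * summary[p][1]), summary[p][2]))


def disagreement(assessments, cid):
    """Spread of the likelihood scores given to one criterion. A spread of
    a full step or more flags a criterion to discuss before acting on the
    average."""
    values = [scored[cid][0] for scored in assessments.values() if cid in scored]
    return max(values) - min(values)


if __name__ == "__main__":
    summary = principle_summary(ASSESSMENTS)
    for p in prioritize(summary):
        likelihood, impact, cost = summary[p]
        print(f"{p:<22} likelihood {likelihood:.1f}  "
              f"impact {impact:.1f}  cost {cost:.1f}")
    for cid in CRITERIA:
        print(f"{cid}: likelihood spread across assessors = "
              f"{disagreement(ASSESSMENTS, cid)}")
```

With the constructed input, SECURITY FOR PRIVACY comes out first (likelihood 6.5, impact 8.0), NOTICE second and MANAGEMENT last, and criterion 1.1.1 shows a likelihood spread of 3 because the two assessors scored it 2 and 5. A chart built from `principle_summary` reproduces the layout of slide 50: one marker per principle at (likelihood, impact), sized by the cost average.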
Slide 52: Contact Info
Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development, CICA
(416)
For those who just can't wait to get a copy of GAPP, I have a limited number of 1 GB USB keys that come preloaded with GAPP and the Privacy map.
Privacy Notice: this is a promotional item, so these keys are not encrypted and should not be used to store personal information!