IAPP Canadian Privacy Summit May 2008


Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program
IAPP Canadian Privacy Summit, May 2008

CICA sets accounting and assurance standards for businesses, not-for-profit organizations and government. Our members are trusted business advisors, whether in public or private practice. In public practice, we have CAs that provide privacy advisory, assurance and consulting services. We use the same trusted methodology and standards to perform privacy audits as we do financial statement audits.

Cost of a Breach
$197 per compromised record, made up of:
$128 from the cost of lost business (65% of data breach costs)
$46 ex-post response: setting up phone lines/websites to inform and communicate with customers, obtaining recommendations on further actions, credit monitoring, reissuing accounts or credit cards
$16 notification
$8 detection/discovery of the breach
How much is that really?
2,900 patients = $571k (Sick Kids)
470,000 customers = $92.6M (CIBC Talvest)
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007

Why Self-Assess?
Identify weaknesses and opportunities: correct weaknesses before a breach occurs
Benchmarking: current state vs. desired state
Demonstrate privacy compliance to stakeholders: management / board of directors, employees / customers, regulators / privacy commissioners

What You'll Learn This Hour
Office of the Privacy Commissioner of Canada: auditing for privacy and guidance for best privacy practices
Sun Life Assurance Co of Canada: how they conducted their own self-assessment and lessons learned
CICA Privacy Risk Assessment Tool

Office of the Privacy Commissioner of Canada
Assessing Privacy Management
IAPP Toronto, May 22, 2008

Jennifer Stoddart Privacy Commissioner of Canada

This Presentation
Overview of the OPC
Privacy environment
OPC audit and review
PIPEDA self-assessment tool

Warm Up P+S = 0? or P+S = 1? P-S = 300million

About the OPC
Protects and promotes the privacy rights of individuals
Oversees compliance with two Acts
Independent Officer of Parliament
Multi-faceted ombudsman role
Responsible for promoting good management of personal information by organizations, both public and private
Visit www.privcom.gc.ca

OPC Audit & Review Mandate
Section 36(1) of the Privacy Act: investigate exempt data banks.
Section 37(1) of the Privacy Act: review compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
TB Policy: Privacy Impact Assessment reviews.
Section 18(1) of PIPEDA: with reasonable notice, at a reasonable time and on reasonable grounds to believe a contravention has occurred, audit the personal information management practices of an organization. Private sector audit universe.

Audit & Review Branch
We do audits and privacy impact assessment reviews, with a purpose: to conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards, and improving privacy practices and accountability.
Building capacity: now 9, growing to 19. Budget increased to $1.7M (from $896K).

A Definition of Privacy Auditing
"Privacy auditing" (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information, consistent with "fair information principles". It can also be viewed as an assessment of the means employed by organizations to manage privacy risks. Using a "systems" approach, any particular audit under the Privacy Act or the Personal Information Protection and Electronic Documents Act would be designed to address one or more of the following basic questions, depending on the scope of the audit.

Privacy Management in Context: The Privacy Environment Today

Toronto - 1907

Ubiquitous Computing

A New Universe - World Connected

Technology – no limits/bounds

No Shortage of Privacy Challenges
Post 9/11: increased emphasis on information sharing for security purposes
Trans-border data flow
Outsourcing activities
Protecting one's actual persona in an age of information expansion and integration
Data consolidation, mining, matching and resale
Behavioural profiling and targeted advertising
Biometrics
Increased surveillance (in many forms: visual and data)
Internet, Web 2.0, wireless communication (generation shift)
Identity theft: loss/theft of personal information
Privacy breaches

Public increasingly concerned

Some days we feel a little overwhelmed

Privacy Breaches
The number one issue raised in submissions on the PIPEDA review was data breach.
Seems not a day goes by without one.
How many actually happen compared to the ones known about?

ID Theft: solutions?
The Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites, with a $2,500 civil penalty. Ostergren story.
Canada is introducing ID theft legislation (Bill C-27).
Informing people on how to protect themselves.

Privacy Breaches: Industry Canada Policy Objectives
Encourage better data security practices and better understand the link between current practices and data losses.
Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.
Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.

Why do breaches happen?
An accident, a one-off thing? Or a function of culture, flawed systems and procedures?
The resources invested to prevent a breach (i.e. to protect personal information) likely depend on the extent to which management believes it can "afford" a breach; that is a function of risk management.
A privacy breach protocol is a key element of a privacy management program/framework.

What about data security?
"Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems." GAO, March 12, 2008, GAO-08-571T
The OAG Canada has reported concerns about information security among federal departments and agencies.
The OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as in the private sector.

Keeping privacy healthy

How privacy management "friendly" is your organization?
How does your organization view privacy? What's the culture? Is privacy on the agenda/radar of senior management?
How's your PMF? Do you have one? Can you articulate it?
Do you have a handle on what personal information you hold, why you collect it and what you do with it?
Do you have a privacy training program?
How's your CPO shop? Is it sufficiently resourced, with the capacity to do what it should? Is it a marginal or a key player?
Do you track privacy breaches and have responsive mechanisms?
When you introduce or change business lines or systems, do you do a privacy impact assessment (including a TRA) beforehand, and then do you use it?
You have policy, and that's good, but is it just "words on paper"? How do you know it's followed/supported?
Does your internal audit function consider privacy issues/risks?
When did your organization last do a privacy practices check-up?
In what ways is managing for privacy part of a manager's performance agreement and evaluation?

OPC Self-Assessment Tool
A compliance guide and a diagnostic tool we expect to make public by July 2008.
A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA.
Framework of principles and criteria.
A guide: a series of must, should and may statements for each Principle.
Diagnostic tool: checklists, means of interpretation and action determination.

Self-Assessment Checklists
P1 Accountability: 23 Qs
P2 Identifying Purpose: 9 Qs
P3 Consent
P4 Limiting Collection: 6 Qs
P5 Limiting Use, Disclosure, Retention: 5 Qs
P6 Accuracy
P7 Safeguards: 8 Qs
P8 Openness
P9 Individual Access: 15 Qs
P10 Challenging Compliance: 5 Qs

Sample checklist: Principle 1, Accountability
Columns: Statement; Assessment (Met / Not Met / Partly Met); Evidence; Actions
Statements:
You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
You have clearly delineated who, within your organization, is responsible for privacy governance and management.
You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.

Evaluating Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas. Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.

Maturity A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions which should help set priorities for remedial action and define a realistic timeline for completion.

A Privacy Program Maturity Scale
Level 1: Non-existent / seriously underdeveloped
Level 2: Early stages of development
Level 3: Advanced; requirements mostly met; improvements possible
Level 4: Fully developed; requirements mostly met with only minor or no adjustments needed

Likelihood of Occurrence (Level, Descriptor, Description)
5, Almost Certain: Event occurs regularly here.
4, Likely: Event has occurred here more than once, or is occurring to others in similar circumstances.
3, Moderate: Event has occurred here before, or has been observed in similar circumstances.
2, Unlikely: Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1, Rare: Event has almost never been observed; it may occur only in exceptional circumstances.

Impact (Level, Descriptor, Description)
5, Extreme: A major event with the potential to lead to long-term damage to an organization's ability to meet its objectives.
4, Very High: A critical event which, with proper management, can be endured by the organization.
3, Medium: A significant event that can be managed under normal circumstances by the organization.
2, Low: An event where consequences can be absorbed, but management effort is required to minimize the impact.
1, Negligible: An event the consequences of which can be absorbed through normal activity.

Heat Mapping

Keeping Privacy Healthy
Focus on privacy principles
Value privacy as a credential and not just a compliance requirement: treat personal information as a key asset to be safeguarded as well as any other
Systematic approach to privacy risk management
Better legislative and regulatory frameworks
Robust privacy management framework
Strong IT control, especially for identification and authentication
Privacy check-ups
Be a privacy guardian... why...

Privacy Matters
A fundamental human right: rights against arbitrary intrusion, freedom from unreasonable search and seizure, the right to protect personal information.
Privacy matters because it's about the kind of society we want: the relationship we have with government, business and among ourselves.

Thank You. Questions?
Trevor R. Shaw, CA CMC
A/Director General, Audit and Review
613-996-2252
www.privcom.gc.ca
1-800-282-1376

Privacy Self-Assessment
David T. Shuen, MBA, LL.B., CIPP/C
VP, Chief Compliance Officer, Canadian Operations, Sun Life Financial

Objectives of the Self-Assessment
Governance: update and document compliance status; obtain evidence of management due diligence; input for compliance testing
Risk management: identify trends and systemic control weaknesses; identify emerging issues and risks; input for control measures development; maintain awareness

The Self-Assessment
Developed in-house by our privacy team with input from our Privacy Advisory Committee.
Contains 37 questions based on the Fair Information Principles.
Captures information on:
Compliance status
Current compliance, risk management and regulatory activities, e.g. audits, examinations
Trends / issues / risks identified
New privacy controls and safeguards, and near-term planned activities
Top 5 (self-identified) privacy risks, including documentation of corresponding controls and assessment of the net risk

The Process
Semi-annual
Coordinated by the privacy office
Completed by privacy / compliance officers in business units with access to personal information, with input from operations
Reviewed by business unit heads
Certification required
Takes about 3 weeks at the business level

The Process (continued)
Analyzed by the Privacy Office
Consolidated report prepared for the CPO
Summary reported to Canadian senior management and the enterprise risk management committee
Material issues escalated to executives and shared with control functions: Internal Audit, Compliance and Risk Management

Lessons Learned
A good way to know what is going on in the business
An effective way to keep privacy on the radar screen
Testing is a necessity
Perception of risk differs
There is no such thing as too much awareness; training needs to be ongoing
Front-line workers have the least time for training but the most access to customer information
A less formal but more frequent awareness campaign may be more effective than a formal training course
Authentication is a constant struggle between good customer experience and good privacy protection

Privacy Risk Assessment Tool
Based on Generally Accepted Privacy Principles (GAPP) developed by CICA and AICPA
A privacy framework to help organizations develop and assess their privacy program and privacy risk
Excel based
Allows up to 10 assessors
www.cica.ca/privacy

Generally Accepted Privacy Principles
Management
Notice
Choice & Consent
Collection
Use & Retention
Access
Disclosure to Third Parties
Security for Privacy
Quality
Monitoring & Enforcement

The Benefits of GAPP
Comprehensive: a framework of over 60 measurable and relevant criteria
Objective: developed by the auditing profession to address international expectations and create a basis for comparability; universally available at no charge
Relevant: widespread use and recognition; applicable for evaluating privacy risk enterprise-wide; recognized as suitable criteria for a privacy audit; can also be the basis for an internal assessment

Scoring Input Template: GAPP, 66 Criteria
Columns: Criteria; Description; Likelihood of a Control Failure; Business Impact; Effort/Cost to Mitigate
MANAGEMENT (10 criteria)
Privacy Policies (1.1.0): Policies are defined for notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement. Example scores: 2, 5, 8
Communications to Internal Personnel (1.1.1): Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved.
Risk scores are taken from the COBIT Maturity Model for Internal Control:
2, low risk: "An effective internal control and risk management environment is in place."
5, medium risk: "Privacy controls are in place and adequately documented."
8, high risk: "Many privacy control weaknesses exist and are not adequately addressed."
Section 1, Likelihood of a Control Failure: as an assessor scoring each criterion, think in terms of whether the organization's practices and controls are in place and working as intended.
Business Impact: evaluate as if the risk had occurred; consider reputation impact, monetary impact, regulatory/legal implications, customer impact and business operations.
Cost to Mitigate/Prevent: people effort, time to implement, complexity of the computer environment, capital expenditures required, cultural resistance.

Scoring Summary: GAPP, 10 Principles (chart)
Horizontal axis: Likelihood of a Control Failure. Vertical axis: Business Impact. Size of marker: Cost to Mitigate.
Principles plotted: Management, Notice, Choice/Consent, Collection, Use/Retention, Access, Disclosure, Security, Quality, Monitoring/Enforcement. For example, Management scores 2.3 (likelihood) and 2.6 (impact); Notice scores 4.6 and 3.9.

The vertical axis is difficult to read: it is business impact, from low to high. The size of each dot is based on the cost to mitigate.
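As an added illustration (not code from the CICA tool or this presentation), the following Python script applies the 2/5/8 scoring scale from the template slide to constructed per-criterion scores, averages them per principle the way the Scoring Summary does, and places each principle in a heat-map zone ranked by likelihood times impact, with cost to mitigate carried alongside as the marker size would be. The sample scores, the 5.0 midpoint used to split the map into zones, and the ranking rule are assumptions, not part of the tool.

```python
"""GAPP-style privacy risk scoring aggregator (added example, not the CICA tool).

Assumptions: every criterion is scored 2 / 5 / 8 on all three dimensions,
a principle's heat-map position is the mean of its criteria, and the map is
split into zones at the scale midpoint (5.0).
"""
from collections import defaultdict

VALID_SCORES = {2, 5, 8}   # low / medium / high, per the COBIT-derived scale on the slide
MIDPOINT = 5.0             # assumed zone boundary on both axes

# Constructed sample input: (principle, criterion id, likelihood, impact, cost)
SAMPLE_SCORES = [
    ("MANAGEMENT", "1.1.0", 2, 5, 8),
    ("MANAGEMENT", "1.1.1", 2, 2, 5),
    ("NOTICE", "2.1.0", 5, 5, 2),
    ("NOTICE", "2.2.1", 5, 2, 5),
    ("SECURITY", "8.1.0", 8, 8, 8),
    ("SECURITY", "8.2.1", 5, 8, 5),
    ("ACCESS", "6.1.0", 5, 8, 2),
]


def validate(scores):
    """Reject any score outside the 2/5/8 scale before it skews an average."""
    for principle, crit, like, impact, cost in scores:
        for name, val in (("likelihood", like), ("impact", impact), ("cost", cost)):
            if val not in VALID_SCORES:
                raise ValueError(f"{principle} {crit}: {name}={val} not in {sorted(VALID_SCORES)}")


def summarize(scores):
    """Mean likelihood, impact and cost per principle (the Scoring Summary view)."""
    validate(scores)
    buckets = defaultdict(list)
    for principle, _crit, like, impact, cost in scores:
        buckets[principle].append((like, impact, cost))
    return {
        p: {
            "likelihood": round(sum(r[0] for r in rows) / len(rows), 1),
            "impact": round(sum(r[1] for r in rows) / len(rows), 1),
            "cost": round(sum(r[2] for r in rows) / len(rows), 1),
            "criteria": len(rows),
        }
        for p, rows in buckets.items()
    }


def heat_zone(likelihood, impact):
    """Zone of the likelihood/impact map: red = both high, amber = one high, green = neither."""
    likely, severe = likelihood >= MIDPOINT, impact >= MIDPOINT
    if likely and severe:
        return "red"
    return "amber" if (likely or severe) else "green"


def prioritize(scores):
    """Principles ordered by likelihood x impact (highest first); cheaper fixes break ties."""
    summary = summarize(scores)
    ranked = sorted(
        summary.items(),
        key=lambda kv: (-(kv[1]["likelihood"] * kv[1]["impact"]), kv[1]["cost"], kv[0]),
    )
    return [
        (p, heat_zone(s["likelihood"], s["impact"]), round(s["likelihood"] * s["impact"], 1), s["cost"])
        for p, s in ranked
    ]


if __name__ == "__main__":
    for principle, zone, exposure, cost in prioritize(SAMPLE_SCORES):
        print(f"{principle:<12} zone={zone:<5} exposure={exposure:<5} cost_to_mitigate={cost}")
```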

Contact Info
www.cica.ca/privacy
Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development, CICA
(416) 204-3251
nicholas.cheung@cica.ca
For those who just can't wait to get a copy of GAPP, I have a limited number of 1 GB USB keys that come preloaded with GAPP and the Privacy map.
Privacy Notice: this is a promotional item, so these keys are not encrypted and should not be used to store personal information!

Questions?