
Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program

Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program. IAPP Canadian Privacy Summit May 2008. Cost of a Breach. $197 per compromised record. Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007. Why Self-Assess?.

brede

Presentation Transcript


  1. Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program IAPP Canadian Privacy Summit May 2008

  2. Cost of a Breach $197 per compromised record Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007

  3. Why Self-Assess? • Identify weaknesses and opportunities • Correct weaknesses before a breach occurs • Benchmarking • Current state vs. desired state • Demonstrates privacy compliance with stakeholders • Management / Board of Directors • Employees / Customers • Regulators / Privacy commissioners

  4. What You’ll Learn This Hour • Office of the Privacy Commissioner of Canada • Auditing for privacy and guidance for best privacy practices • Sun Life Assurance Co of Canada • How they conducted their own self-assessment and lessons learned • CICA • Privacy Risk Assessment Tool

  5. Office of the Privacy Commissioner of Canada Assessing Privacy Management IAPP Toronto May 22, 2008

  6. Jennifer Stoddart, Privacy Commissioner of Canada

  7. This Presentation • Overview of OPC • Privacy environment • OPC audit & review • PIPEDA self assessing tool

  8. Warm Up P+S = 0? or P+S = 1? P-S = 300 million

  9. About the OPC Office of the Privacy Commissioner of Canada • Protect & promote privacy rights of individuals • Oversee compliance with two Acts • Independent Officer of Parliament • Multi-faceted ombudsman role • Responsible for promoting good management of personal information by organizations, both public and private. • Visit www.privcom.gc.ca

  10. OPC Audit & Review Mandate • Section 36(1) of the Privacy Act to investigate exempt data banks. • Section 37(1) of the Privacy Act – review of compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities. • TB Policy – Privacy Impact Assessment Reviews • Section 18(1) PIPEDA – with reasonable notice, time and on reasonable grounds to believe contravention – audit the PI management practices of an organization. Private sector audit universe.

  11. Audit & Review Branch We do audits and privacy impact assessment reviews – with a purpose. To conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability. Building capacity – now 9 growing to 19. Budget increased to $1.7m (from $896K).

  12. A Definition of Privacy Auditing “Privacy auditing” (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information – consistent with “fair information principles”. It can also be viewed as assessment of the means employed by organizations to manage privacy risks. Using a “systems” approach, any particular audit under the Privacy Act or the Personal Information and Electronic Documents Act would be designed to address one or more of the following basic questions – depending on the scope of audit.

  13. Privacy management in context Privacy Environment Today

  14. Toronto - 1907

  15. Ubiquitous Computing

  16. A New Universe - World Connected

  17. Technology – no limits/bounds

  18. No Shortage of Privacy Challenges • Post 9/11 – increased emphasis on information sharing for security purposes • Trans border data flow • Outsourcing activities • Protecting one’s actual persona in an age of information expansion-integration • Data consolidation-mining-matching-resale • Behavioral profiling and target advertising • Biometrics • Increased surveillance (in many forms – visual and data) • Internet - Web2 – Wireless communication (generation shift) • Identity theft – loss/theft of PI • Privacy breaches

  19. Public increasingly concerned

  20. Some days we feel a little overwhelmed

  21. Privacy Breaches • The number one issue raised in submissions on PIPEDA review was data breach • Seems not a day without one • How many actually happen compared to ones known about?

  22. ID Theft – solutions? • Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites -- $2,500 civil penalty. Ostergren story. • Canada introducing ID theft legislation – C27. • Informing people on how to protect themselves.

  23. Privacy Breaches Industry Canada Policy Objectives: • Encourage better data security practices and better understand the link between current practices and data losses. • Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce • Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.

  24. Why do breaches happen? • An accident – one off thing? • Function of: • Culture • Flawed systems and procedures? • Likely that the resources invested to prevent a breach i.e. protect personal information would depend on the extent to which management believes they can “afford” a breach – function of risk management. • Privacy breach protocol is a key element of a privacy management program/framework.

  25. What about data security? • “Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems.” GAO March 12, 2008 GAO-08-571T • OAG Canada has reported concerns about information security among federal departments and agencies. • OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as private sector.

  26. Keeping privacy healthy

  27. How privacy management “friendly” is your organization? • How does your organization view privacy - what’s the culture? • Is privacy on the agenda/radar of Senior Management? • How’s your PMF? Do you have one – can you articulate it? • Do you have a handle on what personal information you hold, why you collect it and what you do with it? • Do you have a privacy training program? • How’s your CPO Shop? – is it sufficiently resourced/have capacity to do what it should? Is it a marginal or a key player? • Do you track privacy breaches and have responsive mechanisms? • When you introduce/change business lines or systems – do you do a privacy impact assessment (including TRA) beforehand and then do you use it? • You have policy – that’s good – but is it just “words on paper”? How do you know it’s followed/supported? • Does your internal audit function consider privacy issues/risks? • When did your organization last do a privacy practices check-up? • In what ways is managing for privacy part of a manager’s performance agreement and evaluation?

  28. OPC Self–assessment tool • A compliance guide and a diagnostic tool we expect to make public by July 08. • A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA • Framework of principles and criteria • A guide - series of must, should, may by each Principle. • Diagnostic tool – checklists, means of interpretation and action determination.

  29. Self Assessment Checklists

  30. Sample checklist – Principle 1 Accountability

  31. Evaluating • Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas. • Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.

  32. Maturity A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions which should help set priorities for remedial action and define a realistic timeline for completion.

  33. A Privacy Program Maturity Scale • Level 1 – Non existent/seriously underdeveloped • Level 2 – Early stages of development • Level 3 – Advanced – requirements mostly met – improvements possible • Level 4 – Fully developed – requirements mostly met with only minor or no adjustments needed

  34. Likelihood of Occurrence

  35. Impact

  36. Heat Mapping

  37. Keeping Privacy Healthy • Focus on privacy principles • Value privacy as a credential and not just a compliance requirement – treat personal information as a key asset to be safeguarded as well as any other • Systematic approach to privacy risk management • Better legislative and regulatory frameworks • Robust privacy management framework • Strong IT control, especially for identification and authentication • Privacy checkups • Be a privacy guardian……..why………

  38. Privacy Matters Fundamental Human Right Rights against arbitrary intrusion – freedom from unreasonable search and seizure. Right to protect personal information. Privacy matters because it’s about the kind of society we want – the relationship we have with government, business and among ourselves.

  39. Thank You Questions? www.privcom.gc.ca 1-800-282-1376 Trevor R. Shaw, CA CMC A/Director General - Audit and Review 613-996-2252

  40. Privacy Self-Assessment David T Shuen, MBA, LL.B., CIPP/C VP, Chief Compliance Officer Canadian Operations Sun Life Financial

  41. Objectives of the Self-Assessment • Governance • Update and document compliance status • Obtain evidence of management due diligence • Input for compliance testing • Risk Management • Identify trends and systemic control weakness • Identify emerging issues and risks • Input for control measures development • Maintain awareness

  42. The Self-Assessment • Developed in-house by our privacy team with input from our Privacy Advisory Committee. • Contains 37 questions based on the Fair Information Principles. • Captures information on: • Compliance status • Current compliance, risk management and regulatory activities, e.g. audits, examinations • Trends / issues / risks identified • New privacy controls and safeguards and near-term planned activities • Top 5 (self-identified) privacy risks including documentation of corresponding controls and assessment of the net risk

  43. The Process • Semi-annual • Coordinated by the privacy office • Completed by privacy / compliance officers in business units with access to personal information – input from operations • Reviewed by business unit heads • Certification required • Takes about 3 weeks at the business level

  44. The Process • Analyzed by the Privacy Office • Consolidated report prepared for the CPO • Summary reported to Canadian senior management and enterprise risk management committee • Material issues escalated to executives and shared with control functions – Internal Audit, Compliance and Risk management

  45. Lessons Learned • A good way to know what is going on in the business • Effective way to keep Privacy on the radar screen • Testing a necessity • Perception of risk differs • There is no such thing as too much awareness – training needs to be on-going • Front-line workers have the least time for training but have most access to customer information • Less formal but more frequent awareness campaign may be more effective than formal training course • Authentication a constant struggle between good customer experience and good privacy protection

  46. Privacy Risk Assessment Tool • Based on Generally Accepted Privacy Principles developed by CICA and AICPA • A privacy framework to help organizations develop and assess their privacy program and privacy risk • Excel based • Allows up to 10 assessors www.cica.ca/privacy

  47. Generally Accepted Privacy Principles Management Notice Choice & Consent Collection Use & Retention Access Disclosure to Third Parties Security for Privacy Quality Monitoring & Enforcement

  48. The Benefits of GAPP • Comprehensive • Framework of over 60 measurable and relevant criteria • Objective • Developed by the auditing profession to • Address international expectations • Create a basis for comparability • Universally available at no charge • Relevant • Widespread use and recognition • Applicable for evaluating privacy risk enterprise-wide • Recognized as suitable criteria for a privacy audit • Can also be the basis for an internal assessment

  49. Scoring Input Template

  50. Scoring Summary
