Using Safe Harbor to Develop an Integrated, Global Assessment Approach August 20, 2008. Lael Bellamy, Chief Counsel - IT, IP & Privacy ING Americas (formerly with The Home Depot) Laurie Smaldon, CIPP, Manager, Privacy and Identity Theft Practice, PricewaterhouseCoopers LLP.
Safe Harbor Certification Overview
2. Choice. The policy will also cover areas where consent, permission, data use limitations/opt-out strategies and special treatment for "Sensitive Personal Data" are applicable.
3, 4 & 5. Access, data integrity and enforcement. The policy also addresses other areas related to existing processes or controls, if applicable, to meet Access, Data Integrity and Enforcement requirements needed to cover a Safe Harbor election.
(i) applicable systems, applications and databases that will be subject to the Safe Harbor certification,
(ii) data elements being used and maintained in such systems, applications and databases, and
(iii) any internal and external transfers of the data.
Integrated Assessment Approach
Pulling it all together:
An Integrated Approach
The trend is to search for common requirements and points of leverage.
Common Vulnerabilities and Practices that can Compromise Sensitive Data
Third-party vendor handling and transfers;
Improper access or broad access controls;
Paper handling and dumpster diving;
Phishing, web/email vulnerabilities;
Mobile and home-based workforce;
Call centers and social engineering;
Use of personal information in authentication processes with customers (online, phone, fax);
Peer-to-peer networks (iPods, etc.);
Collecting/using SSNs and personal info; and
Key Benefits – Case Study
Safe Harbor & Ongoing Privacy Assessment