privacy n.
Skip this Video
Loading SlideShow in 5 Seconds..
Privacy PowerPoint Presentation
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 34

Privacy - PowerPoint PPT Presentation

  • Uploaded on

Privacy. Marilyn Prosch , Ph.D., CIPP Arizona State University W.P. Carey School of Business Department of Information Systems Member AICPA/CICA Privacy Task Force. IS PRIVACY REALLY ALL THAT BIG OF A PROBLEM?. Data Breaches: Where is the Horse?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript


Marilyn Prosch, Ph.D., CIPP

Arizona State University

W.P. Carey School of Business

Department of Information Systems

Member AICPA/CICA Privacy Task Force

data breaches where is the horse
Data Breaches: Where is the Horse?

Some of the reported incidents that have recently occurred.


Univ. of Pittsburgh, Med. Center

Manhattan Veteran's Affairs Medical Center &

New York Harbor Health Care System

Beaumont Hospital

St. Rita's Medical Center

Swedish Medical Center

Univ. Calif. Irvine Medical Center

Sisters of St. Francis Health Services

via Advanced Receivables Strategy

Baystate Medical Center

DCH Health Systems

Baylor Health Care System Inc.

Mercy Medical Center

Cedars-Sinai Medical Center

Group Health Cooperative Health Care System

Southwest Medical Association

Johns Hopkins Hospital

Allina Hospitals and Clinics

CBIZ Medical Management Professionals

Prudential Financial Inc.

Wuesthoff Medical Center

Northeast Orthopaedics

DePaul Medical Center

Beacon Medical Services

Massachusetts General Hospital

Seton Healthcare Network

University of Pittsburgh Medical Center

Christus Health Care

Kaiser Medical Center

St. Anthony Central Hospital

McAlester Clinic

& Veteran's Affairs Medical Center

Bue Cross/Blue Shield

Akron Children's Hospital

Highland Hospital

Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems

Back and Joint Institute of Texas

Cleveland Clinic

Gulf Coast Medical Center

Jacobs Neurological Institute

Erlanger Health System

Westerly Hospital

Parkland Memorial Hospital

Deaconess Hospital

CVS Pharmacies

Palo Alto Medical Foundation

WellPoint's Anthem

Blue Cross Blue Shield

Health Resources, Inc.

Moses Cone Hospital

Kanawha-Charleston Health Dept.

South County Hospital

Kaiser Permanente Colorado

Harris County Hospital

Providence Alaska Medical Center

Concord Hospital

Swedish Urology Group

Stevens Hospital

via billing company Med Data

Intermountain Health Care

Gundersen Lutheran Medical Center

Catskill Regional Medical Center

New Hampshire Dept. of HS

St. Mary's Hospital, MD

WorkCare Orem

North Carolina Dept. of HHS

St. Vincent Hospital

Womancare Inc.

Sky Lakes Medical Center

via Verus Inc

Mary Washington Hospital

Wellpoint's Empire Blue Cross/

Blue Shield NY

Grady Memorial Hospital

Segal Group of New York

via web site of Vermont agency

New Hampshire's Lakes Region General Hospital

Peninsula Orthopaedic Associates

Healing Hands Chiropractic

Georgia Dept. of Community Health


Some of the causes!

A Blackberry containing patient information was stolen from the hospital.

The Blackberry contained an email message that included patient information,

such as Social Security numbers, dates of birth and medical histories. 3,200 people affected

Laptop stolen from an employee's car. 14,000 people affected

Laptop stolen from an employee's car. 9,300 people affected

Office broken into and computer stolen. Unknown people affected

Office broken into and laptop stolen. 1,000 people affected

Tapes stolen while in transit. 100,000 people affected

Paper-based records left on a train by an employee. 56 people affected

Child welfare worker’s records ended up with a local TV station. The files, which included names,

Social Security numbers, contact information and details on child abuse investigations, reportedly

were left behind when a DHS worker was evicted from a rent house.

Paper based records stolen from an employee's car. 242 people affected

Records posted on the Internet. The records appeared on a Web site, which was a defunct

company in India. 1,000 people affected

Documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters.

Unknown people affected

A woman was fired for allegedly spying. The employee had access to company files. 431 people affected

Medical records were improperly disposed of when left in a dumpster behind the office.


21st Century Challenge

Getting the Horse

Back in the Barn

privacy aicpa cica definition
  • PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
    • Collection
    • Use
    • Disclosure, and
    • Retention

…of personal information.

security as it relates to privacy
Security, as it relates to privacy
  • Security of processes and technologies is a necessary, but not sufficient, condition of privacy
last week virginia prescription monitoring program drug database hacked
Last week – Virginia Prescription Monitoring Program drug database hacked
  • Data hijackers deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records.
  • The database of prescriptions had been bundled into an encrypted, password-protected file and payment of the ransom would result in the password to decrypt.
  • Their backups seem to have gone missing, too.

  • With enterprise systems, personal information (PI) is commingled with accounting transactions
  • Much PI is part of accounting transaction data
  • Data has value and that “value” can be an asset or a liability
  • Good internal controls are a mechanism for protecting all “assets”
what is gapp1
  • Generally Accepted Privacy Principles
    • Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs.
aicpa cica generally accepted privacy principles
AICPA/CICA Generally Accepted Privacy Principles
  • Available for free download and use
  • 10 Principles of privacy and 66 criteria, (soon to have an additional 8 criteria with the new exposure draft is finished with the review process)
what are the principles
Management:The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.

4. Collection: The entity collects personal information only for the purposes identified in the notice.

5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

What are the Principles?
what are the principles1
6. Access: The entity provides individuals with access to their personal information for review and update.

7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).

9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

What are the Principles?
components of gapp



With Privacy Policies

and Procedures


and Systems


continuous improvement of gapp
Continuous improvement of GAPP
  • Major changes
  • Modification of 2 criteria
  • 8 new criteria
global privacy standard
Global Privacy Standard
  • Final version of the GPS was formally in the United Kingdom, on November 3, 2006, at the 28th International Data Protection Commissioners Conference
  • Championed and developed by Commissioner Ann Cavoukian, Ontario
  • 10 Principles
new red flag rules effective may 1 2009 postponed until 8 1 2009
New Red Flag Rules – effective may 1, 2009: Postponed until 8/1/2009
  • Require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. Originally effective May 1, 2009.
  • The program can be different, depending on the organization’s size and complexity.
  • Thus, a small physician practice might have a much different program than a large hospital.
  • Programs should include four basic points/steps, which could be covered under one or multiple policies.

4 required steps
4 Required Steps
  • Identify Common Red Flags
  • Detect Red Flags
  • Responses to Red Flags
  • Program Execution and Updates

what is the relationship of privacy and other more traditional areas of ais audit and assurance
What is the relationship of privacy and other more traditional areas of AIS, Audit, and assurance
the primary link to these 3 areas is
The primary link to these 3 areas is
  • effective internal controls!
  • GAPP provides tangible criteria that can be audited and about which assurances can be made.
3 tricks to getting horses back in the barn keeping them there
3 Tricks to getting horses back in the barn & keeping them there
  • Teach your horse that you are in control over him/her.
    • Corporate Culture towards the use and management of personal information will likely have to change. Who owns and controls the data?
  • Make it dang hard for the horse to do the wrong thing.
    • Implement privacy enhancing policies, procedures, and controls.
  • Ride a lot!
    • Test the use and management of your data frequently.
implications for ca cm research
Implications for CA/CM Research
  • Descriptive research:
    • What are companies actually doing?
    • Are they aware of the issues?
    • If so, how are they handling these issues?
    • Are they using some kind of data masking during these processes?
  • Normative research: How can we build privacy protection into processes?
    • Data tagging and masking
    • Data replication (logging)
    • Security around possession and handling
    • Data life and destruction techniques (poison pills)
further questions
Further Questions?