Canadian Institute of Chartered Accountants
Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program

IAPP Canadian Privacy Summit, May 2008
Cost of a Breach

$197 per compromised record

Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007
          Why Self-Assess?
• Identify weaknesses and opportunities
   – Correct weaknesses before a breach occurs

• Benchmarking
  – Current state vs. desired state

• Demonstrates privacy compliance with
  stakeholders
   – Management / Board of Directors
   – Employees / Customers
   – Regulators / Privacy commissioners
What You’ll Learn This Hour
• Office of the Privacy Commissioner of Canada
  – Auditing for privacy and guidance for best privacy practices
• Sun Life Assurance Co of Canada
  – How they conducted their own self-assessment and lessons learned
• CICA
  – Privacy Risk Assessment Tool
Office of the Privacy Commissioner of Canada

Assessing Privacy Management
IAPP, Toronto
May 22, 2008

Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada
        Jennifer Stoddart
Privacy Commissioner of Canada




This Presentation
• Overview of OPC
• Privacy environment
• OPC audit & review
• PIPEDA self-assessing tool




Warm Up

P+S = 0? or P+S = 1?
P-S = 300 million



About the OPC
Office of the Privacy Commissioner of Canada
• Protect & promote privacy rights of individuals
• Oversee compliance with two Acts
• Independent Officer of Parliament
• Multi-faceted ombudsman role
• Responsible for promoting good management of personal information by organizations, both public and private.
• Visit www.privcom.gc.ca

OPC Audit & Review Mandate
• Section 36(1) of the Privacy Act – to investigate exempt data banks.
• Section 37(1) of the Privacy Act – review of compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
• TB Policy – Privacy Impact Assessment Reviews
• Section 18(1) PIPEDA – with reasonable notice, time and on reasonable grounds to believe contravention – audit the PI management practices of an organization. Private sector audit universe.



Audit & Review Branch
• We do audits and privacy impact assessment reviews – with a purpose.
• To conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.
• Building capacity – now 9 growing to 19. Budget increased to $1.7m (from $896K).
A Definition of Privacy Auditing

“Privacy auditing” (in our context) can be
 defined as a systematic examination of control
 and accountability for the life cycle management
 of personal information – consistent with “fair
 information principles”. It can also be viewed as
 assessment of the means employed by
 organizations to manage privacy risks. Using a
 “systems” approach, any particular audit under
 the Privacy Act or the Personal Information and
 Electronic Documents Act would be designed to
 address one or more of the following basic
 questions – depending on the scope of audit.
Privacy management in context



             Privacy Environment Today




                       Toronto - 1907




            Ubiquitous Computing




A New Universe - World Connected




Technology – no limits/bounds




No Shortage of Privacy Challenges
• Post 9/11 – increased emphasis on information sharing for security purposes
• Trans-border data flow
• Outsourcing activities
• Protecting one’s actual persona in an age of information expansion-integration
  – Data consolidation-mining-matching-resale
  – Behavioral profiling and target advertising
• Biometrics
• Increased surveillance (in many forms – visual and data)
• Internet – Web2 – Wireless communication (generation shift)
• Identity theft – loss/theft of PI
• Privacy breaches
Public increasingly concerned




Some days we feel a little
overwhelmed




Privacy Breaches
• The number one issue raised in submissions on PIPEDA review was data breach
• Seems not a day without one
• How many actually happen compared to ones known about?
ID Theft – solutions?
• Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites – $2,500 civil penalty. Ostergren story.
• Canada introducing ID theft legislation – C27.
• Informing people on how to protect themselves.
                     Privacy Breaches
Industry Canada Policy Objectives:
1. Encourage better data security practices and
   better understand the link between current
   practices and data losses.
2. Reduce public concern about data breaches
   and increase confidence in the electronic
   marketplace and online commerce
3. Ensure that individuals obtain the information
   necessary to take steps to mitigate harm
   resulting from a breach of their personal
   information.
Why do breaches happen?
• An accident – one-off thing?
• Function of:
  – Culture
  – Flawed systems and procedures?
• Likely that the resources invested to prevent a breach, i.e. protect personal information, would depend on the extent to which management believes they can “afford” a breach – function of risk management.
• Privacy breach protocol is a key element of a privacy management program/framework.


What about data security?
• “Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems.” GAO, March 12, 2008, GAO-08-571T
• OAG Canada has reported concerns about information security among federal departments and agencies.
• OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as private sector.



Keeping privacy healthy




How privacy management “friendly” is your organization?
1. How does your organization view privacy – what’s the culture?
2. Is privacy on the agenda/radar of Senior Management?
3. How’s your PMF? Do you have one – can you articulate it?
4. Do you have a handle on what personal information you hold, why you collect it and what you do with it?
5. Do you have a privacy training program?
6. How’s your CPO Shop? Is it sufficiently resourced/does it have capacity to do what it should? Is it a marginal or a key player?
7. Do you track privacy breaches and have responsive mechanisms?
8. When you introduce/change business lines or systems – do you do a privacy impact assessment (including TRA) beforehand, and then do you use it?
9. You have policy – that’s good – but is it just “words on paper”? How do you know it’s followed/supported?
   – Does your internal audit function consider privacy issues/risks?
   – When did your organization last do a privacy practices check-up?
   – In what ways is managing for privacy part of a manager’s performance agreement and evaluation?



OPC Self-assessment tool
• A compliance guide and a diagnostic tool we expect to make public by July 08.
• A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA
• Framework of principles and criteria
• A guide – series of must, should, may by each Principle.
• Diagnostic tool – checklists, means of interpretation and action determination.
Self-Assessment Checklists (number of questions per principle)
P1  Accountability                          23 Qs
P2  Identifying Purpose                      9 Qs
P3  Consent                                  9 Qs
P4  Limiting Collection                      6 Qs
P5  Limiting Use, Disclosure, Retention      5 Qs
P6  Accuracy                                 6 Qs
P7  Safeguards                               8 Qs
P8  Openness                                 6 Qs
P9  Individual Access                       15 Qs
P10 Challenging Compliance                   5 Qs

Sample checklist – Principle 1: Accountability
Columns: Statement | Assessment (Met / Not Met / Partly Met) | Evidence | Actions
Statements:
• You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
• You have clearly delineated who, within your organization, is responsible for privacy governance and management.
• You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.


Evaluating
• Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas.
• Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.

                                Maturity
A mature privacy management
program/framework is characterized by
due diligence and documentation of risk
acceptance or mitigation decisions which
should help set priorities for remedial
action and define a realistic timeline for
completion.

A Privacy Program Maturity Scale
• Level 1 – Non-existent/seriously underdeveloped
• Level 2 – Early stages of development
• Level 3 – Advanced – requirements mostly met – improvements possible
• Level 4 – Fully developed – requirements mostly met with only minor or no adjustments needed
Likelihood of Occurrence
Level  Descriptor       Description
5      Almost Certain   Event occurs regularly here.
4      Likely           Event has occurred here more than once, or is occurring to others in similar circumstances.
3      Moderate         Event has occurred here before, or has been observed in similar circumstances.
2      Unlikely         Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1      Rare             Event has almost never been observed; it may occur only in exceptional circumstances.
Impact
Level  Descriptor   Description
5      Extreme      A major event with the potential to lead to long-term damage to an organization’s ability to meet its objectives.
4      Very High    A critical event, which with proper management, can be endured by the organization.
3      Medium       A significant event that can be managed under normal circumstances by the organization.
2      Low          An event where consequences can be absorbed, but management effort is required to minimize the impact.
1      Negligible   An event, the consequences of which can be absorbed through normal activity.
Heat Mapping

[Figure: heat map plotting Impact (Negligible, Low, Medium, Very High, Extreme) against Likelihood (Rare, Unlikely, Moderate, Likely, Almost Certain); marked “For Illustrative Purposes Only”.]

Keeping Privacy Healthy
• Focus on privacy principles
• Value privacy as a credential and not just a compliance requirement – treat personal information as a key asset to be safeguarded as well as any other
• Systematic approach to privacy risk management
• Better legislative and regulatory frameworks
• Robust privacy management framework
• Strong IT control, especially for identification and authentication
• Privacy checkups
• Be a privacy guardian... why...
Privacy Matters

Fundamental Human Right
Rights against arbitrary intrusion – freedom from unreasonable search and seizure. Right to protect personal information.
Privacy matters because it’s about the kind of society we want – the relationship we have with government, business and among ourselves.

                              Thank You

                           Questions?

                       www.privcom.gc.ca
                        1-800-282-1376

                Trevor R. Shaw, CA CMC
          A/Director General - Audit and Review
                      613-996-2252
Privacy Self-Assessment




           David T Shuen, MBA, LL.B., CIPP/C
           VP, Chief Compliance Officer
           Canadian Operations
           Sun Life Financial
Objectives of the Self-Assessment

• Governance
  – Update and document compliance status
  – Obtain evidence of management due diligence
  – Input for compliance testing
• Risk Management
  – Identify trends and systemic control weakness
  – Identify emerging issues and risks
  – Input for control measures development
  – Maintain awareness
The Self-Assessment

• Developed in-house by our privacy team with input from our Privacy Advisory Committee.
• Contains 37 questions based on the Fair Information Principles.
• Captures information on:
  – Compliance status
  – Current compliance, risk management and regulatory activities, e.g. audits, examinations
  – Trends / issues / risks identified
  – New privacy controls and safeguards and near-term planned activities
  – Top 5 (self-identified) privacy risks including documentation of corresponding controls and assessment of the net risk
The Process

• Semi-annual
• Coordinated by the privacy office
• Completed by privacy / compliance officers in business units with access to personal information – input from operations
• Reviewed by business unit heads
• Certification required
• Takes about 3 weeks at the business level
The Process (continued)

• Analyzed by the Privacy Office
• Consolidated report prepared for the CPO
• Summary reported to Canadian senior management and enterprise risk management committee
• Material issues escalated to executives and shared with control functions – Internal Audit, Compliance and Risk Management
Lessons Learned

• A good way to know what is going on in the business
• Effective way to keep Privacy on the radar screen
• Testing a necessity
  – Perception of risk differs
• There is no such thing as too much awareness – training needs to be on-going
  – Front-line workers have the least time for training but have most access to customer information
  – Less formal but more frequent awareness campaign may be more effective than formal training course
• Authentication a constant struggle between good customer experience and good privacy protection
 Privacy Risk Assessment Tool

• Based on Generally Accepted Privacy
  Principles developed by CICA and AICPA
  –   A privacy framework to help organizations
      develop and assess their privacy program and
      privacy risk
• Excel based
• Allows up to 10 assessors


www.cica.ca/privacy
Generally Accepted Privacy Principles

• Management
• Notice
• Choice & Consent
• Collection
• Use & Retention
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring & Enforcement
       The Benefits of GAPP
• Comprehensive
   –   Framework of over 60 measurable and relevant criteria
• Objective
   –   Developed by the auditing profession to
        • Address international expectations
        • Create a basis for comparability
        • Universally available at no charge

• Relevant
   –   Widespread use and recognition
   –   Applicable for evaluating privacy risk enterprise-wide
• Recognized as suitable criteria for a privacy audit
   –   Can also be the basis for an internal assessment
Scoring Input Template (GAPP – 66 criteria)
Columns: Criterion | Criteria Description | Likelihood of a Control Failure | Business Impact | Effort/Cost to Mitigate

MANAGEMENT (10 criteria)

Privacy Policies (1.1.0)
Description: Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement.
Likelihood of a control failure: 2   Business impact: 5   Effort/cost to mitigate: 8

Communications to Internal Personnel (1.1.1)
Description: Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved.
Likelihood of a control failure: 2   Business impact: 5   Effort/cost to mitigate: 8
Scoring Summary (GAPP – 10 principles)
Principle                 Likelihood of a Control Failure   Business Impact   Size of Marker (Cost to Mitigate)
MANAGEMENT                2.3                               2.3               2.6
NOTICE                    4.6                               3.9               4.7
CHOICE / CONSENT          5.0                               8.0               4.6
COLLECTION                4.3                               2.8               4.0
USE / RETENTION           5.0                               5.0               5.0
ACCESS                    5.8                               5.0               6.5
DISCLOSURE                3.4                               5.6               3.0
SECURITY                  7.0                               8.0               6.7
QUALITY                   5.5                               7.5               8.0
MONITORING / ENFORCEMENT  3.0                               4.0               3.0
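The two scoring slides above and the OPC likelihood and impact scales earlier in the deck describe the same mechanic: each criterion is rated, the ratings are rolled up per principle, and likelihood against impact places the item on a heat map. The following Python is an added example written for this page; it is not the CICA Excel tool, the OPC diagnostic tool, or Sun Life's questionnaire. It assumes the OPC 1-5 descriptors for likelihood and impact, an assumed 1-5 scale for effort/cost to mitigate, per-principle figures computed as the mean of their criteria (the deck does not say how the summary is derived), and heat-map bands with cut-offs constructed here (the deck's heat map is marked for illustrative purposes only and gives none). The criteria references 1.1.0 and 1.1.1 come from the page; the other sample criteria and all ratings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Descriptors copied from the OPC likelihood-of-occurrence and impact scales.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Low", 3: "Medium", 4: "Very High", 5: "Extreme"}


@dataclass(frozen=True)
class Criterion:
    principle: str           # GAPP principle the criterion belongs to
    ref: str                 # criterion reference / short description
    likelihood: int          # 1-5, OPC likelihood scale (likelihood of a control failure)
    impact: int              # 1-5, OPC impact scale (business impact)
    effort_to_mitigate: int  # 1-5, assumed scale for the effort/cost-to-mitigate column


def validate(c: Criterion) -> Criterion:
    """Reject ratings outside the 1-5 scales before they distort the roll-up."""
    for name in ("likelihood", "impact", "effort_to_mitigate"):
        v = getattr(c, name)
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"{c.ref}: {name}={v!r} is not on the 1-5 scale")
    return c


def risk_score(c: Criterion) -> int:
    """Likelihood x impact: the cell the criterion occupies on the heat map (1..25)."""
    return c.likelihood * c.impact


def heat_band(likelihood: int, impact: int) -> str:
    """Name the heat-map region for a cell. Cut-offs are constructed for this example."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def describe(c: Criterion) -> str:
    """Human-readable line using the OPC descriptors, e.g. 'Likely / Extreme -> High'."""
    return f"{c.ref}: {LIKELIHOOD[c.likelihood]} / {IMPACT[c.impact]} -> {heat_band(c.likelihood, c.impact)}"


def summarize(criteria) -> dict:
    """Roll criteria up to principle level, as the Scoring Summary slide does.
    Assumed: a principle's figure is the mean of its criteria, rounded to one decimal."""
    groups = defaultdict(list)
    for c in criteria:
        groups[c.principle].append(validate(c))
    return {
        p: {
            "criteria": len(cs),
            "likelihood": round(sum(c.likelihood for c in cs) / len(cs), 1),
            "impact": round(sum(c.impact for c in cs) / len(cs), 1),
            "effort_to_mitigate": round(sum(c.effort_to_mitigate for c in cs) / len(cs), 1),
        }
        for p, cs in groups.items()
    }


def prioritize(criteria) -> list:
    """Remediation order: highest risk first; among equal risk, the cheapest fix first."""
    return sorted((validate(c) for c in criteria),
                  key=lambda c: (-risk_score(c), c.effort_to_mitigate))


# Constructed sample input. Refs 1.1.0 and 1.1.1 are GAPP criteria named on the page;
# the remaining criteria and every rating are made up for this example.
SAMPLE = [
    Criterion("Management", "1.1.0 Privacy policies", 2, 5, 4),
    Criterion("Management", "1.1.1 Communications to internal personnel", 2, 5, 4),
    Criterion("Security", "Security criterion A (constructed)", 4, 5, 3),
    Criterion("Security", "Security criterion B (constructed)", 3, 4, 2),
    Criterion("Access", "Access criterion A (constructed)", 3, 3, 5),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE):
        print(describe(c))
    for principle, row in summarize(SAMPLE).items():
        print(f"{principle:<12} {row}")
```

Keeping the scale check in one place (`validate`) matters more than it looks: with up to 10 assessors feeding the sheet, a single out-of-range entry silently shifts a principle's average and its position on the map. The priority sort encodes the point the evaluation slide makes, that the aim is to put remediation effort in the right areas, by ranking on risk first and cost second rather than on cost alone.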
             Contact Info
www.cica.ca/privacy


Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development
CICA

(416) 204-3251
nicholas.cheung@cica.ca
Questions?

posted:6/30/2012
language:English
pages:53