Managing Your Privacy Commitments An update on recent regulatory developments and how to effectively navigate them
February 2013
www.pwc.com
DRAFT – FOR DISCUSSION PURPOSES ONLY
PwC 2
Agenda
Introduction
1. Privacy Within the Enterprise
2. Regulatory Updates Affecting Privacy
3. Ensuring Compliance with Operating Models
4. The Role of Internal Audit
5. PwC’s Approach to Privacy
Introduction
Chris Clancy – Director, Bay Area Market Leader Data Protection & Privacy
• Specializing in privacy program strategy and development, risk and regulatory compliance, and data loss prevention.
• Ten years of experience with a mix of Fortune 500 organizations and “Big-4” accounting and consulting firms
• Privacy leader at Silicon Valley Bank
• National Privacy & Data Protection – Deloitte
• Internal Auditor at Fidelity National Financial
• Delivered a wide range of data protection projects including: Privacy Program Strategy, Implementing International Privacy Requirements, Providing Regulatory Compliance, IT Security Controls Rationalization, IT Internal Audit, Data Loss Prevention, and Data Classification
• Certified in industry leading privacy and security disciplines
• Certified Information Privacy Professional (CIPP/US)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
Privacy Within the Enterprise
What is Privacy?
There are numerous definitions for privacy, such as:
• The right to be left alone
• A fundamental human right of a person to make personal decisions regarding their own matters
• The right of people to lead their lives in a manner that is reasonably secluded from public scrutiny
What about information privacy?
• The ability of an individual or group to stop personal information about themselves from becoming known to people other than those they choose
Generally, there are three social concerns that drive the issue of privacy. These include individuals’ fears about:
• How data is used
• How data is protected
• Who is accountable
It is important to note that everyone views privacy differently, and this view can depend on individual characteristics such as generation and national origin.
Why is Privacy Protection Important?
• To earn and keep the public’s trust
• To prevent identity fraud and theft
• To prevent privacy incidents
• It’s the law!
Consequences of Violating Privacy Law
Organizations that do not adequately manage the risk of non-compliance with privacy laws and regulations may face the following:
• Negative brand impact
• Compliance with intrusive enforcement requirements
• Loss of shareholder value
• Violation of local laws
• Loss of confidence with data protection authorities
• Stoppages/delays imposed by regulatory bodies such as the Federal Trade Commission (FTC), Department of Commerce, International Data Protection Authorities, and others
• Potential additional legislation or regulations that will impose greater restrictions
No Single Legal Framework Exists Currently…
Currently there are no overarching privacy laws to govern privacy for financial services institutions in the U.S.
As such, companies must comply with a combination of industry/sector, state, and federal privacy laws based on:
• Types of business conducted
• Where business is conducted and where employees are located
• Where clients/customers are located
Sample Privacy Laws
• Gramm-Leach-Bliley Act (GLBA)
• Right to Financial Privacy Act
• HITRUST
• Health Insurance Portability and Accountability Act (HIPAA)
• State Social Security Number Protection Laws
• State Breach Notification Laws
Privacy Trends Domestically and Internationally (a.k.a. Cross-Border Compliance)
• APEC Privacy Principles
• U.S. states: numerous state laws, including breach notification laws in 46 states, from CA to NY
• India: Information Technology Act 2008
• European Union: EU Data Protection Directive and Member States’ data protection laws
• U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, PCI DSS
• China: pending local requirements; APEC Privacy Framework
Regulatory Updates Affecting Privacy
Children’s Online Privacy Protection Act (COPPA)
Overview
The COPPA Rule, 16 CFR Part 312 became effective on April 21, 2000.
Types of Information Protected
• Personal information of children under the age of 13
Who the law regulates
• “Operators”
Recent Updates
• The updated Rule contains references to modern technologies, which expands the definition of “operator” to include these service providers
• More activities are specifically permitted
• New forms of parental consent are also permitted
Updated December, 2012
Health Insurance Portability and Accountability Act (HIPAA)
Overview
• Privacy Rule
• Security Rule
Types of Information Protected
Protected Health Information (PHI) is information, including demographic data, that relates to:
Who the law regulates
• Health Plans
• Health Care Providers
• Health Care Clearinghouses
• “Business Associates”
Recent Updates
• The final rules’ effective date is March 26, 2013, and full compliance by covered entities and business associates is required 180 days later (by September 23, 2013)
• Genetic information
• Breach Notification
Updated January, 2013
European Union – Data Protection Directive (Updated January, 2012 – DRAFT ONLY)
Overview
• Directive 95/46/EC
• Each of the 26 member states has adopted this Directive in the form of national laws which, at minimum, must meet the standards within the Directive.
Types of Information Protected
‘Personal Data’ – any information relating to an identified or identifiable natural person (‘data subject’)
Who the law regulates
• “Data controllers”
Proposed Updates
• Explicit consent model
• Privacy by Design
• Right to be Forgotten
Other Related Updates
California
• California’s Attorney General, Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit
• Will be housed in the eCrime Unit of the California Department of Justice, will combine the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise
• JoAnne McNabb – Director
• Travis LeBlanc – Head of enforcement division
U.S. Federal – NIST SP 800-53 Rev. 4
• Highly referenced Information Security Framework
• Appendix J, Privacy Control Catalog, is a new addition intended to address the privacy needs of federal agencies
Ensuring Compliance with Operating Models
As Companies Expand and Change their Business/Operating Model…
What organizations are currently doing, and the related privacy considerations:
Expanding into new (global) markets
• What laws will I have to comply with?
• Will information reside in one country or be transferred between several countries?
• How should I protect any data I collect or transmit?
• Do I need to have different policies for different customers based on geographic location?
• How do I train and educate my employees to understand and comply with regulations for these new markets?
Off-shoring/outsourcing certain business functions to third parties across a variety of countries
• Who is responsible for complying with local/national laws?
• Will I need to comply with regulations enacted by the country my off-shoring firm is located in?
Expanding/creating new products for customers
• Am I allowed to monitor consumers’ purchasing habits?
• What data am I allowed to collect?
• What data am I allowed to share with outside parties?
Questions Arise About Privacy and Protecting Sensitive Data…
What companies are currently doing, and the related privacy considerations:
Targeting specific products to certain groups/sets of customers
• What data am I allowed to collect without consent to analyze customer behavior?
• Are there restrictions on how I can use certain information?
• How should I protect the data or customer information once I have it?
Providing excellent customer service based on personal attributes
• What data am I allowed to collect?
• For which data will I need to gain consent?
• What are my processes to ensure that I can pass an audit?
Having a Program In Place to Ensure Compliance
In the U.S., organizations are required to comply with numerous laws and regulations regarding the protection of consumer information. A comprehensive program is needed to address the myriad requirements. Its components:
• Governance
• Risk Assessment
• Privacy Processes & Controls
• Technical Security & Controls
• Training & Awareness
• Monitoring & Auditing
• Incident Response
Engage your Stakeholders
Privacy is a relatively new consideration within the Risk Management disciplines. As a result, the manner with which organizations address this risk could differ widely. Some of the typical stakeholders and associated privacy concerns are listed below:
Process Area – Privacy concern (examples)
• Legal: FTC complaints; Records Management
• Marketing: eCommerce initiatives; CRM; Social media campaigns
• Information Security: Audit findings; PCI readiness; Data breaches
• Internal Audit: Board or Audit Committee requests; Increasing the enterprise risk scope
• Compliance: HIPAA (healthcare), GLBA (financial); Regulatory examination
• Privacy Office: Governance structure; Operating privacy, how to “live” by the privacy policy
Focus on the Next Hot Topics and Privacy Trends
Topic – Trend
• Customer Perception: Customers are willing to provide personal information with the expectation of corporate safeguarding and accountability
• Privacy by Design: Privacy is embedded into new technologies and business practices from the outset
• Social Networking: Increasing new risks for organizations (e.g., security) and individuals (e.g., consumer privacy)
• Online Behavioral Advertising: Self-regulatory principles (e.g., transparency, consumer control and accountability)
• Legislative Activity: Congress and States are becoming increasingly active in developing legislation to address the changing privacy environment
• Active Players: Rising enforcement from the FTC and HHS-OCR, and increasing involvement by the Department of Commerce, Department of Justice, the Consumer Financial Protection Bureau, and State Attorneys General
Companies should be aware of the dynamic and changing privacy landscape in order to anticipate and prepare for future regulations.
The Role of Internal Audit
Privacy is a top-10 risk! Is privacy a top-10 risk or initiative at your organization?
[Chart: responses of 19%, 38% and 43%, with the categories (in the order shown on the slide) “Yes – top 5 risk”, “Yes – between risk #6 and #10” and “Not in the top 10”]
Source: PwC Data Protection and Privacy webcast, “Tomorrow’s Privacy – Balancing Commitments with Business Innovation” (Feb. 2012)
15 most-cited risks (risks generally not perceived as well managed)
• Economic uncertainty
• Regulations and government policies
• Competition
• Financial markets
• Data privacy and security
• Talent and labor
• Reputation and brand
• Commercial market shifts
• Energy and commodity costs
• Government spending/taxation
• New product introductions
• Fraud and ethics
• Business continuity
• Mergers, acquisitions, and JVs
• Large program risk
Only 45% are comfortable with how well their critical risks are being managed
Source: PwC’s 2012 State of the Internal Audit Profession Study
Three Lines of Defense
Management
• Reporting/organizational structure
• Ownership, responsibility and accountability
Risk management and compliance functions
• Facilitate and monitor the implementation of effective risk management practices
Internal audit
• Provides objective assurance to board and executive management
The role of internal audit
• Keep the Audit Committee aware of emerging security and privacy risks
• Identify exposures in the organization, and help discover possible solutions
• Embed yourself in key activities that support the implementation of new business processes, products or information systems (i.e., privacy by design)
• Regular and specialty audits of data protection controls
Common Barriers to Success
• A mindset that believes adequate controls are already in place
• Cost
• Low expectations
• Fragmented responsibilities
What kinds of questions should you be asking?
Understanding Company Governance & Awareness
• What are the company’s privacy commitments? Think about relevant regulations, employment agreements and business partner contracts.
• What is the operational culture of the company, and what is the philosophy regarding information security and privacy?
• Who leads the efforts for privacy and/or information security (e.g., Steering Committee)?
Understanding sensitive data
• What sensitive data do you have that needs to be protected?
• Does a data or systems inventory exist?
Understanding threats
• Has your data been exposed – and would you know if it were?
• Do you know what breach indicators you should be monitoring?
What kinds of questions should you be asking?
Building protections
• Has the company established formal governance and controls to protect sensitive data?
• Are the controls and safeguards periodically tested?
• Have the controls and safeguards been updated to respond to changing business models?
Responding to incidents
• Are you prepared to respond to legal actions regarding privacy complaints?
• If a regulator were to inquire or investigate the company, would the company be prepared to respond?
• Has the company established formal plans to respond to privacy incidents when they occur?
PwC’s Approach to Privacy
Data protection & privacy
How we enable, from assisting with strategy definition, to providing assurance
Envision
• Develop Vision: Where do you want to go, and what does it look like when you get there?
• Understand Current State: Where are you today?
• Develop Roadmap: How do you get from here to there, efficiently?
Design & Build
• Design Program: Set up the program, and the governance of the function, in line with your culture and requirements.
• Design Privacy Process: Define the services that the privacy program will deliver to the organization and how they will be delivered.
Implement
• Implement Program: Transition the design into production. Adjust as necessary.
• Implement Privacy Process: Roll out / implement privacy services.
Operate
• Operate Program: Operate elements of the program, such as governance, risk management and reporting.
• Operate Privacy Process: Operate elements of the privacy program, such as assessing the privacy controls in place at key vendors.
Review & Assure
• Review: Assist management to confirm the effective operation of their privacy program, or certain elements of it.
• Assure: Provide external assurance, through reports such as SSAE16, SOC2, HITRUST, and others.
PwC brings global experience to the table
Understanding technology, the regulatory maze, risk management and control development and assurance is our core strength. Our team is highly experienced in providing data protection and privacy related services.
Using a scalable, risk-based approach, we’ll help you determine what needs to be secured and how to do it, by performing services such as:
• Providing attest reporting to a regulatory body such as the Federal Trade Commission (FTC) or Office for Civil Rights (OCR).
• Developing data protection strategies that align with and support your broader business plans.
• Creating a blueprint for cost-effective regulatory compliance.
• Positioning you to reap the benefits of new technology and avoid the risks.
Contact: Chris Clancy Director, San Jose [email protected] (408) 817-8273
Aaron Weller Managing Director, Seattle [email protected] (206) 398-3497
Questions??
© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.