As technology proliferates, the amount of personal information collected, used, stored, transferred, and disposed by organizations increases. In turn, the risk that data will be breached at some point along the information lifecycle increases. Over the past few years, several laws and regulations have been enacted to encourage organizations to address these risks.

Business Drivers

Beyond legal compliance, a number of business drivers exist for implementing a strong program for data protection and privacy. A recent study found that information privacy and security breaches can cost companies an average of $182 per compromised record, a 31 percent increase from 2005. If that sounds like pocket change, let's consider the big picture. A typical information breach will cost an organization $4.8 million, and possibly as much as $22 million to remediate. If we combine this research with data from the nonprofit Privacy Rights Clearinghouse and Attrition.org's Data Loss Database, the impact on the business community was just over $9 billion in 2006. And we're off to a running start in 2007, with about $10.9 billion of economic loss from breaches of almost 60 million records in the first quarter alone.

None of this captures the reputational loss and market capitalization impact of these data breaches. Failing to manage information effectively can affect customer acquisition and retention, employee morale, business reputation, and the bottom line.

I should also note that the likelihood that consumers and the public will be made aware of data breaches has increased over the past decade with the advent of state disclosure statutes. At least 35 states have enacted legislation requiring companies and government agencies to disclose security breaches involving personal information, a trend led by the state of California (see sidebar).

And by the way, 92 percent of individuals blame the organization, rather than the culprit who actually committed the act, when a data breach occurs. So once the news breaks, there goes your reputation. Convinced?

Privacy And Security Go Hand-In-Hand

To put all of this in context, privacy is really a subset of the larger “information management” challenge that all organizations face. This includes whether enterprise information is accurate, complete, relevant, and timely, and whether information is available to the people who need it when they need it. Further, privacy is considered by some to be a subset of the more general “information security” challenge. An emerging adage, “You can have good security without good privacy, but you cannot have good privacy without good security,” is dead-on. As such, a strong security program must work hand-in-hand with your privacy program.

For example, an organization could implement the best policies and procedures to ensure that customer information is kept private, but it can still be at risk if the general IT environment is not secure. At the risk of being cliché, a privacy program is only as strong as its weakest link.

Frameworks, Frameworks, Frameworks

In the areas of information security and privacy, there are almost too many frameworks to choose from. The list below is not all-inclusive:

ISO 17799:2005, ISO 27001:2005, and BS 7799-3:2006 are international standards focusing on information security management. Often overlooked ISO standards that are helpful to review in this context are ISO 13335, which deals with network security, and ISO 15408, which deals with the “Common Criteria” against which system security can be evaluated.

NIST 800-100, Information Security Handbook: A Guide for Managers, is an excellent resource published by the U.S. Department of Commerce's National Institute of Standards and Technology. It summarizes and puts in context the related guides NIST 800-53, NIST 800-55, and other NIST documents that focus on IT security.

Australian Standards, including Security Risk Management Handbook HB167:2006 (to be used in conjunction with AS/NZ 4360:2004).

Information Security Management Maturity Model (ISM3) extends ISO 9001 quality management principles to information security management systems.

The Information Security Forum Standard of Good Practice is a detailed document that lists best practices for information security.

The Information Technology Infrastructure Library (ITIL) is a framework of best practices to facilitate the delivery of high-quality IT services and is maintained by the United Kingdom's Office of Government Commerce. A key process area is security management. The ISO/IEC 20000 series is a related standard that allows an organization's IT service management to be audited and certified by third parties. COBIT provides a high-level “IT governance” framework that can be used by IT departments and IT auditors.

The PCI Data Security Standard is maintained by the PCI Security Standards Council, which was established by American Express, Discover Financial, JCB, MasterCard Worldwide, and Visa International. While it is specific to payments processing, it provides a solid base for general data security.

The “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” published by the Organization for Economic Cooperation and Development (OECD), and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

The International Labor Organization's guidelines and various state regulations also provide standards that offer guidance around how employee data should be handled.

One of the stronger frameworks is the Generally Accepted Privacy Principles (or as I like to call it, “the other GAPP”) developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. This framework borrows from the OECD and APEC guidelines as well as the Federal Trade Commission's Fair Information Practices.

GLOBAL LAWS

Below is an overview of global data protection laws, adapted from a Mortgage Bankers Association white paper.

Nearly 50 countries have data protection laws, and many of them conflict with one another or require specific security measures or certifications. Other countries have no privacy laws at all. Here are a few:

North America

The United States has several state and federal statutes protecting data. At a federal level, HIPAA, the Financial Services Modernization Act (Gramm-Leach-Bliley), and the Sarbanes-Oxley Act all contain provisions that impact how information is managed. In addition, there are several bills introduced in 2006, still awaiting debate, including the Federal Agency Data Breach Notification Act, the Personal Data Privacy and Security Act of 2007 (Senate 495), and the Data Accountability and Trust Act (H.R. 958). At least 35 states have enacted legislation requiring companies and government agencies to disclose security breaches involving personal information, most notably California's 1798.80 and Illinois 530.

Canada has two federal privacy laws. The Privacy Act of 1983 regulates the privacy practices of the federal government. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private sector organizations and covers all phases of the information lifecycle. Most provinces have enacted private sector legislation that is substantially similar to PIPEDA.

European Union

EU data protection law has its roots in human rights treaties and national constitutions. In 1983, the German Federal Constitutional Court recognized a “right to informational self-determination” and set the stage for several European treaties. The EU was also the first legal system in the world to produce a comprehensive omnibus approach to privacy and data protection. Currently, the data protection regime is covered by:

Data Protection Directive (General Directive) of 1995.

The Directive on Privacy and Electronic Communications covers telecommunications, faxes, e-mail, the Internet, and similar services. This directive also addresses “opt-in” and “opt-out” rules for marketing communications.

The Data Retention Directive (effective September 15, 2007) requires providers of electronic communications to retain certain data (e.g., web traffic data) for law enforcement and national security purposes.

Asia Pacific

Australia has several federal statutes and some State and Territorial laws that address privacy and data protection. The principal federal statute is the Privacy Act of 1988, which instantiates the Organization for Economic Cooperation and Development (OECD) Guidelines. In addition, the National Privacy Principles (NPPs) were enacted in December 2001, and they elaborate on the Privacy Act.

Hong Kong enacted the Personal Data Privacy Ordinance (PDPO) in 1996. The PDPO also flows from the OECD Guidelines but does not apply to the People's Republic of China government agencies located in Hong Kong.

India, like the United States, does not have a universal data protection law. In fact, a search for “data protection” or “privacy” on the website of the Department of Information Technology of the Ministry of Communications and Information Technology (the department that handles these issues) yields no results. There are a few provisions in the Information Technology Act of 2000, but they deal primarily with systems security rather than privacy. Most data protection issues are covered in sector-specific regulations such as the Public Financial Institutes Act of 1993. Given the degree of information processing outsourcing, it is not surprising that there is substantial political pressure to shore up data protection laws.

Japan has an omnibus Personal Information Protection Act (PIPA) of 2005 that covers the public sector, as well as various industry regulations that cover the private sector (e.g., the Financial Services Agency Guidelines for Personal Information Protection for the Financial Sector).

South Korea, like Japan, has one act that covers the public sector and several industry-specific laws. In 2005, South Korea contemplated enacting the Personal Information Protection Act, but it failed to pass.

The People's Republic of China is currently considering data protection legislation. A narrower law addressing spam, the Chinese Ministry of Information Industry's Measures for the Administration of Internet E-Services, was enacted in early 2006. However, this law is constrained to e-mail communications.

Singapore has officially “reviewed” the need for universal data protection legislation for the past 13 years. In the meantime, the National Internet Advisory Committee proposed the Model Data Protection Code (MDPC) for the Private Sector, which was implemented by the National Trust Council in 2003. The MDPC is voluntary. Like most nations, Singapore also has banking regulations that govern the use of financial information. The Monetary Authority of Singapore issued “Know Your Customer” guidelines in 1998.

Source

Adapted from "Privacy Primer: An Overview of Global Data Protection" (Mortgage Bankers Association; Feb. 6, 2007)

I find that most of these frameworks, standards, and guidelines are complementary, but they lack actionable practices. Thus, they tend to be excellent guides and checklists rather than implementation blueprints. Most organizations will have to “operationalize” these frameworks to suit their needs. To put it more plainly, don't get too tied in knots deciding which framework to use. All of them are good, and all of them will help improve some aspect of your program. My suggestion is that you do a little research, find the one (or three) that seem most logical, and get to work. Over time, you can augment your program with practices or ideas from the others.

What Should We Protect?

While customer information is the data most commonly breached, an organization should be careful to protect both of these major categories of information:

Customer Information. Non-public information about customers, including Social Security numbers, birth dates, phone numbers, addresses, ethnicity, sexual preference, citizenship, physical characteristics, political opinions, trade union membership, email addresses, driver's license numbers, order history, personal preferences, mother's maiden name, account numbers, credit card numbers, credit rating, credit history, account balances, bank account numbers, income data, payment data, expiration dates and confirmation codes, biometric data, DNA profile, digital signature, and so forth.

Employee Information. Nonpublic information, including the above information as well as employment history; information used for hiring purposes; information about criminal offenses; smoking status; political activity; voting; and professional, occupational, recreational, or governmental license, certificate, permit or membership numbers.

How Should We Protect It?

When implementing a privacy program, the following principles should be considered. These principles borrow heavily from the OCEG “Red Book,” GAPP, OECD, and APEC.

Oversight, management, and accountability. Competent individuals should provide oversight in the form of strategic and day-to-day management of the privacy program. These individuals should be, at varying levels, specifically accountable for the outcome of the privacy program.

Plan and organize. An organization should conduct a risk assessment to focus resources on those areas of the business where personal information is vulnerable. An overall strategy and privacy program should be authorized by senior management.

Promote, prevent, and prepare. An organization should design and implement an overall program to promote data protection, and prepare the organization using policies, procedures, controls, training, and other workforce incentives. Where possible, noncompliant conduct should be prevented outright, or at least deterred or delayed before it results in a data breach.

Collect. When collecting information, an organization should be careful to collect personal information only for the purposes identified in a notice that is readily available to subjects from whom information will be collected. Subjects should be given choices regarding how their information can be used. They should at least implicitly—or, better yet, explicitly—consent to the collection, use, and transmission of personal information.

Access. Individuals should have access to their personal information throughout the information lifecycle so that they can review, update, and correct their information.

Use. An organization must limit the use of information to the purposes identified in the notice and for which the individual provided consent.

Store and retain. Personal information should be retained for only as long as necessary to fulfill the stated purposes.

Transfer or disclose. An organization should disclose personal information to third parties only in accordance with the notice and privacy policy and with the consent of the individual.

Dispose. Personal information should be permanently and completely disposed of when it is no longer needed.

Secure. Throughout the lifecycle, an organization should provide reasonable assurance that personal information is secure and kept private in accordance with the notice and privacy policy. This includes both logical (access control, encryption, etc.) and physical (building controls, etc.) security.

Monitor. The organization should conduct ongoing and periodic assessments of the privacy program to detect both noncompliance and weaknesses. In addition, an organization should provide a mechanism for stakeholders to report unauthorized collection, use, retention, transfer, or disposal of information.

Respond and improve. An organization should have procedures in place to respond quickly to noncompliance and improve the program to reduce the likelihood that similar noncompliance will occur in the future. An important part of responding to noncompliance is notifying individuals when their information is improperly handled. Keep in mind that customers are three to four times more likely to terminate their relationship with an organization that communicates using impersonal forms and email rather than personal phone calls and letters.

Extended Enterprise

Thirty percent of all breaches originate with vendors. Research conducted in 2006 suggests that organizations use 4,100 to 7,700 vendors per $1 billion in capital spending. That's a lot of moving parts. As such, it is important to consider data protection beyond the traditional enterprise and extend these sound practices to suppliers, vendors, partners, and other agents that act on behalf of the organization. Many organizations are including data protection clauses in master contracts and certifying vendors on data privacy policies and procedures before they conduct work on behalf of the company.

A Final Word

Breaches of data protection schemes rarely involve the disclosure of one or two files. They tend to involve an average of 5,000 records and up to tens of millions of records. The consequences are clear and, fortunately, the path to an effective program is within reach of all organizations.

A downloadable illustration of the elements of privacy risk management and compliance, as well as related coverage and other entries in the GRC Illustrated series, can be found in the box above, right.