Managing Your Privacy Commitments

Transcription

1 Managing Your Privacy Commitments An update on recent regulatory developments and how to effectively navigate them February 2013 DRAFT FOR DISCUSSION PURPOSES ONLY

2 Agenda Introduction 1. Privacy Within the Enterprise 4 2. Regulatory Updates Affecting Privacy Ensuring Compliance with Operating Models The Role of Internal Audit PwC s Approach to Privacy 28 PwC 2

3 Introduction e Chris Clancy Director, Bay Area Market Leader Data Protection & Privacy Specializing in privacy program strategy and development, risk and regulatory compliance, and data loss prevention. Ten years of experience with a mix of Fortune 500 organizations and Big-4 accounting and consulting firms Privacy leader at Silicon Valley Bank National Privacy & Data Protection Deloitte Internal Auditor at Fidelity National Financial Delivered a wide range of data protection projects including: Privacy Program Strategy, Implementing International Privacy Requirements, Providing Regulatory Compliance, IT Security Controls Rationalization, IT Internal Audit, Data Loss Prevention, and Data Classification Certified in industry leading privacy and security disciplines Certified Information Privacy Professional (CIPP/US) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) PwC 3

4 Privacy Within the Enterprise PwC 4

5 What is Privacy? There are numerous definitions for privacy, such as: The right to be left alone A fundamental human right of a person to make personal decisions regarding their own matters The right of people to lead their lives in a manner that is reasonably secluded from public scrutiny What about information privacy? The ability of an individual or group to stop personal information about themselves from becoming known to people other than those they choose Generally, there are three social concerns that drive the issue of privacy. These include individuals fears about: How data is used How data is protected Who is accountable It is important to note that everyone views privacy differently and this view can depend on individual characteristics such as generation and national origin PwC 5

6 Why is Privacy Protection Important? To earn and keep the public s trust To prevent identity fraud and theft To prevent privacy incidents It s the law! PwC 6

7 Consequences of Violating Privacy Law Organizations that do not adequately manage the risk of noncompliance with privacy laws and regulations may face the following: Negative brand impact Compliance with intrusive enforcement requirements Loss of shareholder value Violation of local laws Loss of confidence with data protection authorities Stoppages/delays imposed by regulatory bodies such as the Federal Trade Commission (FTC), Department of Commerce, International Data Protection Authorities, and others Potential additional legislation or regulations that will impose greater restrictions PwC 7

8 No Single Legal Framework Exists Currently Currently there are no overarching privacy laws to govern privacy for financial services institutions in the U.S. Gramm-Leach Bliley Act (GLBA) As such, companies must comply with a combination of industry/sector, state, and federal privacy laws based on: Types of business conducted Where business is conducted and where employees are located State Breach Notification Laws State Social Security Number Protection Laws Sample Privacy Laws Right to Financial Privacy Act HITRUST Where clients/customers are located Health Insurance Portability and Accountability Act (HIPAA) PwC 8

9 Privacy Trends Domestically and Internationally (a.k.a. Cross Border Compliance) US Federal GLBA, HIPAA, COPPA, Do Not Call, PCI DSS China Pending local requirements; APEC Privacy Framework Numerous State Laws Breach Notification 46States from CA to NY APEC Privacy Principals) European Union EU Data Protection Directive and Member States Data Protection Laws India Information Technology Act 2008 PwC 9

10 Regulatory Updates Affecting Privacy PwC 10

11 Children s Online Privacy Protection Act (COPPA) Updated December, 2012 Overview The COPPA Rule, 16 CFR Part 312 became effective on April 21, Types of Information Protected Personal information of children under the age of 13 Who the law regulates Operators Recent Updates The updated Rule contains references to modern technologies, which expands the definition of operator to include these service providers More activities are specifically permitted New forms of parental consent are also permitted PwC 11

12 Health Information Portability and Protection Act (HIPAA) Updated January, 2013 Overview Privacy Rule Security Rule Types of Information Protected Protected Health Information (PHI) - is information, including demographic data, that relates to: Who the law regulates Health Plans Health Care Providers Health Care Clearinghouses Business Associates Recent Updates The final rules effective date is March 26, 2013, and full compliance by covered entities and business associates is required 180 days later (by September 23, 2013) Genetic information Breach Notification PwC 12

13 European Union Data Protection Directive Updated January, 2012 DRAFT ONLY Overview Directive 95/46/EC Each of the 26 member states has adopted this Directive in the form of national laws which, at minimum, must meet the standards within the Directive. Types of Information Protected Personal Data' - any information relating to an identified or identifiable natural person ('data subject'); Who the law regulates Data controllers Proposed Updates Explicit consent model Privacy by Design Right to be Forgotten PwC 13

14 Other Related Updates California California s Attorney General, Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit Will be housed in the ecrime Unit of the California Department of Justice, will combine the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise JoAnne McNabb Director Travis LeBlanc Head of enforcement division U.S. Federal NIST SP( rev.4) Highly referenced Information Security Framework Appendix J, Privacy Control Catalog, is a new addition intended to address the privacy needs of federal agencies PwC 14

15 Ensuring Compliance with Operating Models PwC 15

16 As Companies Expand and Change their Business/Operating Model What Organizations are Currently Doing Expanding into new (global) markets Off-shoring /Outsourcing certain business functions to third parties across a variety of countries Expanding/Creating new products for customers Related Privacy Considerations What laws will I have to comply with? Will information reside in one country or be transferred between several countries? How should I protect any data I collect or transmit? Do I need to have different policies for different customers based on geographic location? How do I train and educate my employees to understand and comply with regulations for these new markets? Who is responsible for complying with local/national laws? Will I need to comply with regulations enacted by the country my off-shoring firm is located in? Am I allowed to monitor consumers purchasing habits? What data am I allowed to collect? What data am I allowed to share with outside parties? PwC 16

17 Questions Arise About Privacy and Protecting Sensitive Data What Companies are Currently Doing Targeting specific products to certain groups/sets of customers Providing excellent customer service based on personal attributes Related Privacy Considerations What data am I allowed to collect without consent to analyze customer behavior? Are there restrictions on how I can use certain information? How should I protect the data or customer information once I have it? What data am I allowed collect? Which data will I need to gain consent? What are my processes to ensure that I can pass an audit? PwC 17

18 Having a Program In Place to Ensure Compliance In the U.S., organizations are required to comply with numerous laws and regulations regarding the protection of consumer information. A comprehensive program is needed to address the myriad requirements. Incident Response Governance Monitoring & Auditing Risk Assessment Training & Awareness Privacy Processes & Controls Technical Security & Controls PwC 18

19 Engage your Stakeholders Privacy is a relatively new consideration within the Risk Management disciplines. As a result, the manner with which organizations address this risk could differ widely. Some of the typical stakeholders and associated privacy concerns are listed below: Process Area Legal Marketing Information Security Internal Audit Compliance Privacy Office Privacy concern (examples) FTC complaints Records Management ecommerce initiatives CRM Social media campaigns Audit findings PCI readiness Data breaches Board or Audit Committee requests Increasing the enterprise risk scope HIPAA (healthcare), GLBA (financial) Regulatory examination Governance structure Operating privacy, how to live by the privacy policy Footer PwC 19

20 Focus on the Next Hot Topics and Privacy Trends Companies should be aware of the dynamic and changing privacy landscape in order to anticipate and prepare for future regulations. Topic Customer Perception Privacy by Design Social Networking Online Behavioral Advertising Legislative Activity Active Players Trend Customers are willing to provide personal information with the expectation of corporate safeguarding and accountability Privacy is embedded into new technologies and business practices, from the outset Increasing new risks for organizations (i.e. security) and individuals (i.e. consumer privacy) Self-regulatory principles (i.e. transparency, consumer control and accountability) Congress and States are becoming increasingly active developing legislation to address the changing privacy environment Rising enforcements from the FTC and HHS-OCR, and increasing involvement by the Department of Commerce, Dept of Justice, Federal Trade Commission, HHS-OCR, the Consumer Financial Protection Bureau, and State Attorneys General PwC 20

21 The Role of Internal Audit PwC 21

22 Privacy is a top-10 risk! Is privacy a top-10 risk or initiative at your organization? Yes top 5 risk 43% Yes between risk #6 and #10 38% Not in the top 10 19% Source: PwC Data Protection and Privacy webcast, "Tomorrow's Privacy - Balancing Commitments with Business Innovation (Feb. 2012) PwC 22

23 Risks generally not perceived as well managed 15 most-cited risks Economic uncertainty Talent and labor New product introductions Only Regulations and government policies Reputation and brand Fraud and ethics 45% Competition Financial markets Data privacy and security Commercial market shifts Energy and commodity costs Government spending /taxation Business continuity Mergers, acquisitions, and JVs Large program risk are comfortable with how well their critical risks are being managed Source: PwC s 2012 State of the Internal Audit Profession Study PwC 23

24 Three Lines of Defense Management Reporting/organizational structure Ownership, responsibility and accountability Risk management and compliance functions Facilitate and monitor the implementation of effective risk management practices Internal audit Provides objective assurance to board and executive management PwC 24

25 The role of internal audit Keep the Audit Committee aware of emerging security and privacy risks Identify exposures in the organization, and help discover possible solutions Embed yourself in key activities that support the implementation of new business processes, products or information systems (i.e., privacy by design) Regular and specialty audits of data protection controls Common Barriers to Success A mindset that believes adequate controls are already in place Cost Low expectations Fragmented responsibilities PwC 25

26 What kinds of questions should you be asking? Understanding Company Governance & Awareness What are the company s privacy commitments? Think about relevant regulations, employment agreements and business partner contracts. What is the operational culture of the company, and what is the philosophy regarding information security and privacy? Who leads the efforts for privacy and/or information security (e.g., Steering Committee)? Understanding sensitive data What sensitive data do you have that needs to be protected? Does a data or systems inventory exist? Understanding threats Has your data been exposed and would you know if it were? Do you know what breach indicators you should be monitoring? PwC 26

27 What kinds of questions should you be asking? Building protections Has the company established formal governance and controls to protect sensitive data? Are the controls and safeguards periodically tested? Have the controls and safeguards been updated to respond to changing business models? Responding to incidents Are you prepared to respond to legal actions regarding privacy complaints? If a regulator were to inquire or investigate the company, would the company be prepared to respond? Has the company established formal plans to respond to privacy incidents when they occur? PwC 27

28 PwC s Approach to Privacy PwC 28

29 Data protection & privacy How we enable, from assisting with strategy definition, to providing assurance Envision Design & Build Implement Operate Review & Assure Develop Vision Where do you want to go, and what does it look like when you get there? Understand Current State Where are you today? Develop Roadmap How do you get from here to there, efficiently? Design Program Set up the program, and the governance of the function, in line with your culture and requirements. Design Privacy Process Define the services that the privacy program will deliver to the organization and how they will be delivered Implement Program Transition the design into production. Adjust as necessary Implement Privacy Process Roll out / implement privacy services. Operate Program Operate elements of the program, such as governance, risk management and reporting. Operate Privacy Process Operate elements of the privacy program, such as assessing the privacy controls in place at key vendors. Review Assist management to confirm the effective operation of their privacy program, or certain elements of it. Assure Provide external assurance, through reports such as SSAE16, SOC2, HITRUST, and others. PwC 29

30 PwC brings global experience to the table Understanding technology, the regulatory maze, risk management and control development and assurance is our core strength. Our team is highly experienced in providing data protection and privacy related services. Using a scalable, risk-based approach, we ll help you determine what needs to be secured and how to do it, by performing services such as: Providing attest reporting to a regulatory body such as the Federal Trade Commission (FTC) or Office for Civil Rights (OCR). Developing data protection strategies that align with and support your broader business plans. Creating a blueprint for cost-effective regulatory compliance. Positioning you to reap the benefits of new technology and avoid the risks. Contact: Chris Clancy Director, San Jose christopher.j.clancy@us.pwc.com (408) Aaron Weller Managing Director, Seattle aaron.weller@us.pwc.com (206) PwC 30

31 Questions?? 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.