Internal Audit’s Role The Changing World of PRIVACY


© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

42473SVO

1

Agenda

Privacy Background

Privacy Risk

Privacy Landscape

Trends in 2012 and Beyond

Internal Audit’s Role

Q/A


“Privacy involves the handling and protection of personal identifiable information (PII) that individuals provide in the course of everyday transactions. This involves the exchange or use of data electronically or by any other means, including telephone, fax, written correspondence, and even direct word of mouth”


Background

Protecting information has become a major priority for all companies. Organizations now store larger quantities of sensitive data, both customer and non-customer related, in multiple systems.

Organizations share an increasingly growing volume of information with third parties through expanded value chains, both domestically and globally (see previous discussion on Outsourcing to Service Providers).

Each of the data repositories can be accessed in multiple ways, leading to greater opportunities for privacy breaches. Reports of data breaches have increased dramatically over the years. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47 percent over the previous year’s total of 446.


What privacy is

Information about individuals (PII or PHI)

Physical characteristics (biometrics)

Medical records

Biographical data, including employment

All financial transactions and evaluations

Monitoring behavior in real time

Enterprisewide information

All media: electronic, paper, video, voice

All stakeholders: employees, customers, vendors

Throughout the chain of custody: locations, affiliates, business partners, third parties

Access to and control over PII

Individual’s own rights and preferences, and the record of those preferences

Opt in – to sharing or transfer across borders

Opt out – to sharing or transfer across borders

Don’t opt at all


What privacy is not

“You can have security without privacy, but you cannot have privacy without security.”

Security – enables private information to stay private, but does not take into account proper transfer or disclosure

Intellectual property – entails the ownership and use of content (but think about information governance)

While all information is confidential, some is also private (and protected by privacy laws)


Organization’s privacy relevant universe

Must protect:

Customer data

Personnel data

Job applicants

PII from third parties

Using the following tools:

Privacy and security policies

Access controls and encryption

Physical security, including protecting paper records

Proper destruction or disposal of data


Privacy risks

Data breaches can cause significant damage to organizations:

Data breaches are costly. Security firms estimate that a recent credit card data breach will cost the organization $1.7B.

They can also result in legal consequences. For example, organizations subject to regulations can face fines and penalties for data breaches.

Public disclosure of data breaches can also result in reputational risk for organizations, especially in regard to inappropriate disclosure of customers’ information.


Privacy risks

Financial

Reputational

Brand/Image

Contractual

Legal

Regulatory

Employer of Choice


Current landscape

More data, less understanding

Regulatory and market expectations and pressure

The cost of data breaches is increasing

Increasing compliance costs

Siloed approaches to governance

Changes in business structure

Globalization

Emerging IT trends (Cloud Computing, Social Media, RFID, Virtualization)


Regulatory issues – what’s hot!

FTC Authority and Agenda/ Enforcement

Obama’s Privacy Bill of Rights

Social Media

Mobile & Geolocation

Cloud Computing

Offshore Outsourcing

Behavioral Advertising

Electronic and Personal Health Records

International Data Transfers

Harmonization/Conflict of Laws

Cybersecurity

New Technologies

Big Data


Top 5 privacy issues for 2012

Gartner’s forecast

– Data Breaches Continue to Be a Top Concern

– Location-Based Services Exploit Personal Information in Unprecedented Ways

– Cloud Computing Challenges Traditional Legal and Technical Privacy Protection

– The Value of Privacy Determines Necessary Protection, but It Is Difficult to Quantify

– Regulatory Changes Are Imminent and Ongoing

From Gartner report "Top Five Issues and Research Agenda, 2011 to 2012: The Privacy Officer."


What internal auditors need to know

Enterprise data transfer management capabilities decentralized

Inventory of sensitive enterprise data flows doesn’t exist or is immature

Lines of business and IT aren’t coordinated on what types of sensitive data are being transmitted and where the data is being transferred

Large volumes of paper with sensitive data elements are being created during routine business processes

Electronic sensitive data transmissions occur in multiple ways (FTP, NDM)

Enterprise control frameworks aren’t mature enough to account for, monitor, and report on sensitive enterprise data flows

Removable media (CD/DVD, USB Drives, Tapes) are pervasive throughout the environment and technology controls are playing catch up

Reactive approach to protecting data, by responding after a breach occurs

Breach notification plans aren’t fully mature to anticipate notification requirements based upon sensitive data elements present


The information life cycle

Phase 1 – Generation: Ownership, Classification, Governance

Phase 2 – Use: Internal v. External, Third Party, Appropriateness, Discovery/Subpoena

Phase 3 – Transfer: Public v. Private Networks, Encryption Requirements, Access Control

Phase 4 – Transformation: Derivation, Aggregation, Lineage, Integrity

Phase 5 – Storage: Access Control, Structured v. Unstructured, Integrity/Availability/Confidentiality, Encryption

Phase 6 – Archival: Legal and Compliance, Offsite Considerations, Media Concerns, Retention

Phase 7 – Destruction: Secure, Complete

Across all phases: Compliance, Regulatory, Legal, Audit & Measurement, Business Objectives

Phase 1 and 2: Employee/trusted third-party creation and usage should drive business value.

Phase 3: Infrastructure capabilities should enable controlled transfer and movement of data.

Phase 4: Additional processing and/or manipulation to achieve increased business value for reporting or specific business requirements.

Phase 5 and 6: Organizational capabilities to manage and maintain information in a cost-effective manner for timely access or retrieval to achieve business objectives.

Organizational responsibility to ensure adherence to legal and regulatory requirements through each phase of the life cycle.

Phase 7: Controlled destruction of information and storage media.


Privacy risk considerations

Privacy mismanagement poses threats to brand and business. As a result, organizations are recognizing the need to ask tougher questions about the privacy and data-handling practices of business partners.

Privacy risks in outsourcing and cloud countries – many popular outsourcing countries do not have national privacy laws. Vendors there may not maintain privacy, security, and data-handling practices consistent with the organizations that hire them.

Due diligence is essential to help ensure that vendors’ privacy practices are in sync with the organization’s practices and expectations. Monitoring and auditing are critical.

Regulators – have established formal guidelines on their expectations in multiple areas, such as in the event of a move to the cloud.

Customers – hold the entity that collected their data accountable for any future issue.

Media – focus on the “big names”.

Offshore data transfer activities may occur without the organization for which the data is processed ever knowing it actually occurs.


Next steps to consider

Conduct a robust Assessment with an Annual or Bi-Annual reassessment for compliance

Determine Lines of Business affected by Personal Information

Consider internal employee information in evaluation

Map/Flow PII movement within your organization, as well as flows to/from third parties

Perform Data discovery to find all of your PII

Establish effective technical safeguards over PII (encryption, access management, restriction for required use only)


Next steps to consider (continued)

Increase your Monitoring program, establish an effective ERM program as well as GRC services

Leverage GRC to do exception reporting on incidents, security protection and access monitoring

Don’t forget your third party vendors in assessment

Establish an incident response team

Train affected employees annually
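As an added example (not from the deck or from KPMG), the following Python ties together the findings above about uninventoried FTP/NDM flows and the next steps on data discovery, PII flow mapping and exception reporting: it scans a constructed inventory of data stores and outbound feeds for SSNs and card numbers, then flags the flows that miss the deck's own expectations (encryption in transit, right to audit third parties). The inventory, store names, channel list and flagging rules are assumptions made for this example.

```python
import re

# Constructed inventory for this example: each entry describes a data store or outbound
# feed (channel, encryption, third-party terms) plus a made-up text sample of its contents.
INVENTORY = [
    {"store": "hr_share/applicants.csv", "channel": "internal share",
     "encrypted": True, "third_party": None, "right_to_audit": None,
     "sample": "name,ssn\nJane Doe,123-45-6789\n"},
    {"store": "ftp_out/refunds.txt", "channel": "FTP",
     "encrypted": False, "third_party": "Example Card Processor",
     "right_to_audit": True, "sample": "4111111111111111 refund 25.00\n"},
    {"store": "ndm_out/claims.dat", "channel": "NDM",
     "encrypted": True, "third_party": "Example Claims BPO (offshore)",
     "right_to_audit": False, "sample": "member 321-54-9876 dx 250.00\n"},
    {"store": "marketing/newsletter.txt", "channel": "internal share",
     "encrypted": False, "third_party": None, "right_to_audit": None,
     "sample": "Order ref 1234567890123, call 555-0100\n"},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")

def ssn_plausible(area, group, serial):
    # Reject area/group/serial values the SSA never issues, to cut false positives.
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def luhn_ok(digits):
    # Luhn mod-10 check: filters most order numbers that merely look like card PANs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return counts of the PII element types found in a text sample (empty if none)."""
    ssns = [m for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]
    cards = [m for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    return {k: n for k, n in (("SSN", len(ssns)), ("card number", len(cards))) if n}

def exception_report(inventory):
    """Map PII to stores and flag flows that miss the deck's control expectations."""
    report = []
    for item in inventory:
        elements = find_pii(item["sample"])
        if not elements:
            continue  # no PII found here, nothing to report
        issues = []
        if item["channel"] in ("FTP", "NDM") and not item["encrypted"]:
            issues.append("unencrypted sensitive data transmission")
        if item["third_party"] and not item["right_to_audit"]:
            issues.append("third party without right to audit")
        report.append({"store": item["store"], "channel": item["channel"],
                       "elements": elements, "issues": issues})
    return report
```

Run on real repositories, the sample text would come from the file contents and the channel and contract fields from the data-flow map the deck asks auditors to build.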


Impact on auditors

Cloud usage is driven by business units/end users—do you know if personal information is in the cloud?

Personal Information may be transferred to emerging service providers without established control environment

Lack of evidence on who has access to personal information and audit trail availability

Degree of change in the environment may impact the ability to gain comfort over privacy control for the period under review

Global footprint of the cloud—where do you perform your audit, and what are the relevant privacy rules that should be taken into account?

Dependence on third parties—do you have the right to audit them to cover the data life cycle?

No clear standard for gaining assurance on the management and protection of personal information (SOC 1 is not a solution in many cases)


Internal audit’s role

Perform a Data Privacy Risk Assessment to

– Determine what personally identifiable information (PII) the organization retains, where the data is stored, how long it is retained, and if it is shared with third parties.

– Compare and contrast the organization’s current IT Data Privacy Standards with applicable laws and regulations to identify potential gaps.

Evaluate the organization’s Data Loss Prevention Strategies.

Conduct application-specific privacy reviews (based on a privacy/data risk assessment) to determine if the organization is in compliance with applicable laws and regulations.

Consult with management during IT projects (e.g., system implementations) to determine if privacy risks are appropriately mitigated prior to go-live.


Questions???


Doron Rotman

National Service Leader, Privacy

KPMG LLP

+1 408-367-7607

[email protected]
