Using Safe Harbor to Develop an Integrated, Global Assessment Approach

August 20, 2008

PricewaterhouseCoopers

Slide 2

Panelists

Lael Bellamy, Chief Counsel - IT, IP & Privacy, ING Americas (formerly with The Home Depot)

Laurie Smaldon, CIPP, Manager, Privacy and Identity Theft Practice, PricewaterhouseCoopers LLP


Slide 3

Agenda

• Safe Harbor Certification Overview
• Integrated Assessment Approach
• Key Benefits – Case Study
• Questions & Answers

Slide 4

Safe Harbor Certification Overview

Slide 5

Safe Harbor Certification Basics

• Requires certification with the US Department of Commerce
  - One-stop shop: adequacy determination from all EEA member states without any further approval
• Must agree to abide by 7 data privacy principles
  - Notice, Choice, Access, Security, Onward Transfer, Data Integrity and Enforcement
• Limits enforcement to the FTC instead of each of the 27 DPAs in the EEA
  - DPAs have not investigated US Safe Harbor pharma companies
  - FTC has not brought any case against a US company in 5 years
• No 3rd party beneficiary rights, but a dispute resolution mechanism is required
  - Must use DPAs for disputes regarding employee PII
  - May use an independent US 3rd party for all other disputes
• Allows flexibility to support evolving business models and relationships
• Not available for financial services companies

Slide 6

What it means to be a Safe Harbor company – 7 Principles

Certification Requirements. In order to certify under the Safe Harbor Accord, a company must assess and put in place mechanisms to maintain compliance with the seven (7) Safe Harbor Principles. Key steps include:

Develop and maintain a Privacy or Safe Harbor Policy. The policy will be based on the seven (7) Principles for certification under the Safe Harbor Accord.

1. Notice. Safe Harbor companies update or prepare a global or EU-applicable privacy policy, or EU notice statements, for the data subjects covered by the certification, to ensure that the policy or notice is accurate, comprehensive and visible to data subjects. Such companies also often aim to improve awareness at the same time, so that both data subjects and management have comfort that employees know the appropriate operating practices.

2. Choice. The policy will also cover areas where consent, permission, data use limitations/opt-out strategies and special treatment for "Sensitive Personal Data" are applicable.

3, 4 & 5. Access, data integrity and enforcement. The policy also addresses other areas related to existing processes or controls, if applicable, to meet the Access, Data Integrity and Enforcement requirements needed to cover a Safe Harbor election.

Slide 7

What it means to be a Safe Harbor company – 7 Principles

6. Security. A Safe Harbor company must maintain adequate and reasonable administrative and technical safeguards and controls designed to address the appropriate security requirements for US and EU applications that capture or process data subject to the certification.

7. Onward transfer. A Safe Harbor company must maintain administrative safeguards (i.e., contractual protections) such that any onward transferee or any third party that can access data subject to the certification will maintain safeguards comparable to those of the certifying company, or the vendor/third party is itself a company that has made a Safe Harbor election.

8. Annual re-certification. Under the Safe Harbor Accord, Safe Harbor companies must annually recertify that they are abiding by the principles of the Accord. In order to make such a certification, Safe Harbor companies typically develop a Safe Harbor annual assessment and training program.

Slide 8

Survey and Gap Analysis

Our approach performs a security and privacy assessment against the 7 Data Protection Principles.

• The objective is to identify and analyze:
  - existing data transfers (including PI received or accessible in the US);
  - privacy and data handling compliance;
  - security and data handling risks; and
  - gaps against the Safe Harbor Principles, including "reasonable security" with respect to identified Safe Harbor applications, systems and databases.
• Must have reasonable security as well as controls that enable verification of reasonable compliance with the privacy requirements and related guidance.
• The approach assesses compliance against recommended privacy practices and a reasonable security framework based on industry practices.

Slide 9

Survey and Gap Analysis - Details

• The phased approach begins with an inventory of applicable Safe Harbor applications and systems, using our survey, which is designed to identify:
  (i) applicable systems, applications and databases that will be subject to the Safe Harbor certification;
  (ii) data elements being used and maintained in such systems, applications and databases; and
  (iii) any internal and external transfers of the data.
• Based on the results of the survey, key applications and systems are identified that contain PI transferred from the EEA to the US, along with the types of PI contained in such systems and the onward transferees.
• To gather further information and clarify our understanding of the data flows associated with the identified systems and applications, interviews are also conducted with key system, application and business owners to validate our understanding and findings.

Slide 10

Integrated Assessment Approach

Slide 11

Integrated Assessments Overview

Pulling it all together:

• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach Laws, Marketing Laws or other requirements.

An Integrated Approach

• Privacy
  - US: Fair Information Practices (e.g., HIPAA, GLBA)
  - Global: Organisation for Economic Co-operation and Development (e.g., EU Data Protection Directive)
• Risk
  - COSO II
  - SOX
  - Basel II
• Compliance
  - Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)
• Regulatory Technical Standards
  - FTC GLBA 501(b) Safeguards Rule
  - HIPAA Security
• Technical Standards
  - ISO 17799
  - COBIT
  - PCI
  - Others

Slide 12

Integrated Assessments Overview

The trend is to search for common requirements and points of leverage.

Common Vulnerabilities and Practices that can Compromise Sensitive Data

• Third-party vendor handling and transfers;
• Improper access or broad access controls;
• Paper handling and dumpster diving;
• Phishing, web/email vulnerabilities;
• Mobile and home-based workforce;
• Call centers and social engineering;
• Use of personal information in authentication processes with customers (online, phone, fax);
• Back-up tapes;
• Peer-to-peer networks (iPods, etc.);
• Collecting/using SSNs and personal info; and
• Transportable media.

Integrated approach. Consider people, process, technology and organization perspectives to classify privacy and information management:

• Key compliance program elements and culture;
• Consumer privacy awareness and rights;
• Security safeguards;
• Key data handling and identity theft risks; and
• Organizational design and change.

Slide 13

Key Differences and Benefits to New Approach to Information

• Coordination and Cost Savings. Companies are increasingly developing coordinated approaches to compliance and information risk management and leveraging prior investments, especially around technology and approaches related to (among several areas):
  - Sarbanes-Oxley Controls
  - Intellectual Property Protection
  - Outsourcing, Procurement and Vendor Management
  - International Data Management
  - Records Retention
  - Information Security
  - Payment Card Industry Security Standards
  - Privacy Compliance and Identity Theft Prevention

Slide 14

Key Benefits – Case Study

Slide 15

Survey Design

• The survey was developed to quickly assess key privacy compliance, identity theft risks and gaps against internal and common industry best practices.
• The survey was designed to promote efficiency, minimize burden and develop tools that can be used for current and ongoing business-as-usual processes and compliance obligations.
• The survey was designed to address multiple needs:
  - Privacy and Identity Theft/Data Mishandling Prevention Assessment
  - Data Element Inventory
  - PCI scope confirmation
  - Key Security Controls Assessment and Benchmarking
  - Marketing (opt-in/out) Compliance Awareness and Compliance Assessment
  - Inventory of Third Party Vendors and Transfers
  - eDiscovery and Records Benchmarking

Slide 16

Integrated Assessment Potential Benefits

Integrated Approach
• Ongoing Assessment and Reporting Process. The survey questionnaire may serve as a potential annual process to reassess the highest-risk areas, priorities and progress.
• FTC (and Other Regulator) Assessment Expectations. The FTC has expressed its expectation that companies conduct privacy and security assessments every other year, and this assessment and approach should serve as an effort to satisfy that expectation.

Data Element Approach
• Breach Response Capabilities. The inventory will allow quick identification of the data elements involved in the event of a lost laptop or other breach, and of the resulting US state notice obligations.
• Data Classification. When data elements are baked into the data classification scheme, a data element inventory will provide the ability to quickly classify the required controls.

Safe Harbor & Ongoing Privacy Assessment
• Combines Annual Privacy Assessment and Safe Harbor Processes. Both a privacy assessment (required by the FTC) and the Safe Harbor assessment (required by the Department of Commerce for recertification) could be required activities. The design of the survey allows both to be efficiently (and cost-effectively) pursued simultaneously.
• Accelerates Safe Harbor Certifications. If a company were to decide to pursue Safe Harbor certification, the survey would position it on the road to Safe Harbor (saving months and significant fees).
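The survey described on slide 9 (an inventory of in-scope systems, their data elements and their onward transfers) and the uses of that inventory on this slide (lost-laptop impact, data classification driving required controls) can be modelled as a small data structure with a few queries. The following is an added illustration, not PwC's survey tool or any code from the deck: the system names, data elements, classification tiers, control lists and notice-triggering elements are all constructed for the example and are assumptions, not a legal or regulatory mapping.

```python
"""Toy data element inventory with Safe Harbor-style gap checks (constructed example)."""
from dataclasses import dataclass, field

# Constructed classification rules for this example (assumptions, not a published framework).
SENSITIVE_ELEMENTS = {"health", "payment_card", "ssn"}
NOTICE_TRIGGERING = {"ssn", "payment_card", "driver_license"}   # placeholder breach-notice set
CONTROLS_BY_TIER = {
    "high": ["encryption at rest", "MFA", "quarterly access review", "DLP monitoring"],
    "standard": ["role-based access", "annual access review"],
    "none": [],
}


@dataclass
class Transfer:
    """An onward transfer of data elements from a system to a third party."""
    recipient: str
    elements: set
    safe_harbor_certified: bool = False   # recipient has its own Safe Harbor election
    contract_safeguards: bool = False     # written safeguards comparable to ours


@dataclass
class System:
    """One application/system/database row of the inventory."""
    name: str
    data_elements: set
    origins: set                          # where the PI came from, e.g. "EEA", "US"
    transfers: list = field(default_factory=list)


def in_scope(system):
    """A system is subject to the certification if it holds PI received from the EEA."""
    return "EEA" in system.origins and bool(system.data_elements)


def classify(system):
    """Tier a system by the most sensitive element it holds."""
    if not system.data_elements:
        return "none"
    return "high" if system.data_elements & SENSITIVE_ELEMENTS else "standard"


def required_controls(system):
    return CONTROLS_BY_TIER[classify(system)]


def onward_transfer_gaps(inventory):
    """Onward Transfer principle: every transferee of certified data needs comparable
    safeguards or its own Safe Harbor election. Returns (system, recipient) pairs with neither."""
    gaps = []
    for s in inventory:
        if not in_scope(s):
            continue
        for t in s.transfers:
            if not (t.safe_harbor_certified or t.contract_safeguards):
                gaps.append((s.name, t.recipient))
    return gaps


def breach_impact(inventory, system_name):
    """The lost-laptop question: which elements were exposed, which of them trigger
    state notice obligations, whether EEA data is involved, and who else holds the data."""
    system = next(s for s in inventory if s.name == system_name)
    return {
        "elements": sorted(system.data_elements),
        "notice_triggering": sorted(system.data_elements & NOTICE_TRIGGERING),
        "eea_subject": in_scope(system),
        "third_parties": sorted(t.recipient for t in system.transfers),
    }


# Constructed sample inventory (three fictional systems, not real data).
INVENTORY = [
    System("HRIS", {"name", "address", "ssn", "health"}, {"EEA", "US"},
           [Transfer("PayrollCo", {"name", "ssn"}, safe_harbor_certified=True),
            Transfer("BenefitsCo", {"name", "health"})]),          # no safeguards recorded
    System("CRM", {"name", "email"}, {"US"},
           [Transfer("MailVendor", {"email"})]),                  # US-only data: out of scope
    System("SalesLaptops", {"name", "email", "payment_card"}, {"EEA"}),
]

if __name__ == "__main__":
    print("in scope:", [s.name for s in INVENTORY if in_scope(s)])
    print("onward transfer gaps:", onward_transfer_gaps(INVENTORY))
    print("lost laptop:", breach_impact(INVENTORY, "SalesLaptops"))
```

The point of keeping transfers on the same record as the data elements is that the three survey questions (which systems, which elements, which transfers) answer each other: the gap check only fires for systems that are actually in scope, and the breach query can list third parties holding the same elements without a second data-gathering round.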

Slide 17

QUESTIONS?