The Impact of Identity Theft and the Sarbanes-Oxley Act on the Privacy Agenda for 2005
The past year was marked by rapid increases in threats to personal information and in challenges to compliance with privacy and data protection policies and laws. As we survey the privacy agenda for 2005, two clear themes emerge: the impacts of identity theft and the Sarbanes-Oxley Act.

Privacy in the Headlines

The risk individuals face when providing their personal information to organizations has been a favorite topic in the media for several years. What has shifted, however, is the nature of the risks reported in the media and the breadth of the public’s interest in these reports. Alarming reporting on privacy matters used to highlight the perils of visiting unscrupulous websites or the threats of cookies. Such reports, although attracting an interested audience, appealed mainly to individuals who were both privacy conscious and Web users. The picture today is much different. When it comes to privacy, the topic of most interest to the media is how privacy violations result in identity theft. The very tangible threat of identity theft and the inconvenience, if not the financial losses, associated with it drastically increase the audience attentive to these reports. In that respect, a privacy issue that makes headlines is more likely to resonate with customers and lead to actions that would hurt brand and customer loyalty, whether or not the data subjects involved are actually at risk.

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, with its emphasis on validating internal controls, has indirectly brought increased attention to applying reasonable practices in privacy management. Section 404 of the act in particular lays out a number of required internal controls that organizations must implement within their systems for processing financial information, especially when vendors are used for processing personal information.
The internal control requirements of the Sarbanes-Oxley Act have ripped through public companies in the United States and are starting to make their way through the foreign affiliates of those companies. The act’s regimen of documented, tested controls is a model of effective protection of financial information, one that may also be applied to personal information. As companies achieve compliance with the act after a long period of concentrated work, Sarbanes-Oxley teams are freeing up and are able to assist with other enterprise-wide control issues such as privacy and data protection. The discipline the act has injected into organizations has led to an overall reevaluation of compliance activity, compliance audit, and the development of internal controls.

Phishing and Spyware

Identity theft is a major concern for both companies and individuals. Companies are targeted by identity thieves for their information, and the target companies may be held responsible for the theft. Phishing and spyware are examples of the increasingly sophisticated threats that allow identity thieves to directly target individuals. Spyware is the scourge not only of consumer PCs but also of those used in business. Malicious and unwanted software that is unwittingly downloaded can compromise the integrity of the corporate network and expose personal information, other confidential information, and sensitive business practices. Spyware finds both companies and individuals ill prepared. Organizations face an absence of standards as they try to protect their networks against spyware the way they do against viruses. Potentially the most serious threat to a company’s e-business reputation, phishing scams continue to spread, involving such seemingly innocuous subjects as magazine subscriptions, tsunami aid, and even Harry Potter e-book offers. Combating phishing demands a combination of careful Web practices, security, and authentication in email.
Most importantly, both spyware and phishing require organizations to engage in education and outreach for consumers. Organizations should also raise employee awareness of these threats and clearly communicate what legitimate requests and actions individuals can expect the organization to make, so that threats can be more easily identified.

The Human Factor

The human element of data privacy and security is gaining increased awareness among top executives. Ernst & Young’s 10th annual Global Information Security Survey, which polled 1,233 organizations in 51 countries, showed that respondents saw the insider threat as a growing obstacle to achieving a good information-security posture. Whereas many of the respondents appeared fixated on external threats such as viruses, the more likely and most lethal threats are those originating within an organization’s growing extended enterprise, including its vendors and outsourced service providers. These threats are the individuals -- current, temporary, and former employees -- who are already inside an enterprise. Such insiders can operate, with limited risk of detection, through their intimate knowledge of the system, its plausible access requirements, and the organization’s controls. Nontechnical and human-behavior-based forms of intrusion are common enough that they are now significant causes of identity theft. What makes the insider threat so prevalent is that most breaches involve unsophisticated methods of gaining access and occur during normal working hours. The risk of identity theft drives organizations to pay closer attention to the insider threat. The wide media coverage of identity theft cases is a double-edged sword in such cases: as companies become more aware of the risks and consequences of insider-driven identity theft, so do rogue employees learn more about the ease with which they can abuse their position to perpetrate or cooperate in a crime.
Employee Privacy

Faced with a plethora of privacy and data protection laws, labor laws, and trade union and works-council agreements, multinational companies are struggling to effectively implement the privacy impacts on human resources administration and infrastructure across their global operations. The issue of employee monitoring is further exacerbated by the risks and liabilities associated with identity theft and the increased awareness of the potential involvement of insiders in such scams. As organizations realize that their responsibility to protect their customers, and indeed the broader body of employees, from identity theft requires them to better understand who has access to personal information and under what circumstances this access is initiated, the appeal of various monitoring technologies rises.

Reasonableness

U.S. state and federal rulings mandate that organizations implement “reasonable” protections for the personal information of customers, and international regulations are similar. Data protection authorities worldwide are intolerant of hacking events that result in the compromise of personal information and are taking strong action against companies with inadequate controls. Organizations are being challenged to identify what they deem “reasonable and appropriate” safeguarding of personal information. They understand that should a breach occur and vulnerabilities be exploited, regulators and data protection authorities will challenge these positions. When describing the rights and obligations of organizations and data subjects, privacy regulations range in their level of specificity. Over and over, organizations must decide how to “reasonably” translate the broad requirements of legislation to their ongoing processes, networks, databases, and systems.
From protecting information from external threats to appropriately limiting internal access to data in order to prevent insiders from engaging in identity theft, the challenge -- and liability -- in identifying a reasonable privacy and data protection approach is tremendous. Data protection officers and privacy officers should work with their organization’s information security group to craft and implement a comprehensive data-protection strategy. Staying current on both technology trends and privacy-related threats helps staff make reasonable decisions, and so does communicating with privacy and security professionals in other firms. All reasonableness decisions should be documented, indicating the rationale behind each decision, especially when the organization chooses to follow less common solutions. When considering reasonableness in data protection approaches, organizations should not forget to implement controls to keep their security programs operating effectively over time.

The Privacy Audit

From privacy seals to privacy audits, the benefits of obtaining assurance from independent parties over privacy have repeatedly been affirmed in consumer attitude surveys. On the corporate side, lawyers have long insisted on the inclusion of “right to audit” clauses when companies contract with vendors. Nonetheless, the notion of a structured, criteria-based examination of privacy practices that follows formal rules has been slow to develop beyond the online environment. This year, however, promises a shift in the role that independent auditors, whether internal divisions or members of reputable third-party organizations, will play in examining privacy across complex organizations. The reason for this development is twofold.
First, a comprehensive framework of privacy criteria developed by the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) is available, and the marketplace is becoming increasingly familiar with this important tool. The AICPA/CICA Privacy Framework provides auditable criteria for a comprehensive set of privacy principles that align with many international and U.S. regulations. Second, the visibility associated with privacy violations increases the need for independent verification over the handling of personal information. Organizations increasingly realize that the cost of obtaining an audit and making the adjustments needed to pass it is significantly lower than the cost of a significant breach or violation. Organizations handling financial information may find that their compliance work for the Sarbanes-Oxley Act has made them better prepared to pass such an audit, as many risks that may have been part of the information processing have already been mitigated with effective controls.

Conclusion

Traditionally, privacy and data protection have been about complying with policies and laws and protecting consumer trust. As threats to individuals increase, the need to safeguard personal information is expanding to cover such areas as corporate security, investigations, counter-fraud, and records management. In fact, 2005 will require a more complete view of reasonable data protection of personal information, requiring even more collaboration across organizations. Routine auditing of compliance with data protection policy and laws should be extended to broader auditing of the effectiveness of controls over the protection of personal information. In 2005, it is no longer good enough, or reasonable, to be compliant with paper policies -- it is necessary to sustain data protection with active controls.
Sagi Leizerov and Brian Tretick lead Ernst & Young’s privacy assurance and advisory services in the United States.