Using Safe Harbor to Develop an Integrated, Global Assessment Approach
August 20, 2008
PricewaterhouseCoopers

Panelists
• Lael Bellamy, Chief Counsel - IT, IP & Privacy, ING Americas (formerly with The Home Depot)
• Laurie Smaldon, CIPP, Manager, Privacy and Identity Theft Practice, PricewaterhouseCoopers LLP

Agenda
• Safe Harbor Certification Overview
• Integrated Assessment Approach
• Key Benefits – Case Study
• Questions & Answers

Safe Harbor Certification Overview

Safe Harbor Certification Basics
• Requires certification with the US Department of Commerce
- One-stop shop: a single adequacy determination recognized by all EEA member states without any further approval
• Must agree to abide by seven data privacy principles
- Notice, Choice, Access, Security, Onward Transfer, Data Integrity and Enforcement
• Limits enforcement to the FTC instead of each of the 27 DPAs in the EEA
- DPAs have not investigated US Safe Harbor pharma companies
- The FTC has not brought any case against a US company in 5 years
• No third-party beneficiary rights, but a dispute resolution mechanism is required
- Must use the DPAs for disputes regarding employee PII
- May use an independent US third party for all other disputes
• Allows flexibility to support evolving business models and relationships
• Not available to financial services companies (the program is limited to organizations subject to FTC or Department of Transportation jurisdiction)

What it means to be a Safe Harbor company – 7 Principles

Certification Requirements. To certify under the Safe Harbor Accord, a company must assess and put in place mechanisms to maintain compliance with the seven Safe Harbor Principles. Key steps include:

Develop and maintain a Privacy or Safe Harbor Policy. The policy is based on the seven Principles for certification under the Safe Harbor Accord.

1. Notice.
Safe Harbor companies update or prepare a global or EU-applicable privacy policy, or EU notice statements, for the data subjects covered by the certification, to ensure that the policy or notice is accurate, comprehensive and visible to data subjects. Such companies often simultaneously aim to improve awareness, so that both data subjects and management have comfort that employees know the appropriate operating practices.

2. Choice. The policy also covers the areas where consent, permission, data use limitations/opt-out strategies and special treatment of "Sensitive Personal Data" apply.

3, 4 & 5. Access, Data Integrity and Enforcement. The policy also addresses the other areas related to existing processes or controls, where applicable, needed to meet the Access, Data Integrity and Enforcement requirements of a Safe Harbor election.

6. Security. A Safe Harbor company must maintain adequate and reasonable administrative, technical and physical safeguards and controls designed to address the appropriate security requirements for the US and EU applications that capture or process data subject to the certification.

7. Onward Transfer. A Safe Harbor company must maintain administrative safeguards (i.e., contractual protections) such that any onward transferee, or any third party that can access the data subject to the certification, maintains safeguards comparable to those of the certifying company, or is itself a company that has made a Safe Harbor election.

8. Annual re-certification. Under the Safe Harbor Accord, Safe Harbor companies must annually recertify that they are abiding by the principles of the accord. To support that certification, Safe Harbor companies typically develop a Safe Harbor annual assessment and training program.
Survey and Gap Analysis

Our approach performs a security and privacy assessment against the 7 Data Protection Principles.
• The objective is to identify and analyze:
- existing data transfers (including PI received or accessible in the US);
- privacy and data handling compliance;
- security and data handling risks; and
- gaps against the Safe Harbor Principles, including "reasonable security" with respect to the identified Safe Harbor applications, systems and databases.
• The company must have reasonable security as well as controls that enable verification of reasonable compliance with the privacy requirements and related guidance.
• The approach assesses compliance against recommended privacy practices and a reasonable security framework based on industry practices.

Survey and Gap Analysis - Details
• The phased approach begins with an inventory of applicable Safe Harbor applications and systems, using our survey, which is designed to identify: (i) the systems, applications and databases that will be subject to the Safe Harbor certification; (ii) the data elements used and maintained in those systems, applications and databases; and (iii) any internal and external transfers of the data.
• Based on the survey results, the key applications and systems that contain PI transferred from the EEA to the US are identified, along with the types of PI they contain and their onward transferees.
• To gather further information and clarify the data flows associated with the identified systems and applications, interviews are also conducted with key system, application and business owners to validate our understanding and findings.

Integrated Assessment Approach

Integrated Assessments Overview

Pulling it all together:
• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach Laws, Marketing Laws or other privacy requirements.

The frameworks these one-off assessments draw on:
• Privacy
- US: Fair Information Practices (e.g., HIPAA, GLBA)
- Global: Organisation for Economic Co-operation and Development (OECD) guidelines (e.g., EU Data Protection Directive)
• Technical Standards
- ISO 17799
- COBIT
- PCI
- Others
• Regulatory Technical Standards
- FTC GLBA 501(b) Safeguards Rule
- HIPAA Security Rule
• Risk and Compliance
- COSO II
- SOX
- Basel II
- Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)
All of these feed an Integrated Approach.

Integrated Assessments Overview

The trend is to search for common requirements and points of leverage.

Integrated approach. Consider the people, process, technology and organization perspectives to classify privacy and information management:
• Key compliance program elements and culture;
• Consumer privacy awareness and rights;
• Security safeguards;
• Key data handling and identity theft risks; and
• Organizational design and change.

Common Vulnerabilities and Practices that can Compromise Sensitive Data
• Third-party vendor handling and transfers;
• Improper access or overly broad access controls;
• Paper handling and dumpster diving;
• Phishing, web/email vulnerabilities;
• Mobile and home-based workforce;
• Call centers and social engineering;
• Use of personal information in authentication processes with customers (online, phone, fax);
• Back-up tapes;
• Peer-to-peer networks (iPods, etc.);
• Collecting/using SSNs and personal information; and
• Transportable media.

Key Differences and Benefits of the New Approach to Information
• Coordination and Cost Savings.
Companies are increasingly developing coordinated approaches to compliance and information risk management, leveraging prior investments, especially in technology and approaches related to (among other areas):
- Sarbanes-Oxley Controls
- Intellectual Property Protection
- Outsourcing, Procurement and Vendor Management
- International Data Management
- Records Retention
- Information Security
- Payment Card Industry Security Standards
- Privacy Compliance and Identity Theft Prevention

Key Benefits – Case Study

Survey Design
• The survey was developed to quickly assess key privacy compliance, identity theft risks and gaps against internal and common industry best practices.
• The survey was designed to promote efficiency, minimize burden and develop tools that can be used for current and ongoing business-as-usual processes and compliance obligations.
• The survey was designed to address multiple needs:
- Privacy and Identity Theft/Data Mishandling Prevention Assessment
- Data Element Inventory
- PCI scope confirmation
- Key Security Controls Assessment and Benchmarking
- Marketing (opt-in/opt-out) Compliance Awareness and Compliance Assessment
- Inventory of Third-Party Vendors and Transfers
- eDiscovery and Records Benchmarking

Integrated Assessment Potential Benefits

Integrated Approach.
• Ongoing Assessment and Reporting Process. The survey questionnaire can serve as an annual process to reassess the highest-risk areas, priorities and progress.
• FTC (and Other Regulator) Assessment Expectations. The FTC has expressed its expectation that companies conduct privacy and security assessments every other year; this assessment and approach should serve to satisfy that expectation.

Data Element Approach.
• Breach Response Capabilities.
The inventory allows quick identification of the data elements involved in a lost laptop or other breach, and of the US state breach-notice obligations that result.
• Data Classification. When data elements are baked into the data classification scheme, a data element inventory makes it possible to quickly determine the required controls.

Safe Harbor & Ongoing Privacy Assessment
• Combines the Annual Privacy Assessment and Safe Harbor Processes. Both a privacy assessment (expected by the FTC) and the Safe Harbor assessment (required by the Department of Commerce for recertification) may be required activities. The design of the survey allows both to be pursued simultaneously, efficiently and cost-effectively.
• Accelerates Safe Harbor Certifications. If a company decides to pursue Safe Harbor certification, the survey positions it on the road to Safe Harbor, saving months and significant fees.

QUESTIONS?