Using Safe Harbor to Develop an
Integrated, Global Assessment Approach
August 20, 2008
Panelists
• Lael Bellamy, Chief Counsel - IT, IP & Privacy, ING Americas (formerly with The Home Depot)
• Laurie Smaldon, CIPP, Manager, Privacy and Identity Theft Practice, PricewaterhouseCoopers LLP
© PricewaterhouseCoopers
Slide 2
Agenda
• Safe Harbor Certification Overview
• Integrated Assessment Approach
• Key Benefits – Case Study
• Questions & Answers
Slide 3
Safe Harbor Certification Overview
Safe Harbor Certification Basics
• Requires certification with the US Department of Commerce
  - One stop shop: adequacy determination from all EEA member states without any further approval
• Must agree to abide by 7 data privacy principles
  - Notice, Choice, Access, Security, Onward Transfer, Data Integrity and Enforcement
• Limits enforcement to the FTC instead of each of the 27 DPAs in the EEA
  - DPAs have not investigated US Safe Harbor pharma companies
  - FTC has not brought any case against a US company in 5 years
• No 3rd party beneficiary rights, but a dispute resolution mechanism is required
  - Must use DPAs for disputes regarding employee PII
  - May use an independent US 3rd party for all other disputes
• Allows flexibility to support evolving business models and relationships
• Not available for financial services companies
Slide 5
What it means to be a Safe Harbor company – 7 Principles
Certification Requirements. In order to certify under the Safe Harbor Accord, a
company must assess and put in place mechanisms to maintain compliance with the
seven (7) Safe Harbor Principles. Key steps include:
Develop and maintain a Privacy or Safe Harbor Policy. The policy will be based on
the seven (7) Principles for certification under the Safe Harbor Accord.
1. Notice. Safe Harbor Companies update or prepare a global or EU applicable
privacy policy or EU notice statements for the data subject of the certification to
ensure such policy or notice is accurate, comprehensive, and visible to data
subjects. Also, such companies often simultaneously aim to improve awareness
so that both data subjects and management have comfort that employees are
aware of the appropriate operating practices.
2. Choice. The policy will also cover areas where consent, permission, data use
limitations/opt-out strategies and special treatment for "Sensitive Personal Data"
are applicable.
3, 4 & 5. Access, data integrity and enforcement. The policy also addresses other
areas related to existing processes or controls, if applicable, to meet Access, Data
Integrity and Enforcement requirements needed to cover a Safe Harbor election.
Slide 6
What it means to be a Safe Harbor company – 7 Principles
6. Security. A Safe Harbor company must maintain adequate and reasonable
administrative and technical safeguards and controls designed to address the
appropriate security requirements for US and EU applications that capture or
process data subject to the certification.
7. Onward transfer. A Safe Harbor Company must maintain administrative
safeguards (i.e., contractual protections) such that any onward transferee or any
third party that can access the data subject to the certification will maintain
safeguards comparable to those of the certifying company or the vendor/third party
is also a company that has made a Safe Harbor election.
8. Annual re-certification. Under the Safe Harbor Accord, Safe Harbor companies
must annually recertify that they are abiding by the principles of the Safe Harbor
accord. In order to make such a certification, Safe Harbor companies typically
develop a Safe Harbor annual assessment and training program.
Slide 7
Survey and Gap Analysis
Our approach performs a security and privacy assessment against the 7 Data
Protection Principles.
• The objective is to identify and analyze:
  - existing data transfers (including PI received or accessible in the US);
  - privacy and data handling compliance;
  - security and data handling risks; and
  - gaps against the Safe Harbor Principles, including "reasonable security" with
    respect to identified Safe Harbor applications, systems and databases.
• The company must have reasonable security as well as controls that enable verification of
  reasonable compliance with the privacy requirements and related guidance.
• The approach assesses compliance against recommended privacy practices and a
  reasonable security framework based on industry practices.
Slide 8
Survey and Gap Analysis - Details
• The phased approach begins with an inventory of applicable Safe Harbor
  applications and systems, using our survey, which is designed to identify:
  (i) applicable systems, applications and databases that will be subject to
      the Safe Harbor certification;
  (ii) data elements being used and maintained in such systems, applications
      and databases; and
  (iii) any internal and external transfers of the data.
• Based on the results of the survey, key applications and systems are identified that
  contain PI transferred from the EEA to the US, along with the types of PI contained
  in such systems and the onward transferees.
• To gather further information and clarify our understanding of the data
  flows associated with the identified systems and applications, interviews are also
  conducted with key system, application and business owners to validate our
  understanding and findings.
Slide 9
Integrated Assessment Approach
Integrated Assessments Overview
Pulling it all together:
• Many companies operate in vertical silos with different frameworks.
• Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach
  Laws, Marketing Laws or Other.
[Diagram: "An Integrated Approach" at the centre, surrounded by the frameworks it draws together]
Privacy
• US - Fair Information Practices (e.g., HIPAA, GLBA)
• Global - Organization of Economic Cooperation and Development (e.g., EU Data Protection Directive)
Technical Standards
• ISO 17799
• COBIT
• PCI
• Others
Regulatory
• FTC GLBA 501(b) Safeguards Rule
• HIPAA Security
Risk
• COSO II
• SOX
• Basel II
Compliance
• Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)
Slide 11
Integrated Assessments Overview
The trend is to search for common requirements and points of leverage.
Integrated approach. Consider
people, process, technology and
organization perspectives to classify
privacy and information management:
• Key compliance program elements
and culture;
• Consumer privacy awareness and
rights;
• Security safeguards;
• Key data handling and identity
theft risks; and
• Organizational design and change.
Common Vulnerabilities and Practices
that can Compromise Sensitive Data
• Third-party vendor handling and
transfers;
• Improper access or broad access
controls;
• Paper handling and dumpster diving;
• Phishing, web/email vulnerabilities;
• Mobile and home-based workforce;
• Call centers and social engineering;
• Use of personal information in
authentication processes with
customers (online, phone, fax);
• Back-up tapes;
• Peer-to-peer networks (iPods, etc.);
• Collecting/using SSNs and personal
info; and
• Transportable media.
Slide 12
Key Differences and Benefits to New Approach to Information
• Coordination and Cost Savings. Increasingly developing coordinated
  approaches to compliance and information risk management and leveraging prior
  investments, especially around technology and approaches related to (among
  several areas):
  - Sarbanes-Oxley Controls
  - Intellectual Property Protection
  - Outsourcing, Procurement, Vendor Management and International Data Management
  - Records Retention
  - Information Security
  - Payment Card Industry Security Standards
  - Privacy Compliance and Identity Theft Prevention
Slide 13
Key Benefits – Case Study
Survey Design
• The survey was developed to quickly assess key privacy compliance, identity theft
  risks and gaps against internal and common industry best practices.
• The survey was designed to promote efficiency, minimize burden and to develop
  tools that can be used for current and ongoing business-as-usual processes and
  compliance obligations.
• The survey was designed to address multiple needs:
  - Privacy and Identity Theft/Data Mishandling Prevention Assessment.
  - Data Element Inventory.
  - PCI scope confirmation.
  - Key Security Controls Assessment and Benchmarking.
  - Marketing (opt-in/out) Compliance Awareness and Compliance Assessment.
  - Inventory of Third Party Vendors and Transfers.
  - eDiscovery and Records Benchmarking.
Slide 15
Integrated Assessment Potential Benefits
Integrated Approach.
• Ongoing Assessment and Reporting Process. The survey questionnaire may serve as a
potential annual process to reassess highest risk areas, priorities and progress.
• FTC (and Other Regulator) Assessment Expectations. The FTC has expressed its
expectation that companies conduct privacy and security assessments every other year, and this
assessment and approach should serve as an effort to satisfy that expectation.
Data Element Approach.
• Breach Response Capabilities. The inventory will allow quick identification of the data
elements involved in the event of a lost laptop or other breach, and of the US state
notice obligations that result.
• Data Classification. When data elements are baked into a data classification scheme, a data
element inventory will provide the ability to quickly classify the required controls.
Safe Harbor & Ongoing Privacy Assessment
• Combines Annual Privacy Assessment and Safe Harbor Processes. Both a privacy
assessment (required by the FTC) and the Safe Harbor assessment (required by the Department
of Commerce for recertification) could be required activities. The design of the survey
allows both to be efficiently (and cost-effectively) pursued simultaneously.
• Accelerates Safe Harbor Certifications. If a company were to decide to pursue Safe Harbor
certification, the survey would actually position them on the road to Safe Harbor (saving months
and significant fees).
Slide 16
QUESTIONS?