Privacy Advisory Services PowerPoint Presentation

Privacy Advisory Services … A Best Practices, Integrated Approach
Insert Firm Name Here
PRIVACY IN THE NEWS
Breach of Credit Card Companies' Security Affects 40 Million Accounts
INFORMATION TRENDS
• Every day, companies collect, use, profile, disclose, and analyze customer information…
• Unfortunately, some of this information is:
  – Misused
  – Stolen
  – Abused
• This has led to a trust gap among customers.
INFORMATION STAKEHOLDER CONCERNS
• Customers
  – Concerned with how and why their information is collected, used, disclosed, and retained
  – Want businesses to earn trust
• Businesses
  – Trying to strike a balance between collection and use of information
  – Concerned with reducing the privacy risk created by poor privacy practices
  – Want to leverage good privacy practices and retain the trust of customers
• Government
  – Taking increased action on growing concerns about privacy to:
    • Protect rights of citizens
    • Better manage its own data stores
GOVERNMENTS’ RESPONSE
• U.S. legislation
  – Gramm-Leach-Bliley Act (GLBA)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Children’s Online Privacy Protection Act (COPPA)
  – Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  – Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• Other important laws, regulations, and guidelines
  – Privacy Act of 1974
  – European Union Directive on Data Protection
  – OECD privacy guidelines
  – Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
  – Privacy Online: A Report to Congress
SO WHERE ARE WE?
• Privacy is increasingly in the news, particularly for violations.
• Consumers are greatly concerned and want more control.
• Businesses are trying to balance collection and use.
• The Government is taking increased action.
PRIVACY: A DEFINITION
PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the…
• Collection
• Use
• Disclosure, and
• Retention
…of personal information.
PERSONAL INFORMATION: WHAT IS IT?
• Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include:
  – Name, address, email address
  – Identification numbers
  – Credit records
  – Buying history
  – Employee records
• Much of this information is sensitive and a greater cause for concern.
RIGHTS AND OBLIGATIONS
Individuals
• Be aware of the organization’s privacy policies
• Provide accurate and appropriate information suited to the purpose for which the information is needed
• Notify the organization of inaccuracies in or changes to personal information used by the organization
• Adhere to applicable laws and regulations, and other agreements with the organization
Organizations
• Establish and communicate its privacy policies and commitments to the individual
• Provide choices or seek consent for the use of the personal information
• Collect, use, retain, and disclose personal information according to its privacy policies and commitments
• Allow the individual to update or correct personal information that is used by the organization
• Protect the personal information from unauthorized use and disclosure
• Otherwise adhere to its policies, applicable laws and regulations, and other agreements with the individual
BUSINESS RISKS
• 60% of customers* say they have decided not to use a company because they weren't sure how their personal information would be used.
• Litigation…FTC settlements: BJ’s Wholesale Club, Inc. settles charges that its failure to take appropriate security measures to protect the sensitive information of thousands of its customers was an unfair practice that violated federal law; Petco Animal Supplies Inc. settles charges that security flaws in its Web site violated privacy promises it made to its customers and violated federal law.
• Poor privacy practices can damage brand, reputation, customer loyalty and satisfaction, market position, shareholder value, revenue and more.
*Source: 2004 Privacy & American Business survey
PRIVACY AS A COMPETITIVE ADVANTAGE
• Companies are concerned with how their customers see them handling privacy concerns:
  – 100% of companies surveyed* have a privacy policy.
  – 100% of companies surveyed* report that privacy compliance is a significant regulatory concern for their company.
  – 95% of companies surveyed* monitor emerging state and federal privacy regulations.
• However, only:
  – 62% of companies surveyed* monitor internal compliance with their privacy policy.
  – 49% of companies surveyed* have privacy policies that are easy to understand.
  – 19% of companies surveyed* have had an independent privacy audit conducted within the last two years.
*Source: 2005 Benchmark Study of Corporate Privacy Practices co-released by the Ponemon Institute and Vontu, Inc.
How can our firm help?
• We provide a full range of services, including:
  – Privacy strategic and business planning.
  – Privacy gap and risk analysis.
  – Benchmarking against the Generally Accepted Privacy Principles (GAPP).
  – Privacy policy design and implementation.
  – Performance measurement.
  – Independent verification of privacy controls.
GENERALLY ACCEPTED PRIVACY PRINCIPLES
A Global Privacy Framework
OVERALL PRIVACY OBJECTIVE
Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.
GENERALLY ACCEPTED PRIVACY PRINCIPLES
• Management
• Notice
• Choice and Consent
• Collection
• Use and Retention
• Access
• Disclosure
• Security
• Quality
• Monitoring and Enforcement
The Generally Accepted Privacy Principles (A Global Framework) provide detailed privacy guidance!
• The Framework contains criteria for each of the 10 Privacy Principles.
• Each criterion’s illustrations and explanations are designed to enhance the understanding of the criteria.
• Many criteria have additional considerations, such as good privacy practices and selected requirements of specific laws and regulations pertaining to a certain industry or country.
[Firm Name] & GENERALLY ACCEPTED PRIVACY PRINCIPLES HELP BRIDGE THE TRUST GAP
[Your Firm Name]
WHAT DOES THIS MEAN?
• Privacy is a RISK MANAGEMENT ISSUE.
• Privacy can be used as a COMPETITIVE ADVANTAGE.
  – 56% of the companies surveyed* believe that safeguarding privacy has a direct positive impact on their company's brand or image in the marketplace.
*Source: 2005 Benchmark Study of Corporate Privacy Practices co-released by the Ponemon Institute and Vontu, Inc.
Steps to Better Privacy Practices:
• Designate an individual to be responsible for privacy.
• Develop a business strategy.
• Perform a risk assessment and gap analysis of controls and procedures.
• Develop, design, and implement privacy initiatives.
• Sustain and manage privacy processes.
CPA Privacy Advisory Services
Your Trusted Adviser in Privacy
[Insert Firm Name Here]
[Insert Address]
[Insert Phone No.]
[Insert E-mail Address]