Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program
IAPP Canadian Privacy Summit
May 2008
Cost of a Breach
$197 per compromised record
Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007
Why Self-Assess?
• Identify weaknesses and opportunities
  – Correct weaknesses before a breach occurs
• Benchmarking
  – Current state vs. desired state
• Demonstrates privacy compliance with stakeholders
  – Management / Board of Directors
  – Employees / Customers
  – Regulators / Privacy commissioners
What You’ll Learn This Hour
• Office of the Privacy Commissioner of Canada
  – Auditing for privacy and guidance for best privacy practices
• Sun Life Assurance Co of Canada
  – How they conducted their own self-assessment and lessons learned
• CICA
  – Privacy Risk Assessment Tool
Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada
Assessing Privacy Management
IAPP
Toronto
May 22, 2008
Jennifer Stoddart, Privacy Commissioner of Canada
This Presentation
• Overview of OPC
• Privacy environment
• OPC audit & review
• PIPEDA self assessing tool
Warm Up
P+S = 0?
or
P+S = 1?
P-S = 300 million
About the OPC
Office of the Privacy Commissioner of Canada
• Protect & promote privacy rights of individuals
• Oversee compliance with two Acts
• Independent Officer of Parliament
• Multi-faceted ombudsman role
• Responsible for promoting good management of personal information by organizations, both public and private.
Visit www.privcom.gc.ca
OPC Audit & Review Mandate
• Section 36(1) of the Privacy Act – to investigate exempt data banks.
• Section 37(1) of the Privacy Act – review of compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.
• TB Policy – Privacy Impact Assessment Reviews
• Section 18(1) PIPEDA – with reasonable notice, time and on reasonable grounds to believe contravention – audit the PI management practices of an organization. Private sector audit universe.
Audit & Review Branch
We do audits and privacy impact assessment reviews – with a purpose.
To conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.
Building capacity – now 9 growing to 19. Budget increased to $1.7m (from $896K).
A Definition of Privacy Auditing
“Privacy auditing” (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information – consistent with “fair information principles”. It can also be viewed as assessment of the means employed by organizations to manage privacy risks. Using a “systems” approach, any particular audit under the Privacy Act or the Personal Information and Electronic Documents Act would be designed to address one or more of the following basic questions – depending on the scope of audit.
Privacy management in context
Privacy Environment Today
Toronto - 1907
Ubiquitous Computing
A New Universe - World Connected
Technology – no limits/bounds
No Shortage of Privacy Challenges
• Post 9/11 – increased emphasis on information sharing for security purposes
• Trans border data flow
• Outsourcing activities
• Protecting one’s actual persona in an age of information expansion-integration
  – Data consolidation-mining-matching-resale
  – Behavioral profiling and target advertising
• Biometrics
• Increased surveillance (in many forms – visual and data)
• Internet - Web2 – Wireless communication (generation shift)
• Identity theft – loss/theft of PI
• Privacy breaches
Public increasingly concerned
Some days we feel a little overwhelmed
Privacy Breaches
• The number one issue raised in submissions on PIPEDA review was data breach
• Seems not a day without one
• How many actually happen compared to ones known about?
ID Theft – solutions?
• Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites -- $2,500 civil penalty. Ostergren story.
• Canada introducing ID theft legislation – C27.
• Informing people on how to protect themselves.
Privacy Breaches
Industry Canada Policy Objectives:
1. Encourage better data security practices and better understand the link between current practices and data losses.
2. Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.
3. Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.
Why do breaches happen?
• An accident – one off thing?
• Function of:
  – Culture
  – Flawed systems and procedures?
• Likely that the resources invested to prevent a breach, i.e. protect personal information, would depend on the extent to which management believes they can “afford” a breach – function of risk management.
• Privacy breach protocol is a key element of a privacy management program/framework.
What about data security?
“Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems.”
GAO March 12, 2008 GAO-08-571T
• OAG Canada has reported concerns about information security among federal departments and agencies.
• OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as private sector.
Keeping privacy healthy
How privacy management “friendly” is your organization?
1. How does your organization view privacy - what’s the culture?
2. Is privacy on the agenda/radar of Senior Management?
3. How’s your PMF? Do you have one – can you articulate it?
4. Do you have a handle on what personal information you hold, why you collect it and what you do with it?
5. Do you have a privacy training program?
6. How’s your CPO Shop? – is it sufficiently resourced/have capacity to do what it should? Is it a marginal or a key player?
7. Do you track privacy breaches and have responsive mechanisms?
8. When you introduce/change business lines or systems – do you do a privacy impact assessment (including TRA) beforehand and then do you use it?
9. You have policy – that’s good – but is it just “words on paper”? How do you know it’s followed/supported?
   – Does your internal audit function consider privacy issues/risks?
   – When did your organization last do a privacy practices check-up?
   – In what ways is managing for privacy part of a manager’s performance agreement and evaluation?
OPC Self-assessment tool
• A compliance guide and a diagnostic tool we expect to make public by July 08.
• A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA
• Framework of principles and criteria
• A guide - series of must, should, may by each Principle.
• Diagnostic tool – checklists, means of interpretation and action determination.
Self Assessment Checklists
P1  Accountability                          23 Qs
P2  Identifying Purpose                      9 Qs
P3  Consent                                  9 Qs
P4  Limiting Collection                      6 Qs
P5  Limiting use, disclosure, retention      5 Qs
P6  Accuracy                                 6 Qs
P7  Safeguards                               8 Qs
P8  Openness                                 6 Qs
P9  Individual Access                       15 Qs
P10 Challenging Compliance                   5 Qs
Sample checklist – Principle 1 Accountability
Columns: Statement | Assessment (Met / Not Met / Partly Met) | Evidence | Actions
• You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.
• You have clearly delineated who, within your organization, is responsible for privacy governance and management.
• You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.
Evaluating
Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas.
Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.
Maturity
A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions which should help set priorities for remedial action and define a realistic timeline for completion.
A Privacy Program Maturity Scale
• Level 1 – Non existent/seriously underdeveloped
• Level 2 – Early stages of development
• Level 3 – Advanced – requirements mostly met – improvements possible
• Level 4 – Fully developed – requirements mostly met with only minor or no adjustments needed
Likelihood of Occurrence
Level  Descriptor      Description
5      Almost Certain  Event occurs regularly here.
4      Likely          Event has occurred here more than once, or is occurring to others in similar circumstances.
3      Moderate        Event has occurred here before, or has been observed in similar circumstances.
2      Unlikely        Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1      Rare            Event has almost never been observed, it may occur only in exceptional circumstances.
Impact
Level  Descriptor  Description
5      Extreme     A major event with the potential to lead to long-term damage to an organization’s ability to meet its objectives.
4      Very High   A critical event, which with proper management, can be endured by the organization.
3      Medium      A significant event that can be managed under normal circumstances by the organization.
2      Low         An event where consequences can be absorbed, but management effort is required to minimize the impact.
1      Negligible  An event, the consequences of which can be absorbed through normal activity.
Heat Mapping
[Figure: heat map with Impact (Negligible, Low, Medium, Very High, Extreme) on the vertical axis and Likelihood (Rare, Unlikely, Moderate, Likely, Almost Certain) on the horizontal axis.]
For Illustrative Purposes Only
Keeping Privacy Healthy
• Focus on privacy principles
• Value privacy as a credential and not just a compliance requirement – treat personal information as a key asset to be safeguarded as well as any other
• Systematic approach to privacy risk management
• Better legislative and regulatory frameworks
• Robust privacy management framework
• Strong IT control, especially for identification and authentication
• Privacy checkups
• Be a privacy guardian……..why………
Privacy Matters
• Fundamental Human Right
  – Rights against arbitrary intrusion – freedom from unreasonable search and seizure. Right to protect personal information.
• Privacy matters because it’s about the kind of society we want – the relationship we have with government, business and among ourselves.
Thank You
Questions?
www.privcom.gc.ca
1-800-282-1376
Trevor R. Shaw, CA CMC
A/Director General - Audit and Review
613-996-2252
Privacy Self-Assessment
David T Shuen, MBA, LL.B., CIPP/C
VP, Chief Compliance Officer
Canadian Operations
Sun Life Financial
Objectives of the Self-Assessment
• Governance
  – Update and document compliance status
  – Obtain evidence of management due diligence
  – Input for compliance testing
• Risk Management
  – Identify trends and systemic control weakness
  – Identify emerging issues and risks
  – Input for control measures development
  – Maintain awareness
The Self-Assessment
• Developed in-house by our privacy team with input from our Privacy Advisory Committee.
• Contains 37 questions based on the Fair Information Principles.
• Captures information on:
  – Compliance status
  – Current compliance, risk management and regulatory activities, e.g. audits, examinations
  – Trends / issues / risks identified
  – New privacy controls and safeguards and near-term planned activities
  – Top 5 (self-identified) privacy risks including documentation of corresponding controls and assessment of the net risk
The Process
• Semi-annual
• Coordinated by the privacy office
• Completed by privacy / compliance officers in business units with access to personal information – input from operations
• Reviewed by business unit heads
• Certification required
• Takes about 3 weeks at the business level
The Process
• Analyzed by the Privacy Office
• Consolidated report prepared for the CPO
• Summary reported to Canadian senior management and enterprise risk management committee
• Material issues escalated to executives and shared with control functions – Internal Audit, Compliance and Risk management
Lessons Learned
• A good way to know what is going on in the business
• Effective way to keep Privacy on the radar screen
• Testing a necessity
  – Perception of risk differs
• There is no such thing as too much awareness – training needs to be on-going
  – Front-line workers have the least time for training but have most access to customer information
  – Less formal but more frequent awareness campaign may be more effective than formal training course
• Authentication a constant struggle between good customer experience and good privacy protection
Privacy Risk Assessment Tool
• Based on Generally Accepted Privacy Principles developed by CICA and AICPA
  – A privacy framework to help organizations develop and assess their privacy program and privacy risk
• Excel based
• Allows up to 10 assessors
www.cica.ca/privacy
Generally Accepted Privacy Principles
• Management
• Notice
• Choice & Consent
• Collection
• Use & Retention
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring & Enforcement
The Benefits of GAPP
• Comprehensive
  – Framework of over 60 measurable and relevant criteria
• Objective
  – Developed by the auditing profession to
    • Address international expectations
    • Create a basis for comparability
    • Universally available at no charge
• Relevant
  – Widespread use and recognition
  – Applicable for evaluating privacy risk enterprise-wide
• Recognized as suitable criteria for a privacy audit
  – Can also be the basis for an internal assessment
GAPP - 66 Criteria
Columns: Criteria | Description | Likelihood of a Control Failure | Business Impact | Effort/Cost to Mitigate

MANAGEMENT (10 criteria)
Privacy Policies (1.1.0)
  Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement.
  Likelihood 2 | Business Impact 5 | Effort/Cost 8
Communications to Internal Personnel (1.1.1)
  Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved.
  Likelihood 2 | Business Impact 5 | Effort/Cost 8
Scoring Input Template

GAPP - 10 Principles       Likelihood of a Control Failure   Business Impact   Size of Marker (Cost to Mitigate)
MANAGEMENT                 2.3                               2.3               2.6
NOTICE                     4.6                               3.9               4.7
CHOICE / CONSENT           5.0                               8.0               4.6
COLLECTION                 4.3                               2.8               4.0
USE / RETENTION            5.0                               5.0               5.0
ACCESS                     5.8                               5.0               6.5
DISCLOSURE                 3.4                               5.6               3.0
SECURITY                   7.0                               8.0               6.7
QUALITY                    5.5                               7.5               8.0
MONITORING / ENFORCEMENT   3.0                               4.0               3.0
Scoring Summary
[Figure: GAPP Privacy Risk Assessment, 10 Principles - 66 Criteria. Scatter plot of the ten principles (Management, Notice, Choice / Consent, Collection, Use / Retention, Access, Disclosure, Security, Quality, Monitoring / Enforcement) with Likelihood of a Control Failure on the horizontal axis (0 to 10, Low to High) and a 0 to 10 vertical axis; the four regions are labelled Requires Immediate Attention, Senior Mgmt Focus; Actively Manage Remediation Plans; Plan to Remediate, Business Contingency Plans; Fix at Mgmt Discretion, Bear Risk.]
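The roll-up from criterion scores to the per-principle scoring summary and its quadrants, as an added example that is not CICA's Excel tool. It assumes every score is on a 0-10 scale, that a principle's score is the mean of its criteria, that the quadrant boundary is the axis midpoint of 5, and that the four chart labels map to quadrants as their wording suggests (high likelihood plus high impact is "Requires Immediate Attention"); the two MANAGEMENT rows reuse the 2 / 5 / 8 scores from the template above and all other scores are constructed.

```python
"""Roll GAPP criterion scores up to the per-principle scoring summary.

Added example, not CICA's tool. Assumptions: scores are 0-10, a principle's
score is the mean of its criteria, and quadrants split at the midpoint 5.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class CriterionScore:
    principle: str
    ref: str           # GAPP criterion reference, e.g. "1.1.0"
    likelihood: float  # likelihood of a control failure (x axis)
    impact: float      # business impact (y axis)
    cost: float        # effort/cost to mitigate (marker size)


QUADRANT_CUT = 5.0  # assumed midpoint of the 0-10 axes

# The two MANAGEMENT rows use the 2 / 5 / 8 scores from the template on this
# page; every other row is constructed for the example.
SAMPLE_SCORES = [
    CriterionScore("MANAGEMENT", "1.1.0", 2, 5, 8),
    CriterionScore("MANAGEMENT", "1.1.1", 2, 5, 8),
    CriterionScore("MANAGEMENT", "constructed-M3", 3, 1, 2),
    CriterionScore("SECURITY", "constructed-S1", 7, 8, 6),
    CriterionScore("SECURITY", "constructed-S2", 7, 8, 7),
    CriterionScore("ACCESS", "constructed-A1", 6, 3, 4),
    CriterionScore("QUALITY", "constructed-Q1", 3, 8, 9),
]


def validate(score: CriterionScore) -> None:
    """Reject a score outside the assumed 0-10 scale before it skews a mean."""
    for field in ("likelihood", "impact", "cost"):
        value = getattr(score, field)
        if not 0 <= value <= 10:
            raise ValueError(f"{score.principle} {score.ref}: {field}={value} not in 0-10")


def summarize(scores):
    """Return {principle: (mean likelihood, mean impact, mean cost)} rounded to
    one decimal, i.e. one row of the scoring summary per principle."""
    groups: dict[str, list[CriterionScore]] = {}
    for s in scores:
        validate(s)
        groups.setdefault(s.principle, []).append(s)
    return {
        p: (
            round(mean(s.likelihood for s in g), 1),
            round(mean(s.impact for s in g), 1),
            round(mean(s.cost for s in g), 1),
        )
        for p, g in groups.items()
    }


def quadrant(likelihood: float, impact: float, cut: float = QUADRANT_CUT) -> str:
    """Map a principle's plot position to one of the four chart labels.
    The label-to-quadrant mapping is assumed from the wording of the labels."""
    high_likelihood = likelihood >= cut
    high_impact = impact >= cut
    if high_likelihood and high_impact:
        return "Requires Immediate Attention, Senior Mgmt Focus"
    if high_impact:
        return "Plan to Remediate, Business Contingency Plans"
    if high_likelihood:
        return "Actively Manage Remediation Plans"
    return "Fix at Mgmt Discretion, Bear Risk"


def prioritized(scores):
    """Rows of (principle, likelihood, impact, cost, quadrant), worst first:
    ordered by likelihood x impact, cheaper-to-mitigate first on ties."""
    rows = [(p, l, i, c, quadrant(l, i)) for p, (l, i, c) in summarize(scores).items()]
    return sorted(rows, key=lambda r: (-(r[1] * r[2]), r[3]))


if __name__ == "__main__":
    for principle, l, i, c, q in prioritized(SAMPLE_SCORES):
        print(f"{principle:<12} L={l:4.1f} I={i:4.1f} cost={c:4.1f}  {q}")
```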
Contact Info
www.cica.ca/privacy
Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development
CICA
(416) [email protected]
Questions?