Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program
IAPP Canadian Privacy Summit, May 2008

Transcript of the slide deck (53 pages).

Page 1

Being Proactive: Identifying Weaknesses and Opportunities in Your Privacy Program

IAPP Canadian Privacy Summit

May 2008

Page 2

Cost of a Breach

$197 per compromised record

Source: 2007 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, Nov 2007

Page 3

Why Self-Assess?

• Identify weaknesses and opportunities
  – Correct weaknesses before a breach occurs

• Benchmarking
  – Current state vs. desired state

• Demonstrate privacy compliance to stakeholders
  – Management / Board of Directors
  – Employees / Customers
  – Regulators / Privacy commissioners

Page 4

What You’ll Learn This Hour

• Office of the Privacy Commissioner of Canada
  – Auditing for privacy and guidance for best privacy practices

• Sun Life Assurance Co of Canada
  – How they conducted their own self-assessment and lessons learned

• CICA
  – Privacy Risk Assessment Tool

Page 5

Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada

Assessing Privacy Management

IAPP

Toronto

May 22, 2008

Page 6

Jennifer Stoddart
Privacy Commissioner of Canada

Page 7

This Presentation

• Overview of OPC
• Privacy environment
• OPC audit & review
• PIPEDA self assessing tool

Page 8

Warm Up

P+S = 0?

or

P+S = 1?

P-S = 300 million

Page 9

About the OPC

Office of the Privacy Commissioner of Canada

• Protect & promote privacy rights of individuals
• Oversee compliance with two Acts
• Independent Officer of Parliament
• Multi-faceted ombudsman role
• Responsible for promoting good management of personal information by organizations, both public and private.

Visit www.privcom.gc.ca

Page 10

OPC Audit & Review Mandate

• Section 36(1) of the Privacy Act – to investigate exempt data banks.

• Section 37(1) of the Privacy Act – review of compliance with sections 4-8 in respect of personal information under the control of government institutions (public sector). About 250 entities.

• TB Policy – Privacy Impact Assessment Reviews

• Section 18(1) PIPEDA – with reasonable notice, time and on reasonable grounds to believe contravention – audit the PI management practices of an organization. Private sector audit universe.

Page 11

Audit & Review Branch

We do audits and privacy impact assessment reviews – with a purpose.

To conduct independent and objective audits and reviews of personal information management systems for the purpose of promoting compliance with applicable legislation, policies and standards and improving privacy practices and accountability.

Building capacity – now 9 growing to 19. Budget increased to $1.7m (from $896K).

Page 12

A Definition of Privacy Auditing

“Privacy auditing” (in our context) can be defined as a systematic examination of control and accountability for the life cycle management of personal information – consistent with “fair information principles”. It can also be viewed as assessment of the means employed by organizations to manage privacy risks. Using a “systems” approach, any particular audit under the Privacy Act or the Personal Information and Electronic Documents Act would be designed to address one or more of the following basic questions – depending on the scope of audit.

Page 13

Privacy management in context

Privacy Environment Today

Page 14

Toronto - 1907

Page 15

Ubiquitous Computing

Page 16

A New Universe - World Connected

Page 17

Technology – no limits/bounds

Page 18

No Shortage of Privacy Challenges

• Post 9/11 – increased emphasis on information sharing for security purposes
• Trans border data flow
• Outsourcing activities
• Protecting one’s actual persona in an age of information expansion-integration
  – Data consolidation-mining-matching-resale
  – Behavioral profiling and target advertising
• Biometrics
• Increased surveillance (in many forms – visual and data)
• Internet - Web2 – Wireless communication (generation shift)
• Identity theft – loss/theft of PI
• Privacy breaches

Page 19

Public increasingly concerned

Page 20

Some days we feel a little overwhelmed

Page 21

Privacy Breaches

• The number one issue raised in submissions on PIPEDA review was data breach
• Seems not a day without one
• How many actually happen compared to ones known about?

Page 22

ID Theft – solutions?

• Virginia state legislature passed a law prohibiting individuals from disseminating Social Security Numbers legally obtained from government web sites -- $2,500 civil penalty. Ostergren story.

• Canada introducing ID theft legislation – C27.

• Informing people on how to protect themselves.

Page 23

Privacy Breaches

Industry Canada Policy Objectives:

1. Encourage better data security practices and better understand the link between current practices and data losses.

2. Reduce public concern about data breaches and increase confidence in the electronic marketplace and online commerce.

3. Ensure that individuals obtain the information necessary to take steps to mitigate harm resulting from a breach of their personal information.

Page 24

Why do breaches happen?

• An accident – one off thing?

• Function of:
  – Culture
  – Flawed systems and procedures?

• Likely that the resources invested to prevent a breach, i.e. protect personal information, would depend on the extent to which management believes they can “afford” a breach – function of risk management.

• Privacy breach protocol is a key element of a privacy management program/framework.

Page 25

What about data security?

“Despite agency reported progress, major federal agencies continue to experience significant information security control deficiencies that limit the effectiveness of their efforts to protect the confidentiality, integrity and availability of their information and information systems.”

GAO March 12, 2008 GAO-08-571T

• OAG Canada has reported concerns about information security among federal departments and agencies.

• OPC has observed cases of poor information management and/or weak data protection in federal departments and agencies as well as private sector.

Page 26

Keeping privacy healthy

Page 27

How privacy management “friendly” is your organization?

1. How does your organization view privacy - what’s the culture?
2. Is privacy on the agenda/radar of Senior Management?
3. How’s your PMF? Do you have one – can you articulate it?
4. Do you have a handle on what personal information you hold, why you collect it and what you do with it?
5. Do you have a privacy training program?
6. How’s your CPO Shop? – is it sufficiently resourced/have capacity to do what it should? Is it a marginal or a key player?
7. Do you track privacy breaches and have responsive mechanisms?
8. When you introduce/change business lines or systems – do you do a privacy impact assessment (including TRA) beforehand and then do you use it?
9. You have policy – that’s good – but is it just “words on paper”? How do you know it’s followed/supported?
   – Does your internal audit function consider privacy issues/risks?
   – When did your organization last do a privacy practices check-up?
   – In what ways is managing for privacy part of a manager’s performance agreement and evaluation?

Page 28

OPC Self-assessment tool

• A compliance guide and a diagnostic tool we expect to make public by July 08.
• A set of standards that medium to large organizations can use to monitor compliance with the 10 Fair Information Principles from Schedule 1 of PIPEDA
• Framework of principles and criteria
• A guide - series of must, should, may by each Principle.
• Diagnostic tool – checklists, means of interpretation and action determination.

Page 29

Self Assessment Checklists

P1 Accountability – 23 Qs
P2 Identifying Purpose – 9 Qs
P3 Consent – 9 Qs
P4 Limiting Collection – 6 Qs
P5 Limiting use, disclosure, retention – 5 Qs
P6 Accuracy – 6 Qs
P7 Safeguards – 8 Qs
P8 Openness – 6 Qs
P9 Individual Access – 15 Qs
P10 Challenging Compliance – 5 Qs

Page 30

Sample checklist – Principle 1 Accountability

Columns: Statement | Assessment (Met / Not Met / Partly Met) | Evidence | Actions

Statements:

• You have reviewed your privacy policies and are satisfied that they are complete and easy to understand.

• You have clearly delineated who, within your organization, is responsible for privacy governance and management.

• You have privacy policies and practices that apply to the personal information of your employees as well as that of your customers.

Page 31

Evaluating

Evaluating the results of a self-assessment should enable an organization to dedicate resources to improving privacy practices in the right areas.

Over time, evaluation of an organization’s compliance should be put into the context of a maturity level.

Page 32

Maturity

A mature privacy management program/framework is characterized by due diligence and documentation of risk acceptance or mitigation decisions, which should help set priorities for remedial action and define a realistic timeline for completion.

Page 33

A Privacy Program Maturity Scale

• Level 1 – Non existent/seriously underdeveloped
• Level 2 – Early stages of development
• Level 3 – Advanced – requirements mostly met – improvements possible
• Level 4 – Fully developed – requirements mostly met with only minor or no adjustments needed

Page 34

Likelihood of Occurrence

Level | Descriptor | Description
5 | Almost Certain | Event occurs regularly here.
4 | Likely | Event has occurred here more than once, or is occurring to others in similar circumstances.
3 | Moderate | Event has occurred here before, or has been observed in similar circumstances.
2 | Unlikely | Event has occurred infrequently before to others in similar circumstances, but has not occurred here.
1 | Rare | Event has almost never been observed, it may occur only in exceptional circumstances.

Page 35

Impact

Level | Descriptor | Description
5 | Extreme | A major event with the potential to lead to long-term damage to an organization’s ability to meet its objectives.
4 | Very High | A critical event, which with proper management, can be endured by the organization.
3 | Medium | A significant event that can be managed under normal circumstances by the organization.
2 | Low | An event where consequences can be absorbed, but management effort is required to minimize the impact.
1 | Negligible | An event, the consequences of which can be absorbed through normal activity.

Page 36

Heat Mapping

[Figure: heat map grid. Vertical axis, Impact: Extreme, Very High, Medium, Low, Negligible. Horizontal axis, Likelihood: Rare, Unlikely, Moderate, Likely, Almost Certain. For Illustrative Purposes Only.]

Page 37

Keeping Privacy Healthy

• Focus on privacy principles
• Value privacy as a credential and not just a compliance requirement – treat personal information as a key asset to be safeguarded as well as any other
• Systematic approach to privacy risk management
• Better legislative and regulatory frameworks
• Robust privacy management framework
• Strong IT control, especially for identification and authentication
• Privacy checkups
• Be a privacy guardian……..why………

Page 38

Privacy Matters

Fundamental Human Right

Rights against arbitrary intrusion – freedom from unreasonable search and seizure. Right to protect personal information.

Privacy matters because it’s about the kind of society we want – the relationship we have with government, business and among ourselves.

Page 39

Thank You

Questions?

www.privcom.gc.ca

1-800-282-1376

Trevor R. Shaw, CA CMC

A/Director General - Audit and Review

613-996-2252

Page 40

Privacy Self-Assessment

David T Shuen, MBA, LL.B., CIPP/C

VP, Chief Compliance Officer

Canadian Operations

Sun Life Financial

Page 41

Objectives of the Self-Assessment

Governance
– Update and document compliance status
– Obtain evidence of management due diligence
– Input for compliance testing

Risk Management
– Identify trends and systemic control weakness
– Identify emerging issues and risks
– Input for control measures development
– Maintain awareness

Page 42

The Self-Assessment

Developed in-house by our privacy team with input from our Privacy Advisory Committee.

Contains 37 questions based on the Fair Information Principles.

Captures information on:
– Compliance status
– Current compliance, risk management and regulatory activities, e.g. audits, examinations
– Trends / issues / risks identified
– New privacy controls and safeguards and near-term planned activities
– Top 5 (self-identified) privacy risks including documentation of corresponding controls and assessment of the net risk

Page 43

The Process

• Semi-annual
• Coordinated by the privacy office
• Completed by privacy / compliance officers in business units with access to personal information – input from operations
• Reviewed by business unit heads
• Certification required
• Takes about 3 weeks at the business level

Page 44

The Process

• Analyzed by the Privacy Office
• Consolidated report prepared for the CPO
• Summary reported to Canadian senior management and enterprise risk management committee
• Material issues escalated to executives and shared with control functions – Internal Audit, Compliance and Risk management

Page 45

Lessons Learned

• A good way to know what is going on in the business
• Effective way to keep Privacy on the radar screen
• Testing a necessity
  – Perception of risk differs
• There is no such thing as too much awareness – training needs to be on-going
  – Front-line workers have the least time for training but have most access to customer information
  – Less formal but more frequent awareness campaign may be more effective than formal training course
• Authentication a constant struggle between good customer experience and good privacy protection

Page 46

Privacy Risk Assessment Tool

• Based on Generally Accepted Privacy Principles developed by CICA and AICPA
  – A privacy framework to help organizations develop and assess their privacy program and privacy risk

• Excel based
• Allows up to 10 assessors

www.cica.ca/privacy

Page 47

Generally Accepted Privacy Principles

• Management
• Notice
• Choice & Consent
• Collection
• Use & Retention
• Access
• Disclosure to Third Parties
• Security for Privacy
• Quality
• Monitoring & Enforcement

Page 48

The Benefits of GAPP

• Comprehensive
  – Framework of over 60 measurable and relevant criteria

• Objective
  – Developed by the auditing profession to
    • Address international expectations
    • Create a basis for comparability
    • Universally available at no charge

• Relevant
  – Widespread use and recognition
  – Applicable for evaluating privacy risk enterprise-wide

• Recognized as suitable criteria for a privacy audit
  – Can also be the basis for an internal assessment

Page 49

GAPP - 66 Criteria: Scoring Input Template

Columns: Criteria | Description | Likelihood of a Control Failure | Business Impact | Effort/Cost to Mitigate

MANAGEMENT (10 criteria)

Privacy Policies (1.1.0) | Policies are defined for: notice, choice/consent, collection, use/retention, access, disclosure, security, quality, and monitoring and enforcement. | 2 | 5 | 8

Communications to Internal Personnel (1.1.1) | Privacy policies are communicated at least annually to internal personnel responsible for collecting, using, retaining, and disclosing personal information. Changes in policy are communicated shortly after the changes are approved. | 2 | 5 | 8

Page 50

GAPP - 10 Principles: Scoring Summary

Principle | Likelihood of a Control Failure | Business Impact | Size of Marker (Cost to Mitigate)
MANAGEMENT | 2.3 | 2.3 | 2.6
NOTICE | 4.6 | 3.9 | 4.7
CHOICE / CONSENT | 5.0 | 8.0 | 4.6
COLLECTION | 4.3 | 2.8 | 4.0
USE / RETENTION | 5.0 | 5.0 | 5.0
ACCESS | 5.8 | 5.0 | 6.5
DISCLOSURE | 3.4 | 5.6 | 3.0
SECURITY | 7.0 | 8.0 | 6.7
QUALITY | 5.5 | 7.5 | 8.0
MONITORING / ENFORCEMENT | 3.0 | 4.0 | 3.0

Page 51

GAPP Privacy Risk Assessment – 10 Principles - 66 Criteria

[Figure: bubble chart of the 10 principles (Management, Notice, Choice / Consent, Collection, Use / Retention, Access, Disclosure, Security, Quality, Monitoring / Enforcement) plotted by Likelihood of a Control Failure (0 to 10, Low to High) against Business Impact (0 to 10), marker size showing cost to mitigate. The four quadrants are labelled: Fix at Mgmt Discretion, Bear Risk; Plan to Remediate, Business Contingency Plans; Actively Manage Remediation Plans; Requires Immediate Attention, Senior Mgmt Focus.]
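The scoring method of pages 49 to 51, as an added worked example that is not part of the presentation or of the CICA tool: each criterion is scored 0-10 for likelihood of a control failure, business impact and cost to mitigate (possibly by several assessors), the scores are averaged per principle, and each principle is ranked by likelihood times impact and placed in a chart quadrant. The sample rows beyond the two criteria on page 49, the midpoint split at 5.0 and the assignment of the four quadrant labels to positions are assumptions.

```python
"""Roll GAPP criterion scores up to principle-level averages and place each
principle in a quadrant of the likelihood/impact chart.

Added example; not the CICA Privacy Risk Assessment Tool. Assumptions:
scores are 0-10, quadrants split at the axis midpoint (5.0), and the four
slide labels are assigned to quadrants as in quadrant() below.
"""
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 0.0, 10.0
MIDPOINT = 5.0  # assumption: chart axes run 0-10 and are split in the middle


@dataclass(frozen=True)
class CriterionScore:
    assessor: str      # the tool allows up to 10 assessors scoring every criterion
    principle: str     # one of the 10 GAPP principles
    criterion: str     # e.g. "Privacy Policies (1.1.0)"
    likelihood: float  # likelihood of a control failure
    impact: float      # business impact
    cost: float        # effort/cost to mitigate (marker size on the chart)

    def validate(self):
        """Reject scores outside the 0-10 scale instead of silently averaging them."""
        for name in ("likelihood", "impact", "cost"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.criterion}: {name}={value} outside "
                                 f"{SCALE_MIN}-{SCALE_MAX}")


# Constructed sample input in the shape of the scoring input template (page 49).
# The first two rows use the page's own example scores; the rest are made up,
# and the criterion names marked hypothetical are not GAPP criteria.
SAMPLE_SCORES = [
    CriterionScore("A1", "MANAGEMENT", "Privacy Policies (1.1.0)", 2, 5, 8),
    CriterionScore("A1", "MANAGEMENT", "Communications to Internal Personnel (1.1.1)", 2, 5, 8),
    CriterionScore("A2", "MANAGEMENT", "Privacy Policies (1.1.0)", 3, 3, 2),
    CriterionScore("A1", "SECURITY", "hypothetical security criterion", 7, 8, 6),
    CriterionScore("A2", "SECURITY", "hypothetical security criterion", 7, 8, 7),
    CriterionScore("A1", "NOTICE", "hypothetical notice criterion", 4, 3, 5),
]


def summarize(scores):
    """Average the three dimensions per principle across criteria and assessors,
    rounded to one decimal as on the scoring summary slide (page 50).
    Returns {principle: (likelihood, impact, cost)}."""
    by_principle = {}
    for s in scores:
        s.validate()
        by_principle.setdefault(s.principle, []).append(s)
    return {
        p: (round(float(mean(s.likelihood for s in items)), 1),
            round(float(mean(s.impact for s in items)), 1),
            round(float(mean(s.cost for s in items)), 1))
        for p, items in by_principle.items()
    }


def quadrant(likelihood, impact, midpoint=MIDPOINT):
    """Map a principle's averages to one of the four labels from the chart on
    page 51. Which label sits in which quadrant is an assumption here; the
    slide text does not preserve their positions."""
    high_likelihood = likelihood >= midpoint
    high_impact = impact >= midpoint
    if high_likelihood and high_impact:
        return "Requires Immediate Attention, Senior Mgmt Focus"
    if high_impact:
        return "Plan to Remediate, Business Contingency Plans"
    if high_likelihood:
        return "Actively Manage Remediation Plans"
    return "Fix at Mgmt Discretion, Bear Risk"


def prioritize(scores):
    """Order principles for remediation: highest likelihood*impact first, and
    for equal exposure the cheaper fix first. Each row carries the averages,
    the quadrant label and the cost marker."""
    rows = []
    for principle, (likelihood, impact, cost) in summarize(scores).items():
        rows.append({
            "principle": principle,
            "likelihood": likelihood,
            "impact": impact,
            "cost": cost,
            "exposure": round(likelihood * impact, 1),
            "quadrant": quadrant(likelihood, impact),
        })
    rows.sort(key=lambda r: (-r["exposure"], r["cost"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SAMPLE_SCORES):
        print(f"{row['principle']:<12} L={row['likelihood']:>4} I={row['impact']:>4} "
              f"cost={row['cost']:>4} exposure={row['exposure']:>5}  {row['quadrant']}")
```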

Page 52

Contact Info

www.cica.ca/privacy

Nicholas F. Cheung, CA, CIPP/C
Principal, Assurance Services Development
CICA

(416) [email protected]

Page 53

Questions?