2015 AGA/EEI Utility Internal Audit Training
Data Privacy
August 25, 2015
www.pwc.com
PwC
Agenda
• Key concepts of data privacy
• Current privacy trends
• Emerging privacy focus areas for utilities
August 2015 | 2015 AGA/EEI Utility Internal Auditor Training - Data Privacy
Key concepts of data privacy
Role of the CPO versus the CISO
• CPO – Determines what data needs to be protected
- Regulations
- Privacy requirements/controls
- Privacy risk assessments
- Privacy by design
- Privacy impact assessments
- Governs privacy incident management processes, notification, and the impact on the individual's experience
• CISO – Develops and manages data protection
- Technical security and controls
- Identifies, evaluates, protects against, and reports on information security risks
- Educates stakeholders that this is not solely a technology and security issue
The information lifecycle
• Create/Collect
• Store/Transmit
• Use/Distribute
• Retain
• Dispose/Destroy
Information flows throughout the organization and privacy must be considered in all phases.
What are organizations trying to protect? Key drivers for data protection & privacy
Proprietary Business Information: intellectual property, critical asset information, regulated data, sourcing strategy
Personally Identifiable Information: name, age, identification numbers, home or e-mail address, geolocation data, phone number, income or physical characteristics, opinions, web browsing or energy history/patterns. Most information collected by an organization about an individual is likely to be considered personal if it can be attributed to an identified individual.
Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), ethnic origin – defined by regulation but also by policy
What is data privacy?
Privacy encompasses the rights of individuals and obligations of organizations with respect to the collection, use, retention, disclosure and disposal of personal information across the information lifecycle.
• Notice
• Choice and consent
• Collection
• Use, retention and disposal
• Access
• Disclosure
Data Protection & Privacy Program Components
The components below surround the protection of sensitive data.
Accountability and Governance
• Designation of responsibility for sensitive data protection
• Cross-functional partnerships and processes
Risk and Compliance Assessment
• Applicable laws and regulations
• Business process risk ranking
• Data flow mapping and inventory
• Privacy impact assessment
Processes and Controls
• Policies and procedures
• Collection, storage, use, transfer and destruction processes
• Technical, administrative and physical data protection controls
• Privacy by Design principles
Training and Awareness
• Comprehensive training with defined elements, audience, frequency, monitoring and sanctions
Monitoring and Auditing
• Periodic testing of control effectiveness
• Independent assessments
Incident Management and Response
• Defined response and breach notification plan
• Testing of the plan
• Inclusion of vendors and third parties
Vendor Management
• Risk valuation of vendor relationships
• Vendor assessment (questionnaire/onsite)
• Reporting and ongoing evaluation
Current privacy trends
Evolving perspective on privacy & security
Historical IT security and privacy perspectives versus today's leading cybersecurity and privacy insights:
• Scope of the challenge
- Historical: Limited to your "four walls" and the extended enterprise
- Today: Spans your interconnected global business ecosystem
• Ownership and accountability
- Historical: IT and Legal led and operated
- Today: Business-aligned and owned; CEO and board accountable
• Adversaries' characteristics
- Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
- Today: Organized, funded and targeted; motivated by economic, monetary and political gain
• Information asset protection
- Historical: One-size-fits-all approach
- Today: Prioritize and protect your "crown jewels" and manage data across the information management lifecycle
• Defense posture
- Historical: Protect the perimeter; respond if attacked
- Today: Plan, monitor, and rapidly respond when attacked
• Regulatory environment
- Historical: Self regulation
- Today: Regulatory upheaval in privacy across the globe and emerging cyber security regulation; increased enforcement
• Security intelligence and information sharing
- Historical: Keep to yourself
- Today: Public/private partnerships; collaboration with industry working groups
• Consumer awareness and expectations
- Historical: Limited use of consumer data to market and personalize products
- Today: The boom of Big Data is colliding with increased concerns/awareness over privacy
Overall trends in privacy efforts across industries
• Continued focus on privacy and security in all sectors, states and at the federal level – emerging regulations do not necessarily align with each other
• Companies want to leverage Big Data and are re-evaluating their current information governance model for compliance and maximized opportunities
• Significant data breaches continue; targets go beyond payment card data
• Intersection of information governance and data privacy
• Ongoing challenges with:
- Creating a sufficiently robust privacy strategy that accounts for a complex, multi-regulatory, and changing environment
- Effectively managing information across structured and unstructured data
- Standardizing practices across all entities and regions
- Coordinating incident response and investigations
- Adopting privacy values throughout the enterprise
- Implementing privacy commitments with supporting processes and controls
Trends in regulatory enforcement
• Transparency – Information collection and use practices should be transparent to the consumer and appropriate to the medium in which they are provided (e.g., short-form privacy notices for mobile apps)
• Simplified choice – Companies should provide consumers the ability to make decisions about their data at a relevant time and in a relevant context
• Privacy and security by design – Privacy needs to be embedded in every stage of the product/systems development lifecycle
• Compliance with privacy policies – Regulators look to consumer-facing privacy policies to determine whether companies have a program to comply with those notices
• "Reasonable" security practices – Expectation that all companies have reasonable security practices and safeguards in place to protect consumer data
• Ownership & accountability – Expectation that there is a clearly defined individual or group of individuals responsible for privacy and security programs
• Formally documented privacy program – Expectation that companies have a formally documented program, including review against accepted frameworks such as the FTC's Privacy Report issued in March 2012
GSISS Survey 2015 – Utilities summary results: Progress implementing key safeguards
GSISS Survey 2015 – Utilities summary results: Security spending
GSISS Survey 2015 – Utilities summary results: Sources of incidents
Emerging privacy focus areas for utilities
Privacy focus areas for utilities
• Smart Grid continues to drive much of the privacy dialogue, but a broader focus on customer (and employee) data is emerging
• Industry transformation is driving new data and processes and requires new controls; emerging uses for technology and data
• M&A activity disrupts resource availability and program stability
• Information sharing and analysis centers (ISACs) are maturing
• Regulatory activity continues with a broad range of compliance requirements
• DataGuard Energy Data Privacy Program published
• Exploration of outsourcing and cloud services, particularly related to employee data – vendor risk programs remain under development
• Increase in Board focus on privacy, but often only after an incident
Maturity of internal privacy programs
Source: 2015 PwC Power & Utilities CAE Survey – Customer Information
• Undefined (15%): Have not formally or informally assigned anyone the privacy responsibilities
• Initial (31%): At least one person is handling privacy issues at least part time on an ad-hoc basis; activities are mostly reactive in nature
• Repeatable (19%): At least one person has been handling privacy issues on a full-time basis for at least a year; a complete program has yet to be defined
• Defined (27%): Have a formally designated privacy leader and a complete set of documented privacy policies and procedures; have completed the first enterprise privacy assessment or audit
• Managed (4%): Regularly quantify privacy performance, including keeping the data inventory current; make process improvements based on results
• Optimized (4%): Have found no material gaps in two consecutive enterprise privacy assessments or audits
Personal Details Courtesy of the Smart Grid
Utility usage → Smart Grid data → Consumer profiling → Personal information
• Identifiable load signatures (e.g., laundry, toaster, dishwasher) tracking consumer living patterns
• PEV charge stations tracking electric vehicle travel routines and location data
• Number of members in a household and sleep routines
• Medical device usage and consumer health implications
• Identifying homes with security systems vs. vacant houses
Trove (GridGlo) Mines Smart Grid Data for B2B Monetization*
• Data is aggregated from:
- Public records – DMV, city permits
- Smart Grid data
• Complex algorithms are used to develop applications for:
- Energy Forecasting Modeler
- Demand Response
- Customer Scoring
- Financial Risk Management
*Source: http://www.greentechmedia.com/articles/read/gridglo-mines-data-for-smart-grid-apps
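The slide above lists living patterns that fine-grained meter data exposes. The following Python, added here as an illustration and not part of the PwC deck, shows the defender-side counterpart: how a long low-usage stretch (a sleep or absence window) stays visible in 15-minute and hourly reads but disappears once readings are aggregated coarsely enough, and how a utility could pick the coarsest granularity sufficient before sharing data with a third party. The household readings, the 0.3 kWh/h "quiet" rate and the two-hour leakage tolerance are constructed assumptions.

```python
# Added example (not from the PwC deck): interval meter data leaks living
# patterns; aggregating before sharing limits what a recipient can infer.
from typing import List

INTERVAL_MINUTES = 15  # resolution of the raw meter reads


def constructed_day_kwh() -> List[float]:
    """Constructed 15-minute kWh readings for one household day (96 values):
    low overnight use, a morning peak, a quiet workday, an evening peak."""
    return ([0.05] * 24      # 00:00-06:00 household asleep
            + [0.6] * 8      # 06:00-08:00 morning routine
            + [0.1] * 36     # 08:00-17:00 house empty
            + [0.5] * 24     # 17:00-23:00 evening at home
            + [0.05] * 4)    # 23:00-24:00 back to sleep


def aggregate(reads: List[float], minutes: int) -> List[float]:
    """Sum 15-minute reads into buckets of `minutes` (a multiple of 15)."""
    factor = minutes // INTERVAL_MINUTES
    return [sum(reads[i:i + factor]) for i in range(0, len(reads), factor)]


def longest_quiet_hours(buckets: List[float], minutes: int,
                        quiet_rate_kwh_per_h: float = 0.3) -> float:
    """Longest contiguous run of buckets whose average draw is below the
    quiet rate, in hours. A long quiet run is exactly the sleep/absence
    signal the slide warns about; 0.0 means nothing is recoverable."""
    longest = run = 0
    for kwh in buckets:
        rate = kwh * 60 / minutes          # convert bucket energy to kWh/h
        run = run + 1 if rate < quiet_rate_kwh_per_h else 0
        longest = max(longest, run)
    return longest * minutes / 60


def minimum_safe_granularity(reads: List[float],
                             max_leak_hours: float = 2.0) -> int:
    """Coarsest-needed bucket size (minutes) at which no quiet stretch
    longer than `max_leak_hours` survives; falls back to a daily total."""
    for minutes in (15, 30, 60, 120, 240, 480, 1440):
        if longest_quiet_hours(aggregate(reads, minutes), minutes) <= max_leak_hours:
            return minutes
    return 1440


if __name__ == "__main__":
    reads = constructed_day_kwh()
    for m in (15, 60, 480, 1440):
        leak = longest_quiet_hours(aggregate(reads, m), m)
        print(f"{m:>4}-minute buckets: longest quiet stretch {leak:.1f} h")
    print("minimum safe granularity:", minimum_safe_granularity(reads), "minutes")
```

On the constructed day the six-hour sleep window is still fully visible at hourly resolution and only vanishes at eight-hour buckets, which is why granularity and purpose should be decided before data leaves the utility rather than by the recipient.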
Gearing up for convergence
The convergence of information, operational and consumer technologies will very likely introduce tremendous benefits for business and conveniences for customers. It will also create a new world of privacy and security risks for power and utility companies.
Customer Engagement Mechanisms
Source: 2015 PwC Power & Utilities CAE Survey – Customer Information
Mechanisms surveyed:
• Social media
• Message boards/blogs
• Mobile applications
• Press events
81% of respondents indicated their company has initiated or expanded customer engagement mechanisms through social media (e.g., Twitter, Facebook) as well as mobile applications.
5% of the respondents also specified television as one of the mechanisms for customer engagement.
Level of Visibility of Consumer Data Privacy
Source: 2015 PwC Power & Utilities CAE Survey – Customer Information
Practices surveyed (chart values, in chart order: 6%, 19%, 25%, 38%, 13%, 63%):
• Privacy office provides an annual report to the Board
• Privacy principles are included in tariffs
• Privacy is designated in a publicly-available document as a top enterprise risk to be managed
• Have communicated privacy approach to consumers
• Have a special web page dedicated to explaining consumer privacy
• All employees complete annual privacy training
Privacy risks in order of highest concern to lowest concern:
1. Company does not have sufficiently defined policies around acceptable uses of consumer personal data
2. Company does not have a robust enough approach for handling third-party requests for personal data
3. Company does not have sufficient information security protections for personal data
4. Company does not know where all personal data is
5. Company does not have sufficient oversight of vendors' handling of personal data
Board level focus
Board members should ensure a proactive focus on:
1. Identify – Determining what their most valuable information assets are, where they are located at any given time, and who has access to them.
2. Protect – Developing an evolved approach to security and privacy programs in which businesses allocate and prioritize resources to proactively protect, and create and enact incident response plans in case of an event.
3. Be Accountable – Holding business executives accountable for protecting valuable data in the same manner as they are held accountable for financial results and other key business management metrics.
Additional questions boards are considering
1. Due care – What does the board exercising due care mean in the context of cybersecurity and privacy? Regulators are increasingly taking this approach. (Can we show that we have 1) done a risk assessment, 2) assessed ourselves against a recognized standard (e.g., NIST or ISO), 3) implemented a program, and 4) have a way of monitoring compliance against commitments?)
2. Storing data in the cloud – Is outsourcing data storage a better security system than at least most companies can securely build on their own? What are the privacy considerations associated with storing data in the cloud, e.g., cross-border data transfer requirements?
3. Mergers and acquisitions – Where a merger or acquisition is contemplated, is a review of the sufficiency and integrity of cybersecurity and privacy protections necessary? Has valuable IP already been leaked?
4. Insider threat – What has been done to mitigate threats from insiders to prevent crown jewels from "walking out the door"?
5. Global regulations – Do we know what global and US privacy and cybersecurity laws and regulations apply to us? Do we have processes in place to comply with the myriad of regulations and to monitor compliance over time?
6. Cyber insurance – Regarding "cyber insurance", what does it truly cover? Will the insurer refuse to cover you if they say you didn't meet certain standards, duties and obligations?
7. Collaboration – Do companies share breach experience/solutions with competitors so everyone learns, or is this a competitiveness barrier? Do they communicate with the federal government about threats and intel?
8. Compliance with privacy commitments – Are we collecting, using or sharing data in new ways? Do our data handling practices comply with our customer privacy commitments/policies?
Vendor Risk Management Program
Source: 2015 PwC Power & Utilities CAE Survey – Third Party Risk Management
Does your company have a vendor risk management program?
• 28% have a mature program
• 60% have a program that is still being developed
• 12% do not have a program
Is it reviewed or audited by an independent function?
• 34% have review/audit by Internal Audit
• 8% have review/audit by an independent function*
• 50% do not have an independent review/audit
• 8% do not have a program
Third party inventory, stratification & assessment – illustrative model
An inventory, risk rating and ongoing testing model enables efforts to establish the third party inventory and to oversee services with higher levels of inherent risk.
The model drives the ongoing due diligence process based on the inherent risk and the business facts of the services provided.
3rd Party Risk Management considerations
Contract Considerations
Contract inventory
• Does a complete list of all contracts exist, and are they reviewed by Legal?
Contract terms
• Are there clear contract terms regarding the collection and use of information, and are they consistent with your privacy policy and notice?
• Is there a "right to audit" clause?
Contract maintenance
• How are changes to the policy approved and communicated?
• Is an annual review of the contract performed?
Attest reports
• Are there SOC reports, Safe Harbor considerations or other considerations?
Risk Assessment
Vendor risk assessment
• Has a complete vendor/third party inventory and risk assessment been performed?
• Have you understood and documented the data lifecycle process?
• Have the vendor's people, process, or technology changed? For example, has the vendor begun using cloud technology or a subcontractor?
Data exposure
• Is there an understanding of what data is provided to vendors and how the vendors protect, store, use, and destroy that data?
Vendor access
• Has vendor access been restricted appropriately, and are all points of access known?
• Do any terminated vendors still have access to your data?
Vendor Management Program
Policy alignment
• Does the vendor policy align with the Company's privacy policies?
Incident response & impact assessment
• Is there a process to address a vendor data breach? Is there a process in place to determine the impact?
Monitoring
• Has a program been established to monitor ongoing compliance of the vendors?
In summary… Questions IA should be asking
• How are our investments in privacy trending – has progress stalled?
• How would we respond to a regulatory inquiry about our current privacy practices?
• Are we coordinating disparate efforts related to information management?
• How have changes/disruptions in our business impacted the privacy program?
• Which third parties have access to our customers' personal information? Do we know how they are actually using it? How are we protecting it?
• Does our Board have a sufficient understanding of the magnitude of our organization's privacy and security risk, as well as what we're doing to eliminate or mitigate those risks?
Thank You
Dave Sands, PwC Power & Utilities, [email protected]
© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.