Building a Privacy Program in the Data Breach Era
By Zach Schmitt
The technology frontier we find ourselves in today has given way to many new avenues for data intrusion, leakage, and theft. With high profile mega breach headlines becoming all too common in the news, organizations are realizing the importance of protecting their data. However, implementing a privacy program can be a daunting task, so below are six helpful steps that will enable you to build a solid program foundation.
Take inventory of your information
The first step in developing a privacy program is mapping the inlets, harbors, and outlets of your data flows. This exercise involves outlining how and why your information is processed, retained, shared, and destroyed in your business as well as how it moves both domestically and internationally. It’s important to understand all current vendor relationships as well because your organization is accountable for all third parties that have custody of your data. Secondly, you must determine the significance of the information inventoried. From a legal perspective, personally identifiable information (PII), or data that can be used to identify an individual, is considered sensitive. This can be data like name, address, Social Security number or data items that are individually insignificant but can identify an individual when cross-aggregated. Sectorial information like health data, financial data, or political data may also be sensitive depending on the industry you’re in and the related regulations. The information you determine to be most significant, or your “crown jewels”, should be the focus of your privacy program.
Know the regulations
With a thorough understanding of your data holdings, you must identify all privacy compliance requirements that pertain to your organization. Businesses must adhere to national laws, state laws (if data is housed in the United States), and sectorial regulation based on industry (i.e. HIPAA for health care entities, Gramm-Leach-Bliley for financial institutions, etc.). There are also privacy-related stipulations established in business relationship contracts. Privacy regulations will determine the breadth of your program.
Integrate an information security framework
Introducing a security framework to safeguard your information is essential. It is recommended that risk assessments be performed to analyze and prioritize your IT assets and data when developing a control suite. The access provisioning process must be governed so that only appropriate individuals are able to create, edit, and view data. Conversely, timely access revocation procedures are imperative to ensure data rights are commensurate with changing job responsibilities and are deprovisioned when individuals are terminated. Periodically recertifying access rights and reviewing user activity are good detective controls to compliment access provisioning and revocation. Strong password parameters through multi-factor authentication schemes should be enforced. Security solutions like antivirus software to prevent the use unauthorized or malicious code, firewall systems to filter unauthorized network traffic, and encryption methods to protect data communications should be employed. Control activities and frequencies must be clearly defined. Data and control owners must be effectively designated.
Bear in mind the importance of establishing a common language between those interpreting and communicating privacy requirements with those data and control owners. The legal, business, and technology fields are very different, so forming a common ground is key for cohesively upholding the security framework.
Develop data breach response procedures
When a data breach occurs, your organization must be prepared to investigate and resolve incidents promptly by following a set of actionable procedures. A data breach response team should be assembled and each member’s specific responsibilities should be clearly defined. Detailed response measures should be set forth to analyze and contain incidents as they occur. A plan for notifying affected individuals in a timely fashion should be in place and remediation efforts, if necessary, should be carried out.
To develop strong data breach response procedures, you must understand prevalent and emerging threats and recognize who your potential enemies are (nation states, hacktivists, organized crime, etc.). It is recommended to seek external advice from legal, communications, and IT security/ forensics resources if your organization lacks a certain expertise in-house.
Your policy will be the core covenant of your program and should comprehensively state your organization’s privacy standards. It should define sensitive data determined, the applicable laws and regulations identified, the specifics of the security framework composed, and the actionable data breach procedures developed. It should also outline the core components of the Fair Information Practices (FIPs) not already presented in steps one through four above. The policy should entail notice procedures to inform data subjects of how the organization is gathering data, the purpose of gathering the data, the secondary uses of the data, the length for which the data will be held, and the related security controls employed. Consent requirements should also be incorporated to ensure data subjects agree to the gathering and use of sensitive information. Consequences of noncompliance with the policy should be included too.
Your privacy statement should be revisited frequently because it is a living document that will change over time to reflect the shifting environment and emerging best practices.
Train, monitor, audit, repeat
The takeaway is simple. Our societal need for privacy and security is derived from something innate. It has been magnified by developments in information technology and will only catalyze as we move into the future. You must swiftly and seriously invest in your privacy program to stay ahead of that trajectory.
A Senior Associate with BrightLine CPAs & Associates, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has BAs in Accounting & Information Systems and Marketing Management.