Corporate Sloppiness
Current Privacy Storm: As of the moment, there is no official government explanation for Arizona’s rank as the worst state for ID theft. However, Identity Theft 911, a leading provider of identity management, resolution and education services, released a new report that highlights potential reasons for the dramatic increase in identity theft, including: illegal immigration (fraudulent employment, social security benefits); drug trafficking; and the Arizona state government's lack of action in combating this type of crime.
IT risk assessment areas:
- System Availability – the system is available for operations and use at the times set forth in SLAs.
- Information Security – the system is protected against unauthorized physical and logical access.
- Data Integrity – system processing is complete, accurate, timely and authorized.
- Maintainability – systems can be updated when required in a manner that continues to provide for system availability, security, and integrity.
- Governance – an appropriate IT organizational structure allows lines of reporting and responsibility to be defined and effective control systems to be implemented.
Layers assessed: Operating System / Application / Data.
Template columns:
- Assessment Area/Principle
- Criteria – specific areas from IT and privacy frameworks used to assess the organization's practices and controls
- Current Practices/Controls
- Assessment/Gaps
- Remediation Plans
- Likelihood
- Impact
Show IT Risk Assessment Tool (Excel); show Narrative Template.
Discuss various scoping decisions: business unit, customer information, employee information.
GAPP 10 Privacy Principles
Illustration of one assessment area with one requirement, in PCI format (In Place / Not In Place).
Benchmarking against internal privacy policies and procedures:
- Used for gap analysis
- Used in the development of our Privacy Risk Assessment
- Used to help develop our privacy audit plans and privacy audit program
- Shared internally with privacy governance committees
Frameworks drawn on:
- AICPA – criteria and procedures
- CoBiT – IT controls
- ITIL – IT operations
- PCI – credit card security
- NIST – Special Publications (e.g. SP 800-64, Security Considerations in the SDLC; SP 800-30, Risk Management Guide for IT Systems)
A Privacy Audit Using Generally Accepted Privacy Principles
A Global Privacy Framework – The Next Sarbanes Oxley?
AAA Annual Meeting - Anaheim, August 6, 2008
Everett C. Johnson, CPA
Title: AICPA/CICA Privacy Task Force Chair
Area of Focus: Information Protection Services, Computer Auditing
Background: Retired Partner – Deloitte & Touche; over 40 years' experience in audit, control and security matters
Affiliations:
- Former International President - ISACA, IT Governance Institute
- Past Chair, AICPA Electronic Commerce Assurance Services Task Force
- AICPA Information Technology Research Subcommittee
- Deloitte’s International Enterprise Risk Services Committee
- IFAC Information Technology Committee
- Past National Director – Deloitte’s Computer Assurance Services Group
- Past Chair & USA Representative
- Former Member, AICPA Information Technology Executive Committee
- AICPA Assurance Services Executive Committee
Ken Askelson, CPA.CITP, CIA
Title: AICPA/CICA Privacy Task Force Vice Chair
Area of Focus: Information Security, Microcomputer Accounting Systems, IT Infrastructure Management
Background: Retired Senior IT Audit Manager – JCPenney; over 20 years of IT audit experience
Affiliations:
- Former Commissioner – AICPA National Accreditation Commission
- Past Member – AICPA Information Technology Executive Committee
- Past Member – AICPA Information Technology Research Subcommittee
- Past Member – AICPA Business and Industry Executive Committee
- Past Member – IIA Advanced Technology Committee
- Past Member – Journal of Accounting Advisory Board
- Past participant - Partnership for Critical Infrastructure Security, sponsored by the U.S. Chamber of Commerce and the Critical Infrastructure Assurance Office of the Department of Homeland Security
Marilyn Prosch, PhD., CIPP
Title: Associate Professor of Accounting – Arizona State University, School of Global Management
Area of Focus: Privacy, Data Protection, Accounting Information Systems, Internal Controls, eBusiness
Affiliations: Member – AICPA/CICA Privacy Task Force
Sample of Journal Articles:
- International Journal of Corporate Governance
- Journal of Emerging Technologies in Accounting
- Journal of Information Systems
- Journal of Forecasting
- Journal of Accountancy
- Research in Accounting Regulation
- The Accounting Review
AGENDA
- Overview of Privacy Breach Trends
- Overview of GAPP & How it may be used
- GAPP & Privacy Risk Assessment
- Q&A
Privacy: Media Hype or a Real Problem? Some of the reported incidents that occurred in 2007…
Wells Fargo via unnamed auditor Lloyd's of London (FL) Circuit City and Chase Card Services Linden Lab Telesource via Vekstar American Family Insurance Nikon Inc. and Nikon World Magazine Howard & Partners law firm via its auditor Morris, Davis & Chan Life Is Good Movie Gallery General Electric Direct Loans via its IT contractor ACS T-Mobile USA Inc VISA/FirstBank Empire Equity Group Limewire Gymboree Atlantic Plastics, Inc. via accounting firm Hancock Askew Hertz Global Holdings, Inc. Nissan Motor Co., Ltd. Avaya Home Finance Mortgage, Inc. Greater Media, Inc. Compulinx West Shore Bank Wesco Starbucks Corp. Four ARCO gas stations KSL Services, Inc ADP TransUnion Credit Bureau via Kingman, AZ, court office TD Ameritrade H&R Block Premier Bank Aetna / Nationwide / Wellpoint Group Health Plans via Concentra Preferred Systems Boeing Bank of America Major League Baseball players via SFX Baseball, Inc. Deb Shops, Inc. KeyCorp Altria & United Technologies via benefits consultant, Towers Perrin MoneyGram International TJ Stores KB Homes Chase Bank CTS Tax Service Metro Credit Services Front Range Ski Shop Piper Jaffrey Stop & Shop Supermarkets Rabun Apparel Inc Johnny's Selected Seeds Dai Nippon Science Applications International Corp. (SAIC) Tax Service Plus RadioShack Hortica Turbo Tax New Horizons Community Credit Union Bank of America CVS Pharmacy Albertson’s Neiman Marcus Ceridian Corp. Caterpillar, Inc. Couriers on Demand J. P. Morgan IBM Alcatel-Lucent Columbia Bank Check into Cash Jax Federal Credit Union HarborOne Credit Union Pfizer American Airlines Texas First Bank Winn-Dixie Fidelity National Information Services Disney Movie Club Western Union Kingston Technology Co. Cricket Communications Fox News American Education Services Verisign Electronic Data Systems Merrill Lynch Monster.com AT&T McKesson Gander Mountain TennCare / Americhoice Inc. Voxant.com Gap Inc eBay ABN Amro Mortgage Group
Transportation Security Administration via Accenture Florida National Guard Illinois Dept. of Corrections Michigan Dept. of Community Health U.S. Dept. of Commerce and Census Bureau North Carolina Dept. of Motor Vehicles Illinois Dept. of Transportation Kentucky Personnel Cabinet Picatinny Arsenal DOD Weapons Research Center Camp Pendleton Marine Corps base via Lincoln B.P. Management Florida Labor Department Congressional Budget Office Ohio Ethics Committee Georgia County Clerk U.S. Army Cadet Command Colorado Dept. of Human Services via Affiliated Computer Services (ACS) Internal Revenue Service Administration for Children's Services - NY Indiana State Department of Health PA Dept. of Transportation Army National Guard 130th Airlift Wing U.S. State Department Wisconsin Dept. of Revenue via Ripon Printers North Carolina Dept. of Revenue U.S. Dept. of Veteran's Affairs Ohio Board of Nursing Indiana Dept. of Transportation Massachusetts Dept. of Industrial Accidents Indian Consulate via Haight Ashbury Neighborhood Council Recycling Wisconsin Assembly NY Dept. of State NY Dept. of Labor Indiana State Web site Conn. Office of the State Comptroller Calif. Dept. of Health Services California National Guard U.S. Dept. of Agriculture Ohio State Auditor Georgia Secretary of State FEMA Maine State Lottery Commission Maryland Dept. of Natural Resources Indiana Dept. of Administration Georgia Div. of Public Health Texas Commission on Law Enforcement Standards & Education Illinois Dept. of Financial and Professional Regulation NC Dept. of Transportation Ohio state workers Idaho Army National Guard West Virginia Board of Barbers and Cosmetologists California Public Employees' Retirement System American Ex-Prisoners of War Connecticut Dept. of Revenue Services Maryland Department of the Environment PA Public Welfare Department State of Connecticut via Accenture Ltd.
City of Chicago via contractor Berks Co. Sheriff's Office via contractor Canon Technology Solutions City of Savannah Pima Co. Health Dept. Port of Seattle Cumberland County, PA Orange County (FL) Controller Cleveland Air Route Traffic Control Center Poulsbo Department of Licensing City of Visalia, CA Bowling Green Police Dept. Chicago Voter Database Tuscarawas County and Warren County City of Lubbock Johnston County, NC City of Grand Prairie City of Wickliffe, OH Santa Clara County Employment Agency Chicago Board of Elections Washiawa Women, Infants and Children program (HI) Willamette Educational Service District San Juan Capistrano Unified School District (CA) Greenville County School District Chicago Public Schools via All Printing & Graphics, Inc. Riverside High School NC St. Vrain Valley School District (CO) Big Foot High School, WI Clay High School, OH Germanton Elementary School Troy Athens High School Iowa Dept. of Education Clarksville-Montgomery County Middle and High Schools Fort Monroe St. Mary Parish Los Angeles County Child Support Services Chicago Public Schools ChildNet Champaign Police Officers San Diego Unified School District Detroit Water and Sewerage Department Yuma Elementary School District Indianapolis Public Schools Waco Independent School District Fresno County/Refined Technologies Inc. Cedarburg High School Huntsville County Lynchburg City Shamokin Area School District Fresno County Harrison County Schools Cuyahoga County Dept. of Development City of Encinitas Metropolitan St. Louis Sewer District Jackson Local Schools Hidalgo County Commissioner’s Office New York City Financial Information Services Agency Loomis Chaffee School
Virginia Commonwealth University University of Minnesota Berry College via consultant Financial Aid Services Inc. University of Colorado-Boulder, Leeds School of Business Purdue University University of Iowa – Psychology Dept. Adams State College University of Texas at Arlington Villanova University students & staff Via Insurance broker University of Virginia Connors State College Cal State Los Angeles Nassau Community College UCLA University of Texas - Dallas Mississippi State University Texas Woman's University Montana State University University of Idaho University of New Mexico Rutgers-Newark University Vanguard University Eastern Illinois University Notre Dame University University of Missouri University of Nebraska Johns Hopkins University Central Connecticut State University East Carolina University Radford University City College of San Francisco Georgia Institute of Technology Metropolitan State College of Denver Los Rios Community College Univ. of Montana - Western UC San Francisco Black Hills State Univ. Ohio State Univ. New Mexico State Univ. Louisiana State Univ Montgomery College Goshen College Community College of Southern Nevada Stony Brook University Northwestern University Gadsden State Community College Grand Valley State University Georgia Tech Univ. Texas A&M University Bowling Green State University University of California, Davis Highlands University Westminster College Penn State Univ. - USMC University of Toledo Yale University Loyola University University of South Carolina De Anza College University of Michigan
Cleveland Clinic Mercy Medical Center Beaumont Hospital DePaul Medical Center Erlanger Health System Stevens Hospital via billing company Med Data Allina Hospitals and Clinics Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System Sisters of St. Francis Health Services via Advanced Receivables Strategy Jacobs Neurological Institute Swedish Medical Center Akron Children's Hospital McAlester Clinic & Veteran's Affairs Medical Center Intermountain Health Care Kaiser Permanente Colorado Gundersen Lutheran Medical Center Segal Group of New York via web site of Vermont state agency Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems Deaconess Hospital WellPoint's Anthem Blue Cross Blue Shield Johns Hopkins Hospital St. Mary's Hospital, MD Kaiser Medical Center Seton Healthcare Network Back and Joint Institute of Texas Gulf Coast Medical Center Westerly Hospital Wellpoint's Empire Blue Cross/ Blue Shield NY Health Resources, Inc. Group Health Cooperative Health Care System Swedish Urology Group DCH Health Systems Georgia Dept. of Community Health Univ. of Pittsburgh, Med. Center Healing Hands Chiropractic Univ. Calif. Irvine Medical Center Highland Hospital University of Pittsburgh Medical Center Beacon Medical Services Concord Hospital South County Hospital Prudential Financial Inc. St. Vincent Hospital WorkCare Orem Providence Alaska Medical Center Sky Lakes Medical Center via Verus Inc
Federal Trade Commission: has settled 14 cases “challenging faulty data-security practices by companies that handle sensitive consumer information.” The settlements almost always require a security audit every 2 years for the next 10-20 years.
Texas – Attorney General Sues Company for Privacy Violations. Texas Attorney General Greg Abbott is suing EZCORP Inc. for allegedly contributing to the possibility of identity theft. The attorney general alleges that EZCORP Inc. of Austin and its subsidiary, EZPAWN, have exposed customers to identity theft by failing to properly protect customer records. Joe Rotunda, EZCORP president and CEO, responded to the suit by saying that the company has a number of identity protection policies and systems in place. The attorney general alleges in his lawsuit that employees at several San Antonio EZPAWN stores dumped personal business records in trash bins behind the stores. The attorney general's investigation found similarly discarded customer data in dumpsters of nearby stores in Austin, Houston, Lubbock and the Rio Grande Valley area, according to the suit.
Poor Information Management Practices Largely at Fault. The Gartner Group has estimated that internal employees commit 70% of information intrusions, and more than 95% of intrusions that result in significant financial losses. Source: IPC publication, Identity Theft Revisited: Security is Not Enough, www.ipc.on.ca/userfiles/page_attachments/idtheft-revisit.pdf
Identity Theft (Source: Consumer Sentinel). Arizona ranks number 1 in the nation for identity theft complaints per capita. More than a third of stolen identities in Arizona are used for fraudulent employment. www.net-security.org/secworld.php?id=5874
Data Lifecycle – Protecting from cradle to grave. Data protection needs to be considered at all phases of the lifecycle:
- Collection: What data is collected, and why?
- Use: Is there appropriate access and documentation?
- Storage: How long, and how are non-redacted copies protected?
- Retention & Ultimate Disposal: When, how, and for all applicable copies?
Know what data you have and where it is! McKesson …. notified patients that the computers were stolen on July 18, 2007. The names of the people being alerted were on one of the two PCs, but it is not known how much of their accompanying identifying information was also contained on the machines. http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804872
Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere. “If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.” (Computerworld, December 6, 2007)
Wall Street Journal, February 29, 2008
AGENDA
- Overview of Privacy Breach Trends
- Overview of GAPP & How it may be used
- GAPP & Privacy Risk Assessment
- Q&A
Overview of Privacy Audits
- Growing demand
- Types of audits: internal audits, regulatory, external, management
- Elements of the privacy audit: scope; measurement criteria (Generally Accepted Privacy Principles - GAPP); type and use of report
AGENDA
- Privacy: Our Definition
- What is GAPP?
- Privacy Principles
- Components of GAPP
- Comparison with International Concepts
- Some Benefits of GAPP
- Using GAPP for Privacy Audits
- Other Application Examples
PRIVACY: OUR DEFINITION. PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.
Rights and Obligations
OVERALL PRIVACY OBJECTIVE: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.
WHAT IS GAPP? Generally Accepted Privacy Principles
- Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
- Helps guide organizations in implementing, sustaining and auditing privacy programs
WHAT IS GAPP?
- A set of 10 privacy principles and 66 related criteria for privacy and the handling of personal information throughout an organization
- Incorporates concepts from domestic and foreign laws, regulations, guidelines, and other bodies of knowledge on privacy
- One of a series of Trust Services offered by CPAs, which also include: Security, Process integrity, Availability, Confidentiality, Privacy
What are the Principles?
1 - Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2 - Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3 - Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4 - Collection: The entity collects personal information only for the purposes identified in the notice.
5 - Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
6 - Access: The entity provides individuals with access to their personal information for review and update.
7 - Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8 - Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical).
9 - Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10 - Monitoring & Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
COMPONENTS OF GAPP: Section / Definition / Policies and Communication: Privacy Policies; Communication to Internal Personnel
COMPONENTS OF GAPP: Responsibility and Accountability for Policies
COMPARISON OF INTERNATIONAL CONCEPTS
SOME BENEFITS OF GAPP
- Business, rather than regulatory, focused
- Examples based upon best practices
- Aligned with key regulations
Using GAPP for Privacy Audits - 1
Reason for audit:
- Public reporting - “external audit”; could include a “WebTrust Seal” on the website
- Management reporting - “internal audit”
- Regulatory requirement - FTC and Ontario Privacy Commissioner
Scope for an external audit:
- Entire business or a business segment
- Needs to address the entire information cycle, collection through destruction
- Includes consideration of third-party processors
- Needs to include all 10 privacy principles
Using GAPP for Privacy Audits - 2
- Performed under AICPA Attestation Standards
- Report covers a period of time and opines on: effectiveness of controls over the privacy of personal information collected, based on its privacy notice and GAPP; compliance with the commitments in its privacy notice
- Important that the client is ready
Using GAPP for Privacy Audits - 3
Other types of privacy “audits”:
- Internal audit: GAP/GAPP assessment; focused on a few principles or all; maturity model assessment; report for management use only
- Regulatory audits: usually required following a breach; the FTC has focused on security; the Ontario Privacy Commissioner has required a GAPP audit
OTHER GAPP APPLICATION EXAMPLES
- Company A adopts GAPP as the basis of its privacy program for its U.S.-based online operations and includes GAPP’s principles and criteria in its online privacy policy. GAPP’s criteria and illustrations serve as the basis for the privacy procedures.
- Company B adopts GAPP as the basis for its global privacy program so it can follow consistent privacy practices and use similar terminology across its various countries of operations. Although country-specific exceptions and variations still exist, they are being captured in policy and procedures.
- Company C uses GAPP as a benchmark against internal privacy practices and procedures.
- Company D uses GAPP as a basis for a risk assessment.
So - Is GAPP the Next SOX?
- More breaches might result in a mandatory audit requirement to protect personal information
- More organizations will voluntarily want an audit to demonstrate that they have an effective privacy program
- Organizations will want the 3rd party processors they use to have an audit of their privacy-related controls
AGENDA
- Overview of Privacy Breach Trends
- Overview of GAPP & How it may be used
- GAPP & Privacy Risk Assessment
- Q&A
IT and Privacy Risk Assessments – AGENDA
- IT Risk Assessment
- Privacy Risk Assessment Case Study
- Risk Assessment Tools
IT Risk Assessment – Assessment Areas: System Availability, Information Security, Data Integrity, Maintainability, Governance (five principles, 22 criteria)
IT and Privacy Risk Assessment - Template
IT Risk Assessment Illustration: IT Risk Assessment Tool; Narrative Template
Privacy Risk Assessment Case Study – Scope: Customer Information
- U.S. laws and regulations
- Privacy Notice
- Industry regulations – DMA’s Privacy Promise
- PCI Data Security Standards
Privacy Risk Assessment – Assessment Areas (Case Study): Management, Notice, Choice/Consent, Collection, Use/Retention, Access, Disclosure, Security, Quality, Monitoring/Enforcement
Privacy Risk Assessment Template – CASE STUDY (Attorney Client Privileged – Draft for Discussion Purposes Only)
AICPA/CICA GAPP Uses: Benchmarking, Best Practice, Privacy Risk Assessment, Privacy Audits, Training and Awareness
Privacy Risk Assessment Illustration: AICPA/CICA Privacy Risk Assessment Tool
IT Risk Assessment Frameworks
- AICPA’s Trust Services - SysTrust
- ISO 17799
- CoBiT – IT Governance Institute
- ITIL
- PCI Data Security Standards
- NIST Computer Security Division
- SOX General IT Controls
- IIA GTAG – IT Controls
RESOURCES: The AICPA and the CICA have many privacy resources.
- AICPA Privacy Resources: http://www.aicpa.org/privacy
- CICA Privacy Resources: http://www.cica.ca/privacy
Agenda
- Overview of Privacy Breach Trends
- Overview of GAPP & How it may be used
- GAPP & Privacy Risk Assessment
- Q&A