Building a privacy program in the data breach era

October 16, 2014

Cyberrisk is no longer an emerging threat—it's happening every day. In the wake of recent, high-profile data breaches, organizations are scrambling to put together comprehensive privacy programs. If this seems like a daunting task, that's because it is—unless you have guidelines to get you started. This blog post by Zach Schmitt, a senior associate with BrightLine CPAs & Associates, will help you build a solid program foundation.

The technology frontier we find ourselves in today has given way to many new avenues for data intrusion, leakage, and theft. With high profile mega breach headlines becoming all too common in the news, organizations are realizing the importance of protecting their data. However, implementing a privacy program can be a daunting task, so below are six helpful steps that will enable you to build a solid program foundation.

Take inventory of your information

The first step in developing a privacy program is mapping the inlets, harbors, and outlets of your data flows. This exercise involves outlining how and why your information is processed, retained, shared, and destroyed in your business as well as how it moves both domestically and internationally. It's important to understand all current vendor relationships as well, because your organization is accountable for all third parties that have custody of your data. Secondly, you must determine the significance of the information inventoried. From a legal perspective, personally identifiable information (PII), or data that can be used to identify an individual, is considered sensitive. This can be data like name, address, or Social Security number, or data items that are individually insignificant but can identify an individual when cross-aggregated. Sectoral information like health data, financial data, or political data may also be sensitive depending on the industry you're in and the related regulations. The information you determine to be most significant, or your "crown jewels", should be the focus of your privacy program.
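The cross-aggregation point above is easy to underestimate when classifying an inventory: fields that look harmless on their own (ZIP code, birth year, department) can single out individuals once combined. The following is an added example, not code from the original post or from BrightLine, that measures this over a constructed set of records: for each combination of candidate fields it computes the fraction of records whose combination is unique (a simple re-identification risk score) and the smallest group size (the k in k-anonymity). The records, field names and the 50% threshold are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (assumption: a small HR-style extract, not real data).
# None of these fields is a direct identifier on its own.
RECORDS = [
    {"zip": "20001", "birth_year": 1985, "gender": "F", "dept": "Finance"},
    {"zip": "20001", "birth_year": 1985, "gender": "F", "dept": "Legal"},
    {"zip": "20001", "birth_year": 1990, "gender": "M", "dept": "Finance"},
    {"zip": "20002", "birth_year": 1990, "gender": "M", "dept": "Finance"},
    {"zip": "20002", "birth_year": 1990, "gender": "M", "dept": "IT"},
    {"zip": "20003", "birth_year": 1977, "gender": "F", "dept": "IT"},
]


def _key(record, fields):
    """The tuple of values a record holds for the given fields."""
    return tuple(record[f] for f in fields)


def uniqueness(records, fields):
    """Fraction of records whose value combination for `fields` is shared by no other record.

    1.0 means every record is singled out by this combination alone.
    """
    counts = Counter(_key(r, fields) for r in records)
    singletons = sum(1 for r in records if counts[_key(r, fields)] == 1)
    return singletons / len(records)


def k_anonymity(records, fields):
    """Smallest group size sharing a value combination for `fields` (k in k-anonymity).

    k == 1 means at least one individual is uniquely identifiable from these fields.
    """
    counts = Counter(_key(r, fields) for r in records)
    return min(counts.values())


def risky_combinations(records, candidate_fields, max_size=3, threshold=0.5):
    """Field combinations (up to `max_size` fields) that single out at least
    `threshold` of the records. These are the quasi-identifiers the inventory
    should treat as sensitive even though each field alone looks innocuous."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidate_fields, size):
            score = uniqueness(records, combo)
            if score >= threshold:
                found.append((combo, score))
    return found


if __name__ == "__main__":
    fields = ("zip", "birth_year", "gender", "dept")
    for combo, score in risky_combinations(RECORDS, fields):
        print(f"{'+'.join(combo):<28} unique={score:.2f} k={k_anonymity(RECORDS, combo)}")
```

Run against the constructed data, no single field scores above the threshold, yet `zip+birth_year+dept` and `zip+gender+dept` single out every record. In an inventory, that result is the justification for classifying those fields as PII in combination and applying the same handling controls as to a direct identifier.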

Know the regulations

With a thorough understanding of your data holdings, you must identify all privacy compliance requirements that pertain to your organization. Businesses must adhere to national laws, state laws (if data is housed in the United States), and sectoral regulation based on industry (e.g., HIPAA for health care entities, Gramm-Leach-Bliley for financial institutions, etc.). There are also privacy-related stipulations established in business relationship contracts. Privacy regulations will determine the breadth of your program.

Integrate an information security framework

Introducing a security framework to safeguard your information is essential. It is recommended that risk assessments be performed to analyze and prioritize your IT assets and data when developing a control suite. The access provisioning process must be governed so that only appropriate individuals are able to create, edit, and view data. Conversely, timely access revocation procedures are imperative to ensure data rights are commensurate with changing job responsibilities and are deprovisioned when individuals are terminated. Periodically recertifying access rights and reviewing user activity are good detective controls to complement access provisioning and revocation. Strong password parameters and multifactor authentication schemes should be enforced. Security solutions like antivirus software to prevent the use of unauthorized or malicious code, firewall systems to filter unauthorized network traffic, and encryption methods to protect data communications should be employed. Control activities and frequencies must be clearly defined. Data and control owners must be effectively designated.
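The revocation and recertification controls described above are only as good as the check that catches their failures. The following is an added example, not code from the original post or from BrightLine, of the kind of periodic access review a control owner can run: it joins an HR roster export against an account export and flags terminated users whose accounts are still enabled, revocations that missed the deprovisioning SLA, entitlements that exceed what the person's current role is approved for, and accounts with no owner in HR. The roster, role model, account data and the one-day SLA are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed HR roster export (assumption: one row per person, with termination date if any).
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance_analyst", "term_date": None},
    "bob": {"status": "terminated", "role": "sysadmin", "term_date": date(2014, 9, 1)},
    "carol": {"status": "active", "role": "hr_generalist", "term_date": None},
    "dave": {"status": "terminated", "role": "developer", "term_date": date(2014, 9, 20)},
}

# Constructed role model (assumption): the entitlements each job role is approved to hold.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"gl_read", "ap_write"},
    "sysadmin": {"domain_admin", "gl_read"},
    "hr_generalist": {"hr_pii_read"},
    "developer": {"repo_write"},
}

# Constructed directory/IAM export (assumption): current account state and entitlements.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "entitlements": {"gl_read", "ap_write", "hr_pii_read"}, "disabled_on": None},
    {"user": "bob", "enabled": True, "entitlements": {"domain_admin", "gl_read"}, "disabled_on": None},
    {"user": "carol", "enabled": True, "entitlements": {"hr_pii_read"}, "disabled_on": None},
    {"user": "dave", "enabled": False, "entitlements": {"repo_write"}, "disabled_on": date(2014, 9, 30)},
    {"user": "svc_legacy", "enabled": True, "entitlements": {"domain_admin"}, "disabled_on": None},
]

# Assumed revocation SLA: accounts must be disabled within one day of termination.
REVOCATION_SLA = timedelta(days=1)


def review_access(roster, role_entitlements, accounts, sla=REVOCATION_SLA):
    """Return (user, finding, detail) tuples for every account that fails the review."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # No owner in HR: nobody is accountable for this account's rights.
            findings.append((acct["user"], "orphan_account", sorted(acct["entitlements"])))
            continue
        if person["status"] == "terminated":
            if acct["enabled"]:
                # Revocation control failed outright.
                findings.append((acct["user"], "terminated_still_enabled", sorted(acct["entitlements"])))
            elif acct["disabled_on"] is not None and acct["disabled_on"] - person["term_date"] > sla:
                # Revoked, but later than the SLA allows: a timeliness failure worth trending.
                lag = (acct["disabled_on"] - person["term_date"]).days
                findings.append((acct["user"], "late_revocation", lag))
            continue
        # Active person: rights must match the current role (recertification).
        approved = role_entitlements.get(person["role"], set())
        excess = acct["entitlements"] - approved
        if excess:
            findings.append((acct["user"], "excess_entitlement", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNTS):
        print(f"{user:<12} {finding:<26} {detail}")
```

On the constructed data the review produces four findings: alice holds `hr_pii_read` beyond her role, bob's account is still enabled after termination, dave's account was disabled ten days late, and `svc_legacy` has no owner. Each maps back to a control in the paragraph above (recertification, revocation, revocation timeliness, and owner designation), which is what makes the review evidence for the audit step later in the post.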

Bear in mind the importance of establishing a common language between those interpreting and communicating privacy requirements with those data and control owners. The legal, business, and technology fields are very different, so forming a common ground is key for cohesively upholding the security framework.

Develop data breach response procedures

When a data breach occurs, your organization must be prepared to investigate and resolve incidents promptly by following a set of actionable procedures. A data breach response team should be assembled and each member's specific responsibilities should be clearly defined. Detailed response measures should be set forth to analyze and contain incidents as they occur. A plan for notifying affected individuals in a timely fashion should be in place and remediation efforts, if necessary, should be carried out.

To develop strong data breach response procedures, you must understand prevalent and emerging threats and recognize who your potential enemies are (nation states, hacktivists, organized crime, etc.). It is recommended to seek external advice from legal, communications, and IT security/forensics resources if your organization lacks a certain expertise in-house.

Draft your privacy policy

Your policy will be the core covenant of your program and should comprehensively state your organization's privacy standards. It should define the sensitive data identified, the applicable laws and regulations identified, the specifics of the security framework composed, and the actionable data breach procedures developed. It should also outline the core components of the Fair Information Practices (FIPs) not already presented in steps one through four above. The policy should entail notice procedures to inform data subjects of how the organization is gathering data, the purpose of gathering the data, the secondary uses of the data, how long the data will be held, and the related security controls employed. Consent requirements should also be incorporated to ensure data subjects agree to the gathering and use of sensitive information. Consequences of noncompliance with the policy should be included too.

Your privacy statement should be revisited frequently because it is a living document that will change over time to reflect the shifting environment and emerging best practices.

Train, monitor, audit, repeat

After you've drafted your privacy policy, it should be disseminated and readily available. The importance of the document should be expressed from the executive level down in order to drive adoption. Individuals in your organization should undergo continual training so that the ever-evolving privacy statement is widely understood and controls are upheld. Find a way to baseline and measure privacy activities so that you can monitor policy adherence. When audited, identify weaknesses in the privacy program and remediate them. The overarching purpose of this step is to drive continual improvement and to evidence the program's maturity in the eyes of your customer, regulators, and all other relevant parties.

The takeaway is simple. Our societal need for privacy and security is derived from something innate. It has been magnified by developments in information technology and will only catalyze as we move into the future. You must swiftly and seriously invest in your privacy program to stay ahead of that trajectory.


About the author

A senior associate with BrightLine CPAs & Associates, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has B.A.s in Accounting & Information Systems and Marketing Management.