EXECUTIVE SUMMARY

PROTECTING THE PRIVACY of personal information is no longer optional for organizations that collect, use and distribute it. Federal law now requires entities to take responsibility for safeguarding the data they gather from customers and patients.

ORGANIZATIONS THAT ACCEPT AND FULFILL their privacy-related obligations will find it easier to develop close business relationships with consumers who prefer them to competitors that don't make privacy a priority.

THE COMPLEXITY OF PRIVACY COMPLIANCE and the allure of turning a regulatory burden into a competitive advantage combine to create a consulting opportunity for CPAs who know the regulations and can help companies satisfy them and, thus, attract and retain customers.

CPAs LEADING A COMPLIANCE PROJECT, whether as employees or consultants, should adopt a systematic approach that identifies and resolves deficiencies in the organization's privacy policies and practices.

TO DO THIS EFFECTIVELY, CPAs should follow a four-phase plan in which they assess the entity's current compliance level, design a remedial strategy, implement the plan and then monitor its ongoing effectiveness.

CPAs SHOULD FAMILIARIZE THEMSELVES with the provisions of major federal privacy legislation, including the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Children's Online Privacy Protection Act of 1998.
ROBERT G. PARKER, a chartered accountant and certified information systems auditor, is a partner of Deloitte & Touche LLP, Toronto, and a member of the AICPA-CICA enterprise-wide privacy task force. His e-mail address is rparker@deloitte.ca.
Protecting the privacy of confidential information is quickly becoming a measure of success in the business world, because companies improve their reputation when they take care to safeguard the personal data people entrust to them. These organizations also attract customer loyalty, and that gives them an edge over competitors who don't make privacy a priority. This article shows CPAs in industry or in public practice how they can help businesses achieve their privacy compliance goals. It also summarizes provisions of the major federal privacy laws (see Privacy Protection Is Mandatory).
THE CPA AS PRIVACY STRATEGIST

Some businesses may not see privacy compliance as a way to develop a positive corporate image. But CPAs can stress to them that "solid policies are good business practices," says Everett C. Johnson, CPA, partner at Deloitte & Touche LLP in Wilton, Connecticut, and chairman of the AICPA enterprise-wide privacy task force. "Privacy matters to people who provide an organization with personal information about themselves," he adds, "and businesses need to demonstrate their respect for the confidentiality of the data that customers entrust to them."

Consumers Want Proof
Nine in ten consumers said they'd do more business with a company whose adherence to its own privacy policy was verified by a third party. Source: A survey Harris Interactive conducted on behalf of Privacy & American Business, 2002.
To succeed in these engagements, CPAs must be well versed in privacy law and be able to evaluate an entity's compliance level (see Resources for Privacy Consultants). To help an organization become privacy compliant, a CPA must understand how it gathers, uses, stores and discloses customer/client data.
A FOUR-PHASE APPROACH

CPAs should assemble a versatile team to design a plan to identify data protection deficiencies, create a strategy and implement and monitor the plan for compliance. Team members should represent various parts of the organization, including legal, internal auditing, risk management, finance, information security, human resources and operations. The group will assess the company's practices and should report to an executive in charge of privacy compliance. These are the team's responsibilities:
Phase 1: Perform an initial assessment of privacy policies and procedures. To determine whether the entity follows formal methods to protect data, the team will

- Document the type and location of all customer/client data, inside and outside the organization, and all systems that collect, process, use or distribute personal information.
- Verify compliance deadlines.
- Review and record existing information security and management policies and procedures.
- Conduct a gap analysis to identify any discrepancies between those policies and procedures and applicable compliance regulations.
In an actual example of this process, Ken Askelson, CPA, audit manager at J.C. Penney in Plano, Texas, led a team in assessing the company's privacy and security practices. Using a technique known as data mapping, the group's members tracked the flow of personal information throughout the organization. First they identified various collections of data, such as customer and credit information, and their business uses. Then they classified the information as mission critical and/or confidential, identified who had primary responsibility for safeguarding it, who had access to it, what controls governed its storage and use and what privacy laws applied. As a result, the team was able to identify certain weaknesses in the company's privacy practices and offer useful advice on how to correct them.

But even when a team such as Askelson's follows an agreed-upon compliance assessment process, individual group members may interpret its results in widely varying ways. "They often disagree about how great the gap is," says Stephen W. Head, CPA, a member of the AICPA information technology executive committee. "Here's where the CPA can build consensus by explaining how other businesses resolve their deficiencies and by helping the team agree on an appropriate plan for improving compliance," he says.

With a CPA's guidance, the team must identify risks related to an organization's failure to protect personal information. Such dangers include potential damage to the corporate image or brand, as well as reduced goodwill, inability to meet contractual obligations, financial losses and the imposition of fines, all of which could have a negative impact on current and future customers, shareholders and employees.
Phase 2: Design a strategic plan for achieving compliance. The team should evaluate the organization's legal and technology resources, including its employees' skills in these areas. It may be necessary to hire consultants to ensure the company's computer systems conform with regulatory requirements in the areas of security, controlling requesters' access to information and recording and managing individuals' consent to release their personal data. CPAs can guide the team through the following steps in producing a plan.

Create a privacy policy. This is an official record of the organization's compliance practices. In clear language it spells out why and what personal information is collected and how it is used, and it places reasonable limits on the kind and extent of data gathered. These controls guide the company's collection of information for a stated use and should not be unduly restrictive. The policy also explains how and where inquirers can obtain information on the privacy practices, such as what data the entity discloses to related businesses or third parties and for what reasons. It is essential that legal counsel review the privacy policy and procedures to ensure they comply with all regulations. The official policy should

Make someone responsible. The team should name someone in the organization to be the chief privacy officer, taking day-to-day command of the ongoing project, including implementation of new policies and procedures.

Create a consent mechanism. Generally, privacy laws require that an entity obtain a person's permission to collect, use or disclose information about him or her. Such consent is effective whether it is written, oral (as in speaking with a call center), technology-based (such as a click on a Web site) or implied. For example, if a person's magazine subscription expires and he or she has not canceled it, the publisher may have implied consent to solicit a renewal.

And when an organization wants to change a person's information or use it for a second purpose, it must obtain additional permission from the individual, who must at all times understand and approve how the entity will use the data. For example, if a bank wanted to mine its databases to identify customers who may qualify for a new loan product, it would need the customers' consent to use their information for that type of solicitation.

Of course, privacy protection must be balanced with practical considerations. That's why it's important to tell customers or patients exactly what information they must provide in order to execute a transaction or for them to obtain medical services.
Ensure marketing materials meet the individual's privacy expectations. The entity must create personal information collection forms that comply with its stated privacy policies. For example, if a privacy policy states that personal information will not be used without the individual's written consent and that an individual can withhold consent, then the forms must contain opt-in or opt-out options for each data element or group. Customers also should be able to use the form to verify their current consent status and modify it if necessary.
Privacy Protection Is Mandatory
Privacy laws affecting U.S. businesses:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (www.hhs.gov/ocr/combinedregtext.pdf) created new standards for electronic transactions, data security, unique patient identification numbers and the privacy of individually identifiable health information. The act applies to health plans, health care clearing houses and health care providers. Covered entities, through the use of contracts and other written agreements, also must ensure business associates' HIPAA compliance. Covered entities must obtain patients' written permission to disclose protected health information. Compliance with HIPAA's privacy provisions became mandatory April 14, 2003.

The Gramm-Leach-Bliley Act of 1999 (www.ftc.gov/privacy/glbact) gives guidance on the privacy of consumer information to financial institutions and those giving financial advice. The regulations require organizations to have sent a notice describing the company's privacy policies and practices prior to July 1, 2001, and to annually notify all individuals as long as they remain customers. In addition to financial institutions' core business functions, the act also governs tax planning, estate planning, wealth management, real estate settlement and closing activities and debt collection. CPA firms, lawyers and others dealing with personal financial information all fall within the act's purview.

The Corporate Child Online Privacy Protection Act of 1998 (COPPA) (www.ftc.gov/os/1999/9910/64fr59888.htm) prohibits Internet marketing to children younger than 13 years of age. Under COPPA the Federal Trade Commission has prosecuted a number of companies for collecting and using personal information from children.
Give people access to their personal information. Most privacy legislation requires that, upon an individual's request, an organization must supply any personal data it possesses and reveal how it uses and discloses such information. Best practices include quickly informing an inquirer whether the entity has any information about him or her, permitting access to it in readable and understandable form, appropriately restricting the release of personal information (for example, allowing only medical practitioners to release medical records), giving customers an account of how the organization has used their information and identifying third parties to whom the entity has disclosed it.

Provide effective security. Privacy policies and procedures must adequately safeguard the information from theft, loss and unauthorized copying, modification or disclosure. Companies must limit access even to employees who have a legitimate use for the information, safely store it and destroy it when no longer needed. An entity also must train its employees in privacy risk management, including maintaining the confidentiality of such records. Such training must explain the organization's privacy policies and procedures and identify contact personnel. Staff that deals directly with customers must understand privacy issues, know how to resolve them and continually monitor compliance.
As part of the plan the team also should develop and recommend criteria for answering information requests. These include response time frames, sources for requested information, procedures for validating the correctness and completeness of data and security processes to ensure authorized inquirers receive only information they are entitled to. The entity must confirm the validity of parties requesting personal information and ensure its disclosure does not violate anyone's privacy.

A process known as authentication ensures the requester is who he or she purports to be. Proof of identity comes in three verifiable forms: something one knows (for example, a password), something one can present (such as an identification card) or a measurable personal characteristic (for example, a fingerprint, voice or retina scan).
Ensure the accuracy of information and consent. A company must keep personal information as complete, accurate and up-to-date as is necessary to achieve the objectives for which it collected the data. If an organization releases (even to an authorized party) inaccurate or outdated information about an individual, that person's reputation could be damaged or he or she could be denied credit or a job promotion. Therefore, the team should establish criteria the organization can use to identify and avoid problematic situations in which, for example, a customer claims that his or her credit rating contains errors or that the organization disclosed personal information without the person's knowledge and consent.

Limit use, disclosure and retention. Businesses do not have the right to use personal information for uses other than the stated purposes for which they collected it. CPAs should advise companies to devise storage systems that identify the specific consent they obtained from customers or patients as well as the minimum/maximum periods they can retain the data, so they do not illegally use or disclose information or have to employ costly searches to confirm consent. Systems also should allow people appropriate access to their records. CPAs can assist in the design and development of such systems by assessing their efficiency, documenting the flow of data throughout the organization and proposing modifications (such as mandating monthly changing of employee and customer passwords) that would better safeguard privacy.
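The storage system described above, and the "second purpose" rule from the consent-mechanism step (the bank that wants to use customer data for a new loan solicitation), can be modelled directly. The following is an added example, not code from the article or any of the firms it mentions: every record carries the purposes the individual consented to and a minimum/maximum retention window, each use is checked against that consent before data is released, and a periodic review lists records that must be destroyed or must still be held. All names, purposes and sample customers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ConsentRecord:
    """A customer's data plus the consent and retention terms that govern it."""
    subject_id: str
    collected_on: date
    purposes: set            # purposes the individual consented to at collection
    retain_min_days: int     # must be kept at least this long (e.g. a legal minimum)
    retain_max_days: int     # must be destroyed once older than this
    data: dict = field(default_factory=dict)


class PersonalDataStore:
    """Storage that ties every use or disclosure to recorded consent (hypothetical)."""

    def __init__(self, today: date) -> None:
        self.today = today
        self._records = {}

    def add(self, rec: ConsentRecord) -> None:
        self._records[rec.subject_id] = rec

    def _age_days(self, rec: ConsentRecord) -> int:
        return (self.today - rec.collected_on).days

    def use(self, subject_id: str, purpose: str) -> dict:
        """Release data only for a consented purpose on a record still within retention."""
        rec = self._records[subject_id]
        if self._age_days(rec) > rec.retain_max_days:
            raise PermissionError("record is past its maximum retention period")
        if purpose not in rec.purposes:
            # A second purpose (the loan-solicitation case) needs fresh permission first.
            raise PermissionError("no consent on file for purpose %r" % purpose)
        return dict(rec.data)

    def record_consent(self, subject_id: str, purpose: str) -> None:
        """Store the additional permission obtained from the individual."""
        self._records[subject_id].purposes.add(purpose)

    def retention_review(self) -> dict:
        """List records that must be destroyed (past max) and held (under min)."""
        out = {"destroy": [], "hold": []}
        for sid, rec in self._records.items():
            age = self._age_days(rec)
            if age > rec.retain_max_days:
                out["destroy"].append(sid)
            elif age < rec.retain_min_days:
                out["hold"].append(sid)
        return out


def demo() -> tuple:
    """Constructed sample: two bank customers; returns (denied, allowed_name, review)."""
    store = PersonalDataStore(today=date(2003, 6, 1))
    store.add(ConsentRecord("cust-1", date(2003, 1, 15), {"account_servicing"},
                            365, 7 * 365, {"name": "A. Example", "balance": 1200}))
    store.add(ConsentRecord("cust-2", date(1995, 3, 2), {"account_servicing"},
                            365, 7 * 365, {"name": "B. Example", "balance": 40}))
    try:
        store.use("cust-1", "loan_marketing")      # no consent for this purpose yet
        denied = False
    except PermissionError:
        denied = True
    store.record_consent("cust-1", "loan_marketing")   # customer opted in on the form
    allowed = store.use("cust-1", "loan_marketing")["name"]
    return denied, allowed, store.retention_review()
```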
The Virtues of Independence
Third-party verification is emerging as a best practice for business leaders and policy makers alike. Each of the two leading privacy bills of the 107th Congress, S 2201 and HR 4678, provided that companies were presumed to be in compliance with the provisions of the legislation if they participated in a Federal Trade Commission (FTC)-approved self-regulatory program that included regular independent confirmation that they followed the program's privacy policies. Lawmakers are likely to introduce comparable legislation in the 108th Congress.

Regulators, too, are using independent verification as a legal settlement tool, forcing companies to obtain outside audits in cases involving alleged privacy and security violations. Last year the FTC entered into settlement agreements with two Fortune 500 companies, requiring them to undergo regular security and privacy audits. In addition, the settlement of a civil privacy case against a well-known online network advertiser required an audit. And as part of a settlement agreement with the attorneys general of Vermont, New York and California in a case involving an Internet security breach, a prominent technology publisher agreed to an external review of its online systems.

CPAs can use two AICPA assurance services to help businesses comply with privacy requirements: WebTrust (www.cpawebtrust.org) verifies whether a company's Web site meets e-commerce standards (some of which relate to privacy) that are based on internationally accepted best practices, and SysTrust (www.aicpa.org/assurance/systrust/index.htm) evaluates the availability, security, integrity and maintainability of an organization's computer systems.

Robert Tie
Robert Tie is a senior editor with the JofA. His e-mail address is rtie@aicpa.org.
Phase 3: Implement planned changes. Once the team has a strategic plan, it must oversee any changes in the systems, procedures, forms, brochures or other elements related to privacy. This might include modifying and testing computer software, scheduling systems upgrades to handle new forms and procedures, devising appropriate procedures for maintaining, as well as destroying, personal information records and training employees who directly interact with customers.

During the implementation phase CPAs also can help the business modify its human resources, accounting, travel and expense and other organizational practices to make them fully compliant with regulators' privacy requirements. "This is a huge undertaking," says Marilyn Greenstein, PhD, an associate professor of accounting and information systems at Arizona State University and a member of the AICPA's privacy task force. "To do the job properly, you have to understand how each department in the organization collects, uses and discloses information, and you must be well versed in data integrity and internal controls. The CPA knows all that and can ensure the business implements its privacy plan fully and effectively."
Phase 4: Monitor systems and procedures. The CPA can identify the key actions to take in monitoring privacy initiatives. These include procedures to

- Verify that the company adheres to its privacy policies and processes.
- Track and comply with applicable legislative and regulatory changes.
- Document complaints, because customer dissatisfaction may indicate problems with the organization's processes and warn of potential litigation.
- Identify and refer to the chief privacy officer all problematic cases, such as the organization's unauthorized use or disclosure of personal information, to ensure they receive adequate attention and that requesters obtain authorized information without involving regulators or the media.
- Develop criteria for identifying high-visibility situations that require management's attention and allow adequate time for due diligence reviews of any new privacy systems or procedures.
- Ensure company Web sites earn professional security certifications, such as those offered in conjunction with the enterprise-wide privacy audit offered under the AICPA's trust services.
CPAs also can recommend
establishing a program to survey requesters to
determine their satisfaction level and whether
company responses were timely. In addition,
practitioners should advise companies to conduct
periodic compliance audits. As internal or
external auditors or consultants, CPAs can help
by monitoring policies, processes and the
supporting technology.
THE CPA EDGE

The complexity and evolution of privacy regulations can make it difficult for organizations to ensure their computer systems, business practices, corporate policies and administrative processes are fully compliant. But CPAs experienced in these contexts who also are conversant with the latest regulatory developments can help their clients or employers identify and address situations and factors that threaten privacy. These are valuable skills in today's business environment, where any organization that breaches privacy regulations or fails to meet the public's confidentiality expectations will lose customers, suffer adverse press and perhaps face litigation and/or penalties as a result of individuals filing complaints with federal or state agencies such as the Federal Trade Commission.

"We're at the beginning of a mini rebellion in which public concerns about privacy are growing rapidly," says Don H. Hansen, CPA, a partner with Moss Adams LLP in Everett, Washington. But, he adds, with the help of CPAs, companies can manage this effectively and say to their customers, "We're protecting the privacy of your information. And that's great publicity."