According to an old adage, there's no such thing as bad publicity. Target Corp., however, would probably disagree. Late in 2013, a massive hacking plot that compromised Target's servers made headlines across the United States. The thieves accessed the confidential credit and debit card data of as many as 40 million Target customers as well as the personal information, such as phone numbers and addresses, of up to 70 million individuals. In the aftermath, Target faces multiple class-action lawsuits, a severely damaged reputation, lost customers, and mounting expenses related to remedying the data breach and restoring stakeholder confidence.
The potential consequences of a privacy breakdown can also include fines and penalties from regulators (see "The Role of Regulations" at the end of this article) but extend far beyond these areas. As the Target incident demonstrated, a breach can lead to the loss of data, reduced competitiveness in the marketplace, and the need to replace key leadership positions. Security research center Ponemon Institute's 2014 Cost of Data Breach Study, sponsored by IBM, found that the average cost of a breach to a U.S. company is US$5.9 million, up from US$5.4 million in 2013 — an increase of nearly 10 percent.
Growing regulatory expectations had already focused some companies on the importance of controlling privacy risks, but the Target episode captured the attention of a wider swath of organizations. More recently, Home Depot's massive data breach has brought the issue further to the forefront. Not surprisingly, boards of directors and audit committees are now applying greater pressure than ever on management to protect privacy — and internal audit can play a vital role.
It's not enough for companies to develop and implement comprehensive privacy practices — they also need the assurance that, in many instances, only internal audit can provide: that the practices are functioning as intended in an ever-changing risk environment. To deliver such assurance, internal audit must understand the types of data to be protected; the relevant regulations; the potential consequences of a breach; and the appropriate controls to expect, test, and help strengthen.
Critical Data to Protect
Most organizations need to protect three primary types of private information: personal data, company-confidential data, and intellectual property. Personal data ranges from the less sensitive, such as individuals' contact information, to the more sensitive, such as Social Security numbers or medical and financial information. Although many organizations understandably treat consumer personal information as more sensitive, they must also safeguard employees' personal information — the inadvertent disclosure of the latter, however, often comes with less risk.
Company-confidential data comprises any nonpublic internal information. It could range from information about hirings and firings to potentially valuable data such as unreleased earnings reports or merger and acquisition details. The sensitivity of each depends on the timing and effect of the disclosure. For example, an earnings report due to be released on July 28 is more sensitive on July 25 than on July 29.
Intellectual property is defined more broadly for purposes of privacy than it is for legal purposes. In addition to guarding legally protected property such as patents, copyrights, and trade secrets, an organization must protect other valuable assets. These can include clinical trial results, prototypes, a methodology or process, or a list of prospective clients — assets that, if leaked, stolen, or otherwise compromised, could cause catastrophic damage to the organization. As such, this type of information is highly sensitive and warrants the highest levels of protection.
Whether part of a heavily regulated industry or not, organizations must develop and implement effective privacy controls. The question of effectiveness is where internal audit comes in. Internal audit's testing of a company's controls can assure their effectiveness and ultimately call for action to strengthen them. At a minimum, several essential controls should be in place.
Management. The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice. The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Choice and Consent. The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection. The organization collects personal information only for the purposes identified in the notice.
Use, Retention, and Disposal. The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. It retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information.
Access. The organization provides individuals with access to their personal information for review and update.
Disclosure to Third Parties. The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of
Security for Privacy. The organization protects personal information against unauthorized access (both physical and logical).
Quality. The organization maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring and Enforcement. The organization monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Medium or large organizations should also consider appointing a chief privacy officer or chief information security officer (CISO) to oversee the program. Ponemon Institute found that the appointment of a CISO to lead a data breach incident response reduced the per capita cost of a breach in the United States by US$6.59 — or an average reduction of US$191,683 per incident. Internal auditors may want to recommend this type of oversight structure if it is not already in place.
Training and Compliance Monitoring
The privacy program should spell out the requisite employee training, which should be provided at onboarding and refreshed at regular intervals. Training should cover the linkage of privacy policies to areas such as legal and regulatory requirements and how to abide by privacy controls, along with topics such as how to avoid phishing schemes designed to steal personal, private, and other sensitive information. The specific training should be appropriate to each trainee's role.
Independent Testing of Infrastructure
The Target hackers broke into the company's network using credentials stolen from a third-party vendor that provided heating and air-conditioning services and had a data connection with the company for electronic billing, contract submission, and project management. Once they gained entry to the network, the hackers were able to access different parts of the system that weren't segregated correctly. Thorough, independent infrastructure testing by internal audit might reveal such a flaw. Companies also should consider seeking certification from organizations like the International Organization for Standardization, which involves undergoing a rigorous evaluation of controls.
Vulnerability Management
Companies have access to a variety of tools for managing their technical vulnerabilities. Scanning tools can monitor platforms and applications for known vulnerabilities. A patching program will implement patches that close vulnerabilities in operating systems and applications. Antivirus software can help a company manage vulnerabilities by stopping viruses carrying malicious computer code from attacking its network. Intrusion detection systems monitor computer logs and activity to identify attacks in progress and alert the appropriate personnel so that action can be taken. Internal auditors should confirm the presence and evaluate the effectiveness of these types of technology.
Vulnerability management should be an ongoing process, as new threats and incidents crop up constantly. The Heartbleed bug, for example, one of the biggest security threats in recent years, sent many companies scrambling in April. Those with an incident response program, however, were positioned to take the necessary actions promptly to mitigate risk.
According to the Ponemon Institute's report, efficient response to a breach and containment of the damage can reduce the breach's cost significantly. Organizations with a formal incident response plan in place before an incident occurred saw a reduction in the average cost of a data breach of US$17 per record.
Authentication and Access Controls
Companies need authentication or login controls for their networks and systems. Usernames, passwords, and mandatory password changes at regular intervals might not be enough, however. It could be necessary to implement controls such as session management, whereby a user will automatically be logged out after being idle for a certain amount of time. Access controls, such as segmenting network access from one part of the network to another, are also important.
Encryption
Organizations should use encryption to alter electronic data so that, if intercepted, it is illegible. Encryption can be applied to:
Internal auditors should confirm the presence of these technical controls to encrypt data. Auditors can monitor network traffic for unencrypted sensitive information, review the process of emailing sensitive data, review the full disk encryption solution, and evaluate how applications protect data.
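The traffic check described above, as an added example that is not part of the original article: a small Python scanner run over constructed plaintext request fragments (no real data) that flags card numbers and Social Security numbers sent in the clear, using a Luhn check to weed out card-like numbers that are not cards, and reports only masked values so the audit evidence itself does not become another exposure.

```python
import re

# Constructed sample of plaintext request fragments, as an auditor might see
# on a capture from an internal segment. Not real data; an assumption for this example.
SAMPLE_TRAFFIC = [
    "POST /checkout HTTP/1.1 body=card=4111111111111111&exp=1219&cvv=123",
    "POST /profile HTTP/1.1 body=name=J.+Doe&ssn=078-05-1120",
    "GET /catalog?item=4111-1111-1111-1112 HTTP/1.1",  # card-like but fails Luhn
    "POST /login HTTP/1.1 body=user=jdoe&token=ab12cd34",
]

# 13-16 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# U.S. SSN in the common ###-##-#### layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; cuts false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pii(lines):
    """Return (line_index, kind, masked_value) for each exposure found."""
    findings = []
    for idx, line in enumerate(lines):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_valid(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append((idx, "card", masked))
        for m in SSN_RE.finditer(line):
            findings.append((idx, "ssn", "***-**-" + m.group()[-4:]))
    return findings


if __name__ == "__main__":
    for idx, kind, masked in find_cleartext_pii(SAMPLE_TRAFFIC):
        print(f"line {idx}: unencrypted {kind} {masked}")
```

The same functions can be pointed at exported HTTP bodies or log lines from a capture tool; the masked output is what goes into the audit workpapers.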
Incident Response
Even with rigorous controls over privacy in place, any organization could still experience a data breach. New threats and vulnerabilities are always emerging, and no approach to security is foolproof. Of primary importance is having in place an incident response plan to react quickly and minimize the damage a breach can cause.
Stay Ahead of the Game
In the wake of increasing regulatory scrutiny and widely publicized security breakdowns, privacy protection has become a significant focus for organizations of all sizes and in all sectors. With the potential consequences of unauthorized access to private information so great, internal audit professionals must step up and help their organizations mitigate the constantly evolving privacy-related risks.
The Role of Regulations
In recent years, regulators have stepped up the privacy-related requirements for a variety of industries. The financial sector, for example, has been subject to heightened requirements for some time. As a result, financial institutions have some of the more mature privacy controls — as well as some of the highest costs related to security and privacy.
The state of the controls in health-care organizations often compares starkly with that of controls in the financial industry. Some health-care companies are struggling to keep up with the demands imposed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). Noncompliance with HIPAA’s privacy, security, and breach notification rules, and the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH), can prove costly.
In July 2013, for example, the U.S. Office for Civil Rights (OCR) reported a US$1.7 million settlement with a managed care company for violating HIPAA privacy and security rules. And in late December 2013, the OCR reported its first settlement — the office fined a dermatology practice for failing to have policies and procedures in place to address HITECH’s breach notification provisions. Among other issues cited, an investigation by OCR found that the practice had failed to conduct an accurate, thorough analysis of the potential risks and vulnerabilities to the confidentiality of electronic protected health information. Although the practice settled with the OCR for US$150,000, the OCR’s average imposed fine
In the European Union (EU), the EU Data Protection Directive establishes minimum privacy protection requirements for the EU as a whole, as well as those for each relevant country and locale. The EU is generally stricter than the United States when it comes to privacy, with tight restrictions on which data can be shared and travel across borders. Under US-EU Safe Harbor, an international privacy framework, multinational companies — and third parties delivering services to multinational companies — can go through an annual safe harbor certification process to attest that they provide adequate privacy protection and satisfy the safe harbor principles that address notice, choice, onward transfer, security, data integrity, access, and enforcement. The EU and the United States share data related to safe harbor, and the U.S. Federal Trade Commission has brought several enforcement actions alleging violations of safe harbor commitments, including actions against Facebook and Google.
Within the United States, companies can be subject to a patchwork of different state privacy laws. When an organization operating in two dozen states suffers a data breach, it must comply with two dozen different notification requirements. As part of the annual audit plan, internal audit should consider auditing the organization’s incident response plan to assure it includes the states’ requirements for privacy notification.
Raj Chaudhary, CGEIT, CRISC, is a principal with Crowe Horwath LLP in Chicago. Michael Lucas, CISSP, is a manager with Crowe.