Privacy Impact Analysis

I was a participant in a security forum last week in Northern Virginia on the topic of data privacy in general and its implications for fraud examination specifically. One of my fellow speakers made a very forceful case for the performance of privacy impact analysis by any corporation holding large amounts of customer data. Her argument was that a privacy impact analysis should be a key component of every corporate security management program. The objective of this type of assessment is to ensure that the risk of exposing personally identifiable information is contained at every level of the organization… every business process composing the enterprise needs to be separately assessed for its vulnerability to privacy threats, not just the business functions directly related to information management.

By identifying vulnerabilities throughout the entire book of business processes constituting its enterprise, an organization can significantly reduce the possibility of identity theft occurring at different stages of its business cycle and safeguard the client information entrusted to its care. My colleague argued that a privacy impact assessment creates a structured process for analyzing non-technical and technical privacy requirements and compliance with relevant regulation, all of which can be dovetailed neatly into the organization’s enterprise risk management (ERM) effort.

For the risks identified by the privacy impact analysis found to be above an acceptable level, our speaker recommended three additional steps. First, conduct the necessary research and fully, not partially, implement appropriate prevention techniques, tools and corporate policy changes. Second, make sure that there’s a sound, tested recovery plan in place in case of a successful attack involving loss of personal information. Third, develop an effective incident response plan well in advance of an actual attack. Those of you involved in ERM will be familiar with each of these steps; taken together they demonstrate due diligence and should lessen legal liability somewhat should an unpreventable breach occur. This is important because customers and investors alike quickly lose confidence in proportion to any negative corporate news, but especially when it’s perceived that the due diligence required to safeguard customer information was absent. A major event can cause a corporation to lose credibility and business to a competitor. This obviously affects share price, which in turn can lead to a sell-off by investors. Such an occurrence can be devastating to a corporation, possibly to the extent that it cannot recover.

Public policy, embodied in current law, requires that organizations notify their customers and clients when privacy breaches occur. These notifications are usually accompanied by a year of free credit bureau oversight or credit watch services so customers can monitor their credit reports for evidence of identity theft; all this remediation is costly and embarrassing and just the sort of situation the privacy impact analysis is designed to prevent.

A final point has to do with employees. Knowledge is power. If employees are aware of how identity theft of customer data occurs and succeeds, they can take many steps, as part of their routine daily duties, to prevent it. So don’t exclude the privacy awareness level of the work force as a critical score element from the privacy impact analysis; if there are identified privacy-related weaknesses involving corporate staff, don’t hesitate to address them, and quickly. The ACFE has emphasized in study after study that work force fraud awareness training is one of the most effective fraud deterrence tools there is.
