Protecting Customer Privacy

Edited by Michael D. Marinaccio

A special request from the CEO requires a chief audit executive to champion development of a "best practices" customer privacy policy, raising questions about his ability to maintain audit objectivity.

Carol is the chief audit executive for CyberSales, a US $3 billion online retailer that operates numerous retail Web sites in North America and across the globe. The company serves its customers primarily through these sites and focuses on offering them selection, price, and convenience. It also enables seller customers to offer products on CyberSales’ Web sites or via their own branded sites.

Carol’s internal audit department consists of six audit professionals, including herself. She reports functionally to the audit committee and administratively to the chief financial officer. Throughout her work, Carol strives to ensure stakeholders perceive the audit function as a value-added service to management.

CyberSales' rapid growth has made the company difficult to manage, primarily due to its increasingly complex business operations. This complexity has also created a need for greater awareness of risks related to the collection, storage, use, and disclosure of its customers’ personal information.

The company's CEO knows that privacy is an important consideration for Web-based businesses. In fact, CyberSales has recently adopted the motto, “We care about your privacy.” However, it does not have a privacy or compliance officer and does not plan to hire one. Instead, the CEO has asked the internal audit function to draft a best practices privacy policy to help manage issues related to customer data. He’s asked Carol to lead the policy development effort and ensure the privacy documentation is finalized and implemented as soon as possible.

What steps should Carol undertake and what areas of the company should she engage to participate in the project? What best practice privacy resources are available for her research and consideration? How should she present the results to the CEO?

Brad Curley, Partner
Internal Audit, Regulatory, and Compliance Services

First and foremost, Carol needs to inform the CEO that she cannot lead this effort. She and her team will more than likely need to assess the effectiveness of privacy policies in their audit plan, and involvement in policy development could impair her objectivity.

Nonetheless, Carol can still contribute to the process by making observations during development and offering recommended improvements. Representatives from customer service, IT, and legal, among others from the business, should also be involved. An appropriate cross-functional focus is necessary to fully understand the customer needs, IT infrastructure, and regulatory requirements that continually evolve in this area.

CyberSales may also want to engage a consultant who specializes in privacy and security for enterprises that do business via the Web. A qualified consultant will likely be aware of the key risks privacy issues present, as well as lessons learned from other companies’ mistakes. The consultant’s perspective can also help the organization apply an appropriate level of cost/benefit consideration to the policy effort and related practices.

Some resources available to Carol as she researches best practices include the Center for Internet Security, the Electronic Privacy Information Center, and the Financial Services Information Sharing and Analysis Center. She should keep in mind, however, that while these resources can provide information about known security risks and impending privacy legislation, they do not provide insight into a company's preparedness to deal with these issues. To increase the likelihood of identifying and addressing threats in a timely manner, Carol should consider facilitating the introduction of periodic security and privacy risk assessments.

In her presentation to the CEO, Carol should describe privacy risks identified, as well as the policies and practices that have been developed to address those risks. A summary of privacy best practices and those that can be adopted by the company would also be beneficial to the CEO.

Michael J. Anoli, CIA
Director of Internal Audit
Genzyme Corp.

Carol first needs to determine whether taking on this consulting engagement is acceptable under The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards). Relevant factors to consider include potential impairments to independence and objectivity and whether the internal audit function possesses the required knowledge, skills, and competencies to perform the engagement. Also, Carol should explain to the CEO that someone else in the organization must take ownership of the final policy and its implementation. Acting otherwise would be unacceptable under The IIA’s Standards. In the absence of a privacy or compliance officer/function, the information security department or legal department might be the best candidates for this role.

Once Carol clears these potential hurdles, she should engage the appropriate internal and external resources rather than drafting the policy in a silo. These resources should include internal and external legal counsel, information security, IT, industry peers, and external data privacy consultants. The company’s seller customers should also be engaged in this process, as they may have unique data privacy requirements.

Once Carol has assembled the appropriate resources, she should work with these groups to assemble a comprehensive listing of all relevant data privacy regulations and best practice guidelines to evaluate for potential inclusion in the policy. There are myriad federal, state, and international regulations for the team to consider. Moreover, Carol should be sure to reference best practice guidelines, including The IIA’s Practice Advisory 2130-A1-2: Evaluating an Organization’s Privacy Framework, the American Institute of Certified Public Accountants’ Generally Accepted Privacy Principles, the Payment Card Industry Data Security Standards, and the International Association of Privacy Professionals guidelines.

Once a draft of the policy has been prepared, Carol should facilitate a final review with all stakeholders to determine if additional edits are required. She should then present the policy to the CEO. Once finalized, ownership of the policy should be turned over to the relevant operating management process owner.

Darren Foley
Senior Audit Manager
Enterprise Risk Management and Control
Akamai Technologies Inc.

Carol should first clarify and define her role in the policy development effort with the CEO. She should recommend the establishment of a task force consisting of representatives from areas of the company impacted by the proposed policy. To maintain her independence for any future auditing of the policy’s effectiveness, Carol should limit her involvement in the task force to performing advisory services.

The first step in formulating the privacy policy should be to identify all applicable domestic and international privacy laws for all jurisdictions in which the company transacts its Web site business. The assistance of legal counsel in this effort can be valuable, especially where the company sells outside U.S. borders.

Carol should then obtain best practice examples of privacy policies, which can be found on the Web sites of industry peers and various governmental, professional, and institutional organizations. These examples should be used to assist in the development of a draft policy while ensuring all applicable regulatory requirements are addressed. Relevant existing processes should then be examined to tailor the draft policy to the company’s business.

Participation from internal groups such as billing, customer service, and IT will be critical in understanding the nature, value, and life span of customer data as well as the systems and processes used to obtain, transmit, and store this information. Such cross-functional involvement is also vital in identifying “out of compliance” processes for subsequent remediation.

Lastly, Carol should meet with the CEO to review any privacy risks and discuss findings from her research. To underscore the importance of an effective policy, her discussion should include real-life examples of companies that have experienced privacy breaches, as well as the consequences of those breaches. She should also explain how the proposed policy would address key risks. Upon completion of the policy, the human resources department should assist in communicating the policy to existing employees and all new hires.

How would you handle this scenario? Continue the discussion by sharing your comments below.

Practical Advice, sans buzz words
If Carol follows the others' advice and first prefaces her limited role, then no one will take her seriously and at best she can hope to be one of the meeting attendees. If the CEO really wants her to lead the effort then she needs to take steps to obtain his full support in really being in charge. If that doesn't happen, then Internal Audit will simply be blessing the outcome. This is hardly the position a quasi-independent function like internal audit would want to depend on. As Internal Audit would not generally be in charge of the subsequent auditing of this function, others' concerns about "impairing independence" are really just catch phrases for dodging real responsibility or involvement. In all honesty, this isn't really Internal Audit's stock and trade; however, the CEO selected Carol, so this is an opportunity to shine. Carol should boldly accept this task and know that her continued respect within the organization depends on succeeding. Luckily privacy is easy: 1) "We care about privacy" sounds like it was developed by the marketing department. Dump it because it's hollow, meaningless, and no one buys that. 2) If you don't collect data, no one can steal it. As an online retailer, a certain amount of personal information is necessary to process transactions. However, collecting every last detail about a prospective customer is invasive and tends to turn consumers off. Don't do it. Collect enough to process the transaction and purge the data. Gather and retain customers on the basis of something other than storing reams of data about them. Offering quality products or, alternatively, effective advertising are two examples of alternative approaches that come to mind. 3) Identify the best IT security people in the organization and involve them in the project from the beginning. They are likely intelligent, capable, and generally undervalued, so it should be easy to enlist their aid and obtain optimal outputs from them through recognition.
Furthermore, listen to them. This is their stock and trade. Do not marginalize them because you don't understand it. Be humble. Get them to teach you instead. 4) Do not collect unneeded information. The natural tendency is to collect as much as you can. Deny this temptation and streamline the customer's order entry process. It turns off customers, exposes you later, and most likely will add zero value. 5) With an easy order entry system, you do not need cookies. Avoid them because no one likes them and they create risk exposure (finally an IA area of concern). 6) In an age of information, Google and a discerning, intelligent mind are your new best friends.
Posted By: Gringolinho Araujo
2010-05-24 7:32 PM
