control, and governance
Protecting Customer Privacy
Edited by Michael D. Marinaccio
Carol is the chief audit executive for CyberSales, a US $3 billion online retailer that operates numerous retail Web sites in North America and across the globe. The company serves its customers primarily through these sites and focuses on offering them selection, price, and convenience. It also enables seller customers to offer products on CyberSales’ Web sites or via their own branded sites.
Carol’s internal audit department consists of six audit professionals, including herself. She reports functionally to the audit committee and administratively to the chief financial officer. Throughout her work, Carol strives to ensure stakeholders perceive the audit function as a value-added service to management.
CyberSales' rapid growth has made the company difficult to manage, primarily due to its increasingly complex business operations. This complexity has also created a need for greater awareness of risks related to the collection, storage, use, and disclosure of its customers’ personal information.
What steps should Carol undertake and what areas of the company should she engage to participate in the project? What best practice privacy resources are available for her research and consideration? How should she present the results to the CEO?
First and foremost, Carol needs to inform the CEO that she cannot lead this effort. She and her team will more than likely need to assess the effectiveness of privacy policies in their audit plan, and involvement in policy development could impair her objectivity.
Nonetheless, Carol can still contribute to the process by making observations during development and offering recommended improvements. Representatives from customer service, IT, and legal, among others from the business, should also be involved. An appropriate cross-functional focus is necessary to fully understand the customer needs, IT infrastructure, and regulatory requirements that continually evolve in this area.
CyberSales may also want to engage a consultant who specializes in privacy and security for enterprises that do business via the Web. A qualified consultant will likely be aware of the key risks privacy issues present, as well as lessons learned from other companies’ mistakes. The consultant’s perspective can also help the organization apply an appropriate level of cost/benefit consideration to the policy effort and related practices.
Some resources available to Carol as she researches best practices include the Center for Internet Security, the Electronic Privacy Information Center, and the Financial Services Information Sharing and Analysis Center. She should keep in mind, however, that while these resources can provide information about known security risks and impending privacy legislation, they do not provide insight into a company's preparedness to deal with these issues. To increase the likelihood of identifying and addressing threats in a timely manner, Carol should consider facilitating the introduction of periodic security and privacy risk assessments.
In her presentation to the CEO, Carol should describe privacy risks identified, as well as the policies and practices that have been developed to address those risks. A summary of privacy best practices and those that can be adopted by the company would also be beneficial to the CEO.
Michael J. Anoli, CIA
Director of Internal Audit
Carol first needs to determine whether taking on this consulting engagement is acceptable under The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards). Relevant factors to consider include potential impairments to independence and objectivity and whether the internal audit function possesses the required knowledge, skills, and competencies to perform the engagement. Also, Carol should explain to the CEO that someone else in the organization must take ownership of the final policy and its implementation. Acting otherwise would be unacceptable under The IIA’s Standards. In the absence of a privacy or compliance officer/function, the information security department or legal department might be the best candidates for this role.
Once Carol clears these potential hurdles, she should engage the appropriate internal and external resources rather than drafting the policy in a silo. These resources should include internal and external legal counsel, information security, IT, industry peers, and external data privacy consultants. The company’s seller customers should also be engaged in this process, as they may have unique data privacy requirements.
Once Carol has assembled the appropriate resources, she should work with these groups to assemble a comprehensive listing of all relevant data privacy regulations and best practice guidelines to evaluate for potential inclusion in the policy. There are a myriad of federal, state, and international regulations for the team to consider. Moreover, Carol should be sure to reference best practice guidelines, including The IIA’s Practice Advisory 2130-A1-2: Evaluating an Organization’s Privacy Framework, the American Institute of Certified Public Accountants’ Generally Accepted Privacy Principles, the Payment Card Industry Data Security Standards, and the International Association of Privacy Professionals guidelines.
Carol should first clarify and define her role in the policy development effort with the CEO. She should recommend the establishment of a task force consisting of representatives from areas of the company impacted by the proposed policy. To maintain her independence for any future auditing of the policy’s effectiveness, Carol should limit her involvement in the task force to performing advisory services.
Carol should then obtain best practice examples of privacy policies, which can be found on the Web sites of industry peers and various governmental, professional, and institutional organizations. These examples should be used to assist in the development of a draft policy while ensuring all applicable regulatory requirements are addressed. Relevant existing processes should then be examined to tailor the draft policy to the company’s business.
Participation from internal groups such as billing, customer service, and IT will be critical in understanding the nature, value, and life span of customer data as well as the systems and processes used to obtain, transmit, and store this information. Such cross-functional involvement is also vital in identifying “out of compliance” processes for subsequent remediation.
Lastly, Carol should meet with the CEO to review any privacy risks and discuss findings from her research. To underscore the importance of an effective policy, her discussion should include real-life examples of companies that have experienced privacy breaches, as well as the consequences of those breaches. She should also explain how the proposed policy would address key risks. Upon completion of the policy, the human resources department should assist in communicating the policy to existing employees and all new hires.
How would you handle this scenario? Continue the discussion by sharing your comments below.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.