Management, compliance & auditing

How privacy laws have changed security auditor requirements

July 3, 2019 by Patrick Mallory

Introduction

At the outset of 2018, it was hard to predict what the year ahead would have in store for consumer privacy. Between revelations of user data-sharing relationships between Facebook and Cambridge Analytica and between Google and Mastercard, as well as the General Data Protection Regulation (GDPR) taking effect in the European Union, privacy has never been so public. 

In the wake of these events, U.S. companies are finally beginning to warm to the concept of federal privacy regulations. After working through their representatives for years to fend them off, companies and industry coalitions such as the Information Technology Industry Council, which represents firms like Facebook, Amazon, Google and Salesforce, are beginning to work with policymakers to help shape potential new federal privacy regulations. 

But it shouldn’t take comprehensive federal legislation to motivate a company to examine how it handles customer data and enables personal privacy. Instead, companies can elevate the role that their security auditors play, step up their privacy practices and work to understand the regulatory environment of today while planning for what’s in store for tomorrow. 


Why do companies conduct privacy audits?

Audits are nothing new for many businesses, but privacy audits are a different kind of experience. Broader in scope than an information technology audit or an annual tax review, the objective of a privacy audit is to evaluate an organization’s privacy protection posture against not only regulatory requirements and best practices of their industry, but also their own privacy-related policies. 

Because the organizations security auditors work with often hold deeply personal information about customers who expect it to be protected responsibly, privacy audits evaluate procedures across the entire information life cycle: creation or receipt, distribution, use, maintenance and, eventually, disposal. This includes confirming that both internal mechanisms and third-party partners have the needed safeguards in place, and that those safeguards are actually enforced at each of those stages. 

These privacy audits should be transparent and demonstrate that the organizations are doing what they claim, especially as customer information has evolved from being scarce to incredibly abundant. In the end, the privacy audit presents the status of risks associated with potential privacy issues, recommends mitigations or initiatives to limit liability and establishes a plan for continued evaluation. The results of this audit can then be used to enhance an organization’s reputation or consumer trust, comply with contractual requirements or provide assurances to regulators. 

How is privacy different from confidentiality?

While seemingly synonymous and frequently used interchangeably, privacy and confidentiality have different meanings in this context. 

Confidentiality refers to protecting information from unauthorized disclosure, while privacy is the proper handling of data according to the relevant consent and regulatory obligations associated with a set of information. This includes how data is shared, collected and stored. 

In practice, an organization can put the proper security measures in place to keep data safe from attackers, but that does not necessarily mean the organization is in compliance with data privacy regulations or meeting the expectations of the people the data describes.

What are the basic security and privacy laws, regulations and guidelines?

In the wake of the GDPR in the European Union and the debates in the United States at the federal and state level, data privacy laws seem to be in the news nearly every day. However, one of the biggest challenges posed by these debates and developments is understanding the history of these laws and regulations and just how differently privacy is handled across jurisdictions. 

For example, in the United States this challenge is especially acute because there is no overarching data privacy regulation. Instead, the U.S. has a patchwork of sector-specific protections, such as the Health Insurance Portability and Accountability Act (HIPAA), layered over nearly fifty state-level privacy statutes. 

In addition, the Federal Trade Commission (FTC) plays the role of default defender of U.S. consumer privacy. The U.S. system, according to the Privacy, Data Protection, and Cybersecurity Law Review, is also relatively flexible and non-prescriptive in nature, “relying more on post hoc government enforcement” than on “detailed prohibitions and rules.” However, there are some common guidelines and standards that must be met, which vary by industry.

The FTC Act

The FTC is the de facto privacy regulator in the U.S. If a sector-specific federal or state law does not cover a particular type of data, the FTC’s general authority applies. Section 5 of the FTC Act declares “unfair or deceptive” acts or practices unlawful; combined with sector-specific and state-level privacy laws, this empowers government agencies to oversee the data privacy of individuals, covering negligence, tracking, public disclosure and other infringements such as misuse of a personal likeness. 

The FTC also takes the position that organizations must disclose their privacy terms and they must promptly notify users of issues. 

Finally, the FTC has also issued extensive guidance that emphasizes four principles of consumer privacy protection:

  1. Transparency and control, giving meaningful disclosure to consumers, and offering consumers choice about information collection
  2. Maintaining data security and limiting data retention
  3. Express consent before using information in a manner that is materially different from the privacy policy in place when the data was collected
  4. Express consent before using sensitive data for behavioral advertising

Data classification

The FTC treats data as personal if it can be used to contact or distinguish an individual, which includes IP addresses. Sensitive data includes personal health data, credit information, personal information collected online from children under 13, precise location data and any data that could be used to commit identity theft or fraud. 

Federal laws, such as the Children’s Online Privacy Protection Act of 1998 (COPPA), and state laws provide additional definitions and enforcement guidelines. California is widely viewed as the leading state legislator on privacy with its California Consumer Privacy Act of 2018 (CCPA). 

Data transfers

There is no single, widely applied data transfer regulation in the United States. For transatlantic transfers, the FTC enforces the commitments organizations make under the EU-U.S. Privacy Shield framework, which sets rules for how personal data is protected once it leaves the EU for the United States. Under Privacy Shield, each participating organization (not each country) must self-certify to the Department of Commerce, and re-certify annually, that it complies with the framework’s principles for protecting data from unwarranted access or use. (A caveat for readers coming to this article later: the Court of Justice of the European Union invalidated Privacy Shield in its July 2020 Schrems II decision, so the framework no longer provides a lawful basis for EU-to-U.S. transfers.)

The FTC also signed memoranda of understanding with Ireland’s Data Protection Commissioner in June 2013 and with the United Kingdom’s Information Commissioner’s Office in 2014 to promote increased cooperation in the agencies’ efforts to protect consumer privacy. In 2012, the United States also became the first participant in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system.

Industry-specific privacy regulations

Healthcare

The Department of Health and Human Services (HHS) enforces the protections within HIPAA and those added by the Health Information Technology for Economic and Clinical Health Act (HITECH). HIPAA created standards not only for electronic healthcare transactions but also for the privacy and security of protected health information, which HHS enforces through the HIPAA Privacy Rule and Security Rule. 

At its core, “covered entities” (health insurers, healthcare clearinghouses and providers) may use and disclose protected health information for treatment, payment and healthcare operations, but generally need the patient’s written authorization before sharing it for other purposes. Through HITECH, HIPAA’s security and breach-notification obligations extend directly to the business associates that handle data on behalf of covered entities, so providers must make sure their IT systems and third-party vendors are also securing patient data. Finally, HIPAA protections do not cover properly “de-identified” data.

Financial

Regarding financial privacy, the FTC works with the relatively new Consumer Financial Protection Bureau (CFPB) to enforce consumer privacy. Before the Dodd-Frank Act created the CFPB, the FTC enforced privacy through a range of federal financial laws, such as the Financial Services Modernization Act of 1999 (better known as the Gramm-Leach-Bliley Act, or GLBA) and the Fair Credit Reporting Act (FCRA), alongside the federal banking agencies. Today, the CFPB has significant independent enforcement powers. 

The FTC also retains the power to administer privacy regulations under the FCRA, protecting both the privacy of personal data held by financial institutions and consumer reporting agencies and the consumer’s right to dispute information that is incorrect. 

These laws also require financial institutions to disclose their information-sharing practices to their customers and prohibit them from sharing nonpublic personal information with nonaffiliated third parties without notice and the opportunity to opt out. Consumer privacy in credit reports provided by consumer reporting agencies is further protected by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended the FCRA.

Communications

For telecommunications privacy, the Federal Communications Commission (FCC) and the Department of Justice (DOJ) share enforcement. The FCC enforces the Communications Act’s customer proprietary network information (CPNI) rules, which protect customer data such as phone call records, while the DOJ prosecutes violations of the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA), which criminalize interception of communications and hacking or other unauthorized access to computer systems. 

These laws protect the communications and computer networks of both large companies and private citizens.  

Policies and procedures

While there is no requirement in the United States to register what sort of data an organization collects, the FTC considers it deceptive if a company puts data and personal information to materially different uses without disclosing them in the privacy policy under which the data was collected. This has not stopped organizations from looking beyond the letter of existing laws to develop their own policies and privacy practices. Many corporate privacy officers work to respond to their customers’ demands and anticipate FTC enforcement by looking to other countries, states and legal decisions against peer organizations. 

The Safeguards Rule under the GLBA also requires financial institutions to maintain a written information security program to protect customer information. As part of that program, organizations must designate an employee to coordinate it, conduct risk assessments, implement and regularly test their safeguards, oversee their service providers and adjust the program whenever laws, operations or security issues change.

How has a security auditor’s job changed?

While U.S. law does not require companies to employ a security auditor to protect data privacy, many have one in place, either to manage the many responsibilities outlined in industry regulations or to stay ahead of customer and stockholder expectations. These individuals help introduce best practices and respond to potential issues. 

Similarly, security audits themselves are not mandated by name, but GLBA and HIPAA compliance requires regular evaluation of security policies and data safeguards, and experienced auditors within an organization are well placed to facilitate that work. With the pace of data breaches and hacks, regular employee training and proactive evaluation through security audits are also becoming more common functions.

How can companies position themselves for future changes? 

In addition to investing in the role of a privacy professional, organizations can invest in changes to their computer systems and applications and adjust their security framework to help to keep pace with regulatory and consumer expectations. However, given the complexities of laws, organizations often do not know where to start when it comes to implementing a data privacy program. Some common steps include:

  • Implementing an internationally recognized cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to provide guidance on policies, tools and rules to maintain customer privacy and security
  • Utilizing role-based access control to establish which users or employees can access certain data sets based on their functions, policies or rules
  • Considering data virtualization, which combines data from its sources into a virtual data “layer” based on tags to facilitate operations without exposing data to unauthorized users
  • Establishing privacy notices and policies that speak in layman’s terms and with the spirit of relevant laws and regulations integrated. This will help employees to better govern and use data properly and help customers to understand how their data is being used. Finally, this could assist with making modifications in the future if regulations or expectations change
  • Enabling customers to consent and control their data privacy as much as possible. This could include reminding customers how their data is being used, why it is being collected and how organizations are protecting it. Additionally, customers can be given the ability to easily control their privacy settings and permissions.
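The access-control and tagging items above can be made concrete. The following Python example is added here as an illustration and is not code from the original article: it sketches a deny-by-default role-based access check over data sets tagged with a classification (public, personal, sensitive, following the FTC distinctions described earlier) and with the purposes disclosed when the data was collected. Every decision is written to an audit log so a privacy auditor can reconstruct who touched which data set and why. The data set names, roles, users and purposes are constructed for the example.

```python
"""Role-based access control over classified, purpose-tagged data sets.

Added illustration; not code from the original article. All names below
(data sets, roles, users, purposes) are assumptions for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Set


class Classification(IntEnum):
    # Ordered so that a role cleared for SENSITIVE also clears PERSONAL and PUBLIC.
    PUBLIC = 0
    PERSONAL = 1    # can contact or distinguish an individual (name, email, IP address)
    SENSITIVE = 2   # health, credit, precise location, children's data


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: Classification
    # Purposes disclosed in the privacy notice under which the data was collected.
    disclosed_purposes: FrozenSet[str]


@dataclass(frozen=True)
class Role:
    name: str
    max_classification: Classification   # highest class this job function may touch
    purposes: FrozenSet[str]             # business purposes the function serves


# Constructed sample inventory; the tags would normally come from a
# data-classification exercise.
DATASETS: Dict[str, DataSet] = {
    "support_tickets": DataSet("support_tickets", Classification.PERSONAL,
                               frozenset({"customer_support"})),
    "health_claims": DataSet("health_claims", Classification.SENSITIVE,
                             frozenset({"claims_processing", "analytics"})),
    "web_analytics": DataSet("web_analytics", Classification.PERSONAL,
                             frozenset({"analytics", "marketing"})),
}

ROLES: Dict[str, Role] = {
    "support_agent": Role("support_agent", Classification.PERSONAL,
                          frozenset({"customer_support"})),
    "claims_processor": Role("claims_processor", Classification.SENSITIVE,
                             frozenset({"claims_processing"})),
    "marketing_analyst": Role("marketing_analyst", Classification.PERSONAL,
                              frozenset({"analytics", "marketing"})),
}

# User-to-role assignments (constructed).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"support_agent"},
    "bob": {"marketing_analyst"},
    "carol": {"claims_processor"},
    "dave": set(),
}

# Every decision is recorded so an auditor can reconstruct who accessed what, and why.
AUDIT_LOG: List[dict] = []


def _record(user: str, dataset_name: str, purpose: str, granted: bool, reason: str) -> bool:
    AUDIT_LOG.append({"user": user, "dataset": dataset_name, "purpose": purpose,
                      "granted": granted, "reason": reason})
    return granted


def authorize(user: str, dataset_name: str, purpose: str) -> bool:
    """Deny-by-default check.

    Access is granted only when (1) the data set exists, (2) the requested
    purpose was disclosed for that data set at collection time, and (3) at
    least one of the user's roles both serves that purpose and is cleared for
    the data set's classification. Anything else is denied and the reason logged.
    """
    dataset = DATASETS.get(dataset_name)
    if dataset is None:
        return _record(user, dataset_name, purpose, False, "unknown data set")
    if purpose not in dataset.disclosed_purposes:
        # A use not covered by the notice under which the data was collected is
        # the "materially different use" the FTC treats as deceptive.
        return _record(user, dataset_name, purpose, False, "purpose not disclosed at collection")
    for role_name in ASSIGNMENTS.get(user, set()):
        role = ROLES[role_name]
        if purpose in role.purposes and role.max_classification >= dataset.classification:
            return _record(user, dataset_name, purpose, True, f"granted via role {role_name}")
    return _record(user, dataset_name, purpose, False,
                   "no assigned role clears both classification and purpose")


def denied_attempts() -> List[dict]:
    """Entries an auditor would review first: every refused access."""
    return [entry for entry in AUDIT_LOG if not entry["granted"]]


if __name__ == "__main__":
    print(authorize("alice", "support_tickets", "customer_support"))  # True
    print(authorize("bob", "health_claims", "analytics"))             # False: SENSITIVE > PERSONAL
    print(authorize("bob", "support_tickets", "marketing"))           # False: purpose not disclosed
    print(authorize("carol", "health_claims", "claims_processing"))   # True
    for entry in denied_attempts():
        print(entry)
```

The purpose check is the piece most access-control implementations omit: it refuses a request even from a fully cleared role when the purpose was not disclosed in the privacy notice under which the data was collected, and it refuses a request whose purpose is legitimate when the role’s clearance is below the data set’s classification. Both refusals land in the same audit log as the grants, which is what lets a privacy audit show that the organization is doing what its policy claims.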

Conclusion

As our understanding of privacy and the role companies play in it continues to evolve, so too does the function of security auditors. The methods and tools in place to collect data and turn it into a powerful asset are the new normal, but that does not remove the need to understand how they work, what impact they have on customers’ lives and how to obtain consent for their use. 

As technology and the regulations passed to govern it evolve, the roles of the professionals who manage and evaluate both must evolve as well. Otherwise, the debate between privacy and efficiency will be seen as zero-sum. In other words, companies need to understand the role privacy professionals play, how privacy audits can help them stay compliant and where regulations and customers are heading. Risks will always be present, but privacy risks can be mitigated if they are given the attention they deserve.


Sources

  1. Tech Firms, Embattled Over Privacy, Warm to Federal Regulation, The Wall Street Journal
  2. The Privacy, Data Protection and Cybersecurity Law Review, Law Business Research
  3. Assembly Bill No. 375, California Legislative Information
  4. Protecting Privacy in Transatlantic Data Flows: The EU–U.S. Privacy Shield, Federal Trade Commission
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.