This article presents a series of frequently asked questions regarding privacy and privacy services.
· What is privacy?
· What is personal information?
· How does the privacy initiative differ from WebTrust?
· What is privacy-related risk?
· What are value-added privacy services?
· Why are CPAs uniquely qualified to independently verify a company's privacy practices?
· What is identity theft?
· What are the current privacy trends among consumers?
· What can businesses do to build trust among consumers?
· What is the most important thing a business can do to make customers feel more comfortable about how the business protects their privacy?
· What does independent verification mean? What does it entail?
· What do consumers want independently verified?
· How long have CPA firms been doing privacy examinations?
· Why are CPAs performing privacy examinations? What are the benefits to businesses? What are the benefits to consumers?
· Are privacy examinations part of a CPA's responsibility to a client or employer? Are they qualified to perform them?
· Why is it better for a CPA firm to examine a company's privacy practices than for the company to self-declare that it complies with its privacy policies?
· Can't laws or regulations get companies to comply with their privacy policies? Isn't this sufficient for consumers to trust the company?
What is privacy?
Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.
What is personal information?
Personal information is information about an identifiable individual that includes any factual or subjective data, recorded or not, in any form. Personal information might include, for example:
· Name, identification numbers, address, income, or hair color
· Evaluations, comments, credit history or driving records
· Employee files, credit records, loan records, existence of a dispute between a consumer and a merchant, and intentions to acquire goods or services
Some personal information is considered sensitive and therefore prone to abuse if handled improperly. Sensitive personal information might include information on medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual preference.
How does the privacy initiative differ from WebTrust?
The Privacy Initiative is much broader in scope than the AICPA/CICA WebTrust Online Privacy Program, which focuses primarily on Web-based electronic commerce. The Privacy Initiative encompasses any form of collection, use, disclosure, and retention of personal information, both online and offline. Some specific differences between WebTrust and the new Privacy Initiative are:
· The Privacy Service will encompass the protection of personal information, in any format, as it is being collected, processed, used, and maintained. Thus, it provides guidance on the protection of all forms of electronic and paper-based data collection, storage, and use.
· The Privacy Service will include the protection of employee data in addition to customer data.
· The Privacy Service provides guidance on data retention and data destruction policies.
What is privacy-related risk?
The specific risks of being noncompliant, having an inadequate privacy policy, or having a good privacy policy that is not properly implemented are:
· Damage to the organization's reputation and business relationships
· Legal liability and industry sanctions
· Charges of deceptive business practices
· Customer and employee distrust
· Denial of consent to use personal information for business purposes
· Lost business and consequential reduction in profits and market share
What are value-added privacy services?
Assurance practitioners can provide a number of value-added services, for example:
· Developing a privacy philosophy and strategy
· Providing privacy advice and training
· Preparing and reviewing privacy policies
· Assessing and managing privacy risk
· Facilitating the development and implementation of privacy compliance programs, such as the existing WebTrust Seal of Assurance, to help protect online privacy
· Providing assurance on the effectiveness of privacy control systems
Why are CPAs uniquely qualified to independently verify a company's privacy practices?
CPAs represent the only profession with a set of standards for the examination and reporting on controls, ethical standards for the conduct of the work, and requirements for independence in appearance and fact from the entity for which they issue the report. These examination standards are expanding to include specific criteria for practitioners to evaluate new trust issues, such as privacy.
What is identity theft?
The personal information of individuals that is in the custodianship of an organization needs to be protected from unauthorized users both inside and outside the organization. These unauthorized individuals may potentially use the information to act on behalf of the customer. If the data is not adequately protected, the organization faces the risk of incurring fraudulent charges made by the data thief.
A sound privacy practice allows consumers to access their data and request that changes be made or errors be corrected when necessary. Without proper authentication techniques to accompany such access policies, criminals may assume the identity of a party relatively easily and conduct a variety of transactions in that party's name.
What are the current privacy trends among consumers?
Today, consumers appear to have become more concerned about privacy and to take more steps to protect their privacy accordingly. The proportion of consumers who are "privacy fundamentalists" (that is, those most concerned about privacy issues) has increased since 1999. Also, fewer consumers today feel that most businesses handle information properly and confidentially, or that existing laws provide enough privacy protection for consumers. However, a consistent trend has been observed over the last three years: nearly 80 percent of consumers continue to believe that they have lost all control over how their personal information is collected and used by companies. This trend has held virtually steady despite recent efforts by companies to build consumer confidence, for example through privacy policies, chief privacy officers (CPOs), and compliance with recently enacted privacy laws.
What can businesses do to build trust among consumers?
A recent Harris Interactive survey showed that consumers want companies to provide clear and effective privacy practices that may include some of the following components: a dispute resolution program, a CPO consumers can go to if a problem arises, proof of membership in a privacy association (showing the company is active in the privacy debate), and independent verification.
What is the most important thing a business can do to make customers feel more comfortable about how the business protects their privacy?
The most important thing a company can do to make its customers feel more comfortable about their privacy is to have its privacy practices independently verified by an outside third party. Having a clear and accessible privacy policy and a responsible Chief Privacy Officer are important and necessary first steps toward earning an independent verification report.
What does independent verification mean? What does it entail?
Verification of privacy policies involves testing the people, processes, technology, and controls that ensure a company is following its stated privacy policies. An independent verification report provides assurance that a company is doing what it says. Independent means performing the verification objectively and without conflicts of interest.
CPAs are in the business of providing assurance services, the most well recognized of which is the financial statement examination. An examination report signed by a CPA is valued because CPAs are knowledgeable about financial accounting and assurance matters and are recognized for their independence, integrity, objectivity, and discretion.
Financial statement assurance is only one of the many kinds of assurance services that CPAs provide. They also provide assurance on subject matter such as internal controls and compliance with specified criteria.
The business and professional experience, subject matter expertise (privacy, security, and control), and professional characteristics (independence, integrity, objectivity, and discretion) needed for such engagements are the same key attributes that enable a CPA to comprehensively and objectively assess the risks and controls associated with systems reliability. In addition, CPAs are required to follow comprehensive ethics rules and professional standards when providing professional services.
What do consumers want independently verified?
A recent Harris Interactive study indicates that consumers want the following items related to a company's privacy practices independently verified:
· Maintenance of security procedures to protect personal data;
· Release of personal data not made to third parties without consumer consent;
· Collection and sharing of personal information in conformance with the company's privacy policy; and
· Maintenance of internal controls to limit access to personal information to authorized users.
By definition, independent verification requires that each of these actions be verified against a set of standards for performance. The CPA profession is the only one that uses a set of standards for the examination of and reporting on controls, ethical standards for the conduct of the work, and requirements for independence in appearance and fact from the entity for which it issues the report. These examination standards are expanding to include specific criteria for practitioners to evaluate new trust issues, such as privacy.
How long have CPA firms been doing privacy examinations?
It varies among firms. Privacy has been a trust issue on which CPAs have advised clients for many years. CPAs have contributed to the privacy debate, to standards organizations, and to thought leadership since its inception. It is a natural fit for CPAs to advise clients about their internal controls and data protection. Personally identifiable information is just another data set that CPAs have helped clients manage and control more effectively.
Why are CPAs performing privacy examinations? What are the benefits to businesses? What are the benefits to consumers?
CPAs are in the business of helping build trust, first around financial statements and now around issues like privacy, and this is a natural evolution of the services they provide to clients. In the normal course of financial statement audits, CPAs examine the controls over the processing and protection of financial data. CPAs have developed the skills necessary to evaluate these information management processes. Clients are asking CPAs to examine other data management processes, such as those supporting privacy policies.
Benefits to businesses are that they can establish trust with consumers, build their brand, and manage risks associated with privacy.
Benefits to consumers are that they have increased confidence and trust in a company that has had its privacy practices independently verified.
Are privacy examinations part of a CPA's responsibility to a client or employer? Are they qualified to perform them?
The examination of privacy policies is not typically included in the examination of financial statements. In the normal course of the financial statement audit, CPAs often examine the controls over the processing and protection of financial data. CPAs have developed the skills necessary to effectively examine these information management processes. Organizations are asking CPAs to examine other data management processes such as those supporting privacy policies.
Why is it better for a CPA firm to examine a company's privacy practices than for the company to self-declare that it complies with its privacy policies?
One of the key issues for consumers is that they do not trust a company's stated privacy practices. They are concerned about privacy breaches or inappropriate use of personal information and are skeptical that organizations are upholding their processes. It is important for a company to declare its practices to its consumers, but the consumer trust issue is not fully addressed until the company can get the customer to believe it is actually following those practices.
A CPA firm can provide assurance through independent verification that a company complies with acceptable privacy standards and does what it says it does with private information.
Can't laws or regulations get companies to comply with their privacy policies? Isn't this sufficient for consumers to trust the company?
A recent study conducted by Harris Interactive for Privacy and American Business, and sponsored by the AICPA and Ernst and Young, has shown that existing efforts by companies, including their compliance with privacy laws or regulations, have not done enough to alleviate the public's privacy concerns. Consumers indicated that they are most trusting of companies that have also undergone independent verification of their privacy practices.
Laws to date have not been effective in building trust and confidence among consumers, and the survey reinforces this point. Leading companies and those seeking to be winners in the economic recovery are taking a proactive, robust, and holistic approach to privacy. Leaders treat the personally identifiable information collected from consumers and employees as a strategic asset.
Forward-thinking companies invest in and maintain the processes for this data's collection, protection, and destruction as critical infrastructure processes. Leaders are active in their communication of their privacy policies and practices and are focused on communicating their trustworthiness to their stakeholders as a matter of brand image and demonstrated leadership.
Leading companies develop privacy policies that reflect their corporate philosophies, business models, and the needs of their target market. They understand what kinds of information they are collecting, how they use such information, how they share it, and whether they really need it. They benchmark these policies not only against industry-specific laws but also against accepted fair information principles and any self-regulation programs that the company has pledged to meet. Leaders design their policies and practices to attract and retain consumers, not just to meet minimum compliance requirements. Laws will continue to change to try to address the greatest concerns of the public. Leading organizations do not wait for the issues that prevent the active participation of their consumers to get to the point of requiring regulated responses.