Privacy Management Guidance
If a personal information breach occurred in your organization, do you know the potential consequences you would face? Are you equipped to effectively handle damage control for your clients and customers?
Ranked #5 on the 2006 Top 10 Technologies list—and a completely new entry to the list itself—"Privacy Management" encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information. As more information and processes are converted to digital format, it’s increasingly difficult to protect personal information from unauthorized users and from unauthorized usage by those with access to the data.
Understanding the Laws and Regulations
A key aspect of privacy management includes complying with local, state, national and international privacy laws and regulations. Organizations need to identify and understand which laws and regulations apply to them in the jurisdictions in which they do business. For example, federal legislation mandates the protection and privacy of personal information for customers, clients, and/or patients in the medical industry. The Health Insurance Portability and Accountability Act (HIPAA) includes a security rule that requires covered entities to follow or address certain information security practices. In the financial services industry, the Gramm-Leach-Bliley Act (GLBA) includes standards for safeguarding customer information that covered entities must follow.
While state legislation requires the protection of personal information, the law is often ambiguous about what type of protection is necessary. California leads the way with its Assembly Bill 1950 (AB 1950) and California State Bill 1386 (SB 1386), legislation that requires organizations to follow certain privacy practices to protect this information, as well as to notify customers within a reasonable period of time if their data is compromised.
As a CPA, how does this concern for privacy and federal/state legislation translate to you and the organization(s) you serve? What kind of assistance/services can you provide?
Good Privacy Is Good Business
Numerous surveys have shown that customers are more likely to use and purchase services from organizations that have good privacy policies and practices and do what they say in their privacy notices. Still, other research continues to indicate that consumers have widespread distrust of many organizational business practices, including how companies collect, use and retain personal information. For example, a Consumer WebWatch telephone survey of 1,500 U.S. Internet users featured on Privacy & American Business (www.pandab.org) reported that less than one third (29 percent) of participants trusted Web sites that sell products or services.
The accounting community ranked “Privacy Management” as a top technology for a good reason: Good privacy is good business, and good privacy practices are a key component of corporate governance and accountability.
As business systems and processes become increasingly complex and sophisticated, organizations are collecting more and more personal information. As a result, personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access, and unauthorized disclosure. Those vulnerabilities raise concerns for organizations, governments, and the public in general.
Privacy Risks
Customers expect their privacy to be respected and their personal information to be protected by the organizations with which they do business. They are no longer willing to overlook an organization’s failure to protect their privacy. Therefore, all businesses need to effectively address privacy as a risk management issue. Specific risks of having inadequate privacy policies and procedures include:
· damage to the organization’s reputation, brand, or business relationships;
· legal liability and industry or regulatory sanctions;
· charges of deceptive business practices;
· customer or employee distrust;
· denial of consent by individuals to have their personal information used for business purposes;
· lost business and consequential reduction in revenue and market share; and
· disruption of international business operations.