How to profit by safeguarding privacy: CPAs can help businesses boost customer relations and, at the same time, meet regulatory requirements.


EXECUTIVE SUMMARY

* PROTECTING THE PRIVACY of personal information is no longer optional for organizations that collect, use and distribute it. Federal law now requires entities to take responsibility for safeguarding the data they gather from customers and patients.

* ORGANIZATIONS THAT ACCEPT AND FULFILL their privacy-related obligations will find it easier to develop close business relationships with consumers who prefer them to competitors that don't make privacy a priority.

* THE COMPLEXITY OF PRIVACY COMPLIANCE and the allure of turning a regulatory burden into a competitive advantage combine to create a consulting opportunity for CPAs who know the regulations and can help companies satisfy them and, thus, attract and retain customers.

* CPAs LEADING A COMPLIANCE PROJECT, whether as employees or consultants, should adopt a systematic approach that identifies and resolves deficiencies in the organization's privacy policies and practices.

* TO DO THIS EFFECTIVELY, CPAs should follow a four-phase plan in which they assess the entity's current compliance level, design a remedial strategy, implement the plan and then monitor its ongoing effectiveness.

* CPAs SHOULD FAMILIARIZE THEMSELVES with the provisions of major federal privacy legislation, including the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Children's Online Privacy Protection Act of 1998.

Protecting the privacy of confidential information is quickly becoming a measure of success in the business world--because companies improve their reputation when they take care to safeguard the personal data people entrust to them. These organizations also attract customer loyalty, and that gives them an edge over competitors who don't make privacy a priority. This article shows CPAs in industry or in public practice how they can help businesses achieve their privacy compliance goals. It also summarizes provisions of the major federal privacy laws (see "Privacy Protection Is Mandatory," page 49).

THE CPA AS PRIVACY STRATEGIST

Some businesses may not see privacy compliance as a way to develop a positive corporate image. But CPAs can stress to them that solid policies are good business practices, says Everett C. Johnson, CPA, partner at Deloitte & Touche LLP in Wilton, Connecticut, and chairman of the AICPA enterprise-wide privacy task force. "Privacy matters to people who provide an organization with personal information about themselves," he adds, "and businesses need to demonstrate their respect for the confidentiality of the data that customers entrust to them."

To succeed in these engagements, CPAs must be well versed in privacy law and be able to evaluate an entity's compliance level (see "Resources for Privacy Consultants," page 52). To help an organization become privacy compliant, a CPA must understand how it gathers, uses, stores and discloses customer/client data.

A FOUR-PHASE APPROACH

CPAs should assemble a versatile team to design a plan to identify data protection deficiencies, create a strategy and implement and monitor the plan for compliance. Team members should represent various parts of the organization including legal, internal auditing, risk management, finance, information security, human resources and operations. The group will assess the company's practices and should report to an executive in charge of privacy compliance. These are the team's responsibilities:

Phase 1: Perform an initial assessment of privacy policies and procedures.

To determine whether the entity follows formal methods to protect data, the team will

* Document the type and location of all customer/client data--inside and outside the organization--and all systems that collect, process, use or distribute personal information.

* Verify compliance deadlines.

* Review and record existing information security and management policies and procedures.

* Conduct a "gap analysis" to identify any discrepancies between those policies and procedures and applicable compliance regulations.

In an actual example of this process, Ken Askelson, CPA, audit manager at J.C. Penney in Plano, Texas, led a team in assessing the company's privacy and security practices. Using a technique known as "data mapping," the group's members tracked the flow of personal information throughout the organization. First they identified various collections of data--such as customer and credit information--and their business uses. Then they classified the information as mission critical and/or confidential, identified who had primary responsibility for safeguarding it, who had access to it, what controls governed its storage and use and what privacy laws applied. As a result, the team was able to identify certain weaknesses in the company's privacy practices and offer useful advice on how to correct them.

But even when a team such as Askelson's follows an agreed-upon compliance assessment process, individual group members may interpret its results in widely varying ways. "They often disagree about how great the gap is," says Stephen W. Head, CPA, a member of the AICPA information technology executive committee. "Here's where the CPA can build consensus by explaining how other businesses resolve their deficiencies and by helping the team agree on an appropriate plan for improving compliance," he says.

With a CPA's guidance, the team must identify risks related to an organization's failure to protect personal information. Such dangers include potential damage to the corporate image or brand, as well as reduced goodwill, inability to meet contractual obligations, financial losses and the imposition of fines--all of which could have a negative impact on current and future customers, shareholders and employees.
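The data-mapping inventory and gap analysis described for Phase 1 can be recorded and checked mechanically once each collection's classification, owner, accessors, controls and applicable laws are written down. The Python below is an added example, not code from the article or from J.C. Penney's team; the control requirements in REQUIRED_CONTROLS and the three sample collections are constructed for illustration and are not a legal mapping of any statute.

```python
"""Data-mapping inventory and gap analysis (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DataCollection:
    """One collection of personal data found during data mapping."""
    name: str
    classification: Set[str]   # "confidential", "mission_critical"
    owner: str                 # role with primary responsibility ("" if none named)
    accessors: Set[str]        # roles that can read or change the data
    controls: Set[str]         # safeguards actually in place today
    laws: Set[str] = field(default_factory=set)   # laws the team tagged as applicable


# Illustrative control requirements keyed by classification or law tag.
# Constructed for this example; not a legal analysis of HIPAA or GLBA.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "confidential": {"access_logging", "encryption_at_rest", "retention_schedule"},
    "mission_critical": {"access_logging", "backup"},
    "HIPAA": {"business_associate_agreements", "written_authorization_for_disclosure"},
    "GLBA": {"annual_privacy_notice"},
}


def required_controls(collection: DataCollection) -> Set[str]:
    """Union of the controls every tag on the collection calls for."""
    required: Set[str] = set()
    for tag in collection.classification | collection.laws:
        required |= REQUIRED_CONTROLS.get(tag, set())
    return required


def gap_analysis(inventory: List[DataCollection]) -> Dict[str, List[str]]:
    """Map each deficient collection to a sorted list of what is missing."""
    gaps: Dict[str, List[str]] = {}
    for c in inventory:
        missing = required_controls(c) - c.controls
        if not c.owner:
            missing.add("named_owner")   # every collection needs someone responsible
        if missing:
            gaps[c.name] = sorted(missing)
    return gaps


def access_review(inventory: List[DataCollection]) -> Dict[str, List[str]]:
    """Which roles can reach confidential data: input for a least-privilege review."""
    by_role: Dict[str, List[str]] = {}
    for c in inventory:
        if "confidential" not in c.classification:
            continue
        for role in c.accessors:
            by_role.setdefault(role, []).append(c.name)
    return {role: sorted(names) for role, names in sorted(by_role.items())}


# Constructed sample inventory for a retailer; names and controls are illustrative.
INVENTORY = [
    DataCollection("customer_profiles", {"confidential", "mission_critical"},
                   "customer data steward", {"call_center", "marketing"},
                   {"access_logging", "encryption_at_rest", "backup", "retention_schedule"}),
    DataCollection("credit_applications", {"confidential"}, "",
                   {"credit_dept", "marketing"},
                   {"encryption_at_rest", "access_logging"}, {"GLBA"}),
    DataCollection("employee_health_plan", {"confidential"}, "benefits manager",
                   {"hr"},
                   {"access_logging", "encryption_at_rest", "retention_schedule",
                    "business_associate_agreements"}, {"HIPAA"}),
]

if __name__ == "__main__":
    for name, missing in gap_analysis(INVENTORY).items():
        print(f"{name}: missing {', '.join(missing)}")
    for role, names in access_review(INVENTORY).items():
        print(f"{role} can access confidential data in: {', '.join(names)}")
```

The gap report is the team's starting list of deficiencies, and the access review shows at a glance which roles can reach confidential collections, which is the question a least-privilege discussion usually turns on.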

Phase 2: Design a strategic plan for achieving compliance. The team should evaluate the organization's legal and technology resources, including its employees' skills in these areas. It may be necessary to hire consultants to ensure the company's computer systems conform with regulatory requirements in the areas of security, controlling requesters' access to information and recording and managing individuals' consent to release their personal data. CPAs can guide the team through the following steps in producing a plan.

Create a privacy policy. This is an official record of the organization's compliance practices. In clear language it spells out why and what personal information is collected and how it is used, and it places reasonable limits on the kind and extent of data gathered. These controls guide the company's collection of information for a stated use and should not be unduly restrictive. The policy also explains how and where inquirers can obtain information on the privacy practices, such as what data the entity discloses to related businesses or third parties and for what reasons. It is essential that legal counsel review the privacy policy and procedures to ensure they comply with all regulations. The official policy should

* Make someone responsible. The team should name someone in the organization to be the chief privacy officer, taking day-to-day command of the ongoing project, including implementation of new policies and procedures.

* Create a consent mechanism. Generally, privacy laws require that an entity obtain a person's permission to collect, use or disclose information about him or her. Such consent is effective whether it is written, oral (as in speaking with a call center), technology-based (such as a click on a Web site) or implied. Therefore, if a person's magazine subscription expires and he or she has not canceled it, the publisher may have implied consent to solicit a renewal.

And when an organization wants to change a person's information or use it for a second purpose, it must obtain additional permission from the individual, who must at all times understand and approve how the entity will use the data. For example, if a bank wanted to "mine" its databases to identify customers who may qualify for a new loan product, it would need the customers' consent to use their information for that type of solicitation.

Of course, privacy protection must be balanced with practical considerations. That's why it's important to tell customers or patients exactly what information they must provide in order to execute a transaction or for them to obtain medical services.

* Ensure marketing materials meet the individual's privacy expectations. The entity must create personal information collection forms that comply with its stated privacy policies. For example, if a privacy policy stated that "personal information will not be used without the individual's written consent" and that "an individual can withhold consent," then the forms must contain "opt-in" or "opt-out" options for each data element or group. Customers also should be able to use the form to verify their current consent status and modify it if necessary.

* Give people access to their personal information. Most privacy legislation requires that, upon an individual's request, an organization must supply any personal data it possesses and reveal how it uses and discloses such information. Best practices include quickly informing an inquirer whether the entity has any information about him or her, permitting access to it in readable and understandable form, appropriately restricting the release of personal information (for example, allowing only medical practitioners to release medical records), giving customers an account of how the organization has used their information and identifying third parties to whom the entity has disclosed it.

* Provide effective security. Privacy policies and procedures must adequately safeguard the information from theft, loss and unauthorized copying, modification or disclosure. Companies must limit access even to employees who have a legitimate use for the information, safely store it and destroy it when no longer needed. An entity also must train its employees in privacy risk management including maintaining the confidentiality of such records. Such training must explain the organization's privacy policies and procedures and identify contact personnel. Staff that deals directly with customers must understand privacy issues, know how to resolve them and continually monitor compliance.

As part of the plan the team also should develop and recommend criteria for answering information requests. These include response time frames, sources for requested information, procedures for validating the correctness and completeness of data and security processes to ensure authorized inquirers receive only information they are entitled to. The entity must confirm the validity of parties requesting personal information and ensure its disclosure does not violate anyone's privacy.

A process known as "authentication" ensures the requester is who he or she purports to be. Proof of identity comes in three verifiable forms: something one knows (for example, a password), something one can present (such as an identification card) or a measurable personal characteristic (for example, a fingerprint, voice or retina scan).

* Ensure the accuracy of information and consent. A company must keep personal information as complete, accurate and up-to-date as is necessary to achieve the objectives for which it collected the data. If an organization releases--even to an authorized party--inaccurate or outdated information about an individual, that person's reputation could be damaged or he or she could be denied credit or a job promotion. Therefore, the team should establish criteria the organization can use to identify and avoid problematic situations in which, for example, a customer claims that his or her credit rating contains errors or that the organization disclosed personal information without the person's knowledge and consent.

* Limit use, disclosure and retention. Businesses do not have the right to use personal information for uses other than the stated purposes for which they collected it. CPAs should advise companies to devise storage systems that identify the specific consent they obtained from customers or patients as well as the minimum/maximum periods they can retain the data, so they do not illegally use or disclose information or have to employ costly searches to confirm consent. Systems also should allow people appropriate access to their records. CPAs can assist in the design and development of such systems by assessing their efficiency, documenting the flow of data throughout the organization and proposing modifications--such as mandating monthly changing of employee and customer passwords--that would better safeguard privacy.
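The storage system this bullet recommends, one that records the specific consent obtained per purpose alongside minimum and maximum retention periods, also answers the earlier points about needing fresh consent for a second purpose (the bank's loan solicitation) and about giving individuals an account of uses and disclosures on request. The Python below is an added example and not code from the article; the subject identifier, dates, purposes and retention periods are constructed for illustration, and the function names (collect, may_use, disclose, access_report) are this example's own.

```python
"""Consent and retention register (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Consent:
    purpose: str
    channel: str                 # written, oral, click-through, implied
    given_on: date
    withdrawn_on: Optional[date] = None

    def in_force(self, on: date) -> bool:
        return self.given_on <= on and (self.withdrawn_on is None or on < self.withdrawn_on)


@dataclass
class PersonalRecord:
    subject_id: str
    collected_on: date
    min_retention_days: int      # may not be destroyed before this (e.g. a legal hold)
    max_retention_days: int      # must be destroyed after this
    consents: List[Consent] = field(default_factory=list)
    disclosures: List[Tuple[date, str, str]] = field(default_factory=list)  # (when, recipient, reason)


def collect(subject_id: str, collected_on: date, purpose: str, channel: str,
            min_days: int, max_days: int) -> PersonalRecord:
    """Create a record and log the consent obtained for its stated purpose."""
    rec = PersonalRecord(subject_id, collected_on, min_days, max_days)
    rec.consents.append(Consent(purpose, channel, collected_on))
    return rec


def withdraw(rec: PersonalRecord, purpose: str, on: date) -> None:
    """Record that consent for one purpose ended on a given date."""
    for c in rec.consents:
        if c.purpose == purpose and c.withdrawn_on is None:
            c.withdrawn_on = on


def retention_status(rec: PersonalRecord, today: date) -> str:
    age = (today - rec.collected_on).days
    if age > rec.max_retention_days:
        return "must_destroy"
    if age < rec.min_retention_days:
        return "must_retain"
    return "may_destroy"


def may_use(rec: PersonalRecord, purpose: str, today: date) -> str:
    """Allow a use only inside the retention window and with consent for that exact purpose."""
    if retention_status(rec, today) == "must_destroy":
        return "denied: retention period exceeded"
    if any(c.purpose == purpose and c.in_force(today) for c in rec.consents):
        return "allowed"
    return f"denied: no consent for purpose {purpose}"


def disclose(rec: PersonalRecord, today: date, recipient: str, purpose: str) -> str:
    """Release to a third party only when permitted, and log every release."""
    decision = may_use(rec, purpose, today)
    if decision == "allowed":
        rec.disclosures.append((today, recipient, purpose))
    return decision


def access_report(rec: PersonalRecord, today: date) -> Dict[str, object]:
    """What the individual is told on request: what is held, how it may be used, who received it."""
    return {
        "subject_id": rec.subject_id,
        "collected_on": rec.collected_on.isoformat(),
        "purposes_in_force": sorted(c.purpose for c in rec.consents if c.in_force(today)),
        "disclosures": [(d.isoformat(), who, why) for d, who, why in rec.disclosures],
        "retention": retention_status(rec, today),
    }


if __name__ == "__main__":
    # Constructed walk-through of the bank example: data collected to fulfil an
    # order cannot be mined for a loan offer until the customer consents to that.
    rec = collect("C-1001", date(2003, 1, 15), "order_fulfillment", "written", 365, 2555)
    print(may_use(rec, "loan_offer", date(2003, 5, 1)))          # denied: no consent
    rec.consents.append(Consent("loan_offer", "click-through", date(2003, 5, 10)))
    print(disclose(rec, date(2003, 6, 1), "loan marketing partner", "loan_offer"))
    withdraw(rec, "loan_offer", date(2003, 7, 1))
    print(access_report(rec, date(2003, 8, 1)))
```

Because every use and disclosure is decided by the register rather than by a search through correspondence, confirming consent costs one lookup, and the same structure yields the retention decision and the individual's access report.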

Phase 3: Implement planned changes. Once the team has a strategic plan, it must oversee any changes in the systems, procedures, forms, brochures or other elements related to privacy. This might include modifying and testing computer software, scheduling systems upgrades to handle new forms and procedures, devising appropriate procedures for maintaining, as well as destroying, personal information records and training employees who directly interact with customers.

During the implementation phase CPAs also can help the business modify its human resources, accounting, travel and expense and other organizational practices to make them fully compliant with regulators' privacy requirements. "This is a huge undertaking," says Marilyn Greenstein, PhD, an associate professor of accounting and information systems at Arizona State University and a member of the AICPA's privacy task force. "To do the job properly, you have to understand how each department in the organization collects, uses and discloses information, and you must be well versed in data integrity and internal controls. The CPA knows all that and can ensure the business implements its privacy plan fully and effectively."

Phase 4: Monitor systems and procedures. The CPA can identify the key actions to take in monitoring privacy initiatives. These include procedures to

* Verify that the company adheres to its privacy policies and processes.

* Track and comply with applicable legislative and regulatory changes.

* Document complaints, because customer dissatisfaction may indicate problems with the organization's processes and warn of potential litigation.

* Identify and refer to the chief privacy officer all problematic cases, such as the organization's unauthorized use or disclosure of personal information, to ensure they receive adequate attention and that requesters obtain authorized information without involving regulators or the media.

* Develop criteria for identifying high-visibility situations that require management's attention and allow adequate time for due diligence reviews of any new privacy systems or procedures.

* Ensure company Web sites earn professional security certifications--such as those offered in conjunction with the enterprise-wide privacy audit offered under the AICPA's trust services.

CPAs also can recommend establishing a program to survey requesters to determine their satisfaction level and whether company responses were timely. In addition, practitioners should advise companies to conduct periodic compliance audits. As internal or external auditors or consultants, CPAs can help by monitoring policies, processes and the supporting technology.

THE CPA EDGE

The complexity and evolution of privacy regulations can make it difficult for organizations to ensure their computer systems, business practices, corporate policies and administrative processes are fully compliant. But CPAs experienced in these contexts who also are conversant with the latest regulatory developments can help their clients or employers identify and address situations and factors that threaten privacy. These are valuable skills in today's business environment, where any organization that breaches privacy regulations or fails to meet the public's confidentiality expectations will lose customers, suffer adverse press and perhaps face litigation and/or penalties as a result of individuals filing complaints with federal or state agencies such as the Federal Trade Commission.

"We're at the beginning of a mini rebellion in which public concerns about privacy are growing rapidly," says Don H. Hansen, CPA, a partner with Moss Adams LLP in Everett, Washington. "But," he adds, "with the help of CPAs, companies can manage this effectively and say to their customers, 'We're protecting the privacy of your information.' And that's great publicity."

Consumers Want Proof

Nine in ten consumers said they'd do more business with a company whose adherence to its own privacy policy was verified by a third party.

Source: A survey Harris Interactive conducted on behalf of Privacy & American Business, 2002.

RELATED ARTICLE: Privacy protection is mandatory.

Privacy laws affecting U.S. businesses:

* The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (www.hhs.gov/ocr/combinedregtext.pdf) created new standards for electronic transactions, data security, unique patient identification numbers and the privacy of individually identifiable health information. The act applies to health plans, health care clearing houses and health care providers.

Covered entities, through the use of contracts and other written agreements, also must ensure business associates' HIPAA compliance. Covered entities must obtain patients' written permission to disclose protected health information. Compliance with HIPAA's privacy provisions became mandatory April 14, 2003.

* The Gramm-Leach-Bliley Act of 1999 (www.ftc.gov/privacy/glbact) gives guidance on the privacy of consumer information to financial institutions and those giving financial advice. The regulations require organizations to have sent a notice describing the company's privacy policies and practices prior to July 1, 2001, and to annually notify all individuals as long as they remain customers.

In addition to financial institutions' core business functions, the act also governs tax planning, estate planning, wealth management, real estate settlement and closing activities and debt collection. CPA firms, lawyers and others dealing with personal financial information all fall within the act's purview.

* The Children's Online Privacy Protection Act of 1998 (COPPA) (www.ftc.gov/os/1999/9910/64fr59888.htm) prohibits Internet marketing to children younger than 13 years of age. Under COPPA the Federal Trade Commission has prosecuted a number of companies for collecting and using personal information from children.

RELATED ARTICLE: The virtues of independence.

Third-party verification is emerging as a best practice for business leaders and policy makers alike. Each of the two leading privacy bills of the 107th Congress, S 2201 and HR 4678, provided that companies were presumed to be in compliance with the provisions of the legislation if they participated in a Federal Trade Commission (FTC)-approved self-regulatory program that included regular independent confirmation that they followed the program's privacy policies. Lawmakers are likely to introduce comparable legislation in the 108th Congress.

Regulators, too, are using independent verification as a legal settlement tool, forcing companies to obtain outside audits in cases involving alleged privacy and security violations. Last year the FTC entered into settlement agreements with two Fortune 500 companies, requiring them to undergo regular security and privacy audits. In addition the settlement of a civil privacy case against a well-known online network advertiser required an audit. And as part of a settlement agreement with the attorneys general of Vermont, New York and California in a case involving an Internet security breach, a prominent technology publisher agreed to an external review of its online systems.

CPAs can use two AICPA assurance services to help businesses comply with privacy requirements: WebTrust (www.cpawebtrust.org) verifies whether a company's Web site meets e-commerce standards--some of which relate to privacy--that are based on internationally accepted best practices, and SysTrust (www.aicpa.org/assurance/systrust/index.htm) evaluates the availability, security, integrity and maintainability of an organization's computer systems.

--Robert Tie

ROBERT TIE is a senior editor with the JofA. His e-mail address is rtie@aicpa.org.

RELATED ARTICLE: Resources for privacy consultants.

* CPAs have access to professional guidelines, including those the AICPA developed as part of its trust services family of products (www.cpa2biz.com/ResourceCenters/Information+Security/Privacy/default.htm).

* CPAs can use the AICPA Privacy Framework to help businesses design good practices. The framework is part of the AICPA trust services family, whose products include external attestation reports that make it easier for companies to demonstrate their due diligence to customers, suppliers and other third parties. (For more information see "Privacy Framework Helps CPAs Protect Consumers," JofA, Aug.02, page 79 and www.aicpa.org/Innovation/baas/ewp/index.htm.)

* An AICPA online brochure, "Frequently Asked Questions About Privacy Services," explains important privacy terms and concepts to help CPAs identify compliance problems, explain them to management and track the progress of corrective measures (www.cpa2biz.com/ResourceCenters/Information+Security/Privacy/Frequently+Asked+Questions+About+Privacy+Services.htm).

ROBERT G. PARKER, a chartered accountant and certified information systems auditor, is a partner of Deloitte & Touche LLP, Toronto, and a member of the AICPA-CICA enterprise-wide privacy task force. His e-mail address is rparker@deloitte.ca.
COPYRIGHT 2003 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Parker, Robert G.
Publication:Journal of Accountancy
Date:May 1, 2003
Words:3204