How to Profit by Safeguarding Privacy

CPAs can help businesses boost customer relations and, at the same time, meet regulatory requirements.
BY ROBERT G. PARKER

EXECUTIVE SUMMARY
PROTECTING THE PRIVACY of personal information is no longer optional for organizations that collect, use and distribute it. Federal law now requires entities to take responsibility for safeguarding the data they gather from customers and patients.

ORGANIZATIONS THAT ACCEPT AND FULFILL their privacy-related obligations will find it easier to develop close business relationships with consumers who prefer them to competitors that don’t make privacy a priority.

THE COMPLEXITY OF PRIVACY COMPLIANCE and the allure of turning a regulatory burden into a competitive advantage combine to create a consulting opportunity for CPAs who know the regulations and can help companies satisfy them and, thus, attract and retain customers.

CPAs LEADING A COMPLIANCE PROJECT, whether as employees or consultants, should adopt a systematic approach that identifies and resolves deficiencies in the organization’s privacy policies and practices.

TO DO THIS EFFECTIVELY, CPAs should follow a four-phase plan in which they assess the entity’s current compliance level, design a remedial strategy, implement the plan and then monitor its ongoing effectiveness.

CPAs SHOULD FAMILIARIZE THEMSELVES with the provisions of major federal privacy legislation, including the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Children’s Online Privacy Protection Act of 1998.

ROBERT G. PARKER, a chartered accountant and certified information systems auditor, is a partner of Deloitte & Touche LLP, Toronto, and a member of the AICPA-CICA enterprise-wide privacy task force. His e-mail address is rparker@deloitte.ca .

Protecting the privacy of confidential information is quickly becoming a measure of success in the business world, because companies improve their reputation when they take care to safeguard the personal data people entrust to them. These organizations also attract customer loyalty, and that gives them an edge over competitors who don’t make privacy a priority. This article shows CPAs in industry or in public practice how they can help businesses achieve their privacy compliance goals. It also summarizes provisions of the major federal privacy laws (see “Privacy Protection Is Mandatory”).

THE CPA AS PRIVACY STRATEGIST
Some businesses may not see privacy compliance as a way to develop a positive corporate image. But CPAs can stress to them that solid policies are good business practices, says Everett C. Johnson, CPA, partner at Deloitte & Touche LLP in Wilton, Connecticut, and chairman of the AICPA enterprise-wide privacy task force. “Privacy matters to people who provide an organization with personal information about themselves,” he adds, “and businesses need to demonstrate their respect for the confidentiality of the data that customers entrust to them.”
Consumers Want Proof
Nine in ten consumers said they’d do more business with a company whose adherence to its own privacy policy was verified by a third party.

Source: A survey Harris Interactive conducted on behalf of Privacy & American Business, 2002.

To succeed in these engagements, CPAs must be well versed in privacy law and be able to evaluate an entity’s compliance level (see “Resources for Privacy Consultants”). To help an organization become privacy compliant, a CPA must understand how it gathers, uses, stores and discloses customer/client data.

A FOUR-PHASE APPROACH
CPAs should assemble a versatile team to design a plan to identify data protection deficiencies, create a strategy and implement and monitor the plan for compliance. Team members should represent various parts of the organization including legal, internal auditing, risk management, finance, information security, human resources and operations. The group will assess the company’s practices and should report to an executive in charge of privacy compliance. These are the team’s responsibilities:

Phase 1: Perform an initial assessment of privacy policies and procedures.

To determine whether the entity follows formal methods to protect data, the team will

Document the type and location of all customer/client data—inside and outside the organization—and all systems that collect, process, use or distribute personal information.

Verify compliance deadlines.

Review and record existing information security and management policies and procedures.

Conduct a “gap analysis” to identify any discrepancies between those policies and procedures and applicable compliance regulations.

In an actual example of this process, Ken Askelson, CPA, audit manager at J.C. Penney in Plano, Texas, led a team in assessing the company’s privacy and security practices. Using a technique known as “data mapping,” the group’s members tracked the flow of personal information throughout the organization. First they identified various collections of data—such as customer and credit information—and their business uses. Then they classified the information as mission critical and/or confidential, identified who had primary responsibility for safeguarding it, who had access to it, what controls governed its storage and use and what privacy laws applied. As a result, the team was able to identify certain weaknesses in the company’s privacy practices and offer useful advice on how to correct them.

But even when a team such as Askelson’s follows an agreed-upon compliance assessment process, individual group members may interpret its results in widely varying ways. “They often disagree about how great the gap is,” says Stephen W. Head, CPA, a member of the AICPA information technology executive committee. “Here’s where the CPA can build consensus by explaining how other businesses resolve their deficiencies and by helping the team agree on an appropriate plan for improving compliance,” he says.

With a CPA’s guidance, the team must identify risks related to an organization’s failure to protect personal information. Such dangers include potential damage to the corporate image or brand, as well as reduced goodwill, inability to meet contractual obligations, financial losses and the imposition of fines—all of which could have a negative impact on current and future customers, shareholders and employees.

Phase 2: Design a strategic plan for achieving compliance. The team should evaluate the organization’s legal and technology resources, including its employees’ skills in these areas. It may be necessary to hire consultants to ensure the company’s computer systems conform with regulatory requirements in the areas of security, controlling requesters’ access to information and recording and managing individuals’ consent to release their personal data. CPAs can guide the team through the following steps in producing a plan.

Create a privacy policy. This is an official record of the organization’s compliance practices. In clear language it spells out why and what personal information is collected and how it is used, and it places reasonable limits on the kind and extent of data gathered. These controls guide the company’s collection of information for a stated use and should not be unduly restrictive. The policy also explains how and where inquirers can obtain information on the privacy practices, such as what data the entity discloses to related businesses or third parties and for what reasons. It is essential that legal counsel review the privacy policy and procedures to ensure they comply with all regulations. The official policy should

Make someone responsible. The team should name someone in the organization to be the chief privacy officer, taking day-to-day command of the ongoing project, including implementation of new policies and procedures.

Create a consent mechanism. Generally, privacy laws require that an entity obtain a person’s permission to collect, use or disclose information about him or her. Such consent is effective whether it is written, oral (as in speaking with a call center), technology-based (such as a click on a Web site) or implied. For example, if a person’s magazine subscription expires and he or she has not canceled it, the publisher may have implied consent to solicit a renewal. Whatever its form, the organization should record what was consented to, when and how, so that it can later show which uses a given person actually approved.

And when an organization wants to change a person’s information or use it for a second purpose, it must obtain additional permission from the individual, who must at all times understand and approve how the entity will use the data. For example, if a bank wanted to “mine” its databases to identify customers who may qualify for a new loan product, it would need the customers’ consent to use their information for that type of solicitation.

Of course, privacy protection must be balanced with practical considerations. That’s why it’s important to tell customers or patients exactly what information they must provide in order to execute a transaction or for them to obtain medical services.

Ensure marketing materials meet the individual’s privacy expectations. The entity must create personal information collection forms that comply with its stated privacy policies. For example, if a privacy policy stated that “personal information will not be used without the individual’s written consent” and that “an individual can withhold consent,” then the forms must contain “opt-in” or “opt-out” options for each data element or group. Customers also should be able to use the form to verify their current consent status and modify it if necessary.
Privacy Protection Is Mandatory

Privacy laws affecting U.S. businesses:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ( www.hhs.gov/ocr/combinedregtext.pdf ) created new standards for electronic transactions, data security, unique patient identification numbers and the privacy of individually identifiable health information. The act applies to health plans, health care clearing houses and health care providers.

Covered entities, through the use of contracts and other written agreements, also must ensure business associates’ HIPAA compliance. Apart from disclosures for treatment, payment and health care operations, which the privacy rule permits without authorization, covered entities must obtain patients’ written authorization to disclose protected health information. Compliance with HIPAA’s privacy provisions became mandatory April 14, 2003.

The Gramm-Leach-Bliley Act of 1999 ( www.ftc.gov/privacy/glbact ) gives guidance on the privacy of consumer information to financial institutions and those giving financial advice. The regulations require organizations to have sent a notice describing the company’s privacy policies and practices prior to July 1, 2001, and to annually notify all individuals as long as they remain customers.

In addition to financial institutions’ core business functions, the act also governs tax planning, estate planning, wealth management, real estate settlement and closing activities and debt collection. CPA firms, lawyers and others dealing with personal financial information all fall within the act’s purview.

The Children’s Online Privacy Protection Act of 1998 (COPPA) ( www.ftc.gov/os/1999/9910/64fr59888.htm ) governs the online collection of personal information from children younger than 13. Operators of Web sites and online services directed to children, or that knowingly collect information from them, must post a privacy notice and obtain verifiable parental consent before collecting, using or disclosing such information. Under COPPA the Federal Trade Commission has brought enforcement actions against a number of companies for collecting and using personal information from children without parental consent.

Give people access to their personal information. Most privacy legislation requires that, upon an individual’s request, an organization must supply any personal data it possesses and reveal how it uses and discloses such information. Best practices include quickly informing an inquirer whether the entity has any information about him or her, permitting access to it in readable and understandable form, appropriately restricting the release of personal information (for example, allowing only medical practitioners to release medical records), giving customers an account of how the organization has used their information and identifying third parties to whom the entity has disclosed it.

Provide effective security. Privacy policies and procedures must adequately safeguard the information from theft, loss and unauthorized copying, modification or disclosure. Companies must restrict access to employees who have a legitimate need for the information, and even then only to the portion that need requires; they must store it safely and destroy it when it is no longer needed. An entity also must train its employees in privacy risk management, including maintaining the confidentiality of such records. Such training must explain the organization’s privacy policies and procedures and identify contact personnel. Staff that deals directly with customers must understand privacy issues, know how to resolve them and continually monitor compliance.

As part of the plan the team also should develop and recommend criteria for answering information requests. These include response time frames, sources for requested information, procedures for validating the correctness and completeness of data and security processes to ensure authorized inquirers receive only information they are entitled to. The entity must confirm the validity of parties requesting personal information and ensure its disclosure does not violate anyone’s privacy.

A process known as “authentication” ensures the requester is who he or she purports to be. Proof of identity comes in three verifiable forms: something one knows (for example, a password), something one has (such as an identification card or token) or a measurable personal characteristic (for example, a fingerprint, voice or retina scan). The more sensitive the information being released, the more of these the entity should require before it discloses anything; a password alone is weak evidence of identity for a request to release medical or financial records.

Ensure the accuracy of information and consent. A company must keep personal information as complete, accurate and up-to-date as is necessary to achieve the objectives for which it collected the data. If an organization releases—even to an authorized party—inaccurate or outdated information about an individual, that person’s reputation could be damaged or he or she could be denied credit or a job promotion. Therefore, the team should establish criteria the organization can use to identify and avoid problematic situations in which, for example, a customer claims that his or her credit rating contains errors or that the organization disclosed personal information without the person’s knowledge and consent.

Limit use, disclosure and retention. Businesses do not have the right to use personal information for uses other than the stated purposes for which they collected it. CPAs should advise companies to devise storage systems that identify the specific consent they obtained from customers or patients as well as the minimum/maximum periods they can retain the data, so they do not illegally use or disclose information or have to employ costly searches to confirm consent. Systems also should allow people appropriate access to their records. CPAs can assist in the design and development of such systems by assessing their efficiency, documenting the flow of data throughout the organization and proposing modifications that would better safeguard privacy. (The article’s own example, mandating monthly changing of employee and customer passwords, reflects the advice of its time; current guidance such as NIST SP 800-63B recommends against forced periodic rotation and favors screening for compromised passwords and adding a second authentication factor.)
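The consent and retention record described here, and the secondary-purpose rule illustrated earlier by the bank that wants to mine its databases for loan prospects, can be enforced in software rather than by manual searches. The following Python is an added example written for this page, not code from the article or from any AICPA product: the purpose names, retention periods, the ConsentRegister class and the sample customer record are all constructed for illustration. It records who consented to what, through which channel, and when; answers whether a stated use of a record is permitted today; logs each decision for later monitoring; and reports when no purpose still justifies keeping the record.

```python
"""Consent and retention register: purpose-limitation checks on personal data.

Added illustration for this page, not code from the article. Purpose names,
retention periods and the sample record are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Union

# Maximum retention per purpose, in days. Hypothetical values: the real
# schedule comes from legal counsel and the regulation that applies.
RETENTION_DAYS = {
    "account_servicing": 7 * 365,
    "loan_marketing": 365,
}


@dataclass(frozen=True)
class Consent:
    purpose: str
    granted_on: date
    source: str                       # "written", "oral", "web" or "implied"
    withdrawn_on: Optional[date] = None


@dataclass
class PersonalRecord:
    subject_id: str
    collected_on: date
    consents: list = field(default_factory=list)


def _as_date(value: Union[str, date]) -> date:
    """Accept either a date or an ISO string such as '2003-03-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


class ConsentRegister:
    """Answers 'may this record be used for this purpose today?' and logs each answer."""

    def __init__(self) -> None:
        # (subject_id, purpose, outcome): the trail a Phase 4 monitor reviews.
        self.audit: list[tuple[str, str, str]] = []

    def _decide(self, record: PersonalRecord, purpose: str, today: date) -> str:
        if purpose not in RETENTION_DAYS:
            return "denied: unknown purpose"
        given = [c for c in record.consents if c.purpose == purpose]
        if not given:
            return "denied: no consent"
        active = [c for c in given if c.withdrawn_on is None or c.withdrawn_on > today]
        if not active:
            return "denied: consent withdrawn"
        # The retention clock runs from the most recent consent for this purpose.
        newest = max(c.granted_on for c in active)
        if today > newest + timedelta(days=RETENTION_DAYS[purpose]):
            return "denied: retention period expired"
        return "allowed"

    def may_use(self, record: PersonalRecord, purpose: str, today: Union[str, date]) -> bool:
        outcome = self._decide(record, purpose, _as_date(today))
        self.audit.append((record.subject_id, purpose, outcome))
        return outcome == "allowed"

    def due_for_destruction(self, record: PersonalRecord, today: Union[str, date]) -> bool:
        """True once no purpose still permits holding the record."""
        d = _as_date(today)
        return not any(self._decide(record, p, d) == "allowed" for p in RETENTION_DAYS)


# Constructed sample: a bank customer who consented in writing to account
# servicing, later consented on the bank's Web site to loan marketing,
# and then withdrew the marketing consent.
SAMPLE = PersonalRecord(
    subject_id="cust-0001",
    collected_on=date(2001, 3, 1),
    consents=[
        Consent("account_servicing", date(2001, 3, 1), "written"),
        Consent("loan_marketing", date(2002, 6, 1), "web", withdrawn_on=date(2003, 1, 15)),
    ],
)

if __name__ == "__main__":
    reg = ConsentRegister()
    for purpose, day in [("loan_marketing", "2002-12-01"),
                         ("loan_marketing", "2003-03-01"),
                         ("account_servicing", "2003-03-01"),
                         ("credit_scoring", "2003-03-01")]:
        reg.may_use(SAMPLE, purpose, day)
    for entry in reg.audit:
        print(entry)
    print("destroy by 2009-01-01:", reg.due_for_destruction(SAMPLE, "2009-01-01"))
```

The design keeps the decision (`_decide`) separate from the logging (`may_use`) so that a housekeeping sweep with `due_for_destruction` does not flood the audit trail, and it treats an unknown purpose as a denial rather than an error, which is the safe default when a new business use has not yet been added to the policy.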

The Virtues of Independence

Third-party verification is emerging as a best practice for business leaders and policy makers alike. Each of the two leading privacy bills of the 107th Congress, S 2201 and HR 4678, provided that companies were presumed to be in compliance with the provisions of the legislation if they participated in a Federal Trade Commission (FTC)-approved self-regulatory program that included regular independent confirmation that they followed the program’s privacy policies. Lawmakers are likely to introduce comparable legislation in the 108th Congress.

Regulators, too, are using independent verification as a legal settlement tool, forcing companies to obtain outside audits in cases involving alleged privacy and security violations. Last year the FTC entered into settlement agreements with two Fortune 500 companies, requiring them to undergo regular security and privacy audits. In addition the settlement of a civil privacy case against a well-known online network advertiser required an audit. And as part of a settlement agreement with the attorneys general of Vermont, New York and California in a case involving an Internet security breach, a prominent technology publisher agreed to an external review of its online systems.

CPAs can use two AICPA assurance services to help businesses comply with privacy requirements: WebTrust ( www.cpawebtrust.org ) verifies whether a company’s Web site meets e-commerce standards—some of which relate to privacy—that are based on internationally accepted best practices, and SysTrust ( www.aicpa.org/assurance/systrust/index.htm ) evaluates the availability, security, integrity and maintainability of an organization’s computer systems.

—Robert Tie

Robert Tie is a senior editor with the JofA . His e-mail address is rtie@aicpa.org .

Phase 3: Implement planned changes. Once the team has a strategic plan, it must oversee any changes in the systems, procedures, forms, brochures or other elements related to privacy. This might include modifying and testing computer software, scheduling systems upgrades to handle new forms and procedures, devising appropriate procedures for maintaining, as well as destroying, personal information records and training employees who directly interact with customers.

During the implementation phase CPAs also can help the business modify its human resources, accounting, travel and expense and other organizational practices to make them fully compliant with regulators’ privacy requirements. “This is a huge undertaking,” says Marilyn Greenstein, PhD, an associate professor of accounting and information systems at Arizona State University and a member of the AICPA’s privacy task force. “To do the job properly, you have to understand how each department in the organization collects, uses and discloses information, and you must be well versed in data integrity and internal controls. The CPA knows all that and can ensure the business implements its privacy plan fully and effectively.”

Phase 4: Monitor systems and procedures. The CPA can identify the key actions to take in monitoring privacy initiatives. These include procedures to

Verify that the company adheres to its privacy policies and processes.

Track and comply with applicable legislative and regulatory changes.

Document complaints, because customer dissatisfaction may indicate problems with the organization’s processes and warn of potential litigation.

Identify and refer to the chief privacy officer all problematic cases, such as the organization’s unauthorized use or disclosure of personal information, so that they receive adequate attention and requesters obtain the information they are entitled to before regulators or the media become involved.

Develop criteria for identifying high-visibility situations that require management’s attention and allow adequate time for due diligence reviews of any new privacy systems or procedures.

Ensure company Web sites earn professional security certifications—such as those offered in conjunction with the enterprise-wide privacy audit offered under the AICPA’s trust services.

CPAs also can recommend establishing a program to survey requesters to determine their satisfaction level and whether company responses were timely. In addition, practitioners should advise companies to conduct periodic compliance audits. As internal or external auditors or consultants, CPAs can help by monitoring policies, processes and the supporting technology.

THE CPA EDGE
The complexity and evolution of privacy regulations can make it difficult for organizations to ensure their computer systems, business practices, corporate policies and administrative processes are fully compliant. But CPAs experienced in these contexts who also are conversant with the latest regulatory developments can help their clients or employers identify and address situations and factors that threaten privacy. These are valuable skills in today’s business environment, where any organization that breaches privacy regulations or fails to meet the public’s confidentiality expectations will lose customers, suffer adverse press and perhaps face litigation and/or penalties as a result of individuals filing complaints with federal or state agencies such as the Federal Trade Commission.

“We’re at the beginning of a mini rebellion in which public concerns about privacy are growing rapidly,” says Don H. Hansen, CPA, a partner with Moss Adams LLP in Everett, Washington. “But,” he adds, “with the help of CPAs, companies can manage this effectively and say to their customers, ‘We’re protecting the privacy of your information.’ And that’s great publicity.”

Resources for Privacy Consultants
CPAs have access to professional guidelines, including those the AICPA developed as part of its trust services family of products ( www.cpa2biz.com/ResourceCenters/Information+Security/Privacy/default.htm ).

CPAs can use the AICPA Privacy Framework to help businesses design good practices. The framework is part of the AICPA trust services family, whose products include external attestation reports that make it easier for companies to demonstrate their due diligence to customers, suppliers and other third parties. (For more information see “Privacy Framework Helps CPAs Protect Consumers,” JofA, Aug.02, page 79, and www.aicpa.org/innovation/baas/ewp/ .)

An AICPA online brochure, “Frequently Asked Questions About Privacy Services,” explains important privacy terms and concepts to help CPAs identify compliance problems, explain them to management and track the progress of corrective measures ( www.cpa2biz.com/ResourceCenters/Information+Security/Privacy/ ).
