EXECUTIVE SUMMARY

COMPANIES REQUIRE HELP understanding and complying with the confusing array of privacy rules, and CPAs can meet that need.

HIGHLY PUBLICIZED CORPORATE FAILURES to protect confidential data have heightened consumers’ awareness of threats to their privacy.

CONSUMERS SURVEYED SAID they would rather do business with companies that safeguard customers’ personal information, underscoring privacy’s effect on the bottom line.

IN THE UNITED STATES compliance is particularly difficult because each industry has its own privacy regulations. American companies that want to compete globally will have to observe international privacy standards as well. A coordinated approach to these diverse requirements is essential to effective compliance with them.

THE AICPA PRIVACY TASK FORCE will issue in the third quarter an exposure draft of a comprehensive framework of privacy best practices. CPAs can use them to help their clients and employers maximize compliance and minimize privacy-related risks.

WHILE CPAs MAY BE MORE QUALIFIED than other professionals to provide guidance on privacy compliance, they should be ready to display their skills in the face of strong competition from lawyers, as well as e-business and security consultants.

CPA FIRMS SHOULD INTEGRATE their privacy and attest services to avoid potential restrictions on providing both assurance and consulting services to public clients.

J. LOUIS MATHERNE, CPA, and ERIN P. MACKLER, CPA, are AICPA employees. Mr. Matherne is director of business assurance and advisory services and Ms. Mackler is a research and innovation technical manager and staff liaison for the Institute’s enterprisewide privacy task force. Their views, as expressed in this article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.
Most companies are just beginning to realize they should implement a sound privacy policy. Some have learned the hard way—through negative publicity and lawsuits—like the pharmaceutical giant that mistakenly revealed the e-mail addresses of more than 700 people who had signed up for prescription refill reminders or the Web marketer that planned, by means of cookies, to track Internet users’ online shopping habits. Accidents and judgment errors like these can harm millions of consumers when they do business with companies lacking a comprehensive plan to safeguard privacy. And while lawmakers and trade groups may aim to prevent Web spamming, unwanted sales calls or unauthorized disclosures of private information, “the current inconsistency of rules, regulations and voluntary practices is confusing and provides uneven levels of protection for consumers,” said Mary Grace Davenport, a partner in PricewaterhouseCoopers’ financial services privacy practice.

In response, the AICPA is creating a privacy framework of best practices that CPAs can implement for their clients and employers. “It is clearly in the public interest for companies to have sound privacy practices,” said Everett C. Johnson, a partner in Deloitte & Touche’s enterprise risk services practice and chairman of the AICPA enterprisewide privacy task force. “It also is in the best interest of every company that interacts with the public. The framework addresses both needs.”

This article explains how the upcoming framework will serve as a coordinated source of reliable information CPAs can use to help their employers and clients comply with the growing body of overlapping privacy regulations.
SURVEY DOCUMENTS PUBLIC CONCERN

Recently, Harris Interactive conducted a study for the nonprofit organization Privacy & American Business, with funding from the AICPA and Ernst & Young LLP. The researchers found three out of four consumers feared their personal information would be sold without their permission, and 69% worried hackers would steal their personal data from online retail sites. But the issue goes well beyond Internet transactions. Eighty-three percent of respondents said they would stop doing business entirely with any company that had misused their personal information—on or off the Web. Half of all respondents said they would buy more frequently and in greater volume from businesses that had established strong, trustworthy privacy practices. And a whopping 91% said they would be more likely to do business with a company that had verified its privacy practices with an auditing firm.
Chart (figures not reproduced here): Consumers Say Companies Are Weak on Privacy. Respondents rated the statement “Businesses take appropriate measures to protect the confidentiality of personal information they collect from customers.” *Due to rounding, total exceeds 100%. Source: Privacy On and Off the Internet: What Consumers Want, a poll of more than 1,500 individuals conducted by Harris Interactive Inc. in November 2001 for Privacy & American Business, a nonprofit privacy organization in Hackensack, New Jersey, with funding from the AICPA and Ernst & Young LLP.
“It is very clear the misuse of customer information poses a significant risk to businesses,” said Mitchell S. Baxter, vice-president of LegalNet Works, a Falls Church, Virginia, consulting firm that specializes in risk management, information security, regulatory compliance and liability and privacy issues. “Even when a company generally is following good privacy practices, the mere absence of a clearly defined policy with appropriate management involvement and oversight can expose a company to liability. Equally important is the risk of customer dissatisfaction and damage to the company’s reputation.”
THE NEED FOR A SINGLE FRAMEWORK

A quick glance at the patchwork of privacy regulations, laws and guidelines U.S. companies must navigate reveals the need for an efficient approach to compliance. Financial services companies must adhere to the Gramm-Leach-Bliley Act (GLB), while the health care industry has its own regulations under the Health Insurance Portability and Accountability Act (HIPAA). Companies that accumulate online data from children are subject to the Children’s Online Privacy Protection Act (COPPA) and those that contract with a government agency must observe the Privacy Act of 1974. Domestic retailers follow yet another set of rules, and any company that does business internationally likely is subject to the European Union’s Data Protection Directive. Many must comply with more than one of these laws simultaneously.

Davenport said American privacy strategy is behind the times and causing problems for U.S. corporations. “This industry-by-industry approach is unique to the United States,” she said. “We need a single privacy framework so companies can apply one set of policies to all their operations.”
AICPA TASK FORCE AIMS TO FILL THE VOID

The Institute’s enterprisewide privacy task force is developing strategies to establish the accounting profession as a key contributor in the effort to protect consumers’ privacy. An exposure draft of its Privacy Framework of Practices and Criteria, designed for companies interested in creating best practices, is scheduled to be released during the third quarter of this year. “The framework will guide CPAs in implementing best practices and act as a kind of education awareness campaign,” Baxter said. “CPA firms will be able to create a compliance module that will review a client’s need for a privacy policy.”

According to Johnson, the framework will be broad enough for a CPA to implement a privacy policy covering all of any company’s operations. “Businesses that choose to implement privacy policies in accordance with this framework will meet, and in most cases exceed, current privacy regulations and reduce their privacy-related risk,” he said.

Davenport, who along with Baxter is a member of the privacy task force, pointed out that the framework covers employees’ personal data, to which—in the United States—virtually no legal privacy requirements apply. “This is becoming an important focus as companies develop global human resources systems that must observe international privacy requirements,” she said.
OPPORTUNITY FOR CPAs

Many CPAs believe a privacy framework will provide them a significant consulting opportunity with their clients—or their employers. But practitioners certainly will not have this field to themselves: The legal community and e-business and security consultants have already entered the market, and the Better Business Bureau, through its BBBOnline Web site, recently launched a privacy seal of approval program. But Marilyn Greenstein, an accounting professor at Arizona State University West, and James E. Hunton, an accounting professor at the University of South Florida, agree that CPAs may have a strategic advantage in the arena. “CPAs have always focused on serving the public interest while at the same time helping businesses implement policies and practices in financial reporting,” explained Greenstein, who is also a member of the privacy task force.

In addition to characteristics CPAs share with other professions, such as the ability to understand various statutory regulations and to develop a high-level strategic business plan, Greenstein and Hunton suggested several reasons why accountants may be uniquely qualified to provide privacy services. CPAs have a long history of

- Providing attestation, risk assessment and audit services.
- Assessing the adequacy of controls and determining whether they are operating effectively.
- Assessing the risk a firm faces if its practices and policies are inadequate.
- Monitoring a system’s compliance with its stated policies and practices and closing any gaps.

Firms that integrate their privacy monitoring with other attest services may guard against potential future restrictions on performing both auditing and consulting engagements for public companies. Such a strategy will be prudent for the client as well as the firm. “The audit is about attestation of controls and business transactions,” said Brian Tretick, principal for privacy assurance and advisory services at Ernst & Young LLP and another member of the task force. “Having a sound privacy policy that can stand up to scrutiny can be as important to a company as making certain its financial statement complies with generally accepted accounting principles.”