Transcript and Presenter's Notes

1
Using Safe Harbor to Develop an Integrated, Global Assessment Approach
August 20, 2008
2
Panelists
  • Lael Bellamy, Chief Counsel - IT, IP & Privacy, ING Americas (formerly with The Home Depot)
  • Laurie Smaldon, CIPP, Manager, Privacy and Identity Theft Practice, PricewaterhouseCoopers LLP

3
Agenda
  • Safe Harbor Certification Overview
  • Integrated Assessment Approach
  • Key Benefits & Case Study
  • Questions & Answers

4
Safe Harbor Certification Overview
5
Safe Harbor Certification Basics
  • Requires certification with the US Department of Commerce
  • One stop shop - an adequacy determination recognised by all EEA member states without any further approval
  • Must agree to abide by 7 data privacy principles: Notice, Choice, Access, Security, Onward Transfer, Data Integrity and Enforcement
  • Limits enforcement to the FTC instead of each of the 27 EU member state DPAs
  • DPAs have not investigated US Safe Harbor pharma companies
  • FTC has not brought any case against a US company in 5 years
  • No 3rd party beneficiary rights, but a dispute resolution mechanism is required
  • Must use DPAs for disputes regarding employee PII
  • May use an independent US 3rd party for all other disputes
  • Allows flexibility to support evolving business models and relationships
  • Not available for financial services companies

6
What it means to be a Safe Harbor company: 7 Principles
  • Certification Requirements. In order to certify under the Safe Harbor Accord, a company must assess and put in place mechanisms to maintain compliance with the seven (7) Safe Harbor Principles. Key steps include:
  • Develop and maintain a Privacy or Safe Harbor Policy. The policy will be based on the seven (7) Principles for certification under the Safe Harbor Accord.
  • 1. Notice. Safe Harbor companies update or prepare a global or EU-applicable privacy policy or EU notice statements for the data subjects covered by the certification, to ensure that such policy or notice is accurate, comprehensive, and visible to data subjects. Such companies also often aim at the same time to improve awareness, so that both data subjects and management have comfort that employees are aware of the appropriate operating practices.
  • 2. Choice. The policy will also cover areas where consent, permission, data use limitations/opt-out strategies and special treatment for "Sensitive Personal Data" are applicable.
  • 3, 4 & 5. Access, Data Integrity and Enforcement. The policy also addresses other areas related to existing processes or controls, if applicable, to meet the Access, Data Integrity and Enforcement requirements needed to cover a Safe Harbor election.

7
What it means to be a Safe Harbor company: 7 Principles (continued)
  • 6. Security. A Safe Harbor company must maintain adequate and reasonable administrative, technical and physical safeguards and controls designed to address appropriate security requirements for US and EU applications that capture or process data subject to the certification.
  • 7. Onward Transfer. A Safe Harbor company must maintain administrative safeguards (i.e., contractual protections) such that any onward transferee or any third party that can access the data subject to the certification will maintain safeguards comparable to those of the certifying company, or the vendor/third party is itself a company that has made a Safe Harbor election.
  • Annual re-certification. Under the Safe Harbor Accord, Safe Harbor companies must annually recertify that they are abiding by the principles of the Safe Harbor Accord. In order to make such a certification, Safe Harbor companies typically develop a Safe Harbor annual assessment and training program.

8
Survey and Gap Analysis
  • Our approach performs a security and privacy assessment against the 7 Data Protection Principles
  • The objective is to identify and analyze:
  • existing data transfers (including PI received or accessible in the US)
  • privacy and data handling compliance
  • security and data handling risks, and
  • gaps against the Safe Harbor Principles, including reasonable security with respect to the identified Safe Harbor applications, systems and databases.
  • A company must have reasonable security as well as controls that enable verification of reasonable compliance with the privacy requirements and related guidance.
  • The approach assesses compliance against recommended privacy practices and a reasonable security framework based on industry practices.

9
Survey and Gap Analysis - Details
  • The phased approach begins with an inventory of applicable Safe Harbor applications and systems, using our survey, which is designed to identify:
  • (i) applicable systems, applications and databases that will be subject to the Safe Harbor certification,
  • (ii) data elements being used and maintained in such systems, applications and databases, and
  • (iii) any internal and external transfers of the data.
  • Based on the results of the survey, key applications and systems are identified that contain PI transferred from the EEA to the US, along with the types of PI contained in such systems and their onward transferees.
  • To gather further information and clarify our understanding of the data flows associated with the identified systems and applications, interviews are also conducted with key system, application and business owners to validate our understanding and findings.

10
Integrated Assessment Approach
11
Integrated Assessments Overview
  • Pulling it all together
  • Many companies operate in vertical silos with different frameworks.
  • Clients often ask for one-off assessments of GLBA, HIPAA, PCI, ID Theft, Security Breach Laws, Marketing Laws or other requirements
  • Privacy
    • US - Fair Information Practices (e.g., HIPAA, GLBA)
    • Global - Organisation for Economic Co-operation and Development (OECD) guidelines (e.g., EU Data Protection Directive)
  • Technical Standards
    • ISO 17799
    • COBIT
    • PCI
    • Others
  • Regulatory Technical Standards
    • FTC GLBA 501(b) Safeguards Rule
    • HIPAA Security Rule

An Integrated Approach
  • Risk
    • COSO II
    • SOX
    • Basel II
  • Compliance
    • Federal Sentencing Guidelines (7 Principles of an Effective Compliance Program)

12
Integrated Assessments Overview
  • The trend is to search for common requirements and points of leverage.
  • Common vulnerabilities and practices that can compromise sensitive data:
    • Third-party vendor handling and transfers
    • Improper access or overly broad access controls
    • Paper handling and dumpster diving
    • Phishing, web/email vulnerabilities
    • Mobile and home-based workforce
    • Call centers and social engineering
    • Use of personal information in authentication processes with customers (online, phone, fax)
    • Back-up tapes
    • Peer-to-peer networks (iPods, etc.)
    • Collecting/using SSNs and personal info, and
    • Transportable media.
  • Integrated approach. Consider people, process, technology and organization perspectives to classify privacy and information management:
    • Key compliance program elements and culture
    • Consumer privacy awareness and rights
    • Security safeguards
    • Key data handling and identity theft risks, and
    • Organizational design and change.

13
Key Differences and Benefits of the New Approach to Information
  • Coordination and Cost Savings. Companies are increasingly developing coordinated approaches to compliance and information risk management, and leveraging prior investments, especially around technology and approaches related to (among several areas):
    • Sarbanes-Oxley Controls
    • Intellectual Property Protection
    • Outsourcing, Procurement, Vendor Management, and
    • International Data Management
    • Records Retention
    • Information Security
    • Payment Card Industry Security Standards
    • Privacy Compliance and Identity Theft Prevention

14
Key Benefits & Case Study
15
Survey Design
  • The survey was developed to quickly assess key privacy compliance and identity theft risks and gaps against internal and common industry best practices.
  • The survey was designed to promote efficiency, minimize burden and to develop tools that can be used for current and ongoing business-as-usual processes and compliance obligations.
  • The survey was designed to address multiple needs:
    • Privacy and Identity Theft/Data Mishandling Prevention Assessment.
    • Data Element Inventory.
    • PCI scope confirmation.
    • Key Security Controls Assessment and Benchmarking.
    • Marketing (opt-in/out) Compliance Awareness and Compliance Assessment.
    • Inventory of Third Party Vendors and Transfers.
    • eDiscovery and Records Benchmarking.

16
Integrated Assessment Potential Benefits
  • Integrated Approach.
    • Ongoing Assessment and Reporting Process. The survey questionnaire may serve as an annual process to reassess the highest risk areas, priorities and progress.
    • FTC (and Other Regulator) Assessment Expectations. The FTC has expressed its expectation that companies conduct privacy and security assessments every other year, and this assessment and approach should serve as an effort to satisfy that expectation.
  • Data Element Approach.
    • Breach Response Capabilities. The inventory will allow quick identification of the data elements involved in the event of a lost laptop or other breach, and of the resulting US state notice obligations.
    • Data Classification. When data elements are baked into the data classification scheme, a data element inventory will provide the ability to quickly determine the required controls.
  • Safe Harbor Ongoing Privacy Assessment.
    • Combines Annual Privacy Assessment and Safe Harbor Processes. A privacy assessment (required by the FTC) and the Safe Harbor assessment (required by the Department of Commerce for recertification) could both be required activities. The design of the survey allows both to be pursued simultaneously, efficiently and cost-effectively.
    • Accelerates Safe Harbor Certification. If a company were to decide to pursue Safe Harbor certification, the survey would already position it on the road to Safe Harbor (saving months and significant fees).
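The scoping survey on slide 9 (inventory the systems, the data elements they hold and the transfers between them, then identify which US systems receive EEA PI and who their onward transferees are) and the data element inventory for breach response on this slide are the same data structure queried two ways: a directed graph of systems whose edges carry data elements. The following is an added example written for this page, not code from the presentation or from PwC's survey tooling. Every system name, owner, data element, transfer edge and the NOTICE_TRIGGERING set is a constructed assumption; a real inventory would be populated from the survey responses and owner interviews.

```python
"""Data-flow inventory for Safe Harbor scoping and breach response.

Added example, not part of the presentation or of PwC's survey tooling.
All system names, owners, data elements, transfer edges and the
NOTICE_TRIGGERING set are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class System:
    name: str
    owner: str
    region: str                        # "EEA" or "US"
    third_party: bool = False          # external vendor, i.e. an onward transferee
    safe_harbor: bool = False          # vendor holds its own Safe Harbor certification
    contract_safeguards: bool = False  # written data-protection terms in place
    elements: frozenset = frozenset()  # PI elements the system stores on its own account


# Constructed inventory (survey steps (i) and (ii): systems and their data elements).
INVENTORY = {s.name: s for s in [
    System("hr-eu", "HR Europe", "EEA", elements=frozenset({"name", "email", "salary"})),
    System("crm-eu", "Sales Europe", "EEA", elements=frozenset({"name", "email"})),
    System("hr-global", "HR Americas", "US"),
    System("crm-us", "Sales Americas", "US", elements=frozenset({"name", "email", "card_number"})),
    System("payroll-vendor", "Procurement", "US", third_party=True, safe_harbor=True),
    System("analytics-vendor", "Marketing", "US", third_party=True),
]}

# Constructed transfer edges (survey step (iii)): (source, destination, elements moved).
TRANSFERS = [
    ("hr-eu", "hr-global", frozenset({"name", "email", "salary"})),
    ("hr-global", "payroll-vendor", frozenset({"name", "salary"})),
    ("crm-eu", "crm-us", frozenset({"name", "email"})),
    ("crm-us", "analytics-vendor", frozenset({"email"})),
]

# Assumption for the example: elements whose exposure triggers a US state breach notice.
NOTICE_TRIGGERING = frozenset({"ssn", "card_number", "account_number", "drivers_license"})


def eea_data_by_system(inventory, transfers):
    """Propagate EEA-origin PI along transfer edges and return
    {US system: EEA-origin elements it receives}, i.e. the Safe Harbor scope.

    Breadth-first pass over the edges; a node is revisited whenever the set of
    elements it holds grows, so an edge never forwards data its source has not
    actually received (multi-hop flows are handled correctly)."""
    held = {n: set(s.elements) for n, s in inventory.items() if s.region == "EEA"}
    queue = deque(held)
    while queue:
        src = queue.popleft()
        for a, b, elems in transfers:
            if a != src:
                continue
            new = (elems & held[src]) - held.setdefault(b, set())
            if new:
                held[b] |= new
                queue.append(b)
    return {n: frozenset(e) for n, e in held.items()
            if inventory[n].region == "US" and e}


def onward_transfer_gaps(inventory, eea_data):
    """Onward Transfer principle check: third parties that receive EEA PI but
    have neither their own Safe Harbor certification nor contractual safeguards."""
    return {n: elems for n, elems in eea_data.items()
            if inventory[n].third_party
            and not (inventory[n].safe_harbor or inventory[n].contract_safeguards)}


def breach_impact(name, inventory, transfers, eea_data):
    """Breach-response lookup for a lost laptop or compromised system: what was
    exposed, which of it triggers state notice, whether EEA data subjects are
    affected, and which downstream recipients hold copies that must be checked."""
    exposed = set(inventory[name].elements) | set(eea_data.get(name, ()))
    downstream, queue = set(), deque([name])
    while queue:
        src = queue.popleft()
        for a, b, _ in transfers:
            if a == src and b not in downstream:
                downstream.add(b)
                queue.append(b)
    return {
        "exposed": frozenset(exposed),
        "notice_triggering": frozenset(exposed & NOTICE_TRIGGERING),
        "eea_subjects_affected": inventory[name].region == "EEA" or name in eea_data,
        "downstream": frozenset(downstream),
    }


if __name__ == "__main__":
    scope = eea_data_by_system(INVENTORY, TRANSFERS)
    for n, e in sorted(scope.items()):
        print(f"in scope: {n:<17} EEA PI: {sorted(e)}")
    print("onward transfer gaps:", onward_transfer_gaps(INVENTORY, scope))
    print("breach of crm-us:", breach_impact("crm-us", INVENTORY, TRANSFERS, scope))
```

Two design points matter in practice. First, scope is computed from what actually flows, not from what a system stores: `crm-us` holds card numbers, but only the name and email it received from `crm-eu` count as EEA PI, so its PCI and Safe Harbor obligations are distinguished by the same inventory. Second, the propagation follows chains, so a US vendor that is two hops away from the EEA system is still surfaced as an onward transferee, which is exactly the population the Onward Transfer principle requires contracts or certifications for.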

17
  • QUESTIONS?