In today’s world, great importance and attention are placed on personal privacy and, importantly, privacy over an individual’s personal information and data. The highly electronically connected world and easy availability of information on the internet and through information sharing between organizations raise the concern as to how individuals’ personal information and data are protected. There is also the concern as to how organizations that hold individuals’ personal information honor the privacy of that information.
The focus of this article is on personal information, also referred to as personally identifiable information (PII). PII is defined by the Department of Homeland Security as, “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual…”
A proper security program and security standards implemented by an organization provide for maintaining the privacy of individuals’ personal information. Privacy cannot be attained without security.
What is Privacy?
Merriam-Webster defines it as freedom from unauthorized intrusion. The International Association of Privacy Professionals (IAPP) describes it as the right to be let alone, or freedom from interference or intrusion. The IAPP goes on to say that information privacy is the right to have some control over how your personal information is collected and used.
With current privacy regulations across the world, privacy relates to rights an individual has to control their personal information and how it is used.
What is Security?
Merriam-Webster defines it as the quality or state of being secure.
In the case of this blog, we are interested in security over data. The objective of security over data is to protect the data in terms of access, collection, storage, usage, and transmission. This is accomplished through policies, procedures, compliance programs, and configuration of the IT environment in which the data resides.
Security, in relation to privacy, refers to how an individual’s PII is guarded and protected.
Why are Security & Privacy Important?
A common concern in today’s world is the security and privacy of one’s data. If you think about it, data about an individual is as important as a birth certificate, social security card, or passport. Personal data represents and identifies an individual and is used to validate an individual and allow the individual to perform certain activities such as getting a job, obtaining a home or auto loan, purchasing goods online, etc. If this personal information falls into the wrong hands, it can potentially be used to the detriment of the data owner, such as with identity theft. We hear of the loss of personal data through data breaches of major corporations on a regular basis. The repercussions of lost personal data are far-ranging.
What Is More Important: Security or Privacy?
One cannot say whether security or privacy is more important. If an organization’s objective is to protect the privacy of its personnel’s, vendors’, and customers’ personal data, a well-defined, effective security program must be in place in order to provide for privacy over individuals’ personal data.
Practices for Protecting Privacy
There are general business and security practices that help protect privacy:
- Completing a risk assessment that includes considerations of privacy and security risks to the organization’s activities.
- Configuring, implementing, and monitoring logical security at the infrastructure, database, application, and personal device layer.
- Configuring, implementing, and monitoring a physical security program regarding access to company devices and hardcopy data and information.
- Implementing a strong incident management program that addresses privacy breaches.
- Creating a Privacy Committee that is responsible for addressing privacy-related activities and incidents and determining the privacy stance for the company.
- Implementing a security program that includes cybersecurity. Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information (Cybersecurity and Infrastructure Security Agency).
- Implementing a compliance program that includes both privacy and security training (i.e., security awareness training) of company personnel and monitoring of security and privacy activities.
Vital Components for a Strong Security Program
The following are components that, when appropriately implemented, aid in building a strong security program that addresses privacy risks and concerns:
Policies and Communications
- Internal privacy and security procedures, policies, and communications have been implemented that address the protection of personal information against unauthorized access, both physical and logical.
- The Company’s Privacy Policy/Notice has been published and informs individuals that administrative, technical, and physical security measures are used to protect the individual’s personal information.
Information Security Program
- The program includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
- Risks in relation to privacy are considered when determining security measures to implement.
- Internal training is rolled out to employees and non-employees that addresses the components of privacy and protection of personal information that the company has implemented and expectations of its personnel.
- Check out our article on the roles and responsibilities of information security to learn more.
Incident Management Program
- The incident management program addresses the steps to be taken to identify, assess, mitigate, and report on breaches in relation to the privacy and protection of personal information.
- A Privacy Committee has been created which holds the responsibility for defining and managing the privacy components for the company.
Logical Access Controls
- Logical access to personal information is restricted to users and systems consistent with legitimate business needs.
Physical Access Controls
- Physical access to personal information is restricted to personnel with legitimate business needs for access.
- After business hours and on weekends, all hardcopy personal information is stored in a cabinet secured by a key lock.
Environmental Safeguards
- A business continuity plan has been implemented which includes measures to protect against environmental factors (e.g., fire, flood, dust, power failure, and excessive heat and humidity) based on its risk assessment and prevents accidental disclosure of personal information in the event of an environmental incident.
Transmitted Personal Information
- Systems and procedures are in place to:
  - define minimum levels of encryption and controls,
  - employ industry-standard encryption technology for transferring and receiving personal information, and
  - protect personal information in both hardcopy and electronic forms sent by mail, courier, or other physical means.
Personal Information on Portable Media
- Policies, systems, and procedures are in place to address the transfer of personal information to portable media or personal devices and cloud services.
Testing Security Safeguards
- Systems and procedures are in place to:
  - periodically undertake independent audits of security controls using either internal or external auditors,
  - document and test disaster recovery and contingency plans to monitor their viability, and
  - periodically undertake threat and vulnerability testing such as internal vulnerability testing and external penetration tests.
Application Security
- Access to the application requires a user ID and password or some form of multi-factor/two-factor authentication.
- Additional password parameters are enabled to further strengthen controls over account access.
- Personal information that the application uses is encrypted at rest and in transit. This includes data stored within the production database.
- Access to data in the application is restricted such that individuals can only see data and information related to their own account.
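The last bullet above is an object-level authorization control. The following is an added example (not code from the original article or from Linford & Co) showing the weak form, where a record is fetched by ID alone, beside the hardened form, where the ownership check is part of the lookup and denied attempts are logged for incident review. The record store, account names and record IDs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str   # account the personal information belongs to
    pii: dict


class AccessDenied(Exception):
    pass


class PiiStore:
    def __init__(self, records):
        self._records = {r.record_id: r for r in records}
        self.audit_log = []   # denied attempts feed the incident management program

    def get_record_unchecked(self, record_id):
        """Weak form: any authenticated user can read any record by supplying its ID."""
        return self._records[record_id]

    def get_record(self, requesting_user, record_id):
        """Hardened form: the caller must own the record, and the check cannot be skipped."""
        record = self._records.get(record_id)
        if record is None or record.owner != requesting_user:
            # Missing and foreign records get the same outcome, so IDs cannot be enumerated.
            self.audit_log.append(("DENIED", requesting_user, record_id))
            raise AccessDenied(f"{requesting_user} may not read record {record_id}")
        return record

    def list_records(self, requesting_user):
        """Listings are scoped to the caller's own account on the server side."""
        return [r for r in self._records.values() if r.owner == requesting_user]


# Constructed sample data: two accounts, one record each.
SAMPLE = PiiStore([
    Record(1, "alice", {"email": "alice@example.com"}),
    Record(2, "bob", {"email": "bob@example.com"}),
])
```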
Data Loss Prevention (DLP)
- A DLP tool tracks and regulates the movement of defined personal information or other critical information. A DLP tool, though, can be difficult to implement and maintain and should be implemented to meet specific business needs.
How Does This Relate To the AICPA Trust Services Criteria & SOC 2 Audits?
When considering if the AICPA Trust Services Criteria Privacy should be included in a SOC 2 audit, the guidance states that the Privacy criteria “is not applicable for a service organization that does not directly collect personal information from data subjects.” A company must analyze the data collected on its customers and determine if it meets the criteria of personal information.
In addition, the AICPA Trust Services Criteria states that the Confidentiality criteria is “distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.”
What Are the Categories of Privacy to Recognize When Considering the AICPA Trust Services Privacy Criteria?
The AICPA Trust Services Criteria break down privacy into the following areas, which closely align with the components of general privacy regulation (the bullets below are taken directly from the AICPA Trust Services Criteria):
Notice and Communication of Objectives Related to Privacy
- The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy.
Choice and Consent
- The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
Collection
- Personal information is collected consistent with the entity’s objectives related to privacy.
- For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.
Use, Retention, and Disposal
- The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
- The entity retains personal information consistent with the entity’s objectives related to privacy.
- The entity securely disposes of personal information to meet the entity’s objectives related to privacy.
Access
- The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
- The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.
Disclosure and Notification
- The entity discloses personal information to third parties with the explicit consent of the data subject, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
- The entity creates and retains a complete, accurate, and timely record of:
  - authorized disclosures of personal information to meet the entity’s objectives related to privacy, and
  - detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.
- The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy.
- The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information.
- The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.
- The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.
Quality
- The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.
Monitoring and Enforcement
- The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy.
As part of the SOC 2 engagement, the auditor will incorporate the testing of privacy into the AICPA Trust Services Security Criteria in the logical and physical security areas described earlier in this article.
Conclusion
Privacy is on the minds of many individuals in today’s world, is governed by the privacy regulations of various countries, and is reported in the news when cybersecurity breaches occur. As discussed in this article, privacy cannot be achieved without security. Implementation of a strong security program that addresses the points raised in this article leads to a more secure stance regarding the protection of personal information.
The AICPA Trust Services Privacy Criteria addresses the considerations for a strong privacy program which is performed in conjunction with the Common Criteria/Security Criteria. The overall objective of the engagement is to determine if a service organization’s controls were designed and implemented (for a Type I SOC 2) and were operating effectively (for a Type II SOC 2) to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.
Please reach out if you would like to learn more about SOC 2 compliance requirements. Additionally, if you would like to learn more about any of our other audit services, or discuss how Linford & Co can be of assistance to you, please don’t hesitate to contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1, SOC 2, HIPAA, ISO, and CMMC audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.