ERE Information Security Auditors

Your clients need to understand how privacy regulation applies to them

Ron Lepofsky
January 30, 2004

People are justifiably concerned about their identity being stolen by perpetrators of fraud. Victims of identity theft suffer disruption of lifestyle, severe emotional stress and financial losses.

In this age of corporate accountability, employees and private individuals are entrusting companies with holding their personal information and keeping it confidential and secure — and therefore not susceptible to being compromised for use in identity-theft-related fraud.

To combat identity theft, and to protect the privacy of individuals, the governments of Canada and the United States are passing laws compelling corporations to protect personal information under their custodial responsibility.

Legal counsel should play an important role in educating their clients about how privacy regulations apply to them, and then helping them to write the appropriate policies so that their clients will comply with the privacy legislation.

Counsel may need to take further initiatives to educate those clients who assume they are already compliant when in fact they are not.

However, a policy alone is not enough to ensure compliance with regulations. A policy that is not enforced uniformly is in reality not a policy at all.

It is therefore incumbent upon the executives of a client organization to monitor how well their employees are complying with the policy, and to implement modifications to procedures, in order to alleviate instances of non-compliance.

The space between counsel writing a privacy policy and counsel hearing from their clients when there is a problem with non-compliance is where a compliance auditing firm can be of valuable assistance.

A compliance auditing firm should identify non-compliance and make recommendations to mitigate procedural problems before they fester into legal liability problems.

Some executives have preconceived notions that they do not need to spend any money on implementing a privacy policy because their organizations must already be compliant.

Counsel can perform a valuable service to those executives, by recommending a service that would provide proof to their executive clients that their organizations are indeed non-compliant with privacy legislation, and that the executives need to engage the services of counsel to create the appropriate policy. Providing this “evidence of non-compliance before the fact” is another situation in which a compliance auditor may be of service.

The key to successful compliance is creating an internal compliance process. This process should include the client’s executive management team, a designated privacy officer, an outside privacy/security audit firm and the education, understanding and full co-operation of all employees. The key elements of the process are:

  1. Clear communication and articulation by senior management of policy expectations to employees.
  2. Ongoing regular third party auditing to ensure policy compliance.
  3. Identifying and dealing with non-compliant behaviour in a consistent manner.
  4. Instituting a regular communications mechanism to executives about the status of the policy’s implementation and enforcement.

In addition, management needs to:

  1. Appoint a privacy officer.
  2. Publish the appropriate paraphrased policy sections, in layman’s language, to employee groups and to third parties such as information contributors.
  3. Create a policy awareness program.
  4. Inform all concerned that the senior executive team will audit and enforce compliance.

The auditor provides an impartial, third-party view of both employee compliance with the policy and the security of the underlying personal information.

The auditor will report any infractions of the policy and any security vulnerabilities to the privacy officer and to the executive committee. The privacy officer then must work with human resources to deal with behavioural infractions. The privacy officer may need to consult legal counsel about modifying the corporate privacy policy and modifying employee contracts with respect to the privacy policy, court decisions and regulatory changes that affect the corporate privacy policy.

The new privacy laws will work only if corporations engage their counsel to create effective privacy policies, tuned to the specifications of each organization. A policy is only effective if it is uniformly enforced by the executives who are responsible for implementing the policy.
