In her novel, Everybody’s Autobiography, Gertrude Stein famously lamented “there, there is no there there.” Stein was referring to the house in Oakland, California, in which she had grown up and which no longer existed. Since then, Stein’s oft-quoted line has become a metaphor for that which is lacking: an absence, a signifier with no signified.
Privacy, a term often bandied about, has become overused to the point that its definition has become ethereal, its “there” uncertain. It is also a hot topic, a buzzword for personal information that is off limits. But without a practical understanding of the types of personal information collected, stored and shared, organizations risk failing to address privacy adequately in their day-to-day activities and practices. When it comes to privacy, it is imperative to put the house in order.
Failing to address privacy can have serious consequences. I counsel clients that no network is ‘breach proof’ and often note that it’s not a question of whether a network can be breached, but rather when it will be breached. To this point, as reported by the Identity Theft Resource Center, the “number of U.S. data breaches tracked in 2014 hit a record high of 783 in 2014…[t]his represents a substantial hike of 27.5 percent over the number of breaches reported in 2013 and a significant increase of 18.3 percent over the previous high of 662 breaches tracked in 2010.” As the recent breach at Sony has dramatically shown, the threat posed by the theft of donor or constituent information, or even the organization’s data including private employee information, can have a devastating impact upon operations, finances and the reputation of that organization.
Given this, it is prudent to consider implementing practices that minimize these risks. The good news is that many breaches are avoidable and mitigating privacy risk doesn’t have to be too great a drain on resources. Implementing certain safeguards and practices today will limit the likelihood and minimize the impact of a data breach. The first step is to perform a privacy audit to conceptualize, legitimize and institutionalize privacy within the organization.
A privacy audit is essentially a process to identify, across the organization, the types of personal information collected, the ways in which it is protected, and with whom such information is shared. The following risk assessment methodology is a good place to start.
- Inventory: Locate the places in the organization (and at vendors operating on its behalf) that house or store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.
- Safeguards: Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, may warrant different levels of protection).
- Gaps: Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.
- Risk Assessment: For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of its occurrence, and use this to help prioritize compliance efforts.
- Remediation: Depending upon the findings and conclusions of the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls or gaps.
The above are general guidelines – a more detailed checklist is more helpful in guiding organizations through the audit process. In future posts, I will offer tips on working with vendors who collect, store and/or hold PII on behalf of an organization. In the meantime, a privacy audit should be considered a critical first step in getting the privacy “house” in order.
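To make the five-step methodology concrete, the following Python script is an added example, not part of the original post: it turns a PII inventory (step 1) and the safeguards recorded for each location (step 2) into a gap list (step 3) and an impact-times-likelihood score that ranks locations for remediation (steps 4 and 5). The sensitivity tiers, the baseline safeguards expected per tier, and the sample inventory are all constructed assumptions; a real audit would substitute the organization's own baseline.

```python
from dataclasses import dataclass

# Constructed sensitivity tiers: an SSN warrants more protection than an email address.
SENSITIVITY = {"ssn": 3, "credit_card": 3, "address": 2, "email": 1, "name": 1}

# Constructed baseline: the safeguards expected for the most sensitive PII in a store.
EXPECTED = {
    1: {"access_control"},
    2: {"access_control", "encryption_at_rest"},
    3: {"access_control", "encryption_at_rest", "encryption_in_transit"},
}


@dataclass
class PiiStore:
    location: str      # system, file, or vendor that houses the PII (step 1: inventory)
    pii_types: set     # kinds of PII held there
    safeguards: set    # physical, administrative and technical controls in place (step 2)
    vendor: bool = False  # held by a third party on the organization's behalf


def sensitivity(store: PiiStore) -> int:
    """Impact is driven by the most sensitive PII type in the store."""
    return max(SENSITIVITY[t] for t in store.pii_types)


def gaps(store: PiiStore) -> set:
    """Step 3: safeguards the baseline expects that the store lacks."""
    expected = set(EXPECTED[sensitivity(store)])
    if store.vendor:
        expected.add("vendor_contract")  # vendors must be bound contractually as well
    return expected - store.safeguards


def risk_score(store: PiiStore) -> int:
    """Step 4: impact (sensitivity tier) times likelihood (number of open gaps)."""
    return sensitivity(store) * len(gaps(store))


def prioritize(inventory: list) -> list:
    """Step 5 input: stores with at least one gap, highest risk first."""
    return sorted((s for s in inventory if gaps(s)), key=risk_score, reverse=True)


# Constructed sample inventory for a small nonprofit.
INVENTORY = [
    PiiStore("donor_db", {"ssn", "name"}, {"access_control", "encryption_at_rest"}),
    PiiStore("newsletter_list", {"email"}, {"access_control"}),
    PiiStore("mailing_vendor", {"email", "name"}, {"access_control"}, vendor=True),
    PiiStore("payroll_vendor", {"ssn"}, {"access_control", "encryption_at_rest"}, vendor=True),
]

if __name__ == "__main__":
    for store in prioritize(INVENTORY):
        print(store.location, risk_score(store), sorted(gaps(store)))
```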