Paper

International Journal of Disclosure and Governance (2008) 5, 153–166. doi:10.1057/jdg.2008.7 published online 10 April 2008

Protecting personal information using Generally Accepted Privacy Principles (GAPP) and Continuous Control Monitoring to enhance corporate governance

Marilyn Prosch1

Correspondence: Marilyn Prosch, School of Global Management and Leadership, Arizona State University, PO Box 37100, Phoenix, AZ 85069, USA. E-mail: marilyn.prosch@asu.edu

1 Marilyn Prosch, PhD, is an Associate Professor of Accounting Information Systems at Arizona State University. She has met with or spoken to the US Department of Commerce, the US FTC, the National Association of Secretaries of State, and the Arizona Auditor General's Office on the subject of GAPP, and has conducted various research studies on privacy breaches and GAPP.

Received 1 March 2008; Revised 1 March 2008; Published online 10 April 2008.


EXECUTIVE SUMMARY

The first decade of the new millennium may well become known as the era of data breaches. In a recent speech to the National Association of Secretaries of State, the Federal Trade Commission's (FTC) Chief Privacy Officer, Marc Groman, urged the audience to prepare well because 'you will have a data breach' (Washington, DC, 18th February, 2008). This article discusses the present privacy crisis and offers a solution for managing and reducing privacy risk through the use of the AICPA/CICA's Generally Accepted Privacy Principles (GAPP). When the court of public opinion or the FTC is grilling an organisation over a data breach, the organisation's best defence is evidence, such as documented adherence to the GAPP criteria or an actual GAPP audit, that it was diligent and serious about data protection policies. Recently, the Chair of Her Majesty's Revenue & Customs in the UK resigned after 25 million Britons had their personal information compromised; the investigation revealed that a mere $102,000 spent on data redaction would have prevented the snafu (see references 1 and 2). Top management, including CEOs, CFOs, CISOs and CPOs, all need to be aware of privacy risk management issues and of techniques for reducing privacy risk. Researchers need to help advance the development and measurement of privacy-enhancing techniques and the implementation of GAPP, in order to help move organisations along the Privacy Maturity Model. This article is written by a member of the AICPA's Privacy Task Force and a Certified Information Privacy Professional.

Keywords: privacy, GAPP, data protection, continuous monitoring