EXECUTIVE SUMMARY
The first decade of the new millennium may well become known as the era of data breaches. In a recent speech to the National Association of Secretaries of State (Washington, DC, 18th February, 2008), the Federal Trade Commission's (FTC) Chief Privacy Officer, Marc Groman, urged his audience to prepare well because ‘you will have a data breach’. This article discusses the present privacy crisis and offers a solution for managing and reducing privacy risk through the use of the AICPA/CICA's Generally Accepted Privacy Principles (GAPP). When the court of public opinion or the FTC is grilling an organisation about a data breach, the organisation's best defence is evidence, such as adherence to the GAPP criteria or an actual GAPP audit, that it was diligent and serious about data protection. Recently, the Chair of Her Majesty's Revenue & Customs in the UK resigned after 25 million Britons had their personal information compromised; the investigation revealed that a mere $102,000 spent on data redaction would have prevented the loss (see references 1 and 2). Top management, including CEOs, CFOs, CISOs and CPOs, all need to be aware of privacy risk management issues and of techniques that reduce privacy risk. Researchers need to help advance the development and measurement of privacy-enhancing techniques and the implementation of GAPP in order to move organisations along the Privacy Maturity Model. This article is written by a member of the AICPA's Privacy Task Force and a Certified Information Privacy Professional.
References
Leatham, S. (2007) ‘Data breach affects 25 million Britons’, Ireland IT Newsletter, 22nd November, 2007, http://www.enn.ie/article/10123479.html.
Shifrin, T. (2007) ‘UK data breach: Stripping the data “would not have been costly”’, Computerworld Online, 6th December, 2007.
Cline, J. (2007) ‘Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere’, Computerworld Online, 6th December, 2007.
Wilcox, J. (2000) ‘IBM appoints chief privacy officer’, news.com, 28th November, 2000, http://www.news.com/IBM-appoints-chief-privacy-officer/2100-1001_3-249135.html.
AICPA/CICA (2006) Generally Accepted Privacy Principles, AICPA/CICA, New York, NY.
Lemos, R. (2005) ‘Data security moves front and center in 2005’, SecurityFocus, 29th December, 2005, http://www.securityfocus.com/news/11366.
Clarke, R. A. (1988) ‘Information technology and dataveillance’, Communications of the ACM, 31 (5), 498–512.
Ogburn, W. F. (1966) Social Change, Dell Publishing, New York, NY.
Cavoukian, A. and Hamilton, T. (2002) Privacy Payoff, McGraw-Hill, New York, NY.
McQuay, T. (2006) ‘Privacy is changing outsourcing in Canada’, Globeandmail.com, 27th July, 2006.
The Homeland Security Act of 2002 created a Chief Privacy Officer within the Department of Homeland Security; however, this position is not considered equivalent because of where it is housed.
Shapiro, B. and Baker, C. R. (2001) ‘Information technology and the social construction of information privacy’, Journal of Accounting and Public Policy, 20, 295–322.
Tinker, T. (1988) ‘Panglossian accounting theories: The science of apologizing in style’, Accounting, Organizations and Society, 13 (2), 165–189.
Zureik, E., Stalker, L., Smith, E., Lyon, D. and Chan, Y. (2008) Privacy, Surveillance, and the Globalization of PI: International Comparisons, McGill-Queen's University Press, Kingston, forthcoming.
Marshall, K. (1999) ‘Has technology introduced new ethical problems?’, Journal of Business Ethics, 19, 81–90.
Ogburn, W. F. (1957) ‘Cultural lag as theory’, Sociology and Social Research, 41, 167–174.
Karat, C. M., Brodie, C. and Karat, J. (2006) ‘Usable privacy and security for personal information management’, Communications of the ACM, 49 (1), 56–57.
Brinkman, R. L. and Brinkman, J. E. (2005) ‘Cultural lag: A framework for social justice’, International Journal of Social Economics, 32 (3), 228–249.
Ponemon Institute and Vontu, Inc. (2006) 2006 Cost of Data Breach Study, Vontu, San Francisco, CA.
Weiss, T. (2006) ‘Customers don't want data handled by outside vendors: They'll likely go elsewhere if a data breach occurs’, Computerworld Online, 24th October, 2006.
Prosch, M. (2008) ‘Preventing identity theft throughout the entire data life cycle’, Working Paper, Arizona State University.
Greenstein, M. and Hunton, J. (2003) ‘Extending the accounting brand to privacy services’, Journal of Information Systems, 17 (2), 87–110.
These criteria meet the definition of ‘criteria established by a recognized body’ described in the third general standard for attestation engagements in the United States in Chapter 1 of Statement on Standards for Attestation Engagements No. 10, Attestation Engagements: Revision and Recodification (AICPA, Professional Standards, vol. 1, AT sec. 101.24), as amended, and in the standards for assurance engagements in Canada (CICA Handbook, paragraph 5025.41).
Alles, M., Kogan, A., Vasarhelyi, M. A. and Warren Jr., J. D. (2007) BNA Accounting Policy and Practice Portfolios, Buchanan Ingersoll & Rooney PC, ISSN 1933-0243.
Ponemon Institute and Vontu, Inc. (2007) 2007 Cost of Data Breach Study, Vontu, San Francisco, CA.
Greenstein, M. and Ray, A. (2002) ‘Holistic, continuous assurance integration: E-business opportunities and challenges’, Journal of Information Systems, 16, 1–20.
Additional information
PhD, is an Associate Professor of Accounting Information Systems at Arizona State University. She has met with or spoken to the US Department of Commerce, the US FTC, the National Association of Secretaries of State and the Arizona Auditor General's Office on the subject of GAPP, and has conducted various research studies on privacy breaches and GAPP.
Cite this article
Prosch, M. Protecting personal information using Generally Accepted Privacy Principles (GAPP) and Continuous Control Monitoring to enhance corporate governance. Int J Discl Gov 5, 153–166 (2008). https://doi.org/10.1057/jdg.2008.7