Protecting personal information using Generally Accepted Privacy Principles (GAPP) and Continuous Control Monitoring to enhance corporate governance

Paper published in the International Journal of Disclosure and Governance

EXECUTIVE SUMMARY

The first decade of the new millennium may well become known as the era of data breaches. In a recent speech to the National Association of Secretaries of State, the Federal Trade Commission's (FTC) Chief Privacy Officer, Marc Groman, urged organisations to prepare well because ‘you will have a data breach’ (Washington, DC, 18th February, 2008). This article discusses the present privacy crisis and offers a solution for managing and reducing privacy risk through the use of the AICPA/CICA's Generally Accepted Privacy Principles (GAPP). When the court of public opinion or the FTC is grilling an organisation about a data breach, the organisation's best defence is to provide evidence, such as documented adherence to the GAPP criteria or an actual GAPP audit, that it was diligent and serious about its data protection policies. Recently, the Chair of Her Majesty's Revenue & Customs in the UK resigned after 25 million Britons had their personal information compromised; the investigation revealed that a mere $102,000 spent on data redaction would have prevented the snafu (see references 1 and 2). Top management, including CEOs, CFOs, CISOs and CPOs, all need to be aware of privacy risk management issues and of techniques for reducing privacy risk. Researchers need to help advance the development and measurement of privacy-enhancing techniques and the implementation of GAPP in order to help move organisations along the Privacy Maturity Model. This article is written by a member of the AICPA's Privacy Task Force and a Certified Information Privacy Professional.


References

  • Leatham, S. (2007) ‘Data breach affects 25 million Britons’, Ireland IT Newsletter, 22nd November, 2007. http://www.enn.ie/article/10123479.html.

  • Shifrin, T. (2007) ‘UK data breach: Stripping the data “would not have been costly”’, Computerworld Online, 6th December, 2007.

  • Cline, J. (2007) ‘Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere’, Computerworld Online, 6th December, 2007.

  • Wilcox, J. (2000) ‘IBM appoints chief privacy officer’, news.com, 28th November, 2000. http://www.news.com/IBM-appoints-chief-privacy-officer/2100-1001_3-249135.html.

  • AICPA/CICA (2006) Generally Accepted Privacy Principles, AICPA/CICA, New York, NY.

  • Lemos, R. (2005) ‘Data security moves front and center in 2005’, Security Focus, 29th December, 2005. http://www.securityfocus.com/news/11366.

  • Clarke, R. A. (1988) ‘Information technology and dataveillance’, Communications of the ACM, 31 (5), 498–512.

  • Ogburn, W. F. (1966) Social Change, Dell Publishing, New York, NY.

  • Cavoukian, A. and Hamilton, T. (2002) Privacy Payoff, McGraw-Hill, New York.

  • McQuay, T. (2006) ‘Privacy is changing outsourcing in Canada’, Globeandmail.com, 27th July, 2006.

  • The Patriot Act of 2002 created a Chief Privacy Officer under the Department of Homeland Security; however, this position is not considered equivalent because of where it is housed.

  • Shapiro, B. and Baker, C. R. (2001) ‘Information technology and the social construction of information privacy’, Journal of Accounting and Public Policy, 20, 295–322.

  • Tinker, T. (1988) ‘Panglossian accounting theories: The science of apologizing in style’, Accounting, Organisations and Society, 13 (2), 165–189.

  • Zureik, E., Stalker, L., Smith, E., Lyon, D. and Chan, Y. (2008) Privacy, Surveillance, and the Globalization of PI: International Comparisons, McGill-Queens University Press, Kingston, forthcoming.

  • Marshall, K. (1999) ‘Has technology introduced new ethical problems?’, Journal of Business Ethics, 19, 81–90.

  • Ogburn, W. F. (1957) ‘Cultural lag as theory’, Sociology and Social Research, 41, 167–174.

  • Karat, C. M., Brodie, C. and Karat, J. (2006) ‘Usable privacy and security for personal information management’, Communications of the ACM, 49 (1), 56–57.

  • Brinkman, R. L. and Brinkman, J. E. (2005) ‘Cultural lag: A framework for social justice’, International Journal of Social Economics, 32 (3), 228–249.

  • Ponemon Institute and Vontu, Inc (2006) 2006 Cost of Data Breach Study, Vontu, San Francisco, CA.

  • Weiss, T. (2006) ‘Customers don’t want data handled by outside vendors: They’ll likely go elsewhere if a data breach occurs’, Computerworld Online, 24th October, 2006.

  • Prosch, M. (2008) ‘Preventing identity theft throughout the entire data life cycle’, Working Paper, Arizona State University.

  • Greenstein, M. and Hunton, J. (2003) ‘Extending the accounting brand to privacy services’, Journal of Information Systems, 17 (2), 87–110.

  • These criteria meet the definition of ‘criteria established by a recognized body’ described in the third general standard for attestation engagements in the United States in Chapter 1 of Statement on Standards for Attestation Engagements No. 10, Attestation Engagements: Revision and Recodification (AICPA, Professional Standards, vol. 1, AT sec. 101.24), as amended, and in the standards for assurance engagements in Canada (CICA Handbook, paragraph 5025.41).

  • Alles, M., Kogan, A., Vasarhelyi, M. A. and Warren Jr., J. D. (2007) BNA Accounting Policy and Practice Portfolios, Buchanan Ingersoll & Rooney PC, ISSN 1933-0243.

  • Ponemon Institute and Vontu, Inc (2007) 2007 Cost of Data Breach Study, Vontu, San Francisco, CA.

  • Greenstein, M. and Ray, A. (2002) ‘Holistic, continuous assurance integration: E-business opportunities and challenges’, Journal of Information Systems, 16, 1–20.

Author information

Correspondence to Marilyn Prosch.

Additional information

Marilyn Prosch, PhD, is an Associate Professor of Accounting Information Systems at Arizona State University. She has met with or spoken to the US Department of Commerce, the US FTC, the National Association of Secretaries of State and the Arizona Auditor General's Office on the subject of GAPP, and has conducted various research studies on privacy breaches and GAPP.


Cite this article

Prosch, M. Protecting personal information using Generally Accepted Privacy Principles (GAPP) and Continuous Control Monitoring to enhance corporate governance. Int J Discl Gov 5, 153–166 (2008). https://doi.org/10.1057/jdg.2008.7
