2016 ISACA NACACS - Audit Privacy Considerations

Page 1: 2016 ISACA NACACS - Audit Privacy Considerations

Ali Rana, Sr. Manager Internal Audit, Sears Holdings

Nathan Anderson, Director Internal Audit, Sears Holdings

Page 2: 2016 ISACA NACACS - Audit Privacy Considerations

#NACACS

AGENDA

• scope of presentation

• information collection overview

• privacy framework & data breach focus

• state of privacy data breach risks

• privacy tips for success

Page 3: 2016 ISACA NACACS - Audit Privacy Considerations


DISCLAIMER

• we speak on behalf of ourselves only

• operational viewpoint (vs. legal)

• based on experience

– at many organizations

– auditing privacy

– as members of privacy working group

• informed by

– benchmarking & discussions with others in industry and consulting

Page 4: 2016 ISACA NACACS - Audit Privacy Considerations


SCOPE

in scope

• customer-related information

not in scope

• compliance-related information

– cardholder data

– protected health information

• sensitive non-customer information

– intellectual property

– financial information

– trade secrets

note: concepts for privacy risks & controls apply to all confidentiality-related risks.

Page 5: 2016 ISACA NACACS - Audit Privacy Considerations


INFORMATION COLLECTION OVERVIEW

• organization’s goal

• what is collected and why?

• sensitive information

Page 6: 2016 ISACA NACACS - Audit Privacy Considerations


ORGANIZATION’S GOAL

• organizations want customer information because…

– they are evil

– they are profit-driven (and evil)

– they see how it can be good for everyone

Page 7: 2016 ISACA NACACS - Audit Privacy Considerations


ORGANIZATION’S GOAL

• organizations must:

– focus on what’s truly best for the customer

– value customer trust above all

– be willing to slow down and demonstrate care

the data scientist doesn’t need to know name and street address.

Page 8: 2016 ISACA NACACS - Audit Privacy Considerations


TRUST SCALE¹

[figure: trust scale weighing Benefits against Risk of Harm (Social, Financial, Physical)]

¹ cara dearman, senior counsel, sears holdings

Page 9: 2016 ISACA NACACS - Audit Privacy Considerations


POOR CUSTOMER VALUE¹

[figure: trust scale, Risks vs. Benefits]

¹ cara dearman, senior counsel, sears holdings

Page 10: 2016 ISACA NACACS - Audit Privacy Considerations


POSITIVE CUSTOMER VALUE¹

[figure: trust scale, Risks vs. Benefits]

¹ cara dearman, senior counsel, sears holdings

Page 11: 2016 ISACA NACACS - Audit Privacy Considerations


WHAT IS COLLECTED AND WHY?

• identity and authentication information

• traditional customer information

• sensitive customer information

Page 12: 2016 ISACA NACACS - Audit Privacy Considerations


IDENTITY INFORMATION

• how to identify you?

– first & last name, address (household), phone number, email address

– social security number, driver’s license number, credit card number(s), loyalty number

– username, ip address

Page 13: 2016 ISACA NACACS - Audit Privacy Considerations


AUTHENTICATION INFORMATION

• how to confirm your identity?

– social security number, driver’s license number, mother’s maiden name, date of birth, credit card information

– digital signature, biometric data, phone number, password

– ip address, browser settings, geolocation

Page 14: 2016 ISACA NACACS - Audit Privacy Considerations


CREEPINESS METER¹

[figure: meter running from “not creepy” through “somewhat creepy” to “super creepy!!”]

¹ a theory of creepy: http://pacscenter.stanford.edu/Theory_of_Creepy_1.pdf

Page 15: 2016 ISACA NACACS - Audit Privacy Considerations


TRADITIONAL CUSTOMER INFORMATION

• what: how can we contact you?

• why: organizations must know how you want to be reached; we will respect you saying “don’t contact me at all”.

Page 16: 2016 ISACA NACACS - Audit Privacy Considerations


TRADITIONAL CUSTOMER INFORMATION

• what: customer order basics – where you live, what you bought

• why: understand basics of top customers and demand by area; optimize merchandise buying, allocation and logistics

Page 17: 2016 ISACA NACACS - Audit Privacy Considerations


SENSITIVE CUSTOMER INFORMATION

• what: sensitive demographic information – religion, race, gender¹

• why: potential intentional or unintentional identification and special treatment based on sensitive characteristics

¹ www.shutterstock.com/s/different/search-vectors.html

Page 18: 2016 ISACA NACACS - Audit Privacy Considerations


USE OF SENSITIVE INFORMATION

• what: non-protected health information

• organizational response options:

– do nothing

– stop targeting expecting mothers

– more sensitive about targeted advertisements

Page 19: 2016 ISACA NACACS - Audit Privacy Considerations


MISHANDLING OF SENSITIVE INFORMATION

Page 20: 2016 ISACA NACACS - Audit Privacy Considerations


PRIVACY: DAMAGE TO CONSUMER CONFIDENCE

“At least once in the last 12 months, more than one-third (35%) of respondents indicated that they had decided not to purchase products or services from a company because of privacy concerns.”

“89% [of consumers] say they avoid companies that do not protect their privacy.”

“Due to privacy concerns, 29% [of consumers] stopped using an app in the last year; 36% stopped using a website”

statistics from 2015 TRUSTe consumer confidence privacy survey

[figure: privacy → trust → engagement¹]

¹ cara dearman, senior counsel, sears holdings

Page 21: 2016 ISACA NACACS - Audit Privacy Considerations


STATE OF PRIVACY DATA BREACH RISKS

• increasing global privacy obligations

• emerging threat: ransomware

Page 22: 2016 ISACA NACACS - Audit Privacy Considerations


INCREASING GLOBAL PRIVACY OBLIGATIONS¹²

new laws in a number of countries

• EU – routine enforcement of national data protection acts & new regulation is looming

• canada – national PIPEDA & CASL

collection and use of personal data in the US is regulated by a patchwork of federal and state laws and regulations.

• governmental agencies and industry groups have created guidelines and frameworks that are considered "best practices" and have accountability and enforcement components

• regulatory agencies (FTC, HHS, FCC, CFPB) and state attorneys general are using these guidelines to escalate enforcement of sectoral laws and standards of due care

¹ PwC Chicago CAE Network Roundtable, May 5th, 2015

² See appendix A for additional guidance from PwC on privacy regulations in the US and abroad.

Page 23: 2016 ISACA NACACS - Audit Privacy Considerations


RANSOMWARE: NON-SENSITIVE PII SCENARIO

1 attacker exploits sql injection vuln on website

2 attackers gain access to online order data

3 attacker emails sample of data with ransom demand

4 if no payment, attacker posts customer data

Page 24: 2016 ISACA NACACS - Audit Privacy Considerations


PRIVACY FRAMEWORK & DATA BREACH FOCUS

• generally accepted privacy principles (gapp)

• fines and lawsuits by privacy control failure

Page 25: 2016 ISACA NACACS - Audit Privacy Considerations


GENERALLY ACCEPTED PRIVACY PRINCIPLES¹

• Management: Define, document, communicate, and assign accountability for privacy policies and procedures.

• Notice: Provide notice about privacy policies & procedures and identify purposes for which personal information (PI) is collected, used, retained, disclosed.

• Choice & Consent: Describe choices available to the individual and obtain implicit or explicit consent for collection, use, and disclosure of personal information.

• Collection: Collect personal information only for the purposes identified in the notice.

• Use, Retention & Disposal: Limit use of PI to purposes identified in the notice and for which the individual has provided implicit or explicit consent. Retain PI only as long as necessary to fulfill stated purposes or as required by law or regulations and thereafter appropriately dispose of it.

• Access: Provide individuals with access to their personal information for review and update.

• Disclosure to 3rd Parties: Disclose PI to third parties only for purposes identified in notice and with the implicit or explicit consent of the individual.

• Security for Privacy: Protect personal information against unauthorized access (both physical and logical).

• Quality: Maintain accurate, complete, relevant PI for purposes identified in the notice.

• Monitoring for Enforcement: Monitor compliance with privacy policies and procedures and have procedures to address privacy-related inquiries, complaints and disputes.

our focus: data breach – primary risk of lawsuit

¹ aicpa gapp practitioner guide: http://bit.ly/1L9E5Bp

Page 26: 2016 ISACA NACACS - Audit Privacy Considerations


FINES AND LAWSUITS BY CONTROL FAILURE

[chart: fines and lawsuits by privacy control failure; legend: primary audit focus, secondary audit focus]

¹ PwC Chicago CAE Network Roundtable, May 5th, 2015

Page 27: 2016 ISACA NACACS - Audit Privacy Considerations


PRACTICAL CONTROL SOLUTIONS

• establish your definition for privacy

• implement efficient and effective controls

– build customer data system & asset inventory

– focus on monitoring extractions and understanding use

– onboarding and granting access

– access reviews

Page 28: 2016 ISACA NACACS - Audit Privacy Considerations


ESTABLISH YOUR DEFINITION FOR PRIVACY¹

• consider laws applicable to you

• start with defining combinations of:

– identity, and/or

– authentication, and/or

– sensitive information

¹ refer to appendices C & D for guidance from Baker Hostetler on defining personally identifiable information (PII) and for understanding specific elements of state privacy laws.

Page 29: 2016 ISACA NACACS - Audit Privacy Considerations


PROCESS-DRIVEN INVENTORY - ASSETS

[flow: data entry points → intermediate systems → primary repositories → analytics & interactions]

¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy

Page 30: 2016 ISACA NACACS - Audit Privacy Considerations


PROCESS-DRIVEN INVENTORY – THIRD PARTIES

[flow: collection → use → processing → retention]

Page 31: 2016 ISACA NACACS - Audit Privacy Considerations


REGEX-BASED DISCOVERY

[flow: data loss protection + regular expressions → { sensitive data discovery results }]

social security number: ^(\d{3}-?\d{2}-?\d{4}|XXX-XX-XXXX)$
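As an added example (not code from the deck or from Sears Holdings), the discovery scan the slide describes, run over a handful of constructed records with the slide's own SSN regex. The anchored `^...$` form only fires when a whole field value is an SSN, and its second alternative deliberately also catches the masked placeholder `XXX-XX-XXXX`, so masked columns surface in the same pass. The unanchored `SSN_TEXT_RE`, the record layout and the sample values are assumptions made for the example.

```python
import re

# The slide's SSN pattern, used as written. The ^...$ anchors mean it only
# matches when the whole field value is an SSN, and the second alternative
# deliberately also matches the masked placeholder XXX-XX-XXXX, so masked
# columns are discovered too (and can be reported separately).
SSN_FIELD_RE = re.compile(r"^(\d{3}-?\d{2}-?\d{4}|XXX-XX-XXXX)$")

# Unanchored variant (an assumption, not on the slide) for free-text columns
# such as notes, where an SSN may be buried inside other words.
SSN_TEXT_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Constructed sample records; none of these values are real.
SAMPLE_RECORDS = [
    {"id": 1, "customer_id": "C-1001", "tax_id": "123-45-6789", "notes": "VIP"},
    {"id": 2, "customer_id": "C-1002", "tax_id": "XXX-XX-XXXX", "notes": "masked at load"},
    {"id": 3, "customer_id": "C-1003", "tax_id": "", "notes": "ssn on file 987654321"},
    {"id": 4, "customer_id": "C-1004", "tax_id": "12-345", "notes": "phone 555-0100"},
]


def discover_ssn(records):
    """Return one (record id, column, kind) tuple per hit.

    kind is "masked" for the XXX-XX-XXXX placeholder, "field" for a whole-field
    match, and "free_text" for an SSN-shaped token inside a longer string.
    """
    hits = []
    for rec in records:
        for column, value in rec.items():
            if not isinstance(value, str):
                continue
            if SSN_FIELD_RE.match(value):
                kind = "masked" if value == "XXX-XX-XXXX" else "field"
                hits.append((rec["id"], column, kind))
            elif SSN_TEXT_RE.search(value):
                hits.append((rec["id"], column, "free_text"))
    return hits


def summarize(hits):
    """Count hits per kind: the discovery report a data owner would review."""
    counts = {"field": 0, "masked": 0, "free_text": 0}
    for _, _, kind in hits:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    found = discover_ssn(SAMPLE_RECORDS)
    for record_id, column, kind in found:
        print(f"record {record_id}: column {column!r} -> {kind}")
    print(summarize(found))
```

Two caveats show up even on this tiny input: the anchored pattern misses record 3, where the SSN sits inside a notes field, so column scans need the unanchored variant as well; and the unanchored variant will also match any nine-digit run, so discovery results are a candidate list for the data owner to confirm, not a final inventory.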

Page 32: 2016 ISACA NACACS - Audit Privacy Considerations


DATA EXTRACTIONS: COMMON STATE

1 user selects abnormal # of records of sensitive data

2 may or may not log event; not reviewed

3 no alerts to owner, security, audit

4 if anything goes wrong, we’ll find out from external source

Page 33: 2016 ISACA NACACS - Audit Privacy Considerations


DATA EXTRACTIONS: TARGET STATE

primary nist controls: au-6, ir-4, ir-5, ir-5, ir-9, cm-8, ia-3, pm-5, ra-2

1 user selects abnormal # of records of sensitive data

2 log event for review by security, audit

3 if anomaly event, alert sent to data owner, security

4 ticket auto-created; user populates form; owner review

Page 34: 2016 ISACA NACACS - Audit Privacy Considerations


ACCESS REQUEST: COMMON STATE

1 user creates access request

2 access approval requested

3 audit / security periodically sample users with access for valid approval

challenge:

- recently approved requests

- are they appropriate?

- has any request ever been rejected?

name          title                 bus unit
jim stall     digital content mgr   online
janet lane    sr analyst            finance
lisa chu      sr director           pricing

Page 35: 2016 ISACA NACACS - Audit Privacy Considerations


ACCESS REQUEST: TARGET STATE

1 user creates access request

2 if sensitive access is not needed, go to step 5. note: always offer less than sensitive access to the sensitive repositories.

3 user must complete detailed profile:

- what’s my role?

- what’s my specific need?

- who will I provide this data to?

4 data owner review: was information provided adequate (knowing that I will be audited on this)?

5 access approval requested

key: emphasis on use case, not approval

Page 36: 2016 ISACA NACACS - Audit Privacy Considerations


ACCESS REVIEWS: COMMON STATE

1 review in process over sensitive access

name          title      bus unit   active?   approp?   comment
nicole lee    director   hr         yes       yes       approved by j.d.
steven lang   analyst    it         yes       no        no longer needed
robert diaz   manager    audit      yes       yes       required for job
opr_04        n/a        n/a        n/a       yes       required for job

what problems do you see?

Page 37: 2016 ISACA NACACS - Audit Privacy Considerations


ACCESS REVIEWS: IDEAL STATE

1 review in process over sensitive access

name          last login      max/avg extract   active?   role desc     use desc      who knows password?
nicole lee    last week       9m / 8m           yes       <completed>   <completed>   n/a
steven lang   never           0 / 0             no        <blank>       <blank>       n/a
robert diaz   180 days ago    33m / 1m          yes       <completed>   <completed>   n/a
opr_04        today           33m / 33m         n/a       <completed>   <completed>   tkoh5, jlin1

what data would tell you:

- account risk based on activity

- active employee/contractor

- valid use case

- ownership of system account
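An added example (not code from the deck or from Sears Holdings) that turns the ideal-state review table into findings and a recommendation per account, and also checks the use-case profile the access-request target state asks for (role, specific need, who the data goes to). The row layout mirrors the table above; the day thresholds, the spike ratio, the finding codes and the descriptive text in the rows are assumptions constructed for the example.

```python
STALE_LOGIN_DAYS = 90   # assumption: no login in 90 days makes the access stale
SPIKE_RATIO = 10        # assumption: max extract >= 10x the average needs an explanation

# Constructed review rows mirroring the "ideal state" table; values are illustrative.
# active=None marks a system account, which has no employee status of its own.
REVIEW_ROWS = [
    {"name": "nicole lee", "last_login_days": 7, "max_extract": 9_000_000, "avg_extract": 8_000_000,
     "active": True, "role_desc": "HR director", "use_desc": "workforce reporting", "password_known_by": []},
    {"name": "steven lang", "last_login_days": None, "max_extract": 0, "avg_extract": 0,
     "active": False, "role_desc": "", "use_desc": "", "password_known_by": []},
    {"name": "robert diaz", "last_login_days": 180, "max_extract": 33_000_000, "avg_extract": 1_000_000,
     "active": True, "role_desc": "audit manager", "use_desc": "sample testing", "password_known_by": []},
    {"name": "opr_04", "last_login_days": 0, "max_extract": 33_000_000, "avg_extract": 33_000_000,
     "active": None, "role_desc": "nightly batch", "use_desc": "order load", "password_known_by": ["tkoh5", "jlin1"]},
]


def review_account(row):
    """Return the list of finding codes for one review row, in a fixed order."""
    findings = []
    is_system = row["active"] is None
    if row["active"] is False:                      # not an active employee/contractor
        findings.append("inactive_person")
    if row["last_login_days"] is None:              # access granted but never used
        findings.append("never_logged_in")
    elif row["last_login_days"] > STALE_LOGIN_DAYS:  # account risk based on activity
        findings.append("stale_login")
    if not row["role_desc"].strip() or not row["use_desc"].strip():
        findings.append("missing_use_case")         # the request profile was never completed
    if row["avg_extract"] > 0 and row["max_extract"] >= SPIKE_RATIO * row["avg_extract"]:
        findings.append("extract_spike")            # one pull far above the user's norm
    if is_system and not row["password_known_by"]:
        findings.append("unowned_system_account")   # nobody accountable for the credential
    if not is_system and row["password_known_by"]:
        findings.append("shared_credential")        # a person's password known to others
    return findings


def recommend(findings):
    """Map findings to the reviewer's action: revoke, investigate, or retain."""
    if {"inactive_person", "never_logged_in"} & set(findings):
        return "revoke"
    return "investigate" if findings else "retain"


def run_review(rows):
    """Name -> (findings, recommendation) for every row in the review."""
    result = {}
    for row in rows:
        findings = review_account(row)
        result[row["name"]] = (findings, recommend(findings))
    return result


if __name__ == "__main__":
    for name, (findings, action) in run_review(REVIEW_ROWS).items():
        print(f"{name:12} {action:12} {', '.join(findings) or '-'}")
```

The point the slide makes is visible in the output: the common-state review would have passed robert diaz as "required for job", but activity data turns him into an investigate (no login in 180 days, one 33m-record pull against a 1m average), and steven lang is a revoke on evidence rather than on the reviewer's memory. The system account opr_04 is retained only because named people are on record as holding its password; with an empty list it would fall to investigate.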

Page 38: 2016 ISACA NACACS - Audit Privacy Considerations


PRIVACY TIPS FOR SUCCESS

• establish your definition for privacy

• conduct process-driven system, asset and 3rd party inventories

• implement effective and efficient controls

• engage with privacy group, business and IT leaders

Page 39: 2016 ISACA NACACS - Audit Privacy Considerations


QUESTIONS?

Page 41: 2016 ISACA NACACS - Audit Privacy Considerations


APPENDIX: REFERENCE MATERIALS

Page 42: 2016 ISACA NACACS - Audit Privacy Considerations


A. INCREASING GLOBAL PRIVACY OBLIGATIONS¹

• canada – national pipeda & casl laws; emerging privacy enforcement and class actions

• eu – routine enforcement of national data protection acts with small fines. new eu regulation is looming

• new laws in mexico, south america, china, south korea, india, russia, africa, australia, new zealand, the philippines, and asia-pacific overall.

• usa –

1) ftc, hhs, fcc, cfpb and state attorneys general have escalated enforcement of sectoral laws and standards of due care (since a federal law doesn’t exist)

2) a number of federal privacy bills have been introduced in 2015²:

• S. 1158 (Consumer Privacy Protection Act)

• H.R. 2092 (Student Digital Privacy and Parental Rights Act)

• S. 668 (Data Broker Accountability and Transparency Act)

¹ PwC Chicago CAE Network Roundtable, May 5th, 2015

² Practical Law: US Data Protection Overview

Page 43: 2016 ISACA NACACS - Audit Privacy Considerations


A. ACTIVE ENFORCEMENT WITHIN THE U.S.¹

the FTC continues to be an active enforcer of privacy and data security laws and regulations. In 2014-15, the federal agency:

• charged a company that tracked consumers' physical locations in stores with failing to provide an in-store mechanism for opting out of the tracking, and failing to tell consumers when they were being tracked in stores.

• charged two data brokers with posting unencrypted spreadsheets on the Internet containing consumers' bank account and credit card numbers, birth dates, contact information, employers' names, and information about debts the consumers allegedly owed.

• announced a settlement with a popular social media messaging platform and mobile application that allegedly:

– collected geo-location data despite a privacy policy to the contrary;

– collected users' contacts information from their address books without notice or permission.

¹ Practical Law: US Data Protection Overview

Page 44: 2016 ISACA NACACS - Audit Privacy Considerations


B. PONEMON STUDY ON PRIVACY¹

• the study included 350 companies in 11 countries and found:

– $3.79 million is the average total cost of data breach

– 23% increase in total cost of data breach since 2013

– $154 is the average cost per lost or stolen record

– 12% increase in per capita cost since 2013

• notification costs remain low, but costs associated with lost business steadily increase.

• lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. the average cost has increased from $1.45 million in 2014 to $1.57 million in 2015.

• time to identify and contain a data breach affects the cost.

¹ Ponemon Institute: 2015 Cost of Data Breach Study

Page 45: 2016 ISACA NACACS - Audit Privacy Considerations


B. PONEMON STUDY ON PRIVACY¹ (continued)

• data breaches cost the most in the US and Germany and the lowest in Brazil and India.

– average per capita cost of data breach is $217 in the US and $211 in Germany.

– average total organizational cost in the US is $6.5 million and in Germany $4.9 million.

– the lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).

• the cost of data breach varies by industry. the average global cost of data breach per lost or stolen record is $154. healthcare and education have the highest while transportation and public sector have the lowest.

– cost associated with acquiring customers

• 47% of all breaches in the 2015 study were caused by malicious or criminal attacks.

• board involvement reduces the cost by $5.5 per record. insurance protection reduces the cost by $4.4 per record.

http://www-01.ibm.com/2015-cost-of-data-breach-study

Page 46: 2016 ISACA NACACS - Audit Privacy Considerations


C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE INFORMATION (PII)

• general definition¹:

– "any information about an individual maintained by an agency, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." – NIST

¹ NIST: http://csrc.nist.gov

Page 47: 2016 ISACA NACACS - Audit Privacy Considerations


C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) (continued)

• technical definition (common definition for US only)¹ ²:

– An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information.

– Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”

¹ baker hostetler: http://bit.ly/1U3AXZr

² baker hostetler international: http://bit.ly/1ORrjod

Page 48: 2016 ISACA NACACS - Audit Privacy Considerations


C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE INFORMATION (PII) (continued)

• technical definition continued¹ ²:

– common definition must be supplemented with the following exceptions for a holistic view of privacy laws:

• states with broader definition for “personal information”

• states that trigger notification by access

• states that require a risk of harm analysis

• states that require notice to attorney general or state agency

• states that require notification within a specific time frame

• states that permit a private cause of action

• states with an encryption safe harbor

• states where the statute is triggered by a breach of security in electronic and/or paper records

¹ baker hostetler: http://bit.ly/1U3AXZr

² specific definitions vary for certain states

Page 49: 2016 ISACA NACACS - Audit Privacy Considerations


D. STATE LAW EXAMPLE: BREACH OF SECURITY

• Breach of Security Definition¹:

– The unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.

– State Law Example: Wisconsin – Individual’s last name & first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable: (1) Social Security number; (2) driver’s license number or state identification number; (3) financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to financial account; (4) DNA profile; (5) the individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.

¹ baker hostetler: http://bit.ly/1U3AXZr

Page 50: 2016 ISACA NACACS - Audit Privacy Considerations


D. STATE LAW EXAMPLE: BREACH OF SECURITY

• Breach of Security Definition Continued¹:

– Wisconsin Legal Requirements for Privacy Incidents:

• Requires risk of harm analysis in determining when notification is triggered. Notification is not required if the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.

• If one of the data elements linked to an individual’s name is encrypted, redacted, or altered in a manner that renders the element unreadable, it is not considered personal information, meaning no notice is required.

• This statute does not define a “breach of security”, and its definition of “personal information” is not restricted to computerized information alone.

¹ baker hostetler: http://bit.ly/1U3AXZr

Page 51: 2016 ISACA NACACS - Audit Privacy Considerations


ICON CREDITS¹

¹ thenounproject.com

icon – credit

shop website – sharon showalter; cloud server – icon 54; white database – anton outkine

folders – thi dieu lin; black database – sergio luna; black file – thomas bruck

report – aldredo hernandez; white server – mister pixel

text sms – @daosme; pc user – creative stall

email – edward boatman; building – lil squid

server w/legs – chameleon design; cash register – icon 54

elephant – ted mitchner; mag glass – viktor vorobyev