Hypersecurity LLC Privacy Audit Services

What is a Privacy Audit?

A privacy audit is a technique for assuring that an organization's goals and promises of privacy and confidentiality are supported by its practices, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how information about library users and employees is collected, stored, shared, used and destroyed. Privacy auditing is a process, not a one-time solution, as services, data needs, and technology change.

Why is it necessary?

In the US, there are some federal and state laws applicable to privacy audits. A key piece of US federal legislation was the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which mandates the protection and privacy of personal information of patients in the health care industry. In the financial services industry, there is the Gramm-Leach-Bliley Act (GLBA) of 1999. It mandates certain standards related to privacy of PPI for customers. There are many intricate details in GLBA, such as the fact that the monitoring and enforcement of PPI involves industry regulators, the US Federal Trade Commission (FTC) and the US Securities and Exchange Commission (SEC). Other potentially relevant laws include the Children’s Online Privacy Protection Act (COPPA) and the Privacy Act of 1974.

Many states legislate the requirement.

State laws also affect privacy audits. The genesis of state laws is California’s SB 1386 of 2002. This act requires entities that have experienced a security breach of PPI, where the customers/clients are residents of California, to notify each customer/client of the breach. The California law became the template and motivation for other states. The various state laws, however, do vary in terms of their requirements. Thus, the auditor needs not only to be aware of the California law, but to research the laws in each state affected by a breach, if one occurs. At last count, 44 US states have similar laws. Here in Texas, HB 300 and SB 11 are applicable.

What we do.

Hypersecurity LLC will work with you to designate a Privacy Officer to help coordinate the audit because all stakeholders and all aspects of privacy need to be represented, from information technology to public relations. The audit process needs to be capable of dealing with the full extent of the information system. The audit process begins by evaluating the organization's existing policies and procedures for legality and consistency with the organization's mission and image. When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects.

The audit examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information. Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical. The audit process itself must be managed so that it does not increase risks, and its recommendations must be addressed quickly once risks are revealed. Hypersecurity’s team of privacy compliance consultants has extensive experience in assessing, baselining, and making recommendations against the statutory framework used by organizations of any size.

Our consultants are expert-level security professionals, certified to make assessments using the specified framework and holding the CISA or CISM designation. Our professionals have a wide variety of experience creating, developing, and assessing against the many state privacy frameworks for the retail industry, financial institutions, healthcare organizations, educational institutions, private companies, public companies, and government agencies.
