Presentation on data privacy by Nate Anderson and Ali Rana at the ISACA North American CACS (NACACS) conference in 2016.

1. Ali Rana, Sr. Manager Internal Audit, Sears Holdings
Nathan Anderson, Director Internal Audit, Sears Holdings

2. #NACACS
AGENDA
• scope of presentation
• information collection overview
• privacy framework & data breach focus
• state of privacy data breach risks
• privacy tips for success

3. #NACACS
DISCLAIMER
• we speak on behalf of ourselves only
• operational viewpoint (vs. legal)
• based on experience
– at many organizations
– auditing privacy
– as members of privacy working group
• informed by
– benchmarking & discussions with others in industry and
consulting

4. #NACACS
SCOPE
in scope
• customer-related information
not in scope
• compliance-related information
– cardholder data
– protected health information
• sensitive non-customer information
– intellectual property
– financial information
– trade secrets
note: concepts for privacy risks & controls apply to
all confidentiality related risks.

5. #NACACS
INFORMATION COLLECTION OVERVIEW
• organization’s goal
• what is collected and why?
• sensitive information

6. #NACACS
ORGANIZATION’S GOAL
• organizations want customer information because…
 they are evil
 they are profit-driven (and evil)
 they see how it can be good for everyone

7. #NACACS
ORGANIZATION’S GOAL
• organizations must:
– focus on what’s truly best for the customer
– value customer trust above all
– be willing to slow down and demonstrate care
the data scientist doesn’t need to know name and street address.

8. #NACACS
TRUST SCALE¹
BenefitsRisk of Harm
Social Financial Physical
¹ cara dearman, senior counsel, sears holdings

9. #NACACS
POOR CUSTOMER VALUE¹
Risks Benefits
¹ cara dearman, senior counsel, sears holdings

10. #NACACS
POSITIVE CUSTOMER VALUE¹
Risks
Benefits
¹ cara dearman, senior counsel, sears holdings

11. #NACACS
WHAT IS COLLECTED AND WHY?
• identity and authentication information
• traditional customer information
• sensitive customer information

12. #NACACS
IDENTITY INFORMATION
• how to identify you?
first & last name social security number username
address (household) driver’s license number ip address
phone number credit card number(s)
email address loyalty number

13. #NACACS
AUTHENTICATION INFORMATION
• how to confirm your identity?
social security number digital signature ip address
driver’s license number biometric data browser settings
mother’s maiden name phone number geolocation
date of birth password
credit card information

14. #NACACS
CREEPINESS METER¹
not
creepy
somewhat
creepy
super
creepy!!
¹ a theory of creepy:
http://pacscenter.stanford.edu/Theory_of_Creepy_1.pdf

15. #NACACS
TRADITIONAL CUSTOMER INFORMATION
• what: how can we contact you?
 why:
 organizations must know how you want to be reached
 we will respect you saying “don’t contact me at all”.

16. #NACACS
TRADITIONAL CUSTOMER INFORMATION
• what: customer order basics
where you live
 why:
 understand basics of top customers and demand by area
 optimize merchandise buying, allocation and logistics
what you bought

17. #NACACS
SENSITIVE CUSTOMER INFORMATION
• what: sensitive demographic information
religion race¹
why:
potential intentional or unintentional
identification and special treatment based
on sensitive characteristics
¹ www.shutterstock.com/s/different/search-vectors.html
gender

18. #NACACS
USE OF SENSITIVE INFORMATION
• what: non-protected health information
• organizational response options:
 do nothing
 stop targeting expecting mothers
 more sensitive about targeted advertisements

19. #NACACS
MISHANDLING OF SENSITIVE INFORMATION

20. #NACACS
“At least once in the last 12
months, more than one-third
(35%) of respondents indicated
that they had decided not to
purchases products or services
from a company because of
privacy concerns.”
“89% [of consumers] say they avoid
companies that do not protect their
privacy.”
“Due to privacy concerns, 29% [of
consumers] stopped using an app in the
last year;
36% stopped using a website”
statistics from 2015 TRUSTe consumer confidence privacy survey
privacy trust engagement
¹ cara dearman, senior counsel, sears holdings
PRIVACY: DAMAGE TO CONSUMER CONFIDENCE

21. #NACACS
STATE OF PRIVACY DATA BREACH RISKS
• increasing global privacy obligations
• emerging threat: ransomware

22. #NACACS
INCREASING GLOBAL PRIVACY OBLIGATIONS¹²
new laws in a number of countries
• EU – routine enforcement of national data protection acts &
new regulation is looming
• canada – national PIPEDA & CASL
collection and use of personal data in the US is regulated by
a patchwork of federal and state laws and regulations.
• governmental agencies and industry groups have created
guidelines and frameworks that are considered "best practices“
and have accountability and enforcement components
• regulatory agencies (FTC, HHS, FCC, CFPD) and state
attorney generals are using these guidelines to escalate
enforcement of sectoral laws and standards of due care
¹ PwC Chicago CAE Network Roundtable, May 5th, 2015
² See appendix A for additional guidance from PwC on privacy
regulations in the US and abroad.

23. #NACACS
RANSOMWARE: NON-SENSITIVE PII SCENARIO
1
attacker exploits sql
injection vuln on website
2
attackers gain access
to online order data
3
attacker emails sample of
data with ransom demand
4
if no payment, attacker
posts customer data

24. #NACACS
PRIVACY FRAMEWORK & DATA BREACH FOCUS
• generally accepted privacy principles (gapp)
• fines and lawsuits by privacy control failure

25. #NACACS
GENERALLY ACCEPTED PRIVACY PRINCIPLES¹
Principle Description
Management Define, document, communicate, and assign accountability for privacy policies and procedures.
Notice Provide notice about privacy policies & procedures and identify purposes for which personal
information (PI) is collected, used, retained, disclosed.
Choice & Consent Describe choices available to the individual and obtain implicit or explicit consent for collection,
use, and disclosure of personal information.
Collection Collect personal information only for the purposes identified in the notice.
Use, Retention &
Disposal
Limit use of PI to purposes identified in the notice and for which the individual has provided implicit
or explicit consent. Retain PI only as long as necessary to fulfill stated purposes or as required by
law or regulations and thereafter appropriately disposes of it.
Access Provide individuals with access to their personal information for review and update.
Disclosure to 3rd
Parties
Disclose PI to third parties only for purposes identified in notice and with the implicit or explicit
consent of the individual.
Security for
Privacy
Protect personal information against unauthorized access (both physical and logical).
Quality Maintain accurate, complete, relevant PI for purposes identified in the notice.
Monitoring for
Enforcement
Monitor compliance with privacy policies and procedures and have procedures to address privacy
related inquiries, complaints and disputes.
our focus: data breach
¹ aicpa gapp practitioner guide: http://bit.ly/1L9E5Bp
primary risk of lawsuit

26. #NACACS
FINES AND LAWSUITS BY CONTROL FAILURE
¹ PwC Chicago CAE Network Roundtable, May 5th, 2015
primary audit focus
secondary audit focus

27. #NACACS
PRACTICAL CONTROL SOLUTIONS
• establish your definition for privacy
• implement efficient and effective controls
– build customer data system & asset inventory
– focus on monitoring extractions and understanding use
– onboarding and granting access
– access reviews

28. #NACACS
ESTABLISH YOUR DEFINITION FOR PRIVACY¹
• consider laws applicable to you
• start with defining combinations of:
– identity, and/or
– authentication, and/or
– sensitive information
¹ refer to appendices C & D for guidance from Baker Hostetler
on defining personally identifiable information (PII) and for
understanding specific elements of state privacy laws.

29. #NACACS
PROCESS-DRIVEN INVENTORY - ASSETS
data entry
points
intermediate
systems
primary
repositories
analytics &
interactions
¹ NIST Protecting PII: http://1.usa.gov/1DgxrRy

30. #NACACS
PROCESS-DRIVEN INVENTORY – THIRD PARTIES
collection use processing retention

31. #NACACS
REGEX-BASED DISCOVERY
data loss
protection
regular
expressions
{ sensitive
data
discovery
results }
social security number:
^(d{3}-?d{2}-?d{4}|XXX-XX-XXXX)$

32. #NACACS
DATA EXTRACTIONS: COMMON STATE
1
user selects abnormal # of
records of sensitive data
no alerts to owner,
security, audit
4 If anything goes wrong, we’ll
find out from external source
May or may not log
event; not reviewed
2
3
?
? ? ?

33. #NACACS
DATA EXTRACTIONS: TARGET STATE
primary nist controls:
au-6, ir-4, ir-5, ir-5, ir-9, cm-8, ia-3, pm-5, ra-2
1
user selects abnormal # of
records of sensitive data
if anomaly event, alert sent to
data owner, security
4 ticket auto-created; user
populates form; owner review
log event for review
by security, audit
2
3

34. #NACACS
ACCESS REQUEST: COMMON STATE
1
user creates
access request
3
audit / security periodically sample
users with access for valid approval
2
access approval
requested
challenge:
- recently approved requests
- are they appropriate?
- has any request ever been rejected?
jim stall digital content mgr online
janet lane sr analyst finance
lisa chu sr director pricing

35. #NACACS
ACCESS REQUEST: TARGET STATE
1
user creates
access request
3
user must complete detailed profile:
- what’s my role?
- what’s my specific need?
- who will I provide this data to?
2
if sensitive access
is not needed, go
to step 5.
note: always offer less
than sensitive access
to the sensitive
repositories.
4 data owner review: was information
provided adequate (knowing that I
will be audited on this)?
5 access approval requested
key: emphasis on use case, not approval

36. #NACACS
ACCESS REVIEWS: COMMON STATE
1 review in process over sensitive access
name title bus unit active? approp? comment
nicole lee director hr yes yes approved by j.d.
steven lang analyst it yes no no longer needed
robert diaz manager audit yes yes required for job
opr_04 n/a n/a n/a yes required for job
what problems do you see?

37. #NACACS
ACCESS REVIEWS: IDEAL STATE
1 review in process over sensitive access
name last
login
max/avg
extract
active? role desc use desc who knows
password?
nicole lee last week 9m / 8m yes <completed> <completed> n/a
steven lang never 0 / 0 no <blank> <blank> n/a
robert diaz 180 days
ago
33m / 1m yes <completed> <completed> n/a
opr_04 today 33m / 33m n/a <completed> <completed> tkoh5, jlin1
what data would tell you:
- account risk based on activity
- active employee/contractor
- valid use case
- ownership of system account

38. #NACACS
PRIVACY TIPS FOR SUCCESS
• establish your definition for privacy
• conduct process-driven system, asset and 3rd party inventories
• implement effective and efficient controls
• engage with privacy group, business and IT leaders

39. #NACACS
QUESTIONS?

40. #NACACS
THANK YOU
ali rana ali.rana@searshc.com
nate anderson nate.anderson@searshc.com

41. #NACACS
APPENDIX: REFERENCE MATERIALS

42. #NACACS
A. INCREASING GLOBAL PRIVACY OBLIGATIONS¹
• canada – national pipeda & casl laws; emerging privacy enforcement and class
actions
• eu – routine enforcement of national data protection acts with small fines. new
eu regulation is looming
• new laws in mexico, south america, china, south korea, india, russia, africa,
australia, new zealand, the philippines, and asia-pacific overall.
• usa –
1) ftc, hhs, fcc, cfpb and state attorney generals have escalated enforcement of
sectoral laws and standards of due care (since a federal law doesn’t exist)
2) a number of federal privacy bills have been introduced in 20152:
• S. 1158 (Consumer Privacy Protection Act)
• H.R. 2092 (Student Digital Privacy and Parental Rights Act)
• S. 668 (Data Broker Accountability and Transparency Act)
¹ PwC Chicago CAE Network Roundtable, May 5th, 2015
2 Practical Law: US Data Protection Overview

43. #NACACS
A. ACTIVE ENFORCEMENT WITHIN THE U.S.¹
the FTC continues to be an active enforcer of privacy and data security laws and
regulations. In 2014-15, the federal agency:
• charged a company that tracked consumers' physical locations in stores with
failing to provide an in-store mechanism for opting out of the tracking, and
failing to tell consumers when they were being tracked in stores.
• charged two data brokers with posting unencrypted spreadsheets on the
Internet containing consumers' bank account and credit card numbers, birth
dates, contact information, employers' names, and information about debts the
consumers allegedly owed.
• announced a settlement with a popular social media messaging platform and
mobile application that allegedly:
– collected geo-location data despite a privacy policy to the contrary;
– collected users' contacts information from their address books without
notice or permission.
¹ Practical Law: US Data Protection Overview

44. #NACACS
B. PONEMAN STUDY ON PRIVACY¹
• the study included 350 companies in 11 countries and found:
– $3.79 million is the average total cost of data breach
– 23% increase in total cost of data breach since 2013
– $154 is the average cost per lost or stolen record
– 12% percent increase in per capita cost since 2013
• notification costs remain low, but costs associated with lost business steadily
increase.
• lost business costs are abnormal turnover of customers, increased customer
acquisition activities, reputation losses and diminished good will. the average
cost has increased from $1.45 million in 2014 to $1.57 million in 2015.
• time to identify and contain a data breach affects the cost.
¹ Poneman Study: 2015 Cost of Data Breach Study

45. #NACACS
B. PONEMAN STUDY ON PRIVACY¹
• data breaches cost the most in the US and Germany and the lowest in Brazil
and India.
– average per capita cost of data breach is $217 in the US and $211 in Germany.
– average total organizational cost in the US is $6.5 million and in Germany $4.9 million.
– the lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).
• the cost of data breach varies by industry. the average global cost of data breach
per lost or stolen record is $154. healthcare and education has the highest while
transportation and public sector have the lowest.
– cost associated with acquiring customers
• 47% of all breaches in the 2015 study were caused by malicious or criminal
attacks.
• board involvement reduces the cost by $5.5 per record. insurance protection
reduces the cost by $4.4 per record.
http://www-01.ibm.com/2015-cost-of-data-breach-study

46. #NACACS
C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE
INFORMATION (PII)
• general definition¹:
– " any information about an individual maintained by an agency,
including:
(1) any information that can be used to distinguish or trace an
individual‘s identity, such as name, social security number, date
and place of birth, mother‘s maiden name, or biometric records;
and
(2) any other information that is linked or linkable to an
individual, such as medical, educational, financial, and
employment information." – NIST
¹ NIST: http://csrc.nist.gov

47. #NACACS
• technical definition (common definition for US only)¹ ²:
– An individual’s first name or first initial and last name plus one or more of
the following data elements: (i) Social Security number, (ii) driver’s license
number or state issued ID card number, (iii) account number, credit card
number or debit card number combined with any security code, access code,
PIN or password needed to access an account and generally applies to
computerized data that includes personal information.
– Personal Information shall not include publicly available information that
is lawfully made available to the general public from federal, state or local
government records, or widely distributed media. In addition, Personal
Information shall not include publicly available information that is
lawfully made available to the general public from federal, state, or local
government records. ”
¹ baker hostetler: http://bit.ly/1U3AXZr
² baker hostetler international: http://bit.ly/1ORrjod
C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE
INFORMATION (PII)

48. #NACACS
• technical definition continued¹ ²:
– common definition must be supplemented with the following exceptions for
a holistic view of privacy laws:
• states with broader definition for “personal information”
• states that trigger notification by access
• states that require a risk of harm analysis
• states that require notice to attorney general or state agency
• states that require notification within a specific time frame
• states that permit a private cause of action
• states with an encryption safe harbor
• states where the statute is triggered by a breach of security in
electronic and/or paper records
¹ baker hostetler: http://bit.ly/1U3AXZr
² specific definitions vary for certain states
C. STATE DEFINITION OF PERSONALLY IDENTIFIABLE
INFORMATION (PII)

49. #NACACS
D. STATE LAW EXAMPLE: BREACH OF SECURITY
• Breach of Security Definition¹:
– The unlawful and unauthorized acquisition of personal
information that compromises the security, confidentiality, or
integrity of personal information.
– State Law Example: Wisconsin
– Individual’s last name & first name or first initial, in combination with and linked to
any of the following elements, if the element is not publicly available information and is
not encrypted, redacted, or altered in a manner that renders the element unreadable:
– (1) Social Security number; (2) driver’s license number or state identification number;
– (3) financial account number, including a credit or debit card account number, or any
security code, access code, or password that would permit access to financial account;
– (4) DNA profile; (5) the individual’s unique biometric data, including fingerprint, voice
print, retina or iris image, or any other unique physical representation.
¹ baker hostetler: http://bit.ly/1U3AXZr

50. #NACACS
D. STATE LAW EXAMPLE: BREACH OF SECURITY
• Breach of Security Definition Contined¹:
– Wisconsin Legal Requirements for Privacy Incidents:
• Requires risk of harm analysis in determining when notification is
triggered. Notification is not required if the acquisition of personal
information does not create a material risk of identity theft or fraud to
the subject of the personal information.
• If one of the data elements linked to an individual’s name is encrypted,
redacted, or altered in a manner that renders the element unreadable,
it is not considered personal information, meaning no notice is
required.
• This statute does not define a “breach of security”, and its definition of
“personal information” is not restricted to computerized information
alone.
¹ baker hostetler: http://bit.ly/1U3AXZr

51. #NACACS
ICON CREDITS¹
¹ thenounproject.com
icon credit Icon credit icon credit
shop website sharon showalter cloud server icon 54 white database anton outkine
folders thi dieu lin black database sergio luna black file thomas bruck
report aldredo hernandez white server mister pixel
text sms @daosme pc user creative stall
email edward boatman building lil squid
server w/legs chameleon design cash register icon 54
elephant ted mitchner mag glass viktor vorobyev