Reasonable Security Practices: The AICPA/CICA Privacy Framework
By Ken Askelson
AUGUST 2005

Protecting customers’ and employees’ personal information has become a significant risk-management issue for all organizations. Consumers are increasingly concerned with how organizations protect and handle their personal information, and identity theft is on the rise, leading to new regulatory requirements on business for the protection of personal information.
Federal legislation mandates the protection and privacy of personal information for customers, clients, and patients. In the healthcare industry, for example, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to follow or address certain information security practices. The financial services industry has standards introduced by the Gramm-Leach-Bliley Act (GLBA).
While some state laws require the protection of personal information, those laws are often ambiguous as to what type of protection is necessary. For example, California’s recently enacted Assembly Bill 1950 (AB 1950) requires a business that owns personal information about a California resident to “implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.” If the business discloses personal information to a third party, AB 1950 requires that the contract contain a reference to the obligation of the third party to maintain reasonable security practices and procedures appropriate to the nature of the information. Although the bill requires “reasonable” security practices, it does not fully describe what these practices should be.
Components of the Framework

For organizations that are subject to laws and regulations that provide limited guidance on appropriate information-security practices, or organizations that simply want to meet their customers’ expectations for protecting personal information, the Privacy Framework developed by the AICPA and the Canadian Institute of CAs (CICA) forms a comprehensive resource providing guidance on a number of areas related to privacy. The AICPA/CICA Privacy Framework (www.aicpa.org/privacy) offers excellent guidance on defining good privacy and security practices for personal information, organized into 10 different components:
- Management: Assigns accountability for privacy policies and procedures.
- Notice: Provides notice of privacy policies and procedures.
- Choice and consent: Describes choices available to the individual on the collection, use, and disclosure of personal information.
- Collection: Collects personal information only for the purposes identified.
- Use and retention: Limits use of personal information to the purposes identified.
- Access: Provides individuals with access to their personal information.
- Disclosure: Discloses personal information to third parties only for the purposes identified.
- Security: Protects personal information against unauthorized access.
- Quality: Maintains accurate, complete, and relevant personal information.
- Monitoring and enforcement: Monitors compliance with its privacy policies and procedures.
Security Component

The framework’s 10 components are considered a solid benchmark for good privacy practice. The security component focuses on the security practices necessary for the protection of personal information, and aligns with the security principle of the AICPA/CICA “Trust Services Principles and Criteria.” Other elements of these criteria include processing integrity, availability, confidentiality, and privacy.
Within the structure of the AICPA/CICA Privacy Framework are numerous criteria, illustrations, and explanations for each component. Each criterion is measurable, relevant, and objective, and classified in terms of policies and communications or procedures and controls.
Security criteria require an organization to address the security of personal information within its privacy policies, and to ensure that the policies are communicated through a privacy notice that describes the general types of security measures used to protect personal information.
An organization is considered to have good information-security practices if a security program was developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
Examples of items that a security program would address include periodic risk assessments, assignment of responsibility and accountability for security, implementing software upgrades and patches, and allocating training and other resources to support the organization’s security policies. The framework contains examples of other features that a security program should have:
- Logical access controls are in place to restrict access to personal information. These include:
  - Authorizing and registering personnel.
  - Identifying and authenticating personnel.
  - Making changes and updating access profiles.
  - Granting system-access privileges.
  - Preventing individuals from accessing others’ information.
  - Limiting access to personal information to authorized personnel based upon their assigned roles and responsibilities.
  - Distributing output only to authorized personnel.
  - Restricting logical access to offline storage, backup data, systems, and media.
  - Restricting access to system configurations, master passwords, utilities, and security devices.
  - Preventing the introduction of viruses, malicious code, and unauthorized software.
- Physical access is restricted to personal information in any form, including the components of the organization’s system that contain or protect personal information.
- Personal information is protected against unlawful destruction, accidental loss, natural disasters, and environmental hazards.
- Personal information is protected when transmitted by mail and over a network, by deploying industry-standard encryption technology.
- Tests of the effectiveness of key administrative, technical, and physical safeguards protecting personal information are conducted at least annually (e.g., an independent audit of security controls).
See the Exhibit.
Ken Askelson, CPA, CITP, CIA, is IT audit manager for JC Penney in Plano, Texas, and vice chair of the AICPA/CICA Privacy Task Force.