Abstract

The first decade of the new millennium may well become known as the era of data breaches. In a recent speech to the National Association of Secretaries of State, the Federal Trade Commission's (FTC) Chief Privacy Officer, Marc Groman, urged his audience to prepare well because 'you will have a data breach' (Washington, DC, 18th February, 2008). This article discusses the present privacy crisis and offers a solution for managing and reducing privacy risk through the use of the AICPA/CICA's Generally Accepted Privacy Principles (GAPP). When the court of public opinion or the FTC is grilling an organisation about a data breach, the organisation's best defence is evidence, such as adherence to GAPP criteria or an actual GAPP audit, that it was diligent and serious about its data protection policies. Recently, the Chair of Her Majesty's Revenue & Customs in the UK resigned after 25 million Britons had their personal information compromised; the investigation revealed that a mere $102,000 spent on data redaction would have prevented the snafu (see references 1 and 2). Top management, including CEOs, CFOs, CISOs and CPOs, all need to be aware of privacy risk management issues and of techniques to reduce privacy risk. Researchers need to help advance the development and measurement of privacy-enhancing techniques and the implementation of GAPP in order to move organisations along the Privacy Maturity Model. This article is written by a member of the AICPA's Privacy Task Force and a Certified Information Privacy Professional.
