Managing Privacy Risk in a Social Media-Driven Society · 2015. 4. 23. · Antonello Gargano,...
Antonello Gargano, Protiviti
Managing Privacy Risk in a Social Media-Driven Society
30 September 2011
© 2011 Protiviti Inc. 2
Discussion Topics
Understanding the Social Media Environment
Challenges Facing Auditors
Scoping and Executing an Audit
Resources
Social Media in the Workplace
Understanding the Social Media Environment
Social Media Revolution
Question: Is social media a fad? Or is it the biggest shift since the Industrial Revolution?
Answer: Social media is not a fad; it is a fundamental shift in the way we communicate.
Welcome to the revolution!
Social Media Landscape
The Power of Social Media
GAP, the popular clothes retailer, reinstated its familiar blue box logo just one week after unveiling its new one.
Why?
• In a statement, Gap North America cited the "outpouring of comments" from the online community for the logo's shelving.
What does this mean?
• While social media mavens are split on whether GAP made the right choice to withdraw its logo, the fact remains: GAP bowed to "the power of social media."
http://www.youtube.com/watch?v=lFZ0z5Fm-Ng
“It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.”
- Warren Buffett
Social Networking Environment
Social Media Pros & Cons
Social Media: Value added or Serious Concern?
• 51% of executives surveyed said they fear social media could reduce employee productivity, while 49% said that using social media could damage a company's reputation.
• 81% say social media can improve customer relations and build their brands.
• 70% feel social networking can be valuable, citing recruitment (69%), customer service (64%) and improving employee morale (46%).
http://marketingcharts.com
http://mashable.com
Security Concerns
Social Network Users More Vulnerable to Security Risks
– 21% accept contact requests from members they don't recognize
– More than half let acquaintances or roommates access social networks on their machines
– 64% click on links offered by community members or contacts
– 26% share files within social networks
– 20% have experienced identity theft
– 47% have been victims of malware infections
– Facebook has been hit with malicious applications and a new version of the Koobface worm, which lets attackers steal information from personal profiles
http://www.webpronews.com
Social Networking Impact
• Do we really understand the power of social networking and how it has been adopted by today's users?
• Americans spent 73% more time on social networking sites in 2009¹.
• Eight out of ten executives believe social media can enhance customer / client relationships.
• CIOs are implementing stricter social networking policies².
• Email usage is also blurring the lines between privacy and company ownership.
¹ Russell Herder/Ethos Business Law Study - "Social Media - Embracing the Opportunities, Averting the Risks"
² Robert Half Technology National CIO Survey - April, 2010
Corporate Risk on Display
• Workers at a North Carolina Domino's Pizza posted a YouTube video showing inappropriate actions.
• A passenger on United Airlines sees his expensive guitar get smashed by baggage handlers and retaliates with his own video.
• A company executive's spouse discusses private matters on a Facebook page.
• An employee is terminated after posting on her Facebook page that her job is boring; the latest court ruling, however, has sided with the employee.
• Facebook and Twitter social networking sites are used to tout stocks in a classic "pump and dump" fraud.
• Doctors take pictures in an operating room with the cameras on their phones.
Regulatory / Legal Environment
• Three Google executives are convicted in Italy of privacy violations.
• The EU Article 29 Working Party issued Opinion 5/2009 on online social networking.
• Four U.S. Senators call on Facebook to give its users more control over their personal information.
• The U.S. Federal Trade Commission (FTC) plans to create guidelines on Internet privacy to protect consumers.
• Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA); the Office of the Privacy Commissioner investigated Facebook.
Regulatory / Legal Environment (cont.)
• The European Union (EU) Data Protection Directive provides a broad legislative basis for privacy protection.
• At least 44 US states, the District of Columbia and Puerto Rico have privacy laws.
• Mexico's Senate approved the Federal Data Protection Act. The law establishes the rights and principles of data protection in the private sector.
• The Asia-Pacific Economic Cooperation (APEC) Privacy Framework falls between the EU and US models.
• Japan has the Personal Information Protection Act (PIPA).
• In 2009 the Italian "Garante Privacy" (the data protection authority) released the brochure "Social network: attenzione agli effetti collaterali" ("Social networks: beware of the side effects").
Challenges Facing Auditors
The Dilemma
• A Ponemon Institute study concludes that financial institutions have large gaps in their privacy and data protection programs.
• VeriSign says its research arm, iDefense, has identified a data black market player called "kirllos" who claimed to have 1.5 million social networking accounts for sale in bulk.
• Advertisers are using the rich information available about what people are doing to execute behavioral targeting.
Internal Audit Involvement
• Internal auditors have not typically included social media in risk assessments or the audit universe
• Few tools exist to automate the potential audit steps to be executed
• Social media has been perceived to be outside the boundaries of company policies and enforceable actions
• The perception is that if the sites are blocked for employees, the potential risk is mitigated
• Risk to sensitive, non-employee data has been miscalculated as low risk
What's the Risk?
• Strategic Information Loss: information that is strategic to a company could be inappropriately released. ("Company A, whom I work for, is working on this cool new project to…")
• Sensitive Data Loss: data that potentially violates regulatory / compliance requirements could be communicated. ("Celebrity A just came to the hospital to have this treatment done…")
• Reputation Risk: slanderous remarks and comments from a disgruntled employee could create damaging perceptions. ("If you work for Company B, you will be mistreated and not respected…")
• Financial Risk: remarks about company performance could impact stock price and performance. ("The strategic plan for Company C is not going to work and results are not going to be good…")
• Safety Risk: release of information about what someone is doing or where someone is traveling. ("Our executive team is meeting at Location Z…")
• Personal Reputation Loss: remarks made by an individual or by friends of an individual could be viewed by others. ("I can't believe what happened the other night when I was out for dinner…")
Beware of Features and Capabilities
• TripIt announces where someone is traveling.
• Connections to other people can be "mined" by others.
• Comments posted on the wall can be viewed by other "friends".
• Detailed personal background could be viewed.
• Communications can be viewed by others.
Scoping and Executing an Audit
Determining the Boundaries
Answer questions about information protection risks!
• Is my data protected?
• Am I in compliance with all applicable privacy laws and regulations?
• Am I aware of data protection requirements?
Information Protection Considerations
• GLBA
• EU Data Protection Directive
• ISO 17799 (since renumbered ISO/IEC 27002)
• PIPEDA
• HIPAA
• PCI
• AICPA
• Many others…
Control Categories
• Management
• Data Privacy
• Data Security
• Vendor Management
• Incident Response
• Physical Security
• Training & Awareness
Defining a Roadmap
Roadmap elements (from the slide diagram):
• Define Goals and Values
• People and Structure
• Policy and Processes
• Privacy Assessment
• Data Classification
• Secure High Risk Areas
• Process Development
• Privacy Awareness
• Data Protection Controls Implementation: Design, Build, Implement
• Enterprise-Wide Privacy Management
• Metrics / Management Reporting
• Board and Executive Level Reporting
Sample Privacy Protection Controls
• Laptop encryption
• Data Loss Prevention
• Vendor Security Reviews
Privacy and Social Media Use
Key Components for Review
• Policies
• Technical Infrastructure Design
• Monitoring and Alert Procedures
• Regulatory Tracking
• Employee Awareness and Training
Tool Considerations
• Teneros Social Sentry provides discovery and
usage monitoring of social media usage by
employees as well as customized rules for
evaluating sensitive company information.
• Radian6 does similar analysis and also includes
workflow management around identified potential
company issues.
• Companies are using alert tools such as Google
Alerts to notify them of company news.
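The monitoring tools above apply "customized rules for evaluating sensitive company information" to employee posts. As an added example (not from the presentation and not the rule set of Social Sentry, Radian6 or any other product), the following Python sketches such a rule engine, using the risk categories and the sample remarks from the "What's the Risk?" slides as its test input. The company name, project code names, executive names, the regex patterns, weights, threshold and the sample posts are all constructed for illustration.

```python
"""Rule-based screening of social media posts against the risk categories
from the "What's the Risk?" slides. Example code added to this page, not
Protiviti's or any vendor's. All watch lists and sample posts are
constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed watch lists: a real deployment would load these from the
# organisation's data classification inventory and HR records.
CONFIDENTIAL_PROJECTS = {"project falcon", "orion launch"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}
COMPANY_NAMES = {"acme corp", "acme"}


@dataclass(frozen=True)
class Rule:
    category: str        # risk category from the slides
    pattern: re.Pattern  # compiled regex evaluated against the post
    weight: int          # contribution of each hit to the category score


def _alternation(terms):
    """Word-bounded alternation of literal terms, longest first so that
    'acme corp' is tried before 'acme'."""
    ordered = sorted(terms, key=len, reverse=True)
    return r"\b(?:" + "|".join(re.escape(t) for t in ordered) + r")\b"


RULES = (
    Rule("Strategic Information Loss", re.compile(_alternation(CONFIDENTIAL_PROJECTS), re.I), 5),
    Rule("Strategic Information Loss", re.compile(r"\b(?:confidential|internal only|unreleased|under nda)\b", re.I), 3),
    Rule("Sensitive Data Loss", re.compile(r"\b(?:patient|diagnos\w*|treatment|medical record)\b", re.I), 3),
    Rule("Sensitive Data Loss", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),  # US SSN shape
    Rule("Financial Risk", re.compile(r"\b(?:earnings|quarterly results|guidance|stock price|strategic plan)\b", re.I), 3),
    Rule("Safety Risk", re.compile(_alternation(EXECUTIVE_NAMES), re.I), 2),
    Rule("Safety Risk", re.compile(r"\b(?:executive team|board|ceo)\b.{0,40}\b(?:meeting|travel\w*|flying|staying)\b", re.I | re.S), 3),
    Rule("Reputation Risk", re.compile(r"\b(?:mistreated|not respected|worst place to work|hate working)\b", re.I), 3),
)

FLAG_THRESHOLD = 3  # assumed: a category is reported at this score or above


def normalise(text):
    """Fold curly quotes and whitespace so the patterns match reliably."""
    text = text.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    return " ".join(text.split())


def mentions_company(text):
    return re.search(_alternation(COMPANY_NAMES), text, re.I) is not None


def screen_post(text):
    """Score a post against every rule and return {category: score} for the
    categories at or above FLAG_THRESHOLD. A post that also names the
    company scores double, since it ties the content to the organisation."""
    text = normalise(text)
    multiplier = 2 if mentions_company(text) else 1
    scores = {}
    for rule in RULES:
        hits = len(rule.pattern.findall(text))
        if hits:
            scores[rule.category] = scores.get(rule.category, 0) + rule.weight * hits * multiplier
    return {cat: s for cat, s in scores.items() if s >= FLAG_THRESHOLD}


def triage(posts):
    """Return (post, findings) for every post that triggers a category."""
    return [(p, f) for p in posts for f in [screen_post(p)] if f]


# Constructed sample posts modelled on the slide examples.
SAMPLE_POSTS = [
    "Acme, whom I work for, is working on this cool new Project Falcon...",
    "Celebrity just came to the hospital for treatment on the ward, diagnosis looks bad",
    "Our executive team is meeting at Location Z next week with Jane Doe",
    "Great dinner with friends tonight, highly recommend the pasta",
]

if __name__ == "__main__":
    for post, findings in triage(SAMPLE_POSTS):
        print(f"{findings}  <-  {post}")
```

Keyword rules of this kind are a triage feed for a human reviewer, not a verdict: they miss paraphrases and raise false positives on ordinary language, so the weights and threshold should be tuned against the organisation's own posts. Personal Reputation Loss is deliberately not a rule, because it is the individual's risk rather than something the company should be monitoring for.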
Resources
Useful Information Sources
The Global Privacy and Information Security Landscape FAQ - www.protiviti.com
DataLossDB - www.datalossdb.org
International Association of Privacy Professionals www.iapp.com
Social Media Governance - www.socialmediagovernance.com/policies.php
Privacy Rights Clearinghouse - www.privacyrights.org
ISACA - www.isaca.org
Stanford Center for Internet and Society - www.whatapp.org
Social Media Explorer - http://www.socialmediaexplorer.com