Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and the amount of information that organizations collect about people make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks faced by their organizations.

One of the most effective techniques for managing those risks is conducting a comprehensive privacy and data security risk assessment. Organizations use such risk assessments to maintain appropriate risk profiles based on the organization’s contractual, regulatory, and governance obligations. Regulatory schemes in some industries, including health [1] and finance, [2] may require risk assessments for compliance. Organizations that collect payment information to process payments as merchants or payment processors [3] or that deal with data collected about individuals residing in specific states [4] may also have risk assessment obligations. Organizations commonly tailor risk assessments to these types of obligations and to their own risk tolerance and profile. A comprehensive risk assessment may include considerations of scope, documentation, timing, management, and oversight. [5]

Scope
The most effective assessments begin by defining the scope appropriately. The scope will vary depending on an organization’s regulatory and contractual compliance obligations, data practices, and risk tolerance. A particular risk assessment may cover only certain business areas, functions, and/or products or services. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires an assessment covering the “confidentiality, availability, and integrity of all electronic [protected] health information a covered entity creates, receives, maintains, or transmits.” [6] The HIPAA-required assessment does not cover data that is not “electronic” protected health information, although organizations commonly include all protected health information in an assessment because of its potential sensitivity and the potentially high costs of a failure to protect such information.

An organization may also consider including employee human resources information or other personal information collected from consumers in its assessment based on the organization’s risk profile.

Key Elements

A privacy and data security risk assessment typically includes the identification and analysis of the following key elements:

  • Policy and Contract Obligations. Promises made in contracts and privacy policies
  • Data Flows. Data collected, used, processed, maintained, and disclosed by the organization and the locations where it is maintained
  • Third Parties. Any applications or third parties using or accessing the data
  • Threat Analysis. Potential threats to and vulnerabilities of the data and the organization, including their likelihood and potential impact on the organization
  • Safeguards Review. Administrative, physical, and technical measures in place to protect the data and the organization

Documentation
Documenting the risk assessment process and findings helps to ensure the consistency of repeated assessments, effective oversight, successful remediation of potential issues, and a reduction of risk to the organization.

Timing
Risk assessments provide more value when conducted on a regular basis. Organizations often determine the specific frequency based on the scope of the assessments, the nature of the data, and the risks to the organization. Many organizations conduct assessments on an annual basis. Organizations also perform ad hoc assessments after any material changes to the internal operations of the organization or to the external business, regulatory, economic, or legal environments in which the organization operates.

Management and Oversight

Organizations can assign a specific individual or group of individuals with responsibility for implementing the risk assessment process, conducting the assessments, and managing any resulting remediation. The risk assessment process may also necessitate reports to senior management about the results and subsequent remediation activities.

In addition to the fundamental elements discussed above, many organizations engage outside counsel when conducting assessments due to increasing litigation and regulatory investigations resulting from privacy and data security issues. Besides offering added expertise, the engagement of outside counsel provides for the potential availability of attorney-client privilege and work-product protections.

High-profile data breaches and government investigations have brought privacy and information security risks to the attention of boards of directors, investors, and consumers like never before. Risk assessments can be a valuable tool for organizations to reduce the risks associated with these increasingly complex issues.

[1] See Health Insurance Portability and Accountability Act of 1996 (HIPAA), Administrative Safeguards, 45 C.F.R. § 164.308(a)(1)(ii)(A).

[2] See Gramm-Leach-Bliley Act (GLBA), Standards for Safeguarding Customer Information, 16 C.F.R. § 314.4.

[3] See PCI Security Standards Council, Information Supplement: PCI DSS Risk Assessment Guidelines (November 2012), available at

[4] See Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. § 17.03(2)(b).

[5] Standards are available that provide details for specific activities involved with each of the fundamental areas, including the recent Framework for Improving Critical Infrastructure Cybersecurity. See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity 22-23 (February 12, 2014), available at (providing a list of risk assessment activities and links to the treatment of risk assessments by other standards such as ISO/IEC 27001:2013 and NIST SP 800-53 Rev. 4).

[6] Department of Health & Human Services, Basics of Risk Analysis and Risk Management, 2 HIPAA Security Series 6 (March 2007), available at