The influx of portable computing and storage devices has prompted the Canadian Institute of Chartered Accountants (CICA) to update its privacy guidance.
The expansion of the Generally Accepted Privacy Principles (GAPP), jointly drafted by CICA and the American Institute of Certified Public Accountants (AICPA), is the first update to the privacy guide since 2006.
Nicolas Cheung, a principal in the assurance services department at CICA, said the focus of the update was to combat the recent spike in identity theft and other financial data breaches. He added that portable devices such as laptops and USB sticks have made it easy for data to leak out of the enterprise.
“In the Canadian environment, as we seem to be heading more toward mandatory breach notification requirements, it just would seem like a natural fit to update privacy principles for breach and incident procedures,” he said, referencing Alberta’s new mandatory breach notification provisions.
The additions to GAPP, which can be found on CICA's Web site, include guidance and best practices for securing portable devices, strategies for mitigating the risks that come with a data breach, and advice on maintaining effective privacy controls. The criteria for destroying and disposing of personal information are also covered in the guide.
Other recommendations include identifying new or changed risks to personal information at least annually, a requirement to identify the third parties that might be handling the data, restrictions against using personal data in systems and process testing, and the development of a privacy awareness program.
CICA said the principles are aimed at chief privacy officers, business executives, compliance officers, legal counsel, and accountants offering technology and IT services to the enterprise.
“The timing of the release of the modifications fits with both legislative and societal expectations,” said Don Sheehy, associate partner of enterprise risk at Deloitte LLP and a member of the AICPA/CICA Privacy Task Force.
“Introducing the criteria and illustrative controls within GAPP now fits into what is becoming a reasonable expectation. And certainly if organizations continue to look at the cost of the solution versus the risk that it needs to remediate, the solutions are definitely more cost effective than they were three or four years ago.”
Portable media being stolen, left on airplanes or otherwise misplaced, Sheehy said, is an issue that particularly needed to be addressed.
“The unfortunate thing is that neither the laptop nor the media are encrypted in most cases,” he said. “So, all of the information that has been on that laptop or media device has become available on an unauthorized basis.”
The number of organizations establishing policies on the use of portable devices has been increasing, but there is still plenty of room for improvement, Sheehy added.
Earlier this year, CICA released another guide aimed at helping SMEs protect the increasing volume of sensitive data they collect. That publication strove to help companies avoid the costly consequences that come with a data breach and to give organizations the information they need to comply with changing privacy legislation.