Managing Privacy Risk in a Social Media-Driven Society

Antonello Gargano, Protiviti, 30 September 2011


Page 1

Antonello Gargano, Protiviti

Managing Privacy Risk in a Social Media-Driven Society

30 September 2011

Page 2

© 2011 Protiviti Inc. 2

Discussion Topics

Understanding the Social Media Environment

Challenges Facing Auditors

Scoping and Executing an Audit

Resources

Social Media in the Workplace

Page 3

Understanding the Social Media Environment

Page 4

Social Media Revolution

Question

Is social media a fad? Or... is it the biggest shift since the Industrial Revolution?

Page 5

Social Media Revolution

Answer

Social Media is not a fad - it is a fundamental shift in the way we communicate.

Welcome to the revolution!

Page 6

Social Media Landscape

Page 7

The Power of Social Media

GAP, the popular clothes retailer, reinstated its familiar blue box logo, just one week after unveiling its new one.

WHY?

• In a statement, Gap North America cited the "outpouring of comments" from the online community for the logo's shelving.

WHAT DOES THIS MEAN?

• While social media mavens are split on whether GAP made the right choice to withdraw their logo, the fact of the matter remains – GAP bowed down to "the power of social media."

http://www.youtube.com/watch?v=lFZ0z5Fm-Ng

Page 8

Social Networking Environment

"It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."

- Warren Buffett

Page 9

Page 10

Social Media Pros & Cons

Social Media: Value added or Serious Concern?

• 51% of executives surveyed said they fear social media could reduce employee productivity, while 49% said that using social media could damage a company's reputation.

• 81% said social media can improve customer relations and build their brands.

• 70% feel social networking can be valuable in recruitment (69%), as a customer service tool (64%) and to improve employee morale (46%).

Sources: http://marketingcharts.com, http://mashable.com

Page 11

Security Concerns

Social Network Users More Vulnerable to Security Risks

– 21% accept contact offerings from members they don't recognize

– More than half let acquaintances or roommates access social networks on their machines

– 64% click on links offered by community members or contacts

– 26% share files within social networks

– 20% have experienced identity theft

– 47% have been victims of malware infections

– Facebook has been hit with malicious applications and a new version of the Koobface virus, which allows hackers to steal information from personal profiles

Source: http://www.webpronews.com

Page 12

Social Networking Impact

• Do we really understand the power of social networking and how it has been adopted by today's users?

• Americans spent 73% more time on social networking sites in 2009 [1].

• Eight out of ten executives believe social media can enhance customer / client relationships.

• CIOs are implementing stricter social networking policies [2].

• Email usage is also blurring the lines between privacy and company ownership.

[1] Russell Herder/Ethos Business Law Study - "Social Media - Embracing the Opportunities, Averting the Risks"

[2] Robert Half Technology National CIO Survey - April, 2010

Page 13

Corporate Risk on Display

• Workers at a North Carolina Domino's Pizza posted a YouTube video showing inappropriate actions.

• A passenger on United Airlines sees his expensive guitar get smashed by baggage handlers and retaliates with his video.

• A company executive's spouse discusses private matters via a Facebook page.

• An employee is terminated after discussing on her Facebook page that her job is boring. However, the latest court ruling has sided with the employee.

• Facebook and Twitter social networking sites are used to tout stocks in a classic "pump and dump" fraud.

• Doctors take pictures in an operating room with the cameras on their phones.

Page 14

Regulatory / Legal Environment

• Three Italian Google executives are convicted of privacy violations.

• The EU Article 29 Working Party provided Opinion 5/2009 on social networking.

• Four U.S. Senators call on Facebook to give its users more control over their personal information.

• The U.S. Federal Trade Commission (FTC) plans to create guidelines on Internet privacy to protect consumers.

• Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner investigated Facebook.

Page 15

Regulatory / Legal Environment (cont.)

• The European Union (EU) Data Protection Directive provides a broad legislative basis for privacy protection.

• At least 44 states in the US, the District of Columbia, and Puerto Rico have privacy laws.

• Mexico's Senate approved the Federal Data Protection Act. The law establishes the rights and principles of data protection in the private sector.

• The Asia-Pacific Economic Cooperation (APEC) Framework falls between the EU and US models.

• Japan has the Personal Information Protection Act (PIPA).

• The Italian "Garante Privacy" released, in 2009, the brochure "Social network: attenzione agli effetti collaterali".

Page 16

Challenges Facing Auditors

Page 17

The Dilemma

• A Ponemon Institute study concludes that financial institutions have large gaps in their privacy and data protection programs.

• VeriSign says its research arm, iDefense, has identified a data black market player called 'kirllos' who claimed to have 1.5 million social networking accounts for sale in bulk quantities.

• Advertisers are using the rich available information about what people are doing to execute behavioral targeting steps.

Page 18

Internal Audit Involvement

• Internal auditors have not typically included social media in risk assessments and the audit universe

• Few tools exist to automate the potential audit steps to be executed

• Social media has been perceived to be outside the boundaries of company policies and enforceable actions

• The perception is that if the sites are blocked from employees, the potential risk is mitigated

• Risk to sensitive, non-employee data has been miscalculated as low risk

Page 19

What's the Risk?

Strategic Information Loss: Information that is strategic to a company could be inappropriately released. ("Company A whom I work for is working on this cool new project to…")

Sensitive Data Loss: Data that potentially violates regulatory / compliance requirements could be communicated. ("Celebrity A just came to the hospital to have this treatment done…")

Reputation Risk: Slanderous remarks and comments from a disgruntled employee could create damaging perceptions. ("If you work for Company B, you will be mistreated and not respected..")

Page 20

What's the Risk? (cont.)

Financial Risk: Remarks about company performance could impact stock price and performance. ("The strategic plan for Company C is not going to work and results are not going to be good…")

Safety Risk: Release of information about what someone is doing or where someone is traveling. ("Our executive team is meeting at Location Z…")

Personal Reputation Loss: Remarks made by an individual or friends of an individual could be viewed by others. ("I can't believe what happened the other night when I was out for dinner…")

Page 21

Beware of Features and Capabilities

LinkedIn

• TripIt talks about where someone is traveling.

• Connections to other people can be "mined" by others.

Facebook

• Comments posted on the wall can be viewed by other "friends".

• Detailed personal background could be viewed.

• Communications can be viewed by others.

Page 22

Scoping and Executing an Audit

Page 23

Determining the Boundaries

Answer questions about information protection risks!

Information Protection Considerations

• GLBA

• EU Data Directive

• ISO 17799

• PIPEDA

• HIPAA

• PCI

• AICPA

• Many others…

• Is my data protected?

• Am I in compliance with all applicable privacy laws and regulations?

• Am I aware of data protection requirements?

Control Categories

• Management

• Data Privacy

• Data Security

• Vendor Management

• Incident Response

• Physical Security

• Training & Awareness

Page 24

Defining a Roadmap

Board and Executive Level Reporting

Enterprise-Wide Privacy Management

Privacy Assessment

Data Classification

Secure High Risk Areas

Define Goals and Values

People and Structure

Policy and Processes

Process Development

Privacy Awareness

Data Protection Controls Implementation

Design

Build

Implement

Sample Privacy Protection Controls

• Laptop encryption

• Data Loss Prevention

• Vendor Security Reviews

Metrics Management Reporting

Page 25

Privacy and Social Media Use

Key Components for Review

• Policies

• Technical Infrastructure Design

• Monitoring and Alert Procedures

• Regulatory Tracking

• Employee Awareness and Training

Page 26

Tool Considerations

• Teneros Social Sentry provides discovery and usage monitoring of social media use by employees, as well as customized rules for evaluating sensitive company information.

• Radian6 does similar analysis and also includes workflow management around identified potential company issues.

• Companies are using alert tools such as Google Alerts to notify them of company news.
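As an added example (not from the presentation, and not the rule set of any tool named above), here is a small rule-based screen in the spirit of the "customized rules for evaluating sensitive company information" described above: it checks constructed sample posts against patterns keyed to the risk categories on the "What's the Risk?" slides and reports which categories each post triggers. The regex patterns, sample posts and function names are assumptions made for this example.

```python
import re
from collections import Counter

# Patterns keyed to the risk categories on the "What's the Risk?" slides.
# The regexes are hypothetical starting points for this example, not a vendor
# rule set; a real deployment would tune them to the company's own vocabulary.
RISK_RULES = {
    "Strategic Information Loss": [r"\bnew project\b", r"\bconfidential\b", r"\broadmap\b"],
    "Sensitive Data Loss": [r"\b(patient|celebrity)\b.*\b(treatment|hospital|diagnos)"],
    "Reputation Risk": [r"\bmistreated\b", r"\bnot respected\b"],
    "Financial Risk": [r"\bstrategic plan\b.*\bnot going to work\b",
                       r"\bresults\b.*\bnot going to be good\b"],
    "Safety Risk": [r"\b(executive team|CEO)\b.*\b(meeting at|traveling to|flying to)\b"],
}

COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in RISK_RULES.items()}


def classify_post(text):
    """Return the sorted list of risk categories that a single post triggers."""
    return sorted(cat for cat, pats in COMPILED.items()
                  if any(p.search(text) for p in pats))


def scan_posts(posts):
    """Screen (post_id, text) pairs; return only the hits as (post_id, categories)."""
    hits = []
    for post_id, text in posts:
        cats = classify_post(text)
        if cats:
            hits.append((post_id, cats))
    return hits


def category_counts(posts):
    """Per-category hit counts, the kind of metric a privacy programme reports upward."""
    counts = Counter()
    for _, cats in scan_posts(posts):
        counts.update(cats)
    return dict(counts)


# Constructed sample posts: five echo the slides' illustrative quotes, two are benign.
SAMPLE_POSTS = [
    ("p1", "Company A whom I work for is working on this cool new project to..."),
    ("p2", "Celebrity A just came to the hospital to have this treatment done..."),
    ("p3", "If you work for Company B, you will be mistreated and not respected.."),
    ("p4", "The strategic plan for Company C is not going to work and results are not going to be good..."),
    ("p5", "Our executive team is meeting at Location Z..."),
    ("p6", "Great lunch with the team today!"),
    ("p7", "Volunteering at the food bank this weekend."),
]

if __name__ == "__main__":
    for post_id, cats in scan_posts(SAMPLE_POSTS):
        print(post_id, "->", ", ".join(cats))
    print(category_counts(SAMPLE_POSTS))
```

Hits from a screen like this are input to the human review and workflow step the slide mentions, not an automatic sanction; pattern rules also miss paraphrased disclosures, so they complement rather than replace awareness training.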

Page 27

Resources

Page 28

Useful Information Sources

The Global Privacy and Information Security Landscape FAQ - www.protiviti.com

DataLossDB - www.datalossdb.org

International Association of Privacy Professionals - www.iapp.com

Social Media Governance - www.socialmediagovernance.com/policies.php

Privacy Rights Clearinghouse - www.privacyrights.org

ISACA - www.isaca.org

Stanford Center for Internet and Society - www.whatapp.org

Social Media Explorer - http://www.socialmediaexplorer.com

Page 29