Powered by SmartPros Powered by: SmartPros Title Slide ADP LUNCH & LEARN CPE PROGRAM Protecting Your Data Is More than a Good Idea - It's the Law Authored and adapted for CPE accreditation by SmartPros Ltd. (www.smartpros.com ) Powered by: The ADP Logo is a registered trademark of ADP of North America, Inc. V.1109a

Upload: jaylene-gent

Post on 29-Mar-2015


TRANSCRIPT

Page 1:

Title Slide

ADP LUNCH & LEARN CPE PROGRAM

Protecting Your Data Is More than a Good Idea - It's the Law

Authored and adapted for CPE accreditation by SmartPros Ltd. (www.smartpros.com) Powered by:

The ADP Logo is a registered trademark of ADP of North America, Inc.

V.1109a

Page 2:

Today’s Agenda

CPE Presentation

Short Group Discussion

Review of Program Reference Material

Review Instructions to Complete Course on ADP’s Accountant Web site

Page 3:

Course Overview & Objectives

Overview: CPAs collect and retain confidential data about their clients’ businesses. Today we’ll discuss the serious nature of possessing such data and the legal requirements to protect it. This issue is also extremely important to your clients. As their most trusted business advisor, you are in a position to help your clients audit their businesses to ensure both their well-being and their compliance.

Objectives: Upon completing this segment, you will be able to:

Explain why companies need to protect their confidential data.

Identify strategies for minimizing the loss of proprietary information.

Advise your clients on the importance and need to protect their data.

Page 4:

To Consider…

“Companies are reluctant to put these data protection issues on the front burner. They are reluctant because you are asking them to expose security flaws. I am telling clients: Look at ChoicePoint; look at MasterCard; look at the headlines on The New York Times. If you can picture yourself on the front page of The New York Times with a massive data security breach, and if you can picture how you will feel on that day, you will likely put that issue on the front burner for your company.”

William Heller
Expert SmartPros Commentator

William Heller is the chair of the intellectual property and information technology law group at the firm of McCarter and English, where he helps businesses protect their data and intangible property.

Page 5:

Discussion Questions:

1. Have you recently considered, or discussed with your clients, compliance issues involved with protecting confidential data?

2. If so, have you encountered the type of reluctance noted by the commentator, or are you or your clients putting this issue, as the commentator recommends, on the front burner?


Page 6:

I. Corporate Security Background

Modern technology provides obvious benefits to the way we conduct business today. For example:

It leads to better, more cost-effective communication.

It creates more efficiency in everyday business process.

It can reduce the cost to produce products and services.

It gives us new ways to distribute products and services.


Page 7:

I. Corporate Security Background

Modern technology creates new security issues, such as:

Increased opportunity for “white-collar” and cyber crime.

Cell phones provide undetected communications.

Cheap micro-technology for spying and copying data.

Increase of data stored on larger computer networks with more access points.

The ability to take work home on a laptop.

Page 8:

I. Corporate Security Background

Organizations must be aware that:

Home-based access to corporate data systems is a common weak point.

Lack of formalized monitoring of network and data access is extremely dangerous.

Expert advice and security measures are typically essential at some point, even in small businesses.

KEY POINT: It is important to note that most computer fraud is NOT committed by “outsider hackers.” Most computer fraud is actually committed from within the organization.

Page 9:

I. Corporate Security Background

Corporate data responsibilities are dictated by:

Internal control requirements of Sarbanes-Oxley.

Federal law like the Computer Fraud and Abuse Act (CFAA).

State statutes on privacy protection.

Common law negligence doctrine.

Page 10:

II. Data Theft and Security

As noted, most data theft comes from inside an organization. Higher-risk situations include:

Disgruntled employees.

Pending adverse employment actions.

Employees who are terminating employment but still have access to critical data.

KEY POINT: IT, HR, Finance and Compliance/Legal departments in a company need to work together to implement very defined protocols in dealing with these higher-risk employment situations.

Page 11:

II. Data Theft and Security

There is also considerable risk in providing database access to:

Suppliers

Distributors

Customers

Dealers

Salespeople

Producers

KEY POINT: It is essential that contracts with third-party providers are designed to hold them responsible for protecting the data and confidentiality of that data prior to accessing it.

Page 12:

II. Data Theft and Security

Temporary workers and contractors:

Often have access to confidential data sources.

Should sign non-disclosure and confidentiality agreements.

Should be provided with a written definition of the type and scope of data they can access.

KEY POINT: Temporary workers often leave with the experience you gave them -- and use that experience to get jobs with your competitors!

Page 13:

II. Data Theft and Security

Outsourcing dangers: Ask yourself these questions when weighing risk/reward:

Are you allowing third parties to host your proprietary data or intellectual property on their network? If so, how secure is it?

Do THEY use temporary or outsourced labor?

What employment/work-for-hire contracts are their labor force bound by?

What laws (especially when outsourcing to foreign countries) and enforcement options are in place to protect you?

Page 14:

II. Data Theft and Security

To protect your data assets, you should:

First, define your assets.

Audit data flows and intellectual property assets.

Ask who, what, where, when, and why with respect to access and control of all major data and IP assets.

Establish protocols for data access.

Second, review agreements with:

Employees, contractor workers and outsourced vendors.

KEY POINT: As noted, this process often involves coordination between IT, HR, Finance, and Compliance/Legal teams.

Page 15:

II. Data Theft and Security

Computer Fraud and Abuse Act (CFAA)

Legislation was originally passed by Congress in 1986.

Amended in ’94, ’95, and again in 2001 as part of the Patriot Act.

In general, it prohibits accessing computer systems without authorization.

It also says that it is against the law to “exceed authorized access.”

KEY POINT: Just because an employee has physical access to the data, doesn’t mean they have “authorized” access to it.

Page 16:

II. Data Theft and Security

Inform employees what their "authorized" access is.

Define, in writing, both the nature and scope of authorized access.

KEY POINT: Written agreements, specifically those that go beyond general confidentiality agreements, go a long way in empowering a company to pursue employees in cases of intellectual property or data theft. This in itself creates a proactive deterrent against unauthorized access.


Page 17:

III. State Identity Theft Statutes

California as an example:

To protect consumers’ personal information, the California state legislature has already enacted more than a dozen laws regulating how businesses and other organizations that collect personal information on California residents must manage private data.

There are nearly two dozen states with similar statutes.

KEY POINT: Laws of other states potentially affect you if you have customers that live in that state and you store their personal data!

Page 18:

III. State Identity Theft Statutes

Corporate negligence & liability

It is assumed that companies know about personal data security and therefore assume responsibility to protect it.

You are negligent if you breach that duty.

Companies that experience a breach often bear the burden of investigation, as law enforcement doesn’t have the resources.

NOTE OF INTEREST: This is currently a hot topic for finance executives and risk managers.

Page 19:

III. State Identity Theft Statutes

Unauthorized access to personal information generally requires notification to:

Law enforcement officials.

Each state is different: Might be state police, the state attorney general, or some specialized office.

Timing requirements also vary by state.

Individuals whose personal information may have been accessed.

KEY POINT: Depending on the number of individuals exposed, some statutes also require notification to credit reporting agencies.

Page 20:

IV. Internal Controls

Sarbanes-Oxley is relevant to data and intellectual property security.

It fits with the general requirement to maintain adequate internal controls and to safeguard a company's confidential information.

Some companies appoint oversight with the corporate compliance officer and in some cases appoint a data security officer.


Page 21:

Summary of Today’s Presentation

Today we discussed:

The impact of modern technology and the need to consider both its benefits and the inherent risks.

The fact that most data and IP theft comes from within an organization, including its employees, contractors and vendors.

IT, HR, Finance, and Compliance/Legal all have a duty to work together to create and enforce solid protocols.

Outsourcing creates additional risk opportunity and it needs to be proactively managed.

Page 22:

Summary of Today’s Presentation

Continued:

There are both federal and state statutes that affect your responsibilities to protect personal data, and even if your state does not have statutes, you may be bound if you have clients in states that do.

You are also at risk from wide-reaching negligence liability laws.

Internal controls and protocols to protect both data and intellectual property are a must.

And, as your business clients’ most trusted advisor, there is an opportunity for you to make sure this topic stays on the “front burner.”

Page 23:

Discussion Questions

1. To what extent does your organization currently protect its confidential information?

Whose responsibility is it?


Page 24:

Discussion Questions

2. Many companies are being urged to disclose more information to shareholders and other stakeholders.

To what extent does the protection of business data run counter to the objective of transparency?


Page 25:

Discussion Questions

3. What is the relationship between the corporate finance function and security?

How does it work at your organization? What could improve the situation?


Page 26:

Discussion Questions

4. What steps could be taken by your organization to minimize the possibility of computer fraud?


Page 27:

Discussion Questions

5. What would you do if you suspected that computer fraud was occurring, or had occurred, at your organization?


Page 28:

Next Steps

Review Handout Material for Additional Content Information

Review CPE Card

Access CPE Certificate by Completing Online Components Through www.accountant.adp.com

Thank you
