By: K Royal, technology columnist for AccDocket.com, and vice president, AGC privacy, and compliance/privacy officer at CellTrust Corp.
With an ever-increasing number of vendors to manage who handle personal data, and with the need to assure customers that you yourself are trustworthy with personal data, there are many choices on how to seek and/or provide assurance. Often, customers start asking for a SOC2 without even knowing what it is, just that it is a phrase being tossed around in compliance or privacy circles. Are there alternatives to a SOC2? Do certifications have to be done by a third party? And more questions follow. Let’s discuss some basics about how to “prove” safe and adequate handling of personal data.
The first thing to understand is that there is very little that can “prove” that any company (whether an individual, government entity, corporation, etc.) is engaged in safe or adequate data handling processes. Handling personal data properly is something that should be baked into a company’s culture. Proof would require actually watching the company and its personnel over time and in various activities. Instead, we engage in due diligence (or we should).
Due diligence is the process of vetting a company to gauge whether it has the proper controls in place and to determine whether it is a well-established, stable organization worth engaging as a vendor. Due diligence should be done for any vendor you engage with, but you should have a risk-based priority list. Part of the risk consideration should be whether the vendor handles personal data and, if so, whether there are any specifics about that data that require an increased level of protection, such as medical, race or ethnicity, or financial data, data on minors, or data from a geographical area that provides for greater protection. Due diligence includes ongoing monitoring, and you should make sure in the contract that you have audit rights on vendors that are in risky categories.
Now, let’s get to assurances of safe data handling that you should be looking for when doing your due diligence.
Audit reports can be first-, second-, or third-party reports. First-party audits are what you do to look at your own company using internal audit or a similar process. Second-party audits occur when you review a vendor, or a customer reviews you. Third-party audits are those performed by a (hopefully) independent third party with the credentials to make an objective finding. These findings may result in a certification, report, seal, license, award, or similar type of recognition.
Audits should be conducted against a generally accepted set of industry standards that the company is expected to adhere to. In this short article, I do not pretend to know or list all the types of audit frameworks, but I will address the most common ones I see in practice.
SOC stands for Service Organization Control and was developed by the AICPA (American Institute of Certified Public Accountants). SOC reports evolved from the prior SAS70 reports and now come in three main flavors. SOC1 is essentially the SAS70 and serves to gauge a company’s controls over financial reporting. SOC2 was developed because customers wanted some type of official report and kept asking vendors for SAS70s even when there was no financial reporting involved. SOC2 reviews a company’s controls on security, availability, processing integrity, confidentiality, or privacy related to personal data. SOC3 is a more basic form of SOC2 and should be used when you don’t really understand the controls being evaluated and just want a basic report that provides the essentials.
Both SOC1 and SOC2 come in a Type 1 and a Type 2. Both types provide a description of the system and the suitability of its design; the difference is that Type 2 adds the operating effectiveness of the controls over a period of time. Thus, the most detailed report for financial reporting is a SOC1, Type 2, and for personal data protection a SOC2, Type 2.
Some common standards/frameworks include both developed standards and regulations/laws that require certain controls. Where applicable, the part most relevant to personal data protection is listed, even though there are many more standards available:
- COBIT: Personal Information Protection and Electronic Documents Act (Canadian private sector); and
- SOX: Sarbanes-Oxley Act (US public companies).
This is only a partial list. Most third-party audit companies will audit against a set of standards, which may be captured in regulations or laws, or they will use a common set of standards (NIST, ISO) as their baseline. The types of personal data involved, the location of the company or of the individuals whose personal data is involved, and the industry will determine which standards you will want to confirm the company follows.
Keep in mind that in most cases you will only receive a snapshot of a moment in time at which the auditor reviewed the controls and perhaps interviewed key personnel. Diligent companies, especially those subject to SOX, will be audited annually and should be able to provide you with an adequate report for your due diligence.
There are a couple of special issues to also note. One, companies that use a colocated data center (where the data center vendor owns the building and provides all the physical security and management, but the company owns the equipment for data storage and processing) may rely on the audit report for the data center. It is good that they perform due diligence on their vendor, but that report does not speak to the controls of the company itself. You need both.
Next, if you want to work with a vendor and they don’t have these reports, you will need to determine how to address that. You can do your own audit; you can hire an independent firm to do an audit; you can put it in the contract that they will obtain an audit (and provide specifics if you want specifics, then follow up); or you can rely on other indicators of their controls. You need to make sure that your due diligence is adequate for the personal data involved and that you would not be found negligent for failing to perform a certain level of diligence or to require a certain level of controls.
For further reading about the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as integrating policies and practices with systems and security features.