It will never happen here-our data will not be disclosed!" Unfortunately, it can happen, and it has. Every month there are new stories about data that has been compromised or stolen. For example, in May 2011 the big news item was Sony-the company shut down internet services in many countries, including Canada, after more than 100 million customers had their data compromised. Gaming systems and online shopping sites (such as the company's eShop cellular telephone store) were affected. New systems providing automated services, such as ATMlike drug kiosks, hold customer data that needs to be protected. Auditors could help these organizations design and tes privacy policies and practices. A privacy assurance engagement includes examining how information is used, accessed, stored, and retrieved. For example, how are passwords managed, and how is information encrypted when stored on removable devices or transmitted to remote locations? Effective password management and encryption address both risks of privacy violation and other risks of data exposure.
APPLYING YOUR PROFESSIONAL JUDGMENT
1. What are some of the ways that information could be accessed from a gaming system or an automated drugdispensing machine?
2. What types of skills would be required of a professional team called upon to do a privacy assurance engagementat Sony?
3. What types of auditors could complete a privacy assurance engagement?