Protecting personal information using
Generally Accepted Privacy Principles
(GAPP) and Continuous Control Monitoring
to enhance corporate governance
Marilyn Prosch
Received (in revised form): 1st March, 2008
School of Global Management and Leadership, Arizona State University, PO Box 37100, Phoenix, AZ
85069, USA; E-mail: marilyn.prosch@asu.edu
Marilyn Prosch PhD is an Associate Professor of
Accounting Information Systems at Arizona State
University. She has met with or spoken to the US
Department of Commerce, US FTC, National Asso-
ciation of Secretaries of State, and the Arizona
Auditor General’s Office on the subject of GAPP,
and has conducted various research studies on
privacy breaches and GAPP.
EXECUTIVE SUMMARY
KEYWORDS: privacy, GAPP, data protection,
continuous monitoring
The first decade of the new millennium may well become
known as the era of data breaches. In a recent speech
given by the Federal Trade Commission’s (FTC) Chief
Privacy Officer, Marc Groman, he emphasised to the
National Association of Secretaries of States to prepare
well because ‘you will have a data breach’ (Washington,
DC, 18th February, 2008). This article discusses the
present privacy crisis and offers a solution to managing
and reducing privacy risk through the use of the AICPA/
CICA’s Generally Accepted Privacy Principles (GAPP).
When the court of public opinion or the FTC is grilling
an organisation regarding a data breach, the best defence
for the organisation is to provide evidence, such as adher-
ence to GAPP criteria or an actual GAPP audit, that
they were diligent and serious about data protection poli-
cies. Recently, the Chair of Her Majesty’s Revenue &
Customs in the UK resigned after 25 million Britons
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00 Vol. 5, 2, 153–166
www.palgrave-journals.com/jdg
had their personal information compromised and the inves-
tigation revealed that a mere $102,000 spent on data
redaction would have prevented the snafu (see references 1 and
2). Top management, including CEOs, CFOs, CISOs,
and CPOs all need to be aware of privacy risk manage-
ment issues and techniques to reduce privacy risk.
Researchers need to help advance the development and
measurement of privacy-enhancing techniques and the
implementation of GAPP in order to help move organi-
sations along the Privacy Maturity Model. This article is
written by a member of the AICPA’s Privacy Task Force
and a Certified Information Privacy Professional.
International Journal of Disclosure and Governance
(2008) 5, 153–166. doi:10.1057/jdg.2008.7;
published online 10 April 2008
‘If you haven’t heard of the Generally Accepted
Privacy Principles (GAPP), take stock: They’re
likely to become the most important new
source of requirements for your IT projects
sinceY2k and Sarbanes–Oxley.Why is this? The
accounting industry has closed ranks around
the idea that the GAPP is the best international
framework for assessing the privacy health of an
organization…. What is the GAPP? I have to
agree with the auditors on this one. It’s the best
attempt so far to address the main point of pain
for global chief privacy officers: the growing
complexity of privacy regulations around the
world.’ (Cline3)
International Journal of Disclosure and Governance 153
 Protecting personal information using GAPP and CCM
INTRODUCTION
When new positions are created at the ‘C’
suite level, that action sends the signal that top
management is taking related matters seriously,
hence the rise of the Chief Privacy Officer.
A list of relatively recent ‘first’ appointments
of CPOs could be given, but it would be a
long list. Such new appointments range from
the Department of Homeland Security, to the
State of Arizona, to Microsoft. In 2000, when
IBM named their first CPO, a Gartner analyst,
Bill Malik declared ‘The Chief Privacy Officer
is a trend whose time has come’.4 About the
same time that CPOs began to expand their
presence in corporate boardrooms, the Amer-
ican Institute of Certified Public Accountants
jointly with the Canadian Institute of Char-
tered Accountants (AICPA/CICA5) responded
by creating a Privacy Task Force in 2001 that
ultimately ended up developing what is now
known as Generally Accepted Privacy Prin-
ciples (GAPP). GAPP is a comprehensive
framework that provides specific criteria that
CPOs and other privacy and security experts
can use to assess, build, and monitor privacy
programmes. Ultimately, GAPP can be used to
perform privacy audits.
What is the driving force behind CPO
appointments and the development of GAPP?
The plain and simple answer is loss and theft
of personal information (PI). A plague of data
breaches has affected organisations of all types.
According to many sources at the time, 2005
was considered to be the worst year by far in
terms of the sheer number of privacy breaches
experienced by organisations.6 Unfortunately,
the negative trend has not ebbed. According
to the Identity Theft Resource Center, data
breaches in the US reached a record number
in 2007 with more than 79 million records
reported compromised.These data breaches have
significant costs and they are rising. According
to a study of actual data breaches conducted by
the Ponemon Institute, the average total per-
incident costs in 2007 for the US were $6.3m,
compared to an average per incident cost of
$4.8m in 2006. In the UK, the average total
154 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
per incident cost was lower, but still quite high
at Ł1.4m for 2007. Organisations of all types
are falling victim to these breaches. According
to the Privacy Rights Clearinghouse data, the
types of data breaches publicly reported for
2007 in the US affected the following types
of organisations:
• 95 government and non-profit agencies;
• 87 educational institutions;
• 51 healthcare organisations;
• 93 for-profit organisations.
In the UK, data breaches have also plagued
organisations. For example, in 2007 two com-
puter discs went missing from Her Majesty’s
Revenue & Customs. They contained the
personal details of all 25 million UK families
claiming a child benefit. The data were not
encrypted and contained information including
names, addresses, dates of birth, national insur-
ance numbers, and bank and building society
account details. Actually, data breaches occurred
before this ‘privacy storm’ began; however, new
data breach notification laws, such as Califor-
nia’s Civil Code Sections 1798.29 and 1798.82,
require that organisations notify the victims.
Such notification laws have now been enacted
in 38 US states. As discussed later, the EU has
historically been a leader in data protection
regulation; however, data breach notification
laws are still pending.
As the cost of data collection, storage, and
processing increasingly declines due to software
and hardware enhancements, the ability of indi-
viduals to control data kept by business and gov-
ernment entities also declines. Managing this
data becomes an important corporate govern-
ance issue because all organisations that collect,
use, or store PI face privacy risk. What is con-
sidered a precious asset by many organisations
is the object of concern by many individuals.
For example, in the past, businesses collected
data primarily about customers based on their
purchasing history. These same businesses, along
with ever-changing technology, now have web-
based and wireless capabilities that allow them
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00

to monitor and record other types of behaviour,
such as browsing activity, frequently without
the knowledge or consent of the individual.
‘The computer has been accused of harboring
a potential for increased surveillance of the
citizen by the state, and the consumer by the
corporation’.7
The objective of this paper is threefold.
First, a discussion of the cultural lag8 in the
management of PI that has resulted from the
advances in technology accelerating faster than
the capacity to control such information is
presented. The second objective is to intro-
duce the AICPA/CICA’s GAPP and to discuss
how these principles can be used in enhancing
corporate governance over PI by developing
and implementing Continuous Control Moni-
toring (CCM) environments that contain PI.
The benefits of using the criteria in GAPP and
incorporating them into CCM environments
are also discussed. Finally, a privacy maturity
model is presented to help guide researchers
and members of industry enhance data protec-
tion techniques.
TECHNOLOGY, PRIVACY, AND
CULTURAL LAG
Privacy issues, including both security and
corporate abuse of PI, are hotly debated in
the US between consumer advocacy groups,
privacy advocacy groups, legislators, regulators,
industry groups, and the press. Most state leg-
islators, frustrated with the lack of federal leg-
islation, have increasingly been enacting their
own legislation, with California often leading
the way. Internationally, the US has far less pri-
vacy protection for consumers and employees
than the EU, Canada, Australia, Switzerland, and
Argentina, among others.
As we consider the value of privacy pro-
tection of PI, one important question posed
by businesses as they are confronted by various
groups to invest in data protection and pri-
vacy enhancing technologies and processes is
this — what is in it for us? Cavoukian and
Hamilton9 espouse the benefits of the privacy
payoff to businesses, asserting that ‘being exposed
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00 Vol. 5, 2, 153–166
Prosch
as a privacy misfit can damage your company’s
reputation, lead to costly litigation and send your
customers running to the competition’.That book
was written by two Canadians, one of whom was
the Privacy Commissioner of Ontario at about
the same time that wide-sweeping federal legis-
lation was being phased in for all organisations
operating in Canada. The Canadian legislation,
Personal Information Protection and Electronic
Documents Act (PIPEDA), was largely based on
the European Commission’s 1995 Data Protec-
tion Directive. Increasingly, Canadian companies
find themselves with a competitive advantage
simply because they keep their customers’ data
in Canada and specifically are not sending it to
the US because it is considered to be better pro-
tected in Canada.10
A fundamental difference between the Euro-
pean Commission’s widely recognised and
pioneering EU Data Protection Directive and
the US privacy regime regarding employee PI
is succinctly stated as employer data collection
requirements (US) vs employee privacy rights
(EU). Anti-discrimination laws and worker
safety laws in the US require that employees
collect all types of PI, whereas the collection
of such data in the EU is generally strictly
prohibited. Consider that while Canada and its
provinces and the EU and its member countries
all have some form of Privacy Commissioner’s
office, the US has no equivalent position at the
federal level, and few at the state level.11
Regarding customers, the EU provides data
protection for all consumers that requires that
personal data on the internet be:
• processed fairly and lawfully;
• collected and processed for specified,
explicit legitimate purpose;
• accurate and current; and
• kept no longer than deemed necessary to
fulfil the stated purpose.
Further, users have the following rights:
• access to personal data;
• correction, erasure, or blocking of information;
International Journal of Disclosure and Governance 155
 Protecting personal information using GAPP and CCM
• objection to usage;
• objection to automated individual decisions;
and
• judicial remedy and compensation.
Since consumers in the US do not have the
same sort of data protection mandated in the
EU and Canada, among other countries, the
question to businesses is whether this pri-
vacy is valued. Millions of data transfers occur
every day between the US and EU, and the
EU Directive gives its member countries essen-
tially ‘a global reach’ with an attached liability
for noncompliance. Basically, non-European
companies have to meet the EU’s Directive
if they want to conduct electronic commerce
in Europe or risk legal action. In response to
the EU’s Directive, the US Department of
Commerce and the European Commission
developed a ‘safe harbour’ framework in July
2000 that allows US organisations to satisfy
specific requirements and ensure that personal
data flows to the United States are not inter-
rupted. The safe harbour framework provides
a solution to the differences between the EU
and US approaches to privacy protection and
ensures greater protection for EU citizen’s PI.
Many US privacy advocates are upset that the
implementation of safe harbour provisions by
US firms results in greater privacy rights for
foreign citizens than for the US’s own citizens.
To date, over 1,500 US companies have signed
up for Safe Harbour.
The cultural differences in these countries
have had a profound impact on the evolution
of privacy protection requirements. Cultural
differences can shape expectations, and expec-
tations can, to some extent, shape legislation
and regulatory requirements.12 Technology as
an enabler of the silent erosion of a reasonable
expectation of privacy is arguably occurring
in the US12 and to a lesser extent, in the EU
and Canada. The difference is likely due to the
cultural expectations of the two populations
and the approaches by government and regu-
latory agencies to either protect the consumer
(EU) or to protect business (US). The resulting
156 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
fundamental differences in privacy environ-
ments and privacy practices between these dif-
ferent cultures are reminiscent of a sentiment
made by Tinker13 that no reason exists ‘why
the social environment should be treated as
inevitable and immutable; it has to be created,
together with the institutions that populate it’.
Society’s expectations about privacy can actu-
ally be eroded.12
At this juncture in the US, the trajectory
that privacy issues will take, both now and in
the future, is uncertain. What is certain is that if
technological solutions are not offered in a cost-
effective manner in a largely self-regulated envi-
ronment, then the solutions offered will not be
embraced by organisations.The US is not alone,
however, in the concern by its citizens regarding
technological privacy protection, even though
it lags behind many other countries in privacy
legislation. A recent survey indicates that people
in Canada (66 per cent), Spain (62 per cent)
and the US (60 per cent) are similarly worried
about providing PI on websites.14
Marshall15 notes that the rapid rise of the
internet and electronic commerce has not
allowed the ethical support theory and imple-
mentation to develop at a fast enough rate to
maintain a proper balance between technology
and individual rights. This phenomenon can be
best understood when framed in Ogburn’s16
cultural lag theory where rapid technological
progress occurs with inadequate develop-
ment of ethical support for new technology.8
Rapid technological advances that easily allow
privacy infringements are widely in use, yet
little progress has been made enhancing pri-
vacy through technology.17 Data security and
flagrant breaches of privacy have reached an
epidemic stage, and consumers are begin-
ning to question whether they want to accept
the erosion of their privacy by the business
community.
Ethicists and groups, such as the Center for
Democracy and Technology, have been cham-
pioning privacy efforts since technology first
became available that easily and cheaply allows
e-surveillance; however, ‘until a technology has
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00

achieved a critical level of social diffusion suf-
ficient to engender popular controversy, broad
social attention is seldom given’.15 The relation-
ship between technology, social culture, and pri-
vacy controls is illustrated using an adaptation of
Ogburn’s cultural lag diagram in Figure 1.
Typically, Ogburn’s cultural lag theory is cat-
egorised as one of four types of cultural lags:
material culture accelerates faster than nonma-
terial culture, material culture accelerates faster
than other types of material culture, social cul-
ture accelerates faster than material culture, or
nonmaterial culture accelerates faster than other
types of nonmaterial culture.18 In explaining
the inter-relationships between privacy, tech-
nology, and consumer’s expectations, three ele-
ments are presented:
(1) material culture — technologies, such as
the internet and wireless devices, such as
RFID technologies;
(2) social culture — consumer’s expectations
of privacy; and
(3) material culture — privacy-enhancing tech-
nologies and controls, such as appointing
a CPO, image scrambling algorithms, and
encryption of PI both during data transmis-
sion and for data at rest.
a b
Technology
Social Culture
(Privacy Expectations)
Privacy-enhancing
Technologies & controls
Adjusted
Figure 1: Ogburn’s sequential time-paradigm of cultural lag technology, social culture, and
privacy controls
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00 Vol. 5, 2, 153–166
Prosch
The relationship among these three elements is
illustrated in Figure 1. Up until time a, tech-
nology, privacy expectations, and privacy con-
trols are all fairly congruent. New technologies
(such as clickstream data capture, global posi-
tioning systems (GPS), and wireless devices)
begin to get introduced at time a, at which
point in time social expectations and controls
over the new technologies became lagging
behind the new technologies. Then as mem-
bers of society begin to realise that the data
are being collected, shared, generated, and sold
among companies, and that the data are not well
protected against theft or loss, cries for greater
protection begin to be made at time b. During
the period between points b and c, the aware-
ness of privacy issues is raised and the increased
privacy expectations cause the community to
seek enhanced material culture in the form of
privacy-enhancing technologies and controls.
At this point in time, our society is some-
where between time periods b and c in
Figure 1. In 2005, 81 per cent of firms surveyed
experienced the loss of one or more laptops
containing sensitive information during the past
12 months (Ponemon Institute and Vontu19), 4
per cent of all Americans were affected by iden-
tity fraud in 2005,20 and well over 300 privacy
c
Maladjusted Adjusted
Time
International Journal of Disclosure and Governance 157
 Protecting personal information using GAPP and CCM

breaches were reported in 2007 affecting mil-
lions of people, according to the Privacy Rights
Clearinghouse. A study conducted by Javelin
and the Better Business Bureau found that for
a 12-month period ending in early 2006, 8.9
million individuals in the US were victims of
identity fraud. Further, the average amount
per fraud victim was $6,383 and the average
fraud resolution time spent by each victim
was 40 h!
Thus, technology has accelerated faster than
associated controls and monitoring technolo-
gies have been developed and implemented,
and a period of maladjustment has resulted. We
have reached a point where much focus needs
to be placed on good corporate governance
regarding the protection of PI and on creating
and implementing privacy-enhancing tech-
nologies and controls so that the environment
can approach an adjusted state. The next sec-
tions discuss current privacy technologies and
the need for privacy-enhancing technologies
and controls that are designed to be effective,
continuous, measurable, and auditable, so that
members of society can be assured that their
privacy needs are being met.
DATA TOUCHPOINTS AND ASSOCIATED
TECHNOLOGIES
In this section we discuss the technological
changes that have occurred, as indicated in
the line segment ab labelled ‘Technology’ in
Figure 1. This section discusses both the data
touchpoints and the technologies that facili-
tate the collection, use, and disclosure of such
data. Events where data are collected, processed,
stored, or used are considered to be touchpoints.
Figure 2 illustrates such touchpoints and the
many times and ways in which data may be
replicated. Personal data may be collected in
digital format directly from the individual
when he/she is on the internet. For instance,
individuals may enter data to complete online
purchases, register products for warranties, or
subscribe to various services. Data about an

Actions by Initial Organizational Family Affiliate

Individuals Business System Business

Internally
Generated Data Sharing
data Forward Transfer Transaction/
Data entry, operational
browsing database
Data
activity
Entry

Data
Transaction/ Transaction/
operational Sharing operational
Manually
Submitted Data database database

data Entry

Periodic
transfer

In-store Data
Data Data Data Data
purchase Warehouse Warehouse
Sharing Warehouse Sharing

Figure 2: Data touchpoints*

*AICPA’s understanding and implementing privacy services

158 International Journal of Disclosure and Governance Vol. 5, 2, 153–166 © 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00

individual’s online activities, such as which
web pages are examined and/or for how long,
or logs of internet chat sessions may be cap-
tured as well. Medical histories or offline retail
purchase transaction data may be collected on
paper-based forms and later entered into the
computer.
Once personal data are collected, it may be
stored in an organisation’s operational data-
bases and further copied into data warehouses
where it can be accessed and downloaded by
employees for various purposes. Improved tech-
nologies and declining cost of storage make data
replication and data sharing easy and inexpen-
sive. Personal data may be shared with others
either within the Organisational Family system,
as depicted in Figure 2, or with unaffiliated
third parties. Organisations may send personal
data on to affiliate organisations for a variety
of reasons:
• to help process the transaction (eg credit
card company);
• to help fill orders (eg a transportation com-
pany or a supplier that is drop-shipping to
the customer);
• to outsourcers who process data on behalf
of the organisation; and/or
• for marketing or other negotiated pur-
poses.
Organisations that collect personal data should
disclose with whom and why personal data will
be shared. Data replication and data sharing also
present challenges related to data quality. Cor-
rection of erroneous data and destruction of
stale or outdated data becomes especially dif-
ficult once the data have been replicated and
shared with others. Keeping track of the per-
sonal data transferred to affiliates at any given
point in time is very difficult. Over time, an
organisation may have many data sharing agree-
ments with different companies, which further
compounds the problem.
Data backup and recovery procedures can
also add to the difficulty of fulfilling correc-
tion and deletion requests. Data in master or
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00
Prosch
reference files that have either been corrected
or deleted since the last backup may have the
errors reintroduced if backup restorations are
made and the updates are lost. Data at rest and
data in transit are both at risk; the number of
laptop thefts/losses as mentioned earlier is at
an unacceptably high level — 81 per cent of
firms surveyed experienced such losses in 2005.
Wireless devices, by definition, are vulnerable to
interception, so PI sent over these devices, like
all other confidential information, needs to be
secured with some form of encryption.
Wireless devices are increasingly equipped
with GPS devices. For instance, technology
has been developed to allow the location of
cell phone users to be identified to allow fire
and police rescue workers to be able to pin-
point 911 callers. Many privacy advocates are
concerned about what businesses will do with
wireless devices that enable the recording of
the device’s location and time. The term auto-
matic location identification (ALI) data has
been coined to represent these type of data.
A concern by many individuals is having their
whereabouts tracked and linked to their per-
sonally identifiable information.
Another related issue being debated by pri-
vacy experts is the use of RFID tags. RFID
tags contain microchips and very small radio
antennas than can be attached to products.
They transmit a unique identifying number to
an electronic reader, which in turn links to a
computer database where information about
the item is stored. Some privacy advocates are
concerned about these devices being placed in
items which can be read very easily from a
distance and personal items being used to track
both the whereabouts of individuals and per-
sonal use patterns of such devices. Here again,
the public is concerned about having PI linked
to devices that can track location. A further
concern is the possibility that such data might
be shared with others. However, on the flip side,
the family of a patient with Alzheimer’s may
find it comforting to know that local hospitals
can immediately read the RFID tag when a
wandering patient is admitted into the hospital.
Vol. 5, 2, 153–166 International Journal of Disclosure and Governance 159
 Protecting personal information using GAPP and CCM
Also, tracking and protecting inventory can be
enhanced with the use of RFID devices, so
the challenge for management is to find a bal-
ance between justifiable business needs and the
protection of PI.
Organisations struggle to find a balance
between organisational goals of improved
efficiency and better customer service and
the individual’s desire for protection of per-
sonal privacy. Top management must consider
these trade-offs. For example, if a marketing
firm ‘learns’ that an individual travels a certain
route everyday, it could send them a wire-
less advertisement or coupon codes for gas
stations, restaurants, or bars located on the
route. Depending on whom you ask, this
could be construed as intelligent marketing or
an annoying invasion of privacy. In terms of
‘good’ privacy practices, such advertisements
should only be sent if the individual has agreed
to have their locations tracked and if they
want to receive such advertisements. Data
quality, including age and accuracy of data,
should be considered by management. Storing
data just because ‘you can’ may actually increase
privacy risk.
Given the developments in technology that
allow organisations to collect a multitude of
types of PI, as well as requirements by some
industries, states, and other countries, many
software consortiums and vendors have already
developed privacy-enhancing technologies.The
current reality is that many privacy-enhancing
technologies exist and are available for imme-
diate implementation. Prosch21 discusses the
need to protect PI from ‘cradle to grave’ as well
as the types of technologies currently available
for each phase of the data lifecycle. Existing
technologies can help to move the Privacy,
Social Culture, and Privacy Controls environ-
ment from a period of maladjustment to adjust-
ment as indicated by point c in Figure 1 where
harmony among these three constructs is once
again achieved.
For example, the current marketplace offers
various piecemeal privacy-enhancing technolo-
gies, that when implemented, can dramatically
160 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
reduce the risk of data breaches or loss of PI.
Encryption packages and one-time passwords
are prevalent in practice. Lo-jack protection for
lost or stolen computers is available. Also, soft-
ware is available that can scan files looking for
unprotected, confidential information, monitor
servers examining all files being passed through
servers, and actively block email and web com-
munications that contain confidential data,
including email and web transfers.
GAPP AND ACCOUNTANTS AS
PROVIDERS OF ASSURANCE SERVICES
In 2001, the AICPA formed a Privacy Task
Force to develop a Privacy Framework and
Criteria that resulted in the formulation of
GAPP that can be used by accounting firms
of all sizes to provide privacy services and assur-
ances to their clients. As mentioned previously,
various US and international legislative acts
have been passed. This myriad of legislation
can make privacy assessment and compliance
an overwhelming task. One objective of the
AICPA’s task force is to provide a consistent
framework for developing sound, auditable
privacy practices that when implemented will
likely comply with any applicable legislation.
Accountants are uniquely qualified to provide
and implement comprehensive privacy services.
Greenstein and Hunton22 give the following
reasons why accountants are uniquely qualified
to provide these services. Accountants have the
ability to:
• comprehensively understand both current
and future statutory regulations that may
be applicable to a firm;
• assess the risk faced by a firm for inadequate
privacy policy and practices;
• align systems and infrastructure with devel-
oped policies and close any privacy gaps;
• design both high-level plan and detailed
working documents in order to achieve
privacy compliance;
• identify the various privacy components, as
well as build and implement any necessary
changes to them to close any privacy gaps;
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00
 Prosch

• assess the adequacy of privacy policies and
practices of relevant business partners and
service providers;
• monitor the implemented system’s compli-
ance with its stated policies and practices.
Each of these core skill sets is based on activi-
ties that accountants have been performing for
decades in their attest, assurance, and tax advi-
sory services. Further, a major problem with
stated privacy policies is that a consumer has no
real way of knowing whether a firm abides by
them. For example, if a consumer requests that a
firm erase PI from their database, such as items
browsed on a website over the past five years,
they have no way of knowing whether these
data were in fact purged on both its operational
database and its archived databases. Accountants
are uniquely positioned to provide an assurance
function over compliance with stated privacy
practices.
The Federal Trade Commission (FTC) inves-
tigates and sanctions organisations that inad-
equately protect PI, and have required that
some of them, such as Petco, Tower Records,
Microsoft, and ChoicePoint, obtain a third-
party privacy audit every two years for a period
of 10–20 years.While the FTC does not specify
by whom or what standards these audits should
be performed, GAPP provides a sound set of
auditable privacy criteria upon which top man-
agement can rely. GAPP is composed of ten
Privacy Principles and 66 auditable criteria with
examples. GAPP is founded on key concepts
from significant domestic and international pri-
vacy laws, regulations, and guidelines. The ten
principles are listed and defined in Table 1. The
FTC tends to focus on security that is one
of the ten principles of GAPP. Thus, GAPP is
more comprehensive than what is required by
the FTC in its orders to companies that have
experienced data breaches.
GAPP is presented in three-column format.
The first column contains the criteria.23 The
second column, which contains illustrations and
explanations, is designed to enhance the under-
standing of the criteria. The illustrations are not
intended to be comprehensive, nor are any of the
illustrations required for an entity to have met
the privacy criteria. The third column contains

Table 1: AICPA Generally Accepted Privacy Principles

1 Management. The entity defines, documents, communicates, and assigns accountability for its privacy
policies and documents.
2 Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes
for which personal information is collected, used, retained, and disclosed.
3 Choice and consent. The entity described the choices available to the individual and obtains implicit or
explicit consent with respect to the collection, use, retention, and disclosure of personal information.
4 Collection. The entity collects personal information only for the purposes identified in the notice.
5 Use and retention. The entity limits the use of personal information to the purposes identified in the
notice and the information for which the individual has provided implicit or explicit consent. The
entity retains personal information for only as long as necessary to fulfill the stated purposes.
6 Access. The entity provides individuals with access to their personal information for review and update.
7 Disclosure to third parties. The entity discloses personal information to third parties only for the pur-
poses identified in the notice and only with the implicit or explicit consent of the individual.
8 Security. The entity protects personal information against unauthorised access (both physical and logi-
cal.
9 Quality. The entity maintains accurate, complete, and relevant personal information for the purposes
identified in the notice.
10 Monitoring and enforcement. The entity monitors with its privacy policies and procedures to address
privacy-related inquiries and disputes.

© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00 Vol. 5, 2, 153–166 International Journal of Disclosure and Governance 161
 Protecting personal information using GAPP and CCM
additional considerations, including supplemental
information such as good privacy practices and
selected requirements of specific laws and regula-
tions that pertain to a certain industry or country.
Within each principle, the criteria are organised
as either policies and communications or proce-
dures and controls. The following table illustrates
a breakdown of each component by the number
and type of criteria for each principle.
Criteria Principles
1 2 3 4 5 6 7 8 9 10 Total
Policies and 3 2 3 3 2 2 3 2 2 2 24
communica-
tions
Procedures 7 3 4 3 2 7 4 6 2 4 42
and controls
Total 10 5 7 6 4 9 7 8 4 6 66
CCM ENVIRONMENTS AND GAPP
As mentioned earlier, the ability to collect PI has
accelerated faster than the ability to control and
monitor it. Privacy-enhancing technologies and
methodologies are in their infancy in terms of
adoption. Developing privacy-enhancing tech-
nologies and methodologies with a continuous
monitoring/assurance perspective makes good
business sense given the plethora of recent pri-
vacy breaches, and it will also strengthen gov-
ernance over an organisation’s operations. With
traditional financial audits, ‘the major obstacle
to adopting a continuous process remains the
lack of commitment by organizations to invest
in the technology required to develop and
implement a continuous auditing process’.24
The same arguments are being made on the
privacy assurance front as well. However, great
opportunity exists for companies developing/
enhancing privacy regimes to design continuous
monitoring and reporting components into the
system since we are still in the early development
stages. Practitioners are currently using GAPP as
a consulting framework with the goal of helping
162 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
organisations adopt a best practices mindset.This
will hopefully lead organisations down a path
that will ultimately allow them to meet all of
the relevant GAPP criteria in the future.
GAPP does not specifically have continuous
audit requirements, but it does have many
process-related criteria that lend themselves
well to continuous monitoring and reporting
processes. Thus, while the formal assurance
opinions that can currently be rendered are for
a historical period, the ‘process’ requirements
contain many salient ingredients for a CCM
environment. CCM is a management method-
ology aimed at facilitating corporate operations,
supervision, and meta-supervision through the
constant measurement of corporate activity, its
comparison against standards and the reporting
of discrepancies leading to corrective manage-
ment action.24 Further CCM techniques may
also be used to monitor PI and evaluate it more
frequently than the ‘historical’ perspective.
A PRIVACY LIFECYCLE MATURITY
MODEL
In this section, a Privacy Lifecycle Maturity
Model is presented that can be used to guide
researchers and industry. The Capability Matu-
rity Model (CMM) developed by the Soft-
ware Engineering Institute is the methodology
used as the basis for the proposed model. The
CMM model is a five-level evolutionary path of
increasingly organised and systematically more
mature processes, and its terminology has been
adapted to reflect data protection processes.
The model is graphically depicted in Figure
3. Also depicted in Figure 3 is an estimate of
the number of organisations currently in each
phase and the risk of data breach. Each of these
maturity stages is discussed.
At the initial level, data protection processes
are disorganised, even chaotic. Success is likely
to depend on individual and compartmentalised
efforts. For example, encryption on websites
may occur primarily by happenstance because a
third-party shell site was used, and the payment
page is encrypted by default. Different servers
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00

High
Ad hoc
adaption
Number of Organizations
of privacy
enhancing
technologies
& policies
Limited
Privacy
Policies and
Procedures
Developed
Low
Initial Repeatable
High
Figure 3: Privacy Lifecycle Maturity Model
throughout an organisation may not use sim-
ilar encryption methods. Treatment of paper-
based documents with PI may vary widely by
department and branch office. Employee use
and protection of PDA devices that transmit or
store PI may vary widely. The organisation may
not even be fully aware of which employees
are using PDA devices to access business data.
Whatever data protection processes exist are
not considered to be repeatable, because they
are not sufficiently defined and documented to
allow them to be replicated.
The second stage is considered to be the
repeatable level because basic data protection
techniques are established. For example, encryp-
tion of data on laptops may be used in cer-
tain applications. The laptops of all accounting
employees may be required to have the financial
data on it encrypted. However, the laptops of the
sales department may not have this requirement,
and the PI of customers may reside on these
laptops. The successes of encrypting the data
on the accountants’ laptops could be repeated,
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00
Prosch
Continuous
Enterprise-wide, Privacy
data life cycle Monitoring
management
GAPP Audit
Defined Managed Optimized
Number of Data Breaches Low
because the requisite processes would have been
established. Thus, in the repeatable phase some
data protection processes are beginning to be
established and deployed in certain parts of the
organisation.
In the next stage, the processes are being
specifically defined. An organisation has devel-
oped its own standard processes through
greater attention to documentation, standardi-
sation, and integration across the entire enter-
prise. With data protection, the weakest link
can be the porthole through which the data
leaks or even pours out. All PI throughout
the entire enterprise must be protected. A
company cannot protect data that it does
not know it has. This stage cannot be met
until a complete inventory of all PI has been
taken and documented — from cradle to grave.
Each and every copy or transfer of data must
be considered. The transfer of data to and
from third parties, as well as the collection
and processing of data by third parties must be
considered as well.
Vol. 5, 2, 153–166 International Journal of Disclosure and Governance 163
 Protecting personal information using GAPP and CCM
At the managed level, an organisation moni-
tors and controls its own processes through
data collection and analysis. Organisations that
outsource any of their data processes need to
have an assurance that each of their third-party
processors have data protection policies at least
equivalent to their own. Merely ‘trusting’ an
outsourcing organisation to comply with its own
privacy policies and or contractual agreements is
not sufficient.While data processing can be out-
sourced, responsibility cannot. According to the
research conducted by the Ponemon Institute,25
breaches by third-party organisations in the US
were reported by 40 per cent of respondents, up
from 29 per cent in 2006. Also, in the UK, one-
third of the breaches studied by the Ponemon
Institute resulted from data being shared with
third parties in the normal course of business.
The implication is that, in order for businesses
to progress along the privacy maturity model,
the third-party data processors must provide
their customers with assurances regarding their
own data protection policies and procedures. In
reality, this will be more efficient for the third-
party processors. Rather than have to deal with
multiple audit teams sent by their customers,
they can choose to hire an auditor to examine
their organisation’s privacy policies and proce-
dures. The auditor can use GAPP as the criteria
for assessment and then they can provide an
assurance opinion that the third-party processor
can share with their customers.
Once an organisation is comprehensively
managing its data protection practices through
data collection and analysis, it will be prepared
to engage an accountant to perform a GAPP
audit. Putting adequate processes in place that
will allow an organisation to ‘pass’ a GAPP
audit should substantially reduce an organi-
sation’s risk of a data breach, but risk cannot
be eliminated. As recently mentioned by the
FTC’s Chief Privacy Officer, Marc Groman, in
a speech to the National Association of Secre-
taries of State (Washington, DC, 18th February,
2008),‘You will have a data breach’. When the
court of public opinion or the FTC is grilling
an organisation regarding a data breach, the best
164 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
defence for the organisation is to provide evi-
dence, such as adherence to GAPP criteria or
an actual GAPP audit, that they were diligent
and serious about data protection policies.
At the optimising level, processes are continu-
ously improved through monitoring feedback
from current processes.The feedback serves two
purposes: monitoring and improvement. Moni-
toring activities encompass both policies and
communications and procedures and controls,
but not necessarily over the same time intervals.
Management has to carefully assess which proc-
esses and controls need to be monitored in real
time and which can be monitored in intervals,
and then determine the appropriate intervals.
Email communications, for example, may be
monitored in real time to verify whether PI
is being transmitted, by whom, and to whom.
Verification checks before sending the message
may or may not be used in real time.
Feedback is also a key component in the
optimising stage. For example, monitoring
techniques may indicate that a piece of data
that is currently being collected is no longer
used in any process, and management may, as a
result, determine that the risk of collecting and
protecting such data is greater than the benefit
of possessing it. For example, a website that
collects clickstream data recording children’s
activities on a website may realise it is not actu-
ally using the data once it becomes older than
a month. At that point, based on the feedback
from the monitoring system, it may choose to
purge the old fields of non-relevant data. A
privacy-enhanced CCM environment has the
potential to greatly reduce privacy risk.
DISCUSSION
The accounting profession has recognised
that protection of PI is an important aspect
of controlling an organisation’s systems and
business environment. Undoubtedly, material
and social lags have occurred between pri-
vacy-invasive technologies, consumers’ aware-
ness and expectations of privacy issues, and
privacy-enhancing technologies. Accountants
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00

are already guiding top management in imple-
menting sound ethical and reliable systems,
and corporate accountability for controls has
increased due to Sarbanes–Oxley. Many of
the tasks involved in protecting PI build upon
characteristics and skills that members of the
accounting profession already possess.26 Some
of the complications and potential problems
associated with the use of traditional assurance
methods for businesses with digital operating
environments have been previously discussed
with a call for members of the accounting pro-
fession and researchers to think more holisti-
cally about continuous controls.26 GAPP is a
giant step forward towards continuous controls
in a larger domain area than financial reporting.
Further, the accounting profession has tangibly
responded to the cultural lag by developing a
comprehensive set of auditable privacy criteria,
GAPP, that fosters the enhancement of corpo-
rate governance over PI.
REFERENCES
1 Leatham, S. (2007) ‘Data breach affects
25 million Britons’, Ireland IT Newsletter,
22nd November, 2007.http://www.enn.ie/
article/10123479.html.
2 Shifrin, T. (2007) ‘UK data breach: Stripping
the data “would have not have been costly,”’,
Computerworld Online, 6th December, 2007.
3 Cline, J. (2007) ‘Mind the GAPP: Account-
ants bring GAAP-like principles to the privacy
sphere’, Computerworld Online, 6th December,
2007.
4 Wilcox, J. (2000) ‘IBM appoints chief privacy
officer’, news.com, 28th November, 2000,http://
w w w. n ew s . c o m / I B M - a p p o i n t s - c h i e f -
privacy-officer/2100-1001_3-249135.html.
5 AICPA/CICA (2006). Generally Accepted
Privacy Principles, AICPA/CICA, New York, NY.
6 Lemos, R. (2005) ‘Data security moves front
and center in 2005’, Security Focus’, 29th
December, 2005, http://www.securityfocus.
com/news/11366.
7 Clarke, R. A. (1988) ‘Information technology
and dataveillance’, Communications of the ACM,
31(5), 498–512.
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00
Prosch
8 Ogburn, W. F. (1966). Social Change, Dell Pub-
lishing, New York, NY.
9 Cavoukian, A. and Hamilton, T. (2002). Privacy
Payoff, McGraw-Hill, New York.
10 McQuay, T. (2006) ‘Privacy is changing out-
sourcing in Canada’, Globeandmail.com, 27 July.
11 The Patriot Act of 2002 created a Chief Pri-
vacy Officer under the Department of Home-
land Security; however, this position is not
considered equivalent because of where it is
housed.
12 Shapiro, B. and Baker, C. R. (2001) ‘Informa-
tion technology and the social construction of
information privacy’, Journal of Accounting and
Public Policy, 20, 295–322.
13 Tinker, T. (1988) ‘Panglossian accounting
theories: The science of apologizing in style’,
Accounting, Organisations and Society, 13(2),
165–189.
14 Zureik, E., Stalker, L., Smith, E., Lyon, D. and
Chan, Y. (2008). Privacy, Surveillance, and the
Globalization of PI: International Comparisons,
McGill-Queens University Press, Kingston,
forthcoming.
15 Marshall, K. (1999) ‘Has technology intro-
duced new ethical problems?’, Journal of
Business Ethics, 19, 81–90.
16 Ogburn, W. F. (1957) ‘Cultural lag as theory’,
Sociology and Social Research, 41, 167–174.
17 Karat, C. M., Brodie, C. and Karat, J. (2006)
‘Usable privacy and security for personal
information management’, Communications of
the ACM, 49(1), 56–57.
18 Brinkman, R. L. and Brinkman, J. E. (2005)
‘Cultural lag: A framework for social justice’,
International Journal of Social Economics, 32(3),
228–249.
19 Ponemon Institute and Vontu, Inc (2006). 2006
Cost of Data Breach Study,Vontu, San Francisco,
CA.
20 Weiss, T. (2006) ‘Customers don’t want data
handled by outside vendors: They’ll likely go
elsewhere if a data breach occurs’, Computer-
world Online, 24th October, 2006.
21 Prosch, M. (2008) ‘Preventing identify theft
throughout the entire data life cycle’, Working
Paper, Arizona State University.
22 Greenstein, M. and Hunton, J. (2003)
‘Extending the accounting brand to privacy
services’, Journal of Information Systems, 17(2),
87–110.
Vol. 5, 2, 153–166 International Journal of Disclosure and Governance 165
 Protecting personal information using GAPP and CCM
23 These criteria meet the definition of ‘criteria 24
established by a recognized body’ described
in the third general standard for attestation
engagements in the United States in Chapter
1 of Statement on Standards for Attestation 25
Engagements No. 10, Attestation Engagements:
Revision and Recodification (AICPA, Professional
Standards, vol. 1, AT sec. 101.24), as amended, 26
and in the standards for assurance engage-
ments in Canada (CICA Handbook, paragraph
5025.41).
166 International Journal of Disclosure and Governance Vol. 5, 2, 153–166
Alles, M., Kogan, A., Vasarhelyi, M. A. and
Warren Jr., J. D. (2007). BNA Accounting Policy
and Practice Portfolios. Buchanan Ingersoll &
Rooney PC, ISSN 1933-0243.
Ponemon Institute and Vontu, Inc (2007).
2007 Cost of Data Breach Study, Vontu, San
Franscisco, CA.
Greenstein, M. and Ray, A. (2002) ‘Holistic,
continuous assurance integration: E-business
opportunities and challenges’, Journal of Infor-
mation Systems, 16, 1–20.
© 2008 Palgrave Macmillan Ltd. 1741-3591 $30.00