Page 16 - CITP Review
surrounding their clients’ industries and should educate management as well. Failures and breaks in
processes could result from gaps in poorly documented policies and procedures.
Internal policy
Management should develop P&P related to information, and the ILM should provide a list of items to be
considered. Compliance with those P&P should be monitored through the various processes and measures
established by management.
Regulatory
There are several federal and state regulations related to personally identifiable information (PII),
that is, information that could potentially give someone access to financial assets or personal medical
information.
From the federal perspective, there is the Health Information Portability and Accountability Act (HIPAA) of
1996. The Administrative Simplification provisions of HIPAA require health care entities to provide
reasonable privacy and security for PII in health data. Management of health care entities obviously
needs information P&P and monitoring to ensure compliance with this legal requirement. [5]
Another key federal law is the Gramm-Leach-Bliley Act (GLBA) of 1999, which applies to financial
institutions such as commercial banks, investment banks, securities firms, and insurance companies. [6]
Some key aspects of GLBA also apply to other entities that receive PII, such as credit reporting agencies,
appraisers, mortgage brokers, and so on. [7]
One of these relevant information-related aspects is known as the Safeguards Rule, which requires
financial institutions to design, implement, and maintain safeguards to protect customer information.
The requirements include a written information security (infosec) plan that describes how the entity plans
to protect the PII of past and present consumers. Affected management would need to study how they
manage private data and perform a risk analysis to properly comply with GLBA. [8]
The first and probably most influential state law was California SB-1386, the California Database Breach Act
of 2002. Effective July 1, 2003, residents of California whose unencrypted PII was, or is reasonably
believed to have been, acquired by an unauthorized person must be notified by the entity that suffered the breach.
In other words, any agency, person, or business that conducts business in California and owns or
licenses digitized PII must disclose any security breach to the residents affected. [9]
[5] See www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html,
accessed August 28, 2019.
[6] See www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/DownloadableDocuments/
editedGLBAChecklist_FINAL_OK.doc, accessed August 28, 2019.
[7] See https://blog.aicpa.org/2017/11/the-gramm-leach-bliley-act-still-applies-to-cpas.html#sthash.oqFOrAko.dpbs,
accessed August 28, 2019.
[8] Some of this paragraph is taken from http://en.wikipedia.org/wiki/GLBA.
[9] See https://oag.ca.gov/privacy/databreach/reporting, accessed August 28, 2019.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-8