Data privacy and security

Group workshop during the Global New Partners seminar at Deloitte University.

Committed to securing client and Deloitte information

Few organizations are as active as Deloitte in helping business and government institutions fight online attacks and build cyber resilience. Our vigilance begins at home, where it's critical that we protect our own data and can assure privacy for our people and member firm clients.

Like many companies, DTTL and its member firms review new technologies and services and have established robust processes to assess whether cloud and other solutions can meet our internal privacy and security standards before they are adopted.

Built-in compliance

DTTL and its member firms have moved rapidly to keep their privacy and security policies and practices up to date with global mandates and stakeholder expectations. DTTL's global policy on information security requires member firms to institute a wide range of security measures, covering areas such as virus protection, data backup and recovery, encryption, password authentication, access to systems, and network security.

Deloitte member firm compliance with security policies is tracked through an annual IT Standards, Risk and Maturity Assessment. Compliance with security policies at the global hosting center level is monitored through the Global Technology Services (GTS) Security Forum.

During FY2013, DTTL developed a privacy self-assessment system to monitor privacy program maturity across our organization using 20 different criteria. This will help DTTL and the member firms understand which tools, if any, could further strengthen information protection and privacy within Deloitte. DTTL's information security specialists provide guidance to member firms to strengthen their information security regimes when necessary.

The DTTL Global Information Security Office released a series of short videos to Deloitte professionals around the world to reinforce the safe use of online social networks such as LinkedIn and Facebook. The U.S. member firm created additional videos on phishing and on laptop and PDA security, which were made available to all member firms. In addition, role-based security, privacy, and ethics roadmaps, with sample courseware and other materials, have been developed for member firms to use as a framework for building local awareness curricula.

Safe Harbor Certification

In November 2012, Deloitte Touche Tohmatsu Services, Inc. (DTTS), recertified its adherence to the Safe Harbor Framework, which bridges differences between U.S. and European Union (EU) approaches to privacy protection. DTTS goes through an extensive privacy-verification process each year before making this annual Safe Harbor recertification. The Safe Harbor Framework, agreed between the U.S. Department of Commerce and the European Commission, gives U.S. organizations a set of requirements for complying with the European Data Protection Directive, which, among other matters, governs the transfer of personal information from the EU to third countries such as the United States.

During FY2013, improvements were made to internal Safe Harbor privacy compliance verification processes, including the development of an automated system to assess compliance with policy and Safe Harbor requirements. The new tools make it possible to maintain better historical records, make year-over-year comparisons, and identify and retrieve privacy information on demand.

During the past year, DTTL has also made significant progress on a new effort to further strengthen its compliance processes so that internal and member firm client data can be moved in line with applicable legal requirements around the world.