Guarding client confidentiality

Advanced measures let Deloitte combat cybercriminals, protect data

Deloitte seeks to become the profession's leader in setting the standard for protecting confidential information. The Deloitte network aspires to always operate in accordance with the highest ethical standards and in a manner that fosters trust and inspires confidence.

A number of high-visibility cyberattacks on well-known global companies in FY2015 not only resulted in the very public dissemination of personal and confidential information, but they also served as reminders to Deloitte that data security begins at home.

As a network, we must be prepared for attempted incursions from every direction. Accordingly, DTTL's global policy on information security requires member firms to institute a wide range of security measures, covering areas such as virus protection, data backup and recovery, encryption, password authentication, access to systems, and network security. These actions are critical to safeguarding and appropriately using confidential information, confronting ongoing threats, and meeting member firm client expectations.

Confidentiality is not a one-time investment, or a one-off compliance or risk activity. It is an ongoing, evergreen process that must be carried out in a holistic way: an account-wide transformation that enhances member firms’ ability to deliver seamless, global client service.

To this end, DTTL is currently rolling out a Confidential Information (CI) program to its member firms around the globe. It is a strategic initiative, driven by network leading practices and consistent standards, aimed at safeguarding confidential information at the client account and engagement levels. Furthermore, the CI program instils a culture of accountability and proactive management of confidential information. The CI program was piloted by Deloitte US in 2014, and since then, it has been implemented in more than 250 member firm client accounts covering close to 1,000 member firm client engagements.

The bigger picture

Deloitte member firms are intensely active in helping business and government institutions predict, prepare for, and fight online attacks and build cyber resilience. This vigilance begins internally, where it's critical that Deloitte protects its own data and the information it holds on its people and member firm clients.

The regulatory environment is becoming increasingly complex. Global organizations are increasingly subject to privacy, cyber, and industry-specific laws that affect how they use and protect information. Privacy and information security therefore remain a business imperative for Deloitte and its member firm clients as they navigate multiple requirements and strive to ensure that Deloitte consistently protects information across the network.

Deloitte member firm compliance with security policies is tracked through an annual information technology standards, risk, and maturity assessment. Compliance with security policies at the global hosting center level is monitored through the DTTL Global Technology Services (GTS) Security Forum.

Security strategy

DTTL’s Global Chief Information Security Officer works with member firms to drive implementation of a new, more aggressive information security strategy focusing on the protection of member firm clients, Deloitte people, and the Deloitte brand worldwide. The strategy guides Deloitte in:

  • Creating a cohesive, worldwide program with common, consistent security services, rather than disparate member firm products and implementations;
  • Extending security tools for advanced protection of highly distributed data worldwide;
  • Reducing confidential data loss through practitioner actions;
  • Investing in security services and concentrating on cost effectiveness through economies of scale, consistency, and cost savings by utilizing shared services;
  • Eliciting strong member firm participation in the implementation of the strategy through standardized global security governance and delivery.

A global application-testing framework was adopted in FY2014, allowing greater capability in providing assurance that Deloitte's in-house applications are protecting client data.

Privacy

New data-protection rules planned in Europe are likely to require organization-wide changes. DTTL is currently reviewing many of its internal processes to ensure its privacy program conforms with leading practices in accountability for data-protection compliance. The DTTL privacy office is working closely with its public policy and regulatory teams to monitor and address new privacy developments affecting Deloitte and its member firm clients. DTTL's information security specialists provide guidance to member firms to strengthen their information security regimes when necessary.

Education and awareness

Deloitte continually provides security education programs for member firm practitioners and security professionals. All GTS staff globally are required to fulfill 40 hours of annual learning, and several have obtained globally recognized security certifications. Since October 2013, six annual regional security workshops—two in each of the network’s three regions—have been conducted for in-house Deloitte security professionals. In October 2014, a weeklong global security awareness campaign was held to enhance practitioner security awareness; it reached more than 80 percent of the Deloitte network’s global talent.

Emphasis on confidentiality

As a world-class organization, there are certain things we must do exceptionally well. Safeguarding Deloitte and member firm clients’ confidential information is a key example, and is a fundamental professional responsibility. Deloitte is in the relationship business, and trust is vital—trust that we safeguard and appropriately use confidential information.

The Deloitte network is dedicated to continually improving how it safeguards and protects confidential information by investing in people, processes, and technology. Like many organizations, Deloitte is aggressively assessing, testing, and adopting new technologies and services to understand how it can meet or exceed privacy and security standards.

DTTL added a new Global Confidentiality Office and chief confidentiality officer (CCO) who reports to DTTL’s chief risk officer. The CCO’s mission is to create and sustain a culture of confidentiality, built on Deloitte’s values, with confidentiality embedded in everything Deloitte does.

DTTL is one of the leading organizations in the world to have a CCO. Pursuant to new confidentiality initiatives, most member firms have already appointed and established CCO roles locally to drive confidentiality initiatives at the member firm level.

Protecting information across jurisdictions

Because many member firm clients are multinational organizations that expect seamless and safe data transfers as part of service delivery, Deloitte makes every effort to serve them adeptly and professionally around the world. A core element of this service is managing the movement and transfer of personal information and striving to ensure its protection across all jurisdictions. Deloitte continues to review available mechanisms to facilitate and safeguard data transfers, including Binding Corporate Rules (BCRs), BCRs for Processors, Safe Harbor, Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, and privacy seals. Member firm clients rightly expect that Deloitte will be able to assist them in complying with privacy laws, both now and in the future.

“Deloitte”, “we”, “us”, and “our” refer to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.