Privacy experts from the Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment were engaged to conduct a biennial privacy and data protection assessment for a large, global technology company.

As an independent assessor, FTI Technology examined the client’s privacy program, privacy risk assessment process, internal trainings and the design and operating effectiveness of the client’s data protection controls. The team then delivered a comprehensive written assessment of the client’s privacy program as required by the consent order with the Federal Trade Commission (FTC).

Situation

The client became subject to an investigation into their privacy practices, which was ultimately settled by entering into a multi-year consent order. The client agreed to meet specific privacy and data protection requirements including establishing and implementing, and thereafter maintaining, a comprehensive privacy program designed to (1) address privacy risks related to the development and management of new and existing products and services, and (2) protect the privacy and confidentiality of personal information. The client was required to undergo an assessment by a qualified, objective, independent third-party privacy and data protection professional, following procedures and standards generally accepted in the profession. In these types of matters, the FTC requires independent assessors to be pre-approved and demonstrate the technical and policy expertise needed to evaluate the company’s performance across privacy safeguards, internal privacy expertise and leadership, employee training, access controls and a range of additional data protection measures.

Given FTI Technology’s deep experience with global, national, regional and industry-specific data privacy regulations, the team was able to meet the FTC’s criteria while ensuring its approach was relevant to the client’s unique risk position. FTI Technology differentiated from other assessors by offering a customized framework designed specifically for the client and the parameters of its consent order.

Our Role

FTI Technology’s assessment, methodology and findings were based on the team’s professional judgement, experience and industry knowledge. The assessment included risk-based sampling and validation to evaluate controls, using the following techniques:

  • Document review across policies, procedures and supporting evidence to verify the existence and use of privacy practices and required controls. This included comparing existing privacy procedures against recognized standards such as NIST and GAPP.
  • Stakeholder interviews across numerous business units in the client’s organization, to understand and document privacy and data protection controls.
  • Observation and walkthroughs of the client’s privacy controls to assess the design of the client’s privacy controls and to determine whether those controls were operating effectively throughout the required reporting timeframe.

The results of these reviews were documented and distilled in a detailed report that was provided to the client—which it then delivered to the FTC as required by the consent order.

Our Impact

Independent domain expertise

FTI Technology provided the independent domain expertise necessary for the client to comply with the FTC consent order by offering a tailor-made methodology for assessing privacy practices and defensible processes that met the FTC’s requirements for third-party assessors.

Risk-based audit and review program

The team’s expertise in executing a risk-based audit and review program enabled a comprehensive audit of privacy controls and practices across the client’s environment, while avoiding excessive cost, unnecessary document production and minimized disruption to the client’s day-to-day operations.