866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

Litmus Leverages Proactive Approach to Privacy to Protect Itself, Clients, & Vendors

Table of Contents

Download the case study

Download the case study

One of the key priorities of any organization is a commitment to client trust, and in this era of advanced technology, privacy remains at the heart of such. At Litmus, they are doing everything possible to protect and reassure their customers while keeping pace with any and all privacy legislation being passed.

Table of Contents

Download the case study

Download the case study

The Rise of Privacy

As the world digitizes and more and more data moves online, the evolving threat environment has prompted a critical demand for better security. Thankfully, some among the greater business landscape have already begun to legislate new standards of protection that will help ensure the safety of consumer data. But despite HIPAA, GLBA, and PCI DSS having existed as U.S.-based, sector-specific data protection for years, the sheer amount of sensitive information that is being collected now has warranted more extensive action by governing bodies who have taken it upon themselves to elevate protection standards. As more and more large-scale data breaches began to emerge across the globe, the EU was among the first to take new steps with the enactment of the groundbreaking General Data Protection Regulation (GDPR), and several other countries and states in the U.S. have followed suit with similar standards as recently as last year. As cyberattacks mature and evolve, so too must data protection—without the appropriate diligence, organizations risk losing their clients’ trust, making progress difficult and potential new business wary of collaboration. 

As more legislation continues to pass, with updates to existing standards releasing weekly in some cases, the privacy landscape can be difficult to maneuver, both in ensuring data protection and remaining compliant with the constantly updating requirements. But as Litmus has demonstrated, a proactive approach and the right partnership can make all the difference.

middle_left_734-wide

Privacy as a Priority

In 2019, Litmus brought in Schellman to discuss options for compliance assessments, and at that time, talks centered around whether a SOC 2 or an ISO 27001 certification would be more suitable. Eventually, Litmus partnered with Schellman for SOC 2 Readiness, Type 1 SOC 2, and Type 2 SOC 2 examinations before extending their relationship for recurring Type 2 examinations. Throughout their initial collaborations, the teams expanded their discussion to include notable data breaches in the news and what that meant for already complicated privacy concerns, as well as what could help bolster what was already a substantial plan in place for maintaining Litmus customer trust.

middle_left_734-wide

“It was within about 18 months of GDPR having gone into effect, and at Litmus, we realized that we could react defensively against all the new regulations and benchmarks for what now constituted a solid security and privacy program, or we could actually go on offense and make this one of our strengths,” says Matt Gore, CTO and Chief Privacy Officer at Litmus. “We decided to lead with this new principal of the business, and that choice has now become a real differentiator for us in our particular market.”

Making privacy a priority required investing a lot of resources from the start, including buyin from leadership and the establishment of a specific team entrusted to support such a robust effort, as well as internal reevaluation of the growing program year after year. “As the evolution of data privacy becomes more focused on the consumer—the end user, the person who is providing the data—there needs to be an appropriate response,” explains Justin Unton, Head of Information Security and Privacy at Litmus. “End user trust is what Litmus is all about. We want to do things the right way.”

Quote
"As the evolution of data privacy becomes more focused on the consumer—the end user, the person who is providing the data—there needs to be an appropriate response."
Justin Unton

Justin Unton | Litmus | Head of Information Security & Privacy

Expanding with Schellman

Given that the two organizations had already established a working relationship, it made sense for Litmus to pivot back to Schellman regarding strengthening their privacy position—especially since the assessor had well proven to be working in good faith. “In our earliest interactions with the Schellman team, we were just looking for some guidance to begin with, and I really appreciated that the fact that they did not try to sell us the most expensive service. They actually looked at what we had and offered the best fit. It created this mutual trust between our teams,” says Gore. This straightforward, honest nature established in the initial talks provided a solid foundation for the later, more complex discussions regarding the auspicious goals for the growing privacy program at Litmus.

When those discussions eventually evolved into an actual privacy assessment Litmus needed completed for a specific client, they looked to Schellman first for help. “Litmus reached out to us because they’d already seen the quality of our work, and they had another need,” says Debbie Zaller, Principal and Privacy Practice Leader at Schellman. “Since we were already their auditors elsewhere, it made the most sense to continue down this new path together.” Unton too confirms as much. “I had such a great experience the first go-around with Schellman during the SOC 2, so when I saw that they were also vendors for privacy attestations, it was a no brainer. We’d already worked with Schellman, we knew the quality of the work they produce, and so we knew what to expect going into another agreement with them.”

Quote
"In our earliest interactions with the Schellman team, we were just looking for some guidance to begin with, and I really appreciated that the fact that they did not try to sell us the most expensive service. They actually looked at what we had and offered the best fit. It created this mutual trust between our teams."
mattgore

Matt Gore | Litmus | CTO & Chief Privacy Officer

Privacy Particulars? No Problem with an Experienced Assessor

Not only that, but once immersed in the new process for privacy, the assessor proved itself very equipped to help. Because despite the proactive investment by Litmus into building their program, privacy remains a complicated mountain to climb in compliance, and the extra guidance provided by Schellman in navigating the particulars has made a significant difference so far. “During SOC 2, there’s this process of providing evidence—if there’s no evidence logged, it didn’t happen,” explains Unton. “With privacy, you also have to be able to prove that the actual process of providing evidence is working as it should—that you’re doing what you say you’re doing—and that presents opportunities for new controls and processes here and there.” Thankfully, Schellman fields a broadly experienced team focused entirely on privacy—their expertise helped elevate Litmus’s approach to that initial, client-specific privacy audit while also helping strengthen the overall internal knowledge of the particulars.

middle_right-11-16-3

“Just being able to work with the auditors to help deconstruct and demystify what works and what doesn’t when it comes to privacy is very, very helpful,” says Unton, and Schellman was always ready with the answers to any questions that were raised. “We have a depth of experience in assessing organizations against privacy laws worldwide that I believe sets us apart from competitors,” explains Zaller. “Some organizations choose to focus on particular regions or particular laws, or maybe their personnel aren’t solely focused on privacy regulations, but on the other hand, we field a specific team geared toward this particular practice and only this practice. It helps us make sure our people remain well-immersed and up-to-date regarding all the changing standards so that we can provide our clients the most thorough privacy advice and examinations as possible.” All in all, the partnership between organization and assessor has continued to flourish throughout these more complex collaborations, and Litmus—now well past the first steps toward steadfast confidence in their privacy protection—credits Schellman for their guidance in establishing such.

middle_right-11-16-3
Quote
"Just being able to work with the auditors to help deconstruct and demystify what works and what doesn’t when it comes to privacy is very, very helpful."
Justin Unton

Justin Unton | Litmus | Head of Information Security & Privacy

Outward Effects of Outside Validation

Moreover, these efforts aren’t just to assure Litmus customers that their data is safe, though that remains priority one—it’s also for the organization’s own benefit. “You have to consider the immense responsibility that consumers place on us in giving us their trust, and we take that trust very seriously,” says Gore. “It’s very helpful to have Schellman validate that trust put in us, to give that third-party perspective. Privacy is a different challenge to tackle that requires a different approach—we’re not just answering yet another security questionnaire. I think Schellman coming in to look at everything helps us all sleep better at night because there is an immense amount of responsibility to protect the people you serve well.

Person working on computer

The good news is that the partnership with Schellman and the completed compliance assessments have already seen some returns manifest. “I can’t understate how important this program is for us. We do business with the Top 10 banks in North America, and you can imagine how important privacy is within those discussions,” explains Gore. “Compliance’s reach is so long into our organization. Our entire direct sales team relies on everything that we produce—everything that comes out of this compliance engagement with Schellman—that’s how important this relationship is to us.”

But it’s not just confidence in data protection either—the recalibrated emphasis on compliance and privacy is also helping to entice new business relationships efficiently and effectively for Litmus. “Being able to say, ‘here is our SOC 2, here is our privacy assessment’ as reassurance, I really do think that helps us close deals,” says Unton. “We get to ‘yes’ or ‘no’ much quicker, without an entire team being involved. It helps us stay very lean, and it also helps our bottom line.”

Person working on computer
Quote
"Compliance’s reach is so long into our organization. Our entire direct sales team relies on everything that we produce—everything that comes out of this compliance engagement with Schellman—that’s how important this relationship is to us."
mattgore

Matt Gore | Litmus | CTO & Chief Privacy Officer

The Benefits of Trust

Moving forward, both firms anticipate their collaboration thriving even more, with the familiarity between teams and mutual privacy focus ready to come back into play as Litmus continues to raise the bar higher. “As we have now gone through several audits and we have a multi-year relationship, we know now that we have a partner we can question freely regarding things where we don’t quite know the answer or the best path forward on something,” says Gore. And as Litmus moves to potentially expand their examinations of internal data protection, there are questions to be asked—currently, discussions with Schellman are taking place regarding more varied and more comprehensive privacy assessments. “We are working with them to build a broader program,” confirms Zaller. “Now that we’ve helped them with some initial, client-specific privacy requirements, we are looking to assess them holistically against a larger framework so as to widen their field and help provide further assurances.”

Regardless of how those discussions develop in the end, at present the confidence at Litmus is high, and together with Schellman, they will continue to move towards maintaining a total assurance of end user trust. “Privacy is now a core tenant of what we do, and I feel that our way of following the letters of the law—plus having this third-party confirmation to support us—it really resonates with our customers,” notes Unton. “Having now gone through a privacy process that was very specific to one client, Schellman gave us a lot of good feedback that will help set us up for future success as we progress with the broader program. And when new things come down the line, whether that’s a new privacy law in Brazil, or Virginia, or anywhere in the world, we already have a solid foundation—as things come up, we’ll only need to make minimal changes in order to succeed.” 

Connect with a Schellman specialist.

We are a trusted provider to the world’s leading companies with a service delivery model which allows for optimum quality and client experience for organizations of every size and complexity.

Talk with a Specialist

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.