Five Things Every CSO Needs to Know About the Chief Privacy Officer

CPOs and CSOs need to cultivate common ground between security and privacy

It was the annual crunch time between Thanksgiving and the new year, and Nuala O'Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer.

This was it, the historic report: a 40-page description of what O'Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS's policies with privacy officers from other countries. Examining the department's growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration's passenger screening program. If O'Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn't letting on.

"It's actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we're going for the next two, three, four, five years," says O'Connor Kelly, dashing from one meeting to the next with one of her staff members.

At the time, O'Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress's consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that, depending on how the White House's Office of Management and Budget interprets it, would create a handful or more of CPOs at federal agencies.

These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws. They would have to report on their progress annually to Congress. And every other year, their agency's Inspector General would have to hire "a recognized leader in privacy consulting" to do an independent review of their program's effectiveness.

The law would do a lot more than create a crew of federal CPOs in O'Connor Kelly's image. In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy.

And for CSOs, it ensures that their best friend and nemesis, the CPO, is not going away.

"There are some conflicts between the philosophical approaches to the two positions," says Lynn Mattice, vice president and CSO at Boston Scientific. "The CSO's responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual's privacy. That's where you can have some points of contention."

The CSO and CPO are necessary, if sometimes uncomfortable, bedfellows. Although they may be at odds when it comes to issues such as surveillance and background investigations, they rely upon one another in a fundamental way: the CPO for help protecting information that the company has promised is private, and the CSO for help articulating the need for information assurance. Looking at one another is a little like looking in a funhouse mirror. The image, though familiar, is distorted. Understanding the nature of these distortions is a key to both groups' success.

Here, then, are five things about the role of chief privacy officer that every CSO should understand.

1. The CPO's history parallels the CSO's own emergence.

Flash back to the mid to late 1990s, when businesses first started hiring CPOs. The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. Somebody finally gave a damn.

Sound familiar? That's because the emergence of the CPO has much in common with that of the CSO.

Back then, the privacy provisions of the Gramm-Leach-Bliley Act for the financial services industry were just taking effect. In health care, the privacy rule of the Health Insurance Portability and Accountability Act even stipulated that organizations had to name a privacy officer. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, "Customer data protected here."

Then, however, the role seemed to falter. Starting with a souring economy and culminating with the aftermath of the 9/11 attacks, companies began diverting money away from privacy and toward security and risk management.

"The abundance of resources simply dried up," recalls Alan Westin, the well-known cofounder of the think tank Privacy & American Business, which founded a trade group, the Association of Corporate Privacy Officers (ACPO). "When we would talk to many of the privacy officers that had been active, they would come in and say their budget had been cut; their staff had been cut."

Now, however, observers such as Westin are optimistic about a second coming for CPOs. Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding. Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin's group merged with another privacy association, has issued the profession's first certification. The test covers everything from legal compliance to workplace screening to website disclosure. It's not a technical certification, but it does require a basic understanding of how data is handled by IT systems.

"This field is coming to a certain maturity," says Harriet Pearson, the CPO of IBM, who became a certified information privacy professional in the first-ever IAPP test. Now, she says, "You can add CIPP after my name."

Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executives, just as not all those with CISSPs, CPPs or the "security officer" moniker are true strategic security executives. But for Pearson, that's beside the point. She points to IAPP's membership, almost 1,500, as a positive sign.

"To me, that's a heck of a lot of people who've declared that they want to join us," Pearson says. She, for one, thinks privacy professionals are here to stay.

2. The CPO role is as much about business as privacy.

So who exactly are these chief privacy officers, the CSO's brethren in information protection? Even as the CPO role takes root, it is not evolving as many privacy activists hoped it might. Rather than acting as staunch protectors of privacy at any cost, CPOs are finding that in order to be successful, they must instead be savvy negotiators, navigating the conflicting interests of business needs, customer expectations and legal requirements.

Whereas security officers are positioning themselves as experts on risk rather than security, CPOs are positioning themselves as mediators, not protectors, in regard to privacy.

This means that in the CPO, security executives will find an ally who has similar concerns about gaining a reputation as someone who always puts the brakes on business.

Consider for a moment Sandy Hughes, the global privacy executive for the consumer goods giant Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs. That's no surprise, since there's no more contentious topic in privacy circles right now than the uses and possible misuses of these inventory tracking devices. Hughes's goal, however, isn't to determine whether Procter & Gamble should use RFIDs. It's to find the right way for P&G to use RFIDs.

Part of that involves reassuring the public. "Nobody yet that I'm aware of is planning any widespread use of these tags on any consumer products, but still you see the concern about [companies doing things like] tracking consumers by satellite," says Hughes, who's involved with EPCglobal, a nonprofit industry association developing standards for the use of RFIDs for electronic product codes. "That's not even in the plan, but [customers are] concerned about it. And because they're concerned about it, we have to address it."

"Procter & Gamble has to move forward for competitive reasons and implement RFIDs," explains Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center (EPIC), a watchdog group. "If Sandy Hughes says, 'We're not ready for this RFID thing,' that's going to get nowhere with the board."

Hughes's mission, then? To help her company formulate a business strategy that takes those concerns into account.

CSOs have heard that sentiment somewhere before.

Here's another snapshot. At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. She can't just say no.

"If something comes up that might compromise our policy, I can't go in and say, 'You can't do that,'" Koleczek says. "I can't be a cop. I have to come up with a couple different solutions."

For instance, if a business partner is asking for information about customers, Koleczek says it's her job to try to find another solution. "I say, 'Why do you want all that information on a specific customer?'" she explains. "They say, 'Oh, we don't. We want the information on what [customers in general are] doing.' Then I might say, 'Why don't we give you that aggregate information?' You just have to get to the core of what they're asking for. Why do they want the information and how can we help them get what they need out of it?"
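The swap Koleczek describes, per-customer records replaced by an aggregate, is the one point in this article that maps directly onto code. What follows is an added example, not E-Loan's code or anything from the article: the loan records are constructed, and the minimum group size is an assumption. It also goes one step past the quote, because aggregation alone does not protect a customer who is the only member of a group, so groups below the threshold are suppressed rather than reported.

```python
"""Aggregate view of customer data in place of a per-customer export.

Added example, not code from the article or from E-Loan. The records below
are constructed sample data, and MIN_GROUP_SIZE is an assumed policy value.
"""
from collections import defaultdict

# Constructed sample: the per-customer rows the partner originally asked for.
CUSTOMER_RECORDS = [
    {"customer_id": 1001, "email": "a@example.com", "state": "CA", "product": "refi",  "amount": 320000},
    {"customer_id": 1002, "email": "b@example.com", "state": "CA", "product": "refi",  "amount": 280000},
    {"customer_id": 1003, "email": "c@example.com", "state": "CA", "product": "refi",  "amount": 410000},
    {"customer_id": 1004, "email": "d@example.com", "state": "CA", "product": "heloc", "amount": 60000},
    {"customer_id": 1005, "email": "e@example.com", "state": "NV", "product": "refi",  "amount": 190000},
    {"customer_id": 1006, "email": "f@example.com", "state": "NV", "product": "refi",  "amount": 210000},
    {"customer_id": 1007, "email": "g@example.com", "state": "NV", "product": "refi",  "amount": 230000},
]

# Assumption: a group with fewer members than this is treated as identifying,
# since "the one HELOC customer in CA" is still one recognisable person.
MIN_GROUP_SIZE = 3

IDENTIFIERS = ("customer_id", "email")


def aggregate_by(records, keys, min_group_size=MIN_GROUP_SIZE):
    """Group records by the given keys and return only counts and amounts.

    Identifiers never reach the output: only the grouping keys, a count, a
    total and an average are emitted. Groups smaller than min_group_size are
    dropped so that a lone customer cannot be read off the report.
    """
    groups = defaultdict(list)
    for record in records:
        group_key = tuple(record[k] for k in keys)
        groups[group_key].append(record["amount"])

    report = {}
    for group_key, amounts in groups.items():
        if len(amounts) < min_group_size:
            continue  # suppressed: too few members to be anonymous
        report[group_key] = {
            "count": len(amounts),
            "total_amount": sum(amounts),
            "avg_amount": sum(amounts) / len(amounts),
        }
    return report


def suppressed_groups(records, keys, min_group_size=MIN_GROUP_SIZE):
    """List the groups that aggregate_by() withheld, for the privacy review."""
    full = aggregate_by(records, keys, min_group_size=1)
    kept = aggregate_by(records, keys, min_group_size=min_group_size)
    return sorted(k for k in full if k not in kept)


def leaks_identifiers(report):
    """True if any identifier field survived into the aggregate output."""
    for row in report.values():
        if any(field in row for field in IDENTIFIERS):
            return True
    return False


if __name__ == "__main__":
    keys = ("state", "product")
    for group, stats in aggregate_by(CUSTOMER_RECORDS, keys).items():
        print(group, stats)
    print("suppressed:", suppressed_groups(CUSTOMER_RECORDS, keys))
```

Run with the threshold set to 1 and the ("CA", "heloc") row comes back with a count of one and a single customer's exact loan amount, which is the per-customer data the partner was steered away from; at the default threshold that row is withheld and the partner still gets the behaviour-level view they said they wanted.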

As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. "There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line," says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group. "Those have been the ones that have been most successful."

But this business focus has made some in the CPO community wary even of calling themselves "privacy advocates."

"'Advocacy' seems to be sometimes like protesters or flag-burners," P&G's Hughes says carefully when asked how she views her mission. "But [I'm an] advocate for doing the right thing, absolutely."

Perhaps for the survival of the role, that's a necessary caveat. "Privacy officers aren't necessarily civil rights activists," points out Brian Tretick, who leads privacy services for the Americas at Ernst & Young. "These are businesspeople, business executives, who are looking out for the success of the company. And if that success requires the use of information, they want to make sure it's done according to policy and the rights and obligations of its subjects."

CPOs are working within the system.

3. In the data world, security and privacy go hand in hand.

Not only have the roles of CPO and CSO grown up in similar ways; within the narrow confines of the information technology world, the two disciplines are also tightly intertwined. As they say, you can't have privacy without security. It doesn't do much good for a company to promise, for instance, that it won't sell customer information to a marketing company if hackers can access all the files anyway.

But this close association leads to confusion. "It's a bit deceptive because sometimes privacy will surface as a security error," EPIC's Perrin says. What's more, the privacy officer's job often begins with a focus on IT, and morphs from there. That's what happened to Jay Cline, anyway, when he first took over as data privacy officer at the Carlson Cos. The Minneapolis-based company, which operates Radisson Hotels, had Cline's job located within the CIO's office, and his focus was on information technologies. The company had determined that strong information security was a core foundation of privacy.

"Data privacy and data security have one thing in common: data," Cline says. "For us, what that meant was, we needed to find out where the data was and who was responsible for it."

Now that the company's information security program has matured and Cline knows the answers to those questions, he is part of the audit function rather than the IT department. But Cline's manager, Director of IT Audit Blake Pool, is responsible for auditing information security as well as data privacy, and both men still see the disciplines as closely aligned.

"Ultimately you're striving for the same thing: to find the right way to optimize the use of information for the betterment of the business," Pool says. "[Security and privacy] may have different angles, but they're really trying to arrive at the same answers. If there is a tension, I think it's a healthy one."

"We [security and privacy] work closely together still," Cline says. This is especially the case on issues such as creating the company's security and privacy policies and vetting vendors to ensure that they will adequately protect information.

But Cline's prediction, at least, is that the more mature both security and privacy get, the more separate they are bound to become. "Once the company knows where the data is and who's responsible for it, the overlap between the roles will start to diminish," he says.

Maybe the easiest way to think of all this is that security is step one toward privacy: necessary, but not the whole job.
