Sarah D. Scalet
Senior Editor

Five Things Every CSO Needs to Know About the Chief Privacy Officer

Feb 01, 2005 | 16 mins
IT Jobs, Privacy

CPOs and CSOs need to cultivate common ground between security and privacy

It was the annual crunch time between Thanksgiving and the new year, and Nuala O’Connor Kelly had just sent to the printer the first-ever report to Congress by a chief privacy officer.

This was it, the historic report: a 40-page description of what O’Connor Kelly had been doing during her first year as the first CPO of the U.S. Department of Homeland Security. Like addressing concerns about DHS’s policies with privacy officers from other countries. Examining the department’s growing use of biometrics. And reading irate e-mails from the public about controversial initiatives like the Transportation Security Administration’s passenger screening program. If O’Connor Kelly was nervous about the grilling she was likely to get once members of Congress got their mitts on her report, she wasn’t letting on.

“It’s actually a great moment for the [privacy] office to sit back and take stock of where we are now and where we’re going for the next two, three, four, five years,” says O’Connor Kelly, dashing from one meeting to the next with one of her staff members.

At the time, O’Connor Kelly was the only federal government CPO whose position was mandated by law and who was required to file an annual report to Congress. But this seemed on the brink of change. Congress’s consolidated 2005 appropriations bill, signed by President Bush in December, contains a provision that, depending on how the White House’s Office of Management and Budget interprets it, would create a handful or more of CPOs at federal agencies.

These new CPOs would be charged with protecting privacy within their own agencies, evaluating proposed laws and regulations, training employees about privacy policies and ensuring compliance with applicable laws. They would have to report on their progress annually to Congress. And every other year, their agency’s Inspector General would have to hire “a recognized leader in privacy consulting” to do an independent review of their program’s effectiveness.

The law would do a lot more than create a crew of federal CPOs in O’Connor Kelly’s image. In the private sector, government demand for privacy expertise is expected to lead to greater awareness, more stringent certifications and stricter standards around privacy.

And for CSOs, it ensures that their best friend and nemesis, the CPO, is not going away.

“There are some conflicts between the philosophical approaches to the two positions,” says Lynn Mattice, vice president and CSO at Boston Scientific. “The CSO’s responsibility is to ensure that the business enterprise is safeguarded, and the privacy officer is primarily concerned with safeguarding the individual’s privacy. That’s where you can have some points of contention.”

The CSO and CPO are necessary, if sometimes uncomfortable, bedfellows. Although they may be at odds when it comes to issues such as surveillance and background investigations, they rely upon one another in a fundamental way: the CPO for help protecting information that the company has promised is private, and the CSO for help articulating the need for information assurance. Looking at one another is a little like looking in a funhouse mirror. The image, though familiar, is distorted. Understanding the nature of these distortions is a key to both groups’ success.

Here, then, are five things about the role of chief privacy officer that every CSO should understand.

1. The CPO’s history parallels the CSO’s own emergence.

Flash back to the mid to late 1990s, when businesses first started hiring CPOs. The new position was hailed as a sign that corporate America was going to start paying attention to the privacy of both employee and customer information. Somebody finally gave a damn.

Sound familiar? That’s because the emergence of the CPO has much in common with that of the CSO.

Back then, the privacy provisions of the Gramm-Leach-Bliley Act for the financial services industry were just taking effect. In health care, the privacy rule of the Health Insurance Portability and Accountability Act even stipulated that organizations had to name a privacy officer. Hiring a CPO became either a regulatory necessity or a way of sticking a flag in the ground that said, “Customer data protected here.”

Then, however, the role seemed to falter. Starting with a souring economy and culminating with the aftermath of the 9/11 attacks, companies began diverting money away from privacy and toward security and risk management.

“The abundance of resources simply dried up,” recalls Alan Westin, the well-known cofounder of the think tank Privacy & American Business, which founded a trade group, the Association of Corporate Privacy Officers (ACPO). “When we would talk to many of the privacy officers that had been active, they would come in and say their budget had been cut; their staff had been cut.”

Now, however, observers such as Westin are optimistic of a second coming for CPOs. Growing concern about identity theft is bringing privacy to the forefront, and lawmakers are responding. Meanwhile, the International Association of Privacy Professionals (IAPP), created when Westin’s group merged with another privacy association, has issued the profession’s first certification. The test covers everything from legal compliance to workplace screening to website disclosure. It’s not a technical certification, but it does require a basic understanding of how data is handled by IT systems.

“This field is coming to a certain maturity,” says Harriet Pearson, the CPO of IBM, who became a certified information privacy professional in the first-ever IAPP test. Now, she says, “You can add CIPP after my name.”

Of course, not all the people earning this certification or serving as privacy officers are true strategic privacy executives, just as not all those with CISSPs, CPPs or the “security officer” moniker are true strategic security executives. But for Pearson, that’s beside the point. She points to IAPP’s membership, almost 1,500, as a positive sign.

“To me, that’s a heck of a lot of people who’ve declared that they want to join us,” Pearson says. She, for one, thinks privacy professionals are here to stay.

2. The CPO role is as much about business as privacy.

So who exactly are these chief privacy officers, the CSO’s brethren in information protection? Even as the CPO role takes root, it is not evolving as many privacy activists hoped it might. Rather than acting as staunch protectors of privacy at any cost, CPOs are finding that in order to be successful, they must instead be savvy negotiators, navigating the conflicting interests of business needs, customer expectations and legal requirements.

Whereas security officers are positioning themselves as experts on risk rather than security, CPOs are positioning themselves as mediators, not protectors, in regard to privacy.

This means that in the CPO, security executives will find an ally who has similar concerns about gaining a reputation as someone who always puts the brakes on business.

Consider for a moment Sandy Hughes, the global privacy executive for the consumer goods giant Procter & Gamble. Hughes is spending a lot of her time these days talking about radio frequency ID tags, or RFIDs. That’s no surprise, since there’s no more contentious topic in privacy circles right now than the uses and possible misuses of these inventory tracking devices. Hughes’s goal, however, isn’t to determine whether Procter & Gamble should use RFIDs. It’s to find the right way for P&G to use RFIDs.

Part of that involves reassuring the public. “Nobody yet that I’m aware of is planning any widespread use of these tags on any consumer products, but still you see the concern about [companies doing things like] tracking consumers by satellite,” says Hughes, who’s involved with EPCglobal, a nonprofit industry association developing standards for the use of RFIDs for electronic product codes. “That’s not even in the plan, but [customers are] concerned about it. And because they’re concerned about it, we have to address it.”

“Procter & Gamble has to move forward for competitive reasons and implement RFIDs,” explains Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center (EPIC), a watchdog group. “If Sandy Hughes says, ‘We’re not ready for this RFID thing,’ that’s going to get nowhere with the board.”

Hughes’s mission, then? To help her company formulate a business strategy that takes those concerns into account.

CSOs have heard that sentiment somewhere before.

Here’s another snapshot. At E-Loan, an Internet startup that sold $153 million in loans in 2003, CPO Tess Koleczek says she is focused on solutions, not problems. She can’t just say no.

“If something comes up that might compromise our policy, I can’t go in and say, ‘You can’t do that,'” Koleczek says. “I can’t be a cop. I have to come up with a couple different solutions.”

For instance, if a business partner is asking for information about customers, Koleczek says it’s her job to try to find another solution. “I say, ‘Why do you want all that information on a specific customer?'” she explains. “They say, ‘Oh, we don’t. We want the information on what [customers in general are] doing.’ Then I might say, ‘Why don’t we give you that aggregate information?’ You just have to get to the core of what they’re asking for. Why do they want the information and how can we help them get what they need out of it?”

As with the CSO, the success of the CPO depends on his or her ability to make a business case for the protection of information. “There have been some CPOs who have really done a very good job in showing how privacy affects the bottom line,” says Ari Schwartz, associate director of the Center for Democracy & Technology, a consumer advocacy group. “Those have been the ones that have been most successful.”

But this business focus has made some in the CPO community wary even of calling themselves “privacy advocates.”

“‘Advocacy’ seems to be sometimes like protesters or flag-burners,” P&G’s Hughes says carefully when asked how she views her mission. “But [I’m an] advocate for doing the right thing, absolutely.”

Perhaps for the survival of the role, that’s a necessary caveat. “Privacy officers aren’t necessarily civil rights activists,” points out Brian Tretick, who leads privacy services for the Americas at Ernst & Young. “These are businesspeople, business executives, who are looking out for the success of the company. And if that success requires the use of information, they want to make sure it’s done according to policy and the rights and obligations of its subjects.”

CPOs are working within the system.

3. In the data world, security and privacy go hand in hand.

Not only have the roles of CPO and CSO grown up in similar ways; within the narrow confines of the information technology world, the two disciplines are also tightly intertwined. As they say, you can’t have privacy without security. It doesn’t do much good for a company to promise, for instance, that it won’t sell customer information to a marketing company if hackers can access all the files anyway.

But this close association leads to confusion. “It’s a bit deceptive because sometimes privacy will surface as a security error,” EPIC’s Perrin says. What’s more, the privacy officer’s job often begins with a focus on IT, and morphs from there. That’s what happened to Jay Cline, anyway, when he first took over as data privacy officer at the Carlson Cos. The Minneapolis-based company, which operates Radisson Hotels, had Cline’s job located within the CIO’s office, and his focus was on information technologies. The company had determined that strong information security was a core foundation of privacy.

“Data privacy and data security have one thing in common: data,” Cline says. “For us, what that meant was, we needed to find out where the data was and who was responsible for it.”

Now that the company’s information security program has matured and Cline knows the answers to those questions, he is part of the audit function rather than the IT department. But Cline’s manager, Director of IT Audit Blake Pool, is responsible for auditing information security as well as data privacy, and both men still see the disciplines as closely aligned.

“Ultimately you’re striving for the same thing: to find the right way to optimize the use of information for the betterment of the business,” Pool says. “[Security and privacy] may have different angles, but they’re really trying to arrive at the same answers. If there is a tension, I think it’s a healthy one.”

“We [security and privacy] work closely together still,” Cline says. This is especially the case on issues such as creating the company’s security and privacy policies and vetting vendors to ensure that they will adequately protect information.

But Cline’s prediction, at least, is that the more mature both security and privacy get, the more separate they are bound to become. “Once the company knows where the data is and who’s responsible for it, the overlap between the roles will start to diminish,” he says.

Maybe the easiest way to think of all this is that security is just step one to privacy.

Or a component of it, anyway. For instance, when E-Loan decided to send some of its loan processing to offshore outsourcers, CPO Koleczek worked on developing a policy that would give consumers the option of keeping their data in the United States. Meanwhile, Steve Abatangle, director of information security, worked on tying down the information that did go overseas as much as possible so that workers in other countries could only view, not copy, customer data.

“A good chunk of privacy is about securing the information, even a little more broadly than we allow our CISOs to secure information,” Ernst & Young’s Tretick says. “We want the CISOs typically to protect access to information, and to allow access only to people who are authorized. But [with the CISO], we never get to the granularity of: What is appropriate use?”

The more the CPO gets into issues of fair use, the more his job veers away from security. And the more the CSO focuses on security, broadly writ, the more vivid the differences between security and privacy become.

4. Outside of the data world, security and privacy are tough to reconcile.

Let’s riff on this point for a minute. Suppose that an employee is about to be fired. And suppose that employee may have spent the better part of the past week copying files off the server and onto diskettes. Is it a violation of the employee’s right to privacy to monitor how he’s spending his megahertz? Or is it a risk to the company’s security stance not to know that the employee has been stealing corporate secrets?

Oh, and what if the employee isn’t in the United States, but in a country with stronger employee protection laws?

In scenarios such as this, the philosophical divide between CPOs and CSOs really begins to manifest itself.

“You get into a lot of discussions,” acknowledges Boston Scientific’s Mattice, after posing the preceding scenario as an example of the kind of conversation he might have with his legal department over privacy issues. (His inclination, by the way, is that if employees are using company resources, why shouldn’t the company be able to monitor what they’re doing?)

Mattice, and others, insist that in their own particular case, the relationship between security and privacy is amiable. “These are business issues, and there’s certainly nothing personal,” he says. “I hope they’re not contentious discussions, although I’m very passionate about what I do, and I love to debate.”

But it would be naive to think that such relationships are always harmonious. The fact is: CSOs and CPOs come from very different cultures. While many CSOs have a background in law enforcement, CPOs tend to come up through marketing. The two don’t always see eye to eye.

“Security officers are a bit like lawyers in that there’s no piece of information they don’t think they should have,” EPIC’s Perrin says. “They want to know what’s going on. If they have video surveillance tapes, they just want to keep them in case they need to know what’s going on. A privacy person will look at those videotapes more from the individual’s point of view. Security goes in the opposite direction of privacy in many respects.”

Yet many in the privacy community are trying to find common ground between security and privacy, even in these murky spaces. This is especially true in the government, where CPOs find themselves under a steady barrage of attacks from observers who believe that the government is trampling on citizens’ privacy in the name of national security. Indeed, the topic is one of O’Connor Kelly’s favorite talking points.

“I’d like to strike the word balance from everyone’s vocabulary,” O’Connor Kelly says passionately, when asked about the inherent conflicts between security and privacy. “I don’t think privacy and security are an either/or position. People always view the dichotomy (is it privacy or security?) and I say it’s not about one or the other.”

For instance, much of O’Connor Kelly’s attention in the past year has been on DHS’s controversial US-Visit program, which uses biometric identifiers to screen foreign visitors to the United States. The program has been lambasted by civil rights activists as an invasion of privacy. But O’Connor Kelly thinks that the privacy department, by being involved with the program, can actually help improve the effectiveness of the system from a security perspective.

“I’m not positioning the privacy officer as against any collection of information, but I think the collection of information has to be well-thought-out, limited and relevant to the information at hand,” O’Connor Kelly says. “We’re actually helping fine-tune programs to make better decisions for privacy, and to make better programs themselves. We can be enhancers of the business.”

5. Security and privacy executives will depend upon each other for success.

One thing is certain: going forward, the two executives will continue to be dependent upon each other, however that future may look.

“It’s my contention, frankly, that the role of the CPO will transition, and we won’t recognize the CPO of the future in the way we will today,” says Richard Purcell, a former CPO of Microsoft who went on to found a consultancy, the Corporate Privacy Group. “Security and information management and legal compliance will combine into a differently structured role than we see today. I think that the two groups not only have to work together but that they will become a single group.” This may happen under the umbrella of emerging risk management departments.

Or it may be that the CPOs themselves morph. O’Connor Kelly, for one, already wonders if “privacy” might be too confining a concept for what she does.

“Years ago, people said privacy might be the wrong word, [that] it’s really about information management,” she says. “I think more and more that may be the right way to look at it. I wouldn’t say that privacy is the wrong word, but I think that privacy may be limited. We’re looking at bigger issues of the responsible use of information.”

That’s a conversation that the CSO certainly doesn’t want to miss.