Published on May 1st, 2019

Privacy sheriffs – CPOs saddle up to protect information assets



Much like in the Old West when the town sheriff and a
few deputies did their best to keep the local citizens safe from the
black-hatted bad guys who inhabited the surrounding empty land, today’s chief
privacy officer (CPO) must keep data locked down at companies, organizations or
government entities and beyond the reach of cybercriminals.

A bevy of stunning privacy breaches (think Facebook and FEMA)
coupled with a greater urgency to comply with regulations (think GDPR) and an
increasingly proactive approach to protecting data have prompted many
organizations to mull and even elevate the position of CPO. A quick search on
LinkedIn, Monster or any job site turns up a huge number of openings for CPOs
and the even larger number of data breaches that have exposed the personal
information of billions of people around the world certainly speaks to the
desperate need for someone to be in charge, though the qualifications seem to
vary depending on the organization.

What exactly are the duties of a CPO? Should he or she
have cybersecurity tasks similar to that of a CISO? Is the role an offshoot or
subset of a company’s CIO?

Paul Iagnocco, senior
privacy consultant at TrustArc, says a CPO should be an organization’s champion
of privacy tasked with not only determining what data needs protecting, but
instilling the importance of keeping the corporate jewels safe to everyone in
the organization, from the newest trainee to the C-suite. To accomplish this
Iagnocco sees a CPO not as a technology-oriented position, but instead
encompassing many roles ranging from teacher to cheerleader.

Peter Lefkowitz, chief privacy and digital risk officer at
the software firm Citrix, agrees, but also tosses in a few more hats for the
CPO to wear. As his title suggests, risk and privacy go hand in hand at Citrix, and
Lefkowitz believes there is also a legal component to the position.

“There is so much accountability needed now as data is
taking on a greater role in companies,” he says.

This means the CPO role is no longer a luxury, but a
necessity.

With almost every
company maintaining some amount of either customer or worker data that needs to
be protected, Lefkowitz believes that a dedicated CPO is necessary or at the
very least someone at the firm must be tasked with keeping an eye on the
situation in addition to their normal duties.

“Every company needs somebody overseeing personal data due
to legal and regulatory compliance,” he says, even more so in any company that
deals with the European Union and must comply with GDPR.

Patrice Ettinger, Pfizer’s CPO and member of the board of
directors of the International Association of Privacy Professionals (IAPP),
notes a privacy point person is needed simply to keep track of all that is
going on.

“The CPO plays a key role in ensuring that personal data
is used appropriately and helps business leadership think strategically about
data use under today’s rapidly evolving technology and regulatory landscape and
consider expectations of individuals who entrust them with their personal
data,” she says.

Another very tangible reason to have someone assigned to
the job is to avoid the financial and reputational repercussions that can be
incurred by those organizations that do not properly protect the data in their
charge.

Violating the terms
of GDPR is no joke and can result in substantial fines: up to €10 million
or two percent of worldwide annual revenue for the prior financial year, or up
to €20 million or four percent of that revenue, whichever is higher, according
to the GDPR statutes.

On top of any fines, a breached company can take a massive
stock hit. Iagnocco looked back at what happened to Target after its 2013 data
breach. The retailer had to pay out $18.5 million in legal fines
for having allowed 41 million payment cards to be accessed by an outside entity,
resulting in the loss of the personal data of 70 million shoppers. Overall,
Target’s execs estimated the breach cost the company $148 million, and that does
not count the massive hit the company’s stock took in the months after the
breach was revealed.

And it’s not just private institutions that need to worry
about protecting data. Government agencies, from those that operate in the nation’s
smallest villages up to the largest federal departments, control extremely vital
information that, if obtained by a malicious actor, can result in terrible
financial loss. There has been a steady stream of incidents in recent years,
ranging from the massive Office of Personnel Management breach to ransomware
attacks against rural towns and counties that may have resulted in data being
compromised in addition to the files being locked up.

“There is often an expectation by the public that these
institutions are automatically protecting their data, but that is not always
true. People think the government is always buttoned up, but it also needs a
CPO to keep guard,” Iagnocco says.

There may be many tasks a CPO must have the skill to
undertake: teacher, expert on the legal ramifications of privacy compliance and
even detective, digging out all the possible hiding places where data may be
squirreled away. What is not needed are countless certifications, nor even a
degree in computer science or cybersecurity.

Citrix’s Lefkowitz says a CPO needs a different knowledge
base and while a more than passing familiarity with cybersecurity operations is
required, such a person does not need the skillset of a CIO or CISO. In fact,
he sees many of those becoming CPOs coming from legal, accounting and auditing
backgrounds.

Iagnocco agrees,
adding, “A CPO does not need to have 48 certs, but needs to be able to have a
conversation with the CISO. He needs to know what needs to be done, but not how
to do it.”

Making sure everyone in the company understands that is
very important. So much so that Lefkowitz believes defining the role of a CPO
should be one of the first things a company does when it is creating the
position.

The powers that be need to determine to whom the CPO will
report and how senior of a position it will be in the company.

Specifically the CPO position must be clearly separated
from the responsibilities of the CISO and CIO, but it also must be known all
three share a common goal.

“The CPO is focused on ‘use’ of data, and less on
infrastructure, applications and security that typically fall under the domain
of the CIO or CSO. Certainly the three
will best serve their company if they collaborate and work together, as there
are areas of dependency and overlap,” Ettinger says.

It should also be made clear that a CISO or the head of
the IT department is not in charge of privacy nor should corporate executives
make the mistake of believing these people will take care of privacy issues as
part of their regular job.

Once all those points are hammered out and someone is
hired, that person’s number one priority needs to be figuring out what data is
being handled and at what level of risk, said Iagnocco, and not just the data retained
inside the organization, but also by third-party vendors. Without this
knowledge a CPO cannot function.

After the potential threats are determined, a CPO needs to
come up with a privacy program tailored to the institution and this should
include working with the other stakeholders and keeping an eye on worldwide
developments, says Ettinger.

“The CPO needs to engage on a regular basis with the
business and stay informed on how data might be used, and to stay current on
external privacy developments, including the new and strengthened privacy laws
that we are seeing globally, including in the U.S.,” she says.

This is particularly important, Iagnocco says, because so
much that can impact a company’s privacy standing can come from the outside.

“I think a CPO has to be a strategic thinker, not
tactical. The CPO must look at what might happen one or two years down the
road,” he says, unlike a CISO who needs to worry about what is happening that
second.

The legal ramifications that could result from a privacy
breach also need to be regularly discussed, Lefkowitz says, so meeting with the
C-suite and corporate counsel should be a regular occurrence for any CPO.

One of the conversations that needs to be held, says Mark
Eggleston, VP, CISO and Privacy Officer at Health Partners Plans, is about instilling
privacy-by-design principles into new systems and employing a mature framework
to select and implement security controls.

Iagnocco is also keen that the human side of the CPO’s job
not be forgotten. As stated earlier this includes being a cheerleader and
teacher, making it everyone’s responsibility to protect not only their own
privacy, but that of their customers, essentially creating a positive culture
for privacy in the company.

“Job number one is to evangelize the importance of privacy
inside and outside of the organization. When I was at Kellogg we held seminars
and made sure what we were saying was understandable to staffers,” he
says.

CPO resume

Candidate
123 Main St.
Anywhere, USA

Education
The School of Corporate Hard Knocks

Experience
• Five years of experience in a position protecting the privacy of the customers and workers at a business with 100 employees that did extensive work with entities in the EU. Used my accounting, auditing and legal knowledge to create a framework from which I ensured no privacy breaches occurred.
• Held regular meetings with the IT and cybersecurity department heads.
• Set up a seminar program to teach employees about the importance of meeting our privacy standards.
• Familiar with cybersecurity terms and basic practices.
• Experience with building, implementing, and maintaining a global privacy program and monitoring advancements in information privacy technologies to ensure improvement, adaptation, and compliance.

Skills
• Agile in responding to the changing role of the CPO and of the privacy environment. Capable of staying engaged with the business itself and up to date on external privacy developments, including new and strengthened privacy laws.
• A great communicator capable of explaining the need for maintaining privacy to anyone, thus helping secure the firm from fines and reputational damage.
• Privacy certification (CIPP or CHPC).
• CHC Compliance Certification.
