Chief privacy officers are common in the commercial world and at the agency level. Is there a role for a statewide CPO?
As we become an increasingly data-based society, security breaches and the associated legal risks have escalated. According to the Identity Theft Resource Center, 233 data breach incidents took place this year as of April 14, representing an increase of 18 percent over the same time period in 2013.
Companies like Target, Michaels and Neiman Marcus know firsthand the reputational and financial damage that occurs when customers’ private information is compromised. As a result, private-sector demand for data security and privacy professionals has grown exponentially. Today many large corporations employ a chief privacy officer (CPO) to manage data protection and privacy concerns.
Mike Lettman, Chief Information Security Officer, Arizona
Lettman leads the security, privacy and risk team for the Arizona Strategic Enterprise Technology Office, according to his bio on the ASET website. He ensures and enhances security and safety for the state.
Daren Arnold, Chief Privacy Officer, Ohio
Ohio is dedicated to enhancing the privacy and security of Ohio's data and systems, as evidenced by its dedicated Privacy and Security Information Center, a division of the CIO's office. The statewide CPO position -- one of the first in the U.S. -- was created in 2007. At that time, Arnold worked in IT law and policy and supported the state's first CPO, and then stepped in to replace him when he took a job in the private sector.
Sallie Milam, Chief Privacy Officer, West Virginia
Milam serves as the first statewide CPO in West Virginia's State Privacy Office. She started out as CPO of the West Virginia Health Care Authority, but was asked by Gov. Earl Ray Tomblin in 2013 to expand her role and lead the privacy-related activities of the executive branch departments.
To Be Determined, Chief Privacy Officer, South Carolina
The Palmetto State is currently searching for a Chief Privacy Officer, who would report to the state's Chief Operating Officer in the Division of Technology.
In the public sector, however, only a handful of statewide CPOs exist today. But as big data, Internet-based everything and mobile technology grow, the CPO role could become more commonplace in the public sector.
In the United States, the CPO position was reportedly first established in 1999 when Internet advertising firm AllAdvantage appointed privacy lawyer Ray Everett-Church to the newly created role. The move sparked a trend that quickly spread among major corporations. But the CPO position was truly solidified within the U.S. corporate world in November 2000 when Harriet Pearson was given the role with IBM.
“In late 1999 several of the large IT companies began hiring CPOs,” said Trevor Hughes, CEO of the International Association of Privacy Professionals (IAPP), an organization of privacy officials that was formed in 2000. “There were very few of us then. But as the issue of privacy has grown and technology and business practices have created more and greater risks, the demand for privacy professionals has exploded.”
Today, IAPP counts more than 14,000 members in 83 countries. And while the private sector leads that growth, government employees now represent a fair number of IAPP members, according to Hughes.
“We have over 1,500 public-sector members in the U.S. working in the field of privacy, and those numbers are growing,” he said, adding that the typical CPO role includes elements of law and compliance as well as technological understanding and operational management skills. “More and more state agencies are recognizing the need to better manage privacy, to examine how they handle data within their organization, and to embrace the idea that someone needs to lead this responsibility.”
Many states have employed privacy officers at the agency level for years. The Health Insurance Portability and Accountability Act (HIPAA) was a significant driver of those efforts, as it required states to appoint a privacy officer for each HIPAA-covered entity within a state. The federal government has also helped set the pace. Mary Ellen Callahan served as CPO of the U.S. Department of Homeland Security (DHS) from 2009 until August 2012.
“The DHS position was the first statutorily created CPO role in the federal government,” said Callahan, who is now chair of Jenner & Block’s Privacy and Information Governance Practice.
The DHS CPO reports to the department’s secretary and can approve all required privacy documentation, oversees the department’s privacy practices and maintains an investigatory role.
In 2005, the Department of Justice followed the DHS’ lead and created a CPO position as part of post-9/11 legislation. Its CPO reports to the deputy attorney general.
Photo: Mary Ellen Callahan, former chief privacy officer, U.S. Department of Homeland Security. Credit: Flickr/Oversightandreform
Soon after, the White House mandated that every federal agency have a senior agency official in place with responsibility for privacy. But Callahan said the CPO role and its effectiveness within a federal government agency varies significantly, depending on how the agency structures the role. For example, some federal CPOs sit within the office of legal counsel, while others are housed within a CIO or policy office.
“They tend to be scattered around a bit,” Callahan said, “and the approach can be very different from one place to the next.”
The same can be said for state government. Some states integrate the privacy officer role into the CIO’s job, while others create a statewide privacy officer position or a CPO role within a specific agency like health, education, DMV or tax. But the majority of state government privacy officials today sit at the agency level rather than the state level.
“There are a number of privacy officials in state government, but there are very few state CPOs,” said Hughes. “When you think about it, it makes sense. There are not many state-level human resources officers either — many of the agencies within a state have their own version of that function. We see a proliferation of privacy professionals at the agency level, certainly within administrative units and within specific agencies like health and higher education. But in terms of a single CPO at the state level, that can be tough given the incredible complexity of issues that a single state sees.”
Ohio created one of the first statewide CPO positions in 2007. Daren Arnold, who worked in IT law and policy issues at the time, supported the state’s first CPO. And when the original CPO left to take a job in the private sector, Arnold stepped up to replace him.
Arnold works in the Office of Information Security and Privacy, a division of the CIO’s office. He said one challenge of the job is helping people understand what he does versus what Chief Information Security Officer (CISO) David Brown does.
“There are distinctions in the security and privacy areas that people often confuse,” Arnold said. “I work closely with our CISO and rely on him to work on the information security part of privacy as well as all the other information security pieces. He relies heavily on me to help him understand compliance requirements, breach identification, identity theft protection services, etc.”
Under Ohio law, each state agency must have a data privacy point of contact. Those individuals coordinate their agency’s privacy efforts and ensure compliance with Ohio laws around privacy and access to personal information. Each agency must also complete an annual privacy impact assessment. Among other things, Arnold’s office helps agencies assess their risks and identify privacy protections they need to take.
“Privacy professionals are really here to help state government navigate the waters, whether it’s on the compliance side or just pointing out big issues and guiding them in making decisions,” Arnold said. “There is a misconception there sometimes, sort of a reputational problem. We aren’t there to always say no, but to help agencies complete the work in a way that respects people’s privacy and their personal information.”
In West Virginia, Sallie Milam serves as the first statewide CPO. Milam started out as CPO of the West Virginia Health Care Authority leading compliance efforts for HIPAA. But in 2013, Gov. Earl Ray Tomblin asked Milam to expand her role and lead the privacy-related activities of the executive branch departments. In addition, each department was assigned a privacy officer to communicate policies with their agencies and employees, and to further operationalize the program. An enterprisewide Privacy Management Team was then established to promote privacy protection. The team comprises privacy officers from each executive branch department, the state CISO and others.
“The CISO role and the CPO role go together,” Milam said. “Without good security, you won’t have privacy. Security is an essential part of the equation; it’s the other side of the coin. So we are a tight partnership — we collaborate, we attend each other’s team meetings and we support each other’s priorities.”
Milam’s office and the Privacy Management Team work together to develop privacy policies and procedures for the executive branch departments, while the CISO and other subject-matter experts lend their expertise to support the team’s objectives.
“In government, you are bound by laws — what you can disclose and to whom,” Milam said. “Changes often require updated policies and training. We do that on a yearly basis. We set policy and issue it. Then the departments implement it and we assist them with implementation. We also provide online privacy awareness training that’s delivered to every employee during the onboarding process.”
Milam’s office also assists agencies with incident response, helping them evaluate an incident and determine the type of response warranted.
“Continual assessment and refinement is key to the CPO role,” she said. “The laws change, the technology changes, needs change and people’s expectations change. At one level it’s about compliance to law, but at another level it’s managing risks and trying to meet the public’s expectations for the privacy of their data.”
California originally started down the statewide CPO path, but has since changed course. The state’s standalone office for privacy protection became an independent agency 12 years ago, but was absorbed into the attorney general’s office as part of 2012 budget cuts. Its original CPO, Joanne McNabb, is now the director of privacy education and policy within the Office of the Attorney General in the California Department of Justice.
The California Privacy Enforcement and Protection Unit has multiple missions, including: enforcing state and federal privacy laws; empowering Californians by showing them how to better control their personal information when they use innovative technologies; promoting smart online behavior by offering timely resources for consumers, parents and educators; working with companies on privacy trends and best practice guidance; and advising the attorney general on privacy matters. McNabb’s role therefore focuses on consumer privacy, individual privacy and civil liberties rather than ensuring state compliance with privacy regulations, as the CPO roles in Ohio and West Virginia do.
While California’s statewide CPO role was eliminated, the state simultaneously stepped up efforts to place privacy officers at the agency level. “In the last four years or so, policies have been developed and resources provided to give more training and more guidance to the privacy coordinator program in California,” McNabb said. “By policy, not by law, agencies are now required to have privacy coordinators responsible for coordinating privacy programs within each state agency. This includes making sure key privacy elements are in place throughout the agency.”
Some believe the low number of statewide CPOs is due primarily to limited state budgets over the last several years. Now that budgets are improving, the position may grow. South Carolina, for example, is searching for a statewide privacy officer.
“The budget situation hampered states in terms of appointing CPOs, as new positions were hard to come by,” Arnold said. “But in addition to that, I think state and local government tend to be just a little bit behind the curve. The CPO role by and large was developed in the private sector and to a certain degree in the federal government. The potential for it to catch on at the state level is certainly there.”
Milam thinks the statewide CPO role will grow due to changing and evolving technology. “As more data becomes electronic, the risks get vastly greater, and that can trigger a lot more laws that govern the data,” she said. “At the same time, the public’s expectations are growing and compliance obligations are expanding. I imagine state governments will respond by putting more CPOs in place.”
Regardless of whether governments employ a statewide CPO or keep the privacy coordination and compliance function at the agency level, the bigger issue is ensuring that states have experienced privacy professionals in place to incorporate privacy protection into the earliest stages of planning, also commonly referred to as “privacy by design.”
“With big data and the use of both government information and private-sector information, it’s really important to have clear privacy guidelines,” Callahan said. “The critical issue is making sure privacy issues are integrated into the program life cycle — developing and integrating privacy throughout the agency and throughout all the decision-making processes. In a bureaucracy, that’s the whole goal: If you integrate good privacy practices into your processes from the get-go, it’s difficult to unintegrate them.”
Meanwhile, Hughes said the unprecedented growth of IAPP demonstrates the enormous demand for privacy leaders. He recommends that any upwardly mobile person ensure they have a strong base of knowledge in privacy as it becomes increasingly important to the private and public sectors.
“We see privacy as not only an area of growth, but [also] an area of need,” he said. “Today there is recognition in the marketplace that privacy knowledge is an absolute mandatory skill set in order to manage the risks of the information economy. If organizations are not immediately demanding this today, we are very confident they will be in the near future.”