Privacy, GRCs Blind Spot

Governance, risk management and compliance (GRC), the functions within the organization that ensure it stays on the straight and narrow, are structured in variety of ways, but it generally breaks down into the following areas:

• Audit and Compliance ensure that policies match practices
• Risk Management ensures everyone understands the likelihood and cost of unfortunate occurrences
• Information Security protects data from unauthorized use or dissemination
• Information Technology implements and maintains necessary control mechanisms on technology
• Legal ensures that all of the aforementioned functions understand legal and regulatory requirements and contractual obligations

When implemented and managed well, this traditional structure is effective in safeguarding organizations against straying from their legal and regulatory obligations. Unfortunately privacy requires something more nuanced than strict compliance with applicable laws and regulations, and that means for the GRC functions in most organizations mitigating privacy risks is in a blind spot.

Specifically, this blind spot is a lack of controls to make sure organizations don’t surprise the consumer in the way they collect, process or store personal information. This gap is a primary responsibility of the strategic privacy officer – with emphasis on the word strategic – and most organizations do not employ one.

Note: A mid-level privacy officer whose responsibilities do not extend beyond compliance with HIPAA, PCI or whatever regulations are specific to that organization’s industry or geographic location is not “strategic.” They have important and often difficult jobs, but that is not the job I’m describing.

What’s the Harm in Surprising the Consumer? #

If the organization is compliant, where is the risk in doing something that surprises the consumer? Without getting too deep into the particulars of law and policy matters, there are forces that are creating an increasing risk in doing unexpected things with the consumer’s data. First, recognize that the concept of notice and consent is not an effective mechanism for educating the consumer about how the organization is using and protecting the data they steward, yet most privacy laws and regulations have this as the fundamental mechanism for doing just that.

Secondly, regulators are not blind to this fact and they are starting to exert their authority in ways that shift the burden from the consumer, who under notice and consent is expect to educate themselves and make informed decisions, to one that pushes accountability back to the organization. (For a more detailed explanation, see a transcript of a recent presentation of mine and this earlier blog post.)

Parsing that out its not hard to recognize that situations now exist where an organization may find themselves the result of a lawsuit by doing something that the consumer did not expect, even if it they have provided clear notice and a mechanism for consent. Consider the case against Google:

In 2007, on the whim of an engineer, and for no apparent business purpose, Google’s Street View vehicles, in addition to taking pictures and mapping locations, began to collect unsecured wifi router traffic. The collection was done on public streets, not private property, and the data collected was readily available to anyone with a simple, inexpensive and easily obtained device. Yet, Google was successfully sued for violations of wiretapping laws. There are various interpretations of the case, but it essentially boils down to the court’s recognition that it is not reasonable to expect the general public to understand (and properly secure) the data their wifi routers are transmitting, and Google should be held accountable for not considering that.

And the case against Wyndham:

Between 2008 and 2010 Wyndham Worldwide suffered a series of data breaches that resulted in the loss over more than 500k records that included personal information and credit card data. A significant breach, and they suffered the sort of legal and regulatory attention that accompanies a breach of that scale, but in addition to that the FTC brought suit against them. Essentially the FTC claimed that since Wyndham was such a large organization, when customers transact business with them they expect a certain level of protection and Wyndham failed to meet those expectations. Wyndham fought back claiming the FTC does not have the authority to make that case, but a New Jersey district court decided to allow the case to move forward.

These are both recent cases and relatively rare, but they do indicate a trend. It is only a matter of time before more organizations are held accountable to their actions and to properly mitigate this risk you need more than the services that the traditional GRC functions provide. You need a strategic privacy officer.

A strategic privacy officer is someone who will act within the organization as the single point of accountability for all things privacy related. To accomplish that this person will have to work across disciplines and departments. Specifically, they must understand privacy law and policy, understand technology and security, understand strategic business objectives and not only work across these disciplines but have the necessary leadership and communications skills required to effectively employ those cross-disciplinary functions.

The bad news is that while there are people out there with this set of skills and experience, I estimate there are less than 300 of these people on the planet at the moment. So unless you are at a company that has some interesting challenges, an innovative culture, a strong desire for a privacy position, and the money to properly compensate one of these individuals who are in high demand, good luck convincing one to work for you.

It is for this reason I suggest you consider hiring someone with less experience now and not wait until some event occurs that requires you to hire some heavy hitter to clean up. The good news is that someone with some experience (but not all) is much easier to find. You are better off getting a privacy officer in place now rather than waiting until you desperately need one, and the trends clearly indicate that if you steward personal information it will become a critical issue for you and probably sooner rather than later.

If you do decide to procrastinate and wait until you really need the position you are going to pay a premium for someone with the requisite experience – that much is clear. Fortunately, there are many great minds out there who have some of the skills and experience required for the position, but will need some time to grow and develop. If you hire them into an environment that isn’t in the midst some “fire that needs to be put out,” where they have the space and time to learn the organization’s goals, get to know key staff and otherwise come up to speed you will have a much greater probability of success.