
The Roles of Stakeholders for Big Data and Privacy

By Judy Selby and George Viegas
November 30, 2013

Chief privacy officer, chief compliance officer, chief information security officer, chief legal officer (or general counsel): as organizations adjust and adapt to keep pace with changing technology, laws, regulations and cyber threats, these roles are developing and changing within organizations. But what duties and responsibilities fall within the job description of each of these stakeholders' positions, and how do these positions relate to each other? Where is the overlap? What can organizations do to avoid excessive siloing, which may impede enterprise-wide data governance and privacy goals?

Despite the continuing nationwide lag in job growth, hiring in the areas of data governance and privacy seems to be strong. But do organizations appreciate the differing roles and responsibilities of the various stakeholders involved with these issues? Our very unscientific research suggests that the answer is no.

For example, organizations looking for new hires often try to combine "security" and "privacy" positions. This may reflect an inaccurate assumption that security and privacy are synonymous. They are not, although they are most definitely related: security concerns protecting data from unauthorized access, while privacy concerns how personal data may lawfully be collected, used and shared. Privacy cannot be attained without adequate security, but adequate security alone does not make a data practice lawful.

Because these are relatively new roles, there also are problems determining the right level within the organization's structure at which to position them. Job descriptions for information security managers read just like those for CISOs. Similarly, "privacy manager" positions read very much like the job that a CPO will do. Is this due to a misunderstanding of the roles, or to a reluctance to hand out a "C" prefix and title?

CPO, CISO or CCO?

Generally speaking, the CPO should develop strategies to protect confidential information within the framework of privacy laws and policies and be responsible for privacy regulation compliance. Creation of an enterprise-wide privacy policy is no easy feat, given the constantly changing regulatory environment domestically and abroad. The role of CPOs is in a somewhat nascent stage, and is being developed to respond to concerns over the use and protection of personal information, including health and financial data, arising from the implementation of statutes such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, and the Fair Credit Reporting Act.

So far, the CISO is typically responsible for establishing, monitoring and enforcing information security standards and policies, and for protecting the IT infrastructure and critical business and intellectual property data. The CISO should be well-versed in network perimeter security technologies, such as firewalls, proxy servers, intrusion detection/prevention, anti-virus, anti-malware, anti-spam and unified threat management.

A CCO typically is in charge of overseeing and managing the organization's compliance issues, which are driven in large part by the nature of the organization's business, and the extent to which its operations are regulated. Privacy regulations are just one example of the legislative directives with which certain organizations must comply. The CLO/GC is responsible for minimizing the organization's legal risks by advising the company's officers and board members about legal and regulatory issues, including litigation risks. Some corporations combine the roles of chief or assistant legal officer, or general counsel, with the CPO position.

Coordination Among Stakeholders

Internal drivers, such as the promotion of effectiveness, consistency and efficiency, favor coordination among the various stakeholders at play in the data governance and privacy continuum. External drivers also require the company to take an enterprise-wide view of its cyber and security risks: the guidance issued by the SEC advising public companies to disclose to investors the threat and potential impact of cyber attacks that pose a "specific and material" risk, and the process of applying for cyber insurance covering certain privacy and data breach related expenses and liabilities. This makes these issues a compelling and ripe C-Suite concern.

Take Away Considerations

It is important for security, privacy, compliance and legal to avoid silos and to communicate and work together. This is especially so when handling customer data. For example, incident response plans have historically been thought of as relating to resolving a virus outbreak or a malicious denial-of-service attack. However, those same incidents can also give rise to data breaches implicating privacy, compliance and legal concerns, and the security team that contains the incident is rarely the team that must assess notification obligations or litigation exposure. Strong internal planning now should include a comprehensive response plan requiring all four teams to coordinate and work together, most likely with the assistance of experienced counsel and consultants. Security awareness training must also be sensitive to data privacy issues: security training and data classification built around data that is "confidential" must also cover data that is "private," since personal data may be lawfully handled only within the limits the privacy regime imposes, even when no confidentiality breach has occurred. Thus, an integrated approach is key.

Although the issues and concerns within the realm of the chief information security officer, chief privacy officer, chief compliance officer and chief legal officer must be considered separately, they should be integrated with one another and with the organization's overall goals. Organizations should consider establishing a steering committee consisting of these four key individuals so that enterprise-wide needs, expectations and concerns can be vetted and resolved together in the most efficient and expeditious manner possible.


Judy Selby is a partner at BakerHostetler in New York. She can be reached at [email protected]. Follow her on Twitter @judy_selby. George Viegas is Director, Information Security, at Thomson Reuters, based in Culver City, CA. He can be reached at [email protected].
