
Will Privacy Come Of Age in 2015?

By Dan Currell
December 31, 2014

Some 43% of companies report knowing that they experienced a data breach last year. Since breaches are hard to detect, it's safe to say that the other 57% can't be sure whether they were breached or not. One thing that's certain, as evidenced by the figures in the lead article of this issue, is that big data breaches were the story of 2014, and it seems likely that they will keep coming.

The uptick in breaches has put privacy on top of the agenda from the board's audit committee down to the front-line manager. It also has put a lot of pressure on in-house lawyers who handle privacy, but will it be enough to get corporate privacy programs to grow up?

There's a lot of growing up to do. In late October, 47 heads of privacy gathered with CEB to discuss the state of privacy, its current challenges and the plan going forward. This was the first major step in our effort to support the much-needed maturing of privacy within companies. What came to light in that day's conversations was that this hard-working function is in need of resources, clarity and leadership.

We also learned that most privacy programs have little structure and a haphazard approach to allocating resources. For example, 75% of companies that employ a named head of privacy still have no privacy budget. They are spraying money at the problem when fires break out.

Taking Ownership of Privacy

A lot of fires broke out in 2014 and a lot of money was sprayed, but the fire brigade still isn't very well organized. When we tested the ownership of 10 key privacy activities across 100 companies, no fewer than seven, and as many as 11, different departments were listed as primary owners for each activity among the respondents. For more established legal issues, ownership isn't spread out among a half-dozen or more departments. But for privacy, every activity we tested was still up for grabs.

Worse yet, in far too many cases ownership of key privacy activities is shared between multiple people and functions within a single company. Sometimes this takes the form of a committee or working group, but more often it is just a collection of concerned citizens who are making it up as they go along, with no budget.

In theory, it can be helpful for issues to be “jointly owned,” but this kind of ad hoc approach means that nobody has true ownership and accountability. Companies can muddle through like this for only so long; eventually there will be a compliance failure that forces the company to grow up.

It's understandable, then, that the majority (75%) of chief privacy officers are either unsatisfied or ambivalent about their programs. Given the importance of privacy and the resources already being expended on it, companies desperately need a more mature approach. Will 2015 be the year when privacy finally comes of age?

We are cautiously optimistic. There is certainly a sizeable wave of progressive companies committed to laying privacy infrastructure: clear roles and responsibilities, articulated budgets, clarified org structures, simplified and improved training, and privacy principles embedded in workflows and product design.

But there are headwinds, too. We see four big issues that will persist in making privacy hard work indeed:

  1. The Growth of “Business-Led IT.” The office of the chief information officer doesn't run a command-and-control shop any more. IT is more distributed to business units than ever, and their systems are often hosted by vendors. See, “Harnessing Business-Led IT.” Third parties are a well-known cause of privacy breaches, but most companies have a limited grasp of their privacy implications. It's hard to get your privacy program organized while the company's IT is morphing from a unitary state into a loose confederation.
  2. A Mutating Threat Environment. Sixty-nine percent of surveyed executives believe their companies can't keep up with the increasing pace and sophistication of cyberattacks. The effort required to keep up with these threats prevents many companies from maturing their privacy programs.
  3. Increasing Strategic Value of Information. The incentive for employees and managers to aggressively use customer info and other sensitive data grows every year. On this trend there's no end in sight.
  4. The Changing Work Environment. Employees have more access to data than ever before, collaborate more than ever before, and share information on more devices and in more ways than ever before. This is another centrifugal force that pushes sensitive data out into places where it's hard for even the most mature privacy programs to protect it.

Taken together, these forces ensure that we'll be swimming against the tide for several years to come. Yet we see leading privacy departments paving the way. Here are some of the things leaders in privacy practices consistently do:

  • Integrate privacy into product development;
  • Create privacy policies that are easy to find and easy to apply;
  • Build and monitor a privacy-conscious company culture;
  • Clearly assign regulatory tracking and update responsibilities;
  • Collaborate with others to create a holistic IT strategy;
  • Create and rehearse a privacy breach-response protocol;
  • Design a privacy diligence and monitoring regime for third parties; and
  • Measure the effectiveness of the privacy program.

The full to-do list is much longer. We need to respond to queries, react to problems and generally keep the lights on. But the only way to get out of crisis mode is to build a system that prevents problems and efficiently handles the issues that arise.

More colloquially, we need to stop fighting alligators and start draining the swamp. Hopefully 2015 will be the year when that gets started in earnest.


Dan Currell is an executive director at CEB (www.executiveboard.com) in the Legal, Risk and Compliance practice. He advises executives from Fortune 500 companies and other organizations across the globe on issues related to risk management, governance, enterprise risk, compliance and legal department management. This article also appeared in our ALM sibling, Corporate Counsel.