
Avoid Drowning in Data

By Alan Friel
June 02, 2015

In the era of almost daily news accounts of massive retailer credit card data, employer human resources data, and health care provider patient medical data security breaches, the legal and business imperative for data and data system protection needs no explanation. Suffice it to say that privacy and data security are increasingly regulated and the topic of litigation. Data is also a rich source for evidence in litigation and, for many companies, a valuable asset. What is less apparent, however, to many lawyers, business people, and even information professionals, is exactly how to properly manage information and its privacy and security. However, over the past several decades, frameworks, standards, and best practices have been developed for establishing and managing a comprehensive privacy, data protection and information governance program. This article summarizes those learnings to suggest an approach for how to design and run a program that is right for your company.

Program Elements and Framework

For any privacy, data protection, and information governance program to be effective, it requires a multi-disciplinary effort with a mandate from the Board and C-suite, and ongoing assessment and maturation. What is legally required, cost beneficial, and otherwise reasonable under the circumstances will differ based on company size, industry, jurisdictional footprint, and corporate philosophy. Accordingly, data management programs must be developed and evaluated individually; sadly, there is no boilerplate, one-size-fits-all model. However, there are paradigms, elements and best practices, discussed below, that all good programs have in common.

Privacy and data security are often referred to as opposite sides of the same information governance coin. While this metaphor does help visualize the similarities and differences between privacy and data security and their inextricable links to each other, it ignores other aspects of information governance altogether. When looked at instead as three indispensable legs of the data management stool, the role of each is better understood:

  1. Privacy. Protects an individual's (typically a consumer's or employee's) ability, and in some jurisdictions right, to control the collection, use, and disclosure of their “personal information” or “personally identifiable information” (terms defined in a number of ways depending upon context and jurisdiction).
  2. Information Governance. Protects and manages not just personal information, but all data, including data that is purely business information but may be of even greater sensitivity than personal information (e.g., trade secrets, evidence in a pending litigation, etc.).
  3. Data Security. Protects the data itself from unauthorized access, use, loss, corruption or destruction; provides policies, practices, systems, technical and operational controls, and safeguards to enforce access restrictions; and evaluates and monitors this security and responds to suspected or actual security compromises. A violation of privacy, or of information governance policy, may or may not necessarily be a data security incident.

These three subsets of data management all need to be considered together in a collaborative manner, even where, as is typical in large organizations, each has its own domain. This can be accomplished through bringing together all data stakeholders, across domains, and developing collaboratively shared policies, goals and tools. Only in this way can an integrated and overall data management program be developed.

There are a number of frameworks that can be drawn upon to articulate key elements of a data management program. The Federal Trade Commission's (FTC) version of the Fair Information Practice Principles (FIPPs), which are the core of the Privacy Act of 1974, 5 U.S.C. § 552a, which applies to federal government agency computer systems and records, lists eight: Transparency; Individual Participation; Purpose Specificity; Data Minimization; Use Limitation; Data Quality and Integrity; Security and Accountability; and Auditing.

The Organization for Economic Cooperation and Development's (OECD) Privacy Principles, which tie closely to the European Commission's Data Protection Directive, also have eight, though somewhat differing, principles: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; and Accountability. The American Institute of Certified Public Accountants (AICPA), along with its Canadian counterparts, has drawn from these and other frameworks to establish 10 Generally Accepted Privacy Principles (GAPP) around which a company's data management policies and practices can be assessed and managed: Management; Notice; Choice and Consent; Collection; Use, Retention and Disposal; Access; Disclosure to Third Parties; Security; Quality; and Monitoring and Enforcement.

Breaking data management framework principles down to the most general topics, a data management program can be organized, evaluated and operated, and risk assessed and mitigated, based on just five categories: Governance; Transparency; Data Subject Participation; Security and Control; and Accountability:

  1. Governance. The company understands the data it has, its legal obligations regarding the data, and the business choices it has regarding it. Based on this knowledge, it develops a data management strategy conveyed in a program mission statement, which guides the development and implementation of program policies, procedures, and notices. Program management is vested with appropriate authority and resources to ensure accountability and ongoing assessment and improvement, with coverage over all parties with access to company data, including vendors and other third parties.
  2. Transparency. The company's policies and practices are apparent to data subjects and data stakeholders. Data subjects should have reasonable and accurate notice regarding the collection, use, dissemination, maintenance and security of data about them, with specificity of purpose, particularly in regard to their personal information and any choices available to them regarding such information.
  3. Data Subject Participation. Choice and consent may or may not be required by applicable law, depending upon data type and use, industry sector and jurisdiction. To the extent data subjects are required to be given a choice, or it is otherwise offered, the company gives meaningful notice of the choices, a reasonable method for exercising them, and in fact honors those choices.
  4. Security and Control. Data security is about data control, and since the 1960s the model of data security has been the C-I-A triad: Confidentiality (prevent unauthorized access); Integrity (prevent unauthorized and unintentional alteration or deletion); and Availability (data remains available to authorized users). A company should appropriately limit the access and use of its data and take reasonable measures, which will depend on the sensitivity of the data, to protect against unauthorized access and use, and against corruption, loss or unintended destruction. Minimizing the data collected and retained, and its use, reduces risk. Training and awareness, as well as technical and procedural steps to protect the data, are essential. The company should have an incident management and response plan, train on how to respond to an incident, and evaluate what led to incidents when they occur and how to better prevent future incidents.
  5. Accountability. The company communicates its policies and procedures to those it allows to access or maintain its data (including employees, vendors and other third parties), monitors for compliance, and enforces its standards and requirements. The company has known and accessible procedures to address complaints and disputes.

What specific program policies and practices will flesh out each category will depend upon the laws and self-regulatory schemes that may be applicable to a company, as well as business judgment decisions as to how protective or exploitative a company desires to be of its data, within the limitations of applicable law.

Stakeholders and Their Role

There are typically many data stakeholders, each with different relationships with a company's data, and as such potentially different viewpoints toward how it should be collected, used, shared, protected and maintained. Only through involvement of all these stakeholders will a company be able to implement and maintain a comprehensive data protection program that meets company-wide needs and obligations. It is recommended that a program's mandate and governance structure be established with input from these stakeholders. This will make it more likely that complete information is gathered and all stakeholders' interests are considered. It also makes governance more effective and efficient.

While all these stakeholders need to be intimately involved in program development and operations, frequently through a committee structure, programs work best with ultimate management by a single senior-level executive with the responsibility to oversee the program and report directly to the Board, CEO or executive management team. This is more and more frequently a Chief Privacy Officer (CPO) or Chief Information Officer/Chief Information Security Officer (CIO/CISO). An industry analyst has proffered that “digital business innovation risk will bring about the rise of the Digital Risk Officer” to manage company data and information systems. See, Gartner, Innovation Insight: Digital Business Innovation Risk Will Bring About the Rise of the Digital Risk Officer (June 18, 2014). Sometimes, particularly in larger organizations, there is a leadership team composed of the CIO/CISO, a CPO, and potentially one or more other executives, such as the head of Regulatory Compliance and/or Risk Management. This team may share overall management responsibility, or represent a second level of subject-matter management reporting up to a single program leader. Multi-nationals and conglomerates may need various levels of structure, for instance at divisional/subsidiary levels and/or jurisdictional levels. Top-level, umbrella management is still recommended to improve oversight and accountability and to help avoid discrepancies not justified by business or legal differences. Each company's size, footprint, management structure, and internal politics will drive what will be the most effective governance structure. However, for effective governance and accountability, a program needs both top-down and bottom-up involvement and the participation of all of the following stakeholders:

  • IT. Information technology procures and maintains the company's information systems and vendors. Coordination is essential to ensure privacy and information governance compliance and data security. For technology-driven companies, IT may also be involved with, or responsible for, development of products that have privacy and data protection implications. As such, it has an essential role in facilitating the gathering of facts for privacy impact assessments and data security assessments, and in implementing Privacy by Design, an important data protection program practice described below.
  • IS. Information security is responsible for preventing unauthorized access to information systems and for helping ensure that sensitive data is restricted to access-controlled systems. This includes employing privacy and security enhancing technologies and data leakage prevention tools (where permitted by local law; some jurisdictions limit employee monitoring), and educating employees on data protection policies and best practices. IS monitors ongoing access control and is accordingly the first to become aware of potential and actual breaches and incidents, and is crucial to facilitating prompt and appropriate response.
  • Privacy. Privacy is a relatively new discipline arising out of data protection laws that impose obligations on companies regarding personal data of individuals. These obligations may include notice, choice, consent, usage limitations, transfer limitations, retention limitations, rights of individuals to access, review, change and/or delete their data, and the obligation to reasonably secure the data and give notice of unauthorized access or use. There is much other important company data, such as trade secrets and confidential information, that is beyond the scope of privacy. However, the evolving importance of privacy, including the repercussions of not protecting consumer and employee privacy, justifies companies having a go-to privacy expert who is among the top of the data management staffing hierarchy, and developing an appreciation for privacy considerations at all levels of the organization. This function may be that of a privacy professional with no other responsibilities, or it may be an area of responsibility of an executive with other, typically overlapping, responsibilities.
  • Records. All companies have some process for maintaining business records. The management of this function should include records retention and destruction management. Mature records programs are information governance programs and, where well integrated with privacy and security, can potentially serve as the umbrella for all data management program aspects. However, in most companies, records is a relatively low level administrative function, the leadership of which lacks the clout to effectively manage an overall data management program and all of its stakeholders. Nonetheless, records is an essential stakeholder and resource.
  • Legal. An in-house or outside counsel expert in privacy and data protection law is necessary to advise on what legal, self-regulatory, and contractual obligations relate to company data, and to draft company data practice policies and notices and contractual obligations for company vendors that have access to its data. The expertise of privacy and data protection lawyers should also be called upon to advise on the legal implications of facts arising out of privacy impact and data security assessments and privacy and/or security breaches and other incidents. The expertise of lawyers is also helpful in designing appropriate record retention and destruction policies, and in advising on how data policies and practices may impact the rights of consumers and employees. Using outside counsel to manage assessments may protect some of the resulting work product with the benefit of the attorney-client privilege.
  • Internal Audit. Public companies may have a semi-independent audit group reporting to the Board, the Board having ultimate responsibility for data protection. If so, internal auditors can be helpful with assessments, audits and program evaluations.
  • Regulatory Compliance/Ethics. Regulatory compliance and ethics groups help establish and enforce the external and internal legal and regulatory obligations applicable to the company's activities, and those of its employees, suppliers and vendors. Privacy and data protection obligations should be part of this group's responsibilities.
  • HR. Human resources is typically the repository of vast amounts of personal data of candidates and employees, much of it sensitive. It also is the primary voice for most companies to communicate employee policy. Human resources professionals also have a training role, and can be crucial in helping educate employees on data protection policies and practices. HR can serve as an effective reporting structure for policy violations and for incidents, especially where an employee's complaint or report would implicate a supervisor. Finally, HR professionals should have knowledge of employee privacy rights under applicable laws.
  • Security. Physical security is as important as informational security in maintaining effective data protection. Involvement of security leadership, or if none exists, of facilities operations leadership, is important.
  • Marketing and Business Development. The marketing group likely collects, maintains, and exploits data on consumers, and sophisticated companies maintain customer relationship management databases. Even B-to-B companies collect and exploit personal information databases of customer contacts. More and more, marketing uses technology to collect data about consumers and target them based on that data. These practices are increasingly being regulated and scrutinized. Much of what marketing does will have significant privacy and data security implications. To a lesser degree, business development and/or sales may engage in similar data activities. Also, business development and sales staff are the first line of communication with clients on a day-to-day basis, and, during crisis, can be called upon to communicate the right message.
  • PR/Communications. This group can assist with both internal educational messaging to promote program compliance and external communication in the event of an incident or breach.
  • Finance. A successful program needs an adequate budget and the company needs a contingency budget for responding to breaches and other incidents. In smaller companies, finance may also handle the roles of procurement and risk management.
  • Procurement. Procurement can communicate to vendors their privacy and data protection obligations and work with legal to ensure contractual commitments and indemnification. The group can also assist in evaluating the capability of vendors and suppliers to meet the company's privacy and data protection obligations.
  • Risk Management. Companies with risk management departments may be tasked with evaluating risks and making cost-benefit recommendations, managing a business continuity plan, and/or making decisions as to what insurance, including cyber-liability insurance, the company will maintain and what it will require of its suppliers and vendors.

A program needs the participation of all of these stakeholders to be successful, and a governance structure to manage their participation and hold them accountable.

Understanding Company Data and Data Obligations and Practices

It is crucial that the company, and its data stakeholders (especially those involved in program development and governance), understand the “who,” “what,” “where,” “when” and “why” of its data. More particularly, the company needs to know what data it has, how it is collected, where it resides, its appropriate purposes and life cycle, which third parties have what interest in it and what access to and involvement with it, how the company ensures appropriate protection and compliance with legal and other obligations, and how it ensures the data is not inappropriately accessed, used or transferred. This is accomplished initially through inventories and assessments of data, data practices, and data obligations, and then through application of appropriate controls on various data. This understanding is necessary to properly establish the company's overall strategic data protection mission, as well as to reflect that mission in a policy and to implement the policy through program management.

This process of inventorying, if not previously done, is a logical initial step for program development once the stakeholders are identified and organized. Thereafter, ongoing inventory updating is critical to keep a program effective. There are a number of tools that can be used to conduct such inventories. Software tools are available to search for and identify certain types of sensitive data so that the databases holding it can be confirmed to have the appropriate security and access controls. However, that alone is insufficient, as the company still needs to know the purpose of that data, how it is used and by whom, and to establish rules around its retention, destruction, access, use and transfer. This can be done through surveys or interviews. An example of a resource for conducting this due diligence is the online data practices survey tool offered by Jordan Lawrence (www.jordanlawrence.com). Jordan Lawrence offers industry- and department-function-specific standard survey questions, which can be supplemented with custom questions as well. The end results are reports that identify data types, locations and use practices. These results can then be assessed to help evaluate program compliance and to identify issues that need to be addressed. There are also a number of consultants, such as accounting firms and data protection consultants, that offer similar auditing and surveying tools and services.

Strategic Mission and Program Mission Statement

As discussed, given the various data stakeholders and their different roles regarding company data, a company can only develop and mature a data protection program if there is an overall, company-wide policy statement that explains how data is to be treated in order to meet the company's overall strategic business goals. This will articulate the company's organizational objectives and values and inform employees and contractors generally how company data is to be collected, processed, used, shared, transferred, updated, retained, destroyed and made available to data subjects, employees, contractors, and others.

Considerations in developing an overall strategic policy include:

  • What kinds of data the company collects and maintains, its purposes, and the related degrees of sensitivity;
  • What legal obligations apply to company data;
  • Industry self-regulatory obligations; and
  • The degree to which the company needs or desires to be privacy-protective and/or maintain industry-leading data security to protect its brand and customer relationships.

Some companies may wish to merely comply with applicable legal and industry self-regulatory obligations and contractual commitments (which may include obligations imposed by insurers, customers or even service providers such as credit card companies), while others may seek to establish best practices and use that as a market differentiator. Companies operating only in the U.S. will have differing, usually lower, legal obligations than those with international operations, especially where European or similar laws apply. Even in the U.S., companies in industry sectors that have heightened data protection regulatory schemes, such as financial services, health care, and those collecting personal information from children, will be mandated to meet higher levels of data protection than those that are not subject to sectorial data protection laws.

There will be a multitude of company policies and notices that reflect the overall company policy, including employee/contractor computer use (including “Bring Your Own Device”) and social media policies, consumer privacy notices (including website and specific product privacy notices), a written information security policy (WISP), a data security breach preparedness and response plan, a policy of requiring privacy impact assessments for new or changed data practices or events, etc. All of these second-level policies should reflect the company's overall strategic data protection policy.

Developing and Implementing Program Framework

Developing a program framework will help in the articulation of the broad umbrella policy and its implementation through more specific policies and notices. Part of the framework is the governance structure. From the program management group comes the second level of governance: policies, procedures, processes, guidance documents and checklists, educational programs, compliance and request reporting mechanisms, and incident response plans that will enable policy implementation and compliance. Some aspects of the framework will be company-wide and some specific to products, services or functions. Here, having the input and participation of all stakeholders in program governance will help ensure effective implementation and ongoing assessment and refinement, which in turn helps reduce the risk of data leakage or misuse that could cause economic and/or reputational harm to the company.

A program framework can be developed from applicable established standards. In some cases, certain standards will be required by law or contract to be applied to at least certain data sets. Examples include: legally imposed frameworks such as the requirements of U.S. sectorial data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA) and related regulations; the National Institute of Standards and Technology (NIST) security and data controls applicable to U.S. government systems and organizations (NIST SP 800-53 Rev. 4); framework obligations imposed by international laws, where applicable, such as the EU Data Protection Directive (and guidance from local data protection authorities); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); the Massachusetts data protection law (which, among other things, requires companies with certain types of personal information of its citizens to have a written information security policy and to require the same of their vendors); and industry- and contract-mandated frameworks such as the Payment Card Industry Data Security Standard (PCI DSS). Even if not legally required, these provide valuable standards for consideration.

There are also best practices for privacy and data security that are recommended by the Federal Trade Commission and the California and other states' Attorneys General, and the concept of Privacy by Design (PbD), which has been adopted in various forms as either required or recommended by various data protection authorities worldwide. In short, PbD sets privacy and security as the default and implements reasonable security, limitations on data collection, use, and retention, and methods of ensuring data accuracy at all stages of development of data-using products and services. In addition, a number of data protection standards have been set by standards organizations that can be instructive, such as the American Institute of CPAs' Generally Accepted Privacy Principles, and the International Organization for Standardization (ISO) 27000 series of information security standards. Public companies should also develop data protection frameworks keeping firmly in mind their obligation under Section 404 of Sarbanes-Oxley, which requires management and external auditors to report on the adequacy of the company's internal controls on financial reporting.

Establishing Goals and Measuring Performance

Once policy is established and has begun to be implemented, the governance system should set measurable goals to gauge program performance. Tracking and benchmarking indicators of program performance and maturity can help establish what is working and where improvements are necessary. In doing so, it is important to select enough relevant metrics and to ensure they are objectively measured and accurately reported. For more information on examples of developing appropriate data protection performance measurement tools, see the best practices of the NIST Interagency Report 7564: “Directions in Security Metrics Research” and Chapter 3 (Performance Measurement) in the International Association of Privacy Professionals (IAPP) Privacy Program Management: Tools for Managing Privacy Within Your Organization (available from Google Books at http://bit.ly/1O7kFIM). Relevant metrics include: adequacy of notice at collection; consistency of access and use with policy; conformity with retention/destruction policies; results of security assessments; use of privacy impact assessments; employee policy knowledge; and number and severity of incidents and response time and effectiveness.

Assessing, Protecting, Sustaining and Responding

The operational functions of a data management program are often categorized by the literature on the subject as assessing, protecting, sustaining, and responding, and are applied across an operational lifecycle. The four phases represent key tasks, and lifecycle means not birth, growth, death and rebirth in the ecological sense, but that there is a process of constant evaluation and refinement as opposed to a one-time assessment and fix. Good programs are intended to continuously evolve and improve.

Assessment is a critical initial step to new program creation (as well as crucial to existing program evaluation), to the evaluation of the impact of each new product and service, and of changes in facts, law or practices. Assessment enables the company to understand its corporate goals, legal obligations, and the facts regarding data and data practices. It also enables the company to identify and fill in gaps, evaluate program success and failings, and establish return on investment data. All areas of a company that touch data, and all of the company's data stakeholders, need ongoing assessment. This can be institutionalized through the adoption of various assessment models and tools, including software tools, physical inspections, surveys and questionnaires, internal and third party audits, impact assessment forms, and other fact-marshalling devices that provide input necessary for a meaningful analysis. Essentially, fact gathering by use of these tools is the monitoring function, and assessment is the analysis and conclusions and recommendations that come from monitoring activities.

There are well-developed models for assessing overall program development. One is the now 20-year-tested AICPA Privacy Maturity Model. It uses benchmarks to rate activities and programs at five maturity levels: ad hoc, repeatable, defined, managed and optimized. The AICPA offers an affordable software tool called the Privacy Principles Scoreboard that companies and their advisors can use to conduct privacy risk and maturity assessments. Two real values of engaging in such an exercise are that it helps track growth and success, and that it can also be used as an objective measure of return on investment.

An assessment model used less for rating a program than for operating it is the concept of “Privacy by Design,” pioneered in the 1990s by Ontario, Canada Privacy Commissioner Ann Cavoukian. This much-refined and time-tested approach has been recommended by the FTC in many of its privacy and data security guidance and policy documents, and is essentially codified in the European Union. In its true form, privacy is the default, and products and services should be developed from conceptualization through exploitation to minimize privacy and data security impact and maximize consumer privacy, control and safety. Even if a company's policy is not consumer friendly, and it operates only in jurisdictions like the United States (and there in a minimally regulated industry where that is acceptable), the process of evaluating privacy and data security impacts at all stages of product and service development and exploitation, rather than as an afterthought, has great value and helps avoid unnecessary inefficiencies and risks and costly last-minute workarounds. For more information, see www.privacybydesign.ca.

Returning to the life cycle metaphor, protection of data can also be seen in this manner, and Data Life Cycle Management (DLM) is a common information governance approach to tracking and managing data from creation to destruction. DLM is concerned with how data is handled, retained, processed, stored, shared and destroyed. Data retention policies are important to comply with legal requirements, and to minimize risk associated with data retention beyond what is necessary or beneficial. Both privacy compliance and data security are also crucial to data protection throughout the data life cycle. As previously explained, although different requirements and frameworks may apply depending on the company and its data, established frameworks that may not be legally required are nonetheless good standards to draw from.

Sustainment is essentially about evaluating, enforcing, refining and educating, and it flows out of monitoring and assessment. To sustain a program, monitoring and assessment need to be ongoing. Compliance monitoring, which requires systems to solicit, respond to, track and learn from complaints and mistakes, is an excellent way to sustain program goals. Indeed, part of sustainment is accountability. There should be trusted people and mechanisms for making complaints, requests and recommendations and for whistleblowing. There also need to be procedures for responding to and resolving issues, and repercussions for non-compliance. Finally, employee and vendor training is essential. Anyone that touches, or has access to, company data or data systems needs some level of data protection sensitivity, which can only be had through ongoing education. Education is more than merely promulgating operational policies and practices; it also includes educating people about the issues, why they are important, and how they relate to their particular role in the company and their daily activities. Some education is of a general nature and relevant to all, while other training should be function-specific and tailored to the relevant audiences.

In order to respond, there must be knowledge of an issue in need of response; the first three elements assist in this regard. Data protection programs need to be designed to respond to requests, inquiries, compliance failures, security breaches, disasters and other business interruptions, and there should be preparedness plans and systems in place for each. Companies should also consider various cyber-liability and business interruption insurance policies to help mitigate the costs of inevitable issues.

Key to the ability to respond is preparedness, which means not only having well-conceived plans and procedures, but also practical exercises that build the experience necessary to respond effectively when the time comes. This can be done through tabletop exercises, which put response team members through likely scenarios, including internal and external breaches and natural and man-made disasters. In this regard, data protection incident response is similar in many respects to a good business continuity and disaster response plan, and indeed is a component of such planning. Furthermore, state laws and federal and state health care information laws may require data security incidents to be reported to regulators, data subjects and the public. These laws are far from consistent and may result in different obligations from state to state under identical facts, so having the ability to expeditiously address those requirements in the event of an incident, typically through outside legal counsel, is part of response preparedness.

Conclusion

In today's digital age, all companies have data assets and obligations. Legal, IT/IS, and compliance leaders need to work together with other data stakeholders, within a defined and accountable governance structure, to develop a robust program for assessing that data and its corresponding obligations, protecting the data and evaluating and minimizing data-related risks. A good data management and protection program should be in a constant state of self-evaluation and improvement.


Alan Friel, CIPP and CIPM, is a partner at Baker Hostetler in its Los Angeles office and a member of the Board of Editors of e-Commerce Law & Strategy, an LJN sibling of this newsletter. He may be reached at [email protected].

In the era of almost daily news accounts of massive retailer credit card data, employer human resources data, and health care provider patient medical data security breaches, the legal and business imperative for data and data system protection needs no explanation. Suffice it to say that privacy and data security are increasingly regulated and the topic of litigation. Data is also a rich source for evidence in litigation and, for many companies, a valuable asset. What is less apparent, however, to many lawyers, business people, and even information professionals, is exactly how to properly manage information and its privacy and security. However, over the past several decades, frameworks, standards, and best practices have been developed for establishing and managing a comprehensive privacy, data protection and information governance program. This article summarizes those learnings to suggest an approach for how to design and run a program that is right for your company.

Program Elements and Framework

For any privacy, data protection, and information governance program to be effective, it requires a multi-disciplinary effort with a mandate from the Board and C-suite, and ongoing assessment and maturement. What is legally required, cost beneficial, and otherwise reasonable under the circumstances will differ based on company size, industry, jurisdictional footprint, and corporate philosophy. Accordingly, data management programs must be developed and evaluated individually ' sadly, there is no boilerplate, one-size-fits-all model. However, there are paradigms, elements and best practices, discussed below, that all good programs have in common.

Privacy and data security are often referred to as opposite sides of the same information governance coin. While this metaphor does help visualize the similarities and differences between privacy and data security and their inextricable links to each other, it ignores other aspects of information governance all together. When looked at instead as three indispensable legs of the data management stool, the role of each is better understood:

  1. Privacy. Protects an individual's (consumers and employees typically) ability, and in some jurisdictions right, to control the collection, use, and disclosure of their “personal information” or “personally identifiable information” ' terms defined in a number of ways depending upon context and jurisdiction.
  2. Information Governance. Protects and manages not just personal information, but all data, including data that is purely business information but may be of even greater sensitivity than personal information (e.g., trade secrets, evidence in a pending litigation, etc.).
  3. Data Security. Protects the data itself from unauthorized access, use, loss, corruption or destruction; provides policies, practices, systems, technical and operational controls, and safeguards to enforce access restrictions; and evaluates and monitors this security and responds to suspected or actual security compromises. A violation of privacy, or of information governance policy, may or may not necessarily be a data security incident.

These three subsets of data management all need to be considered together in a collaborative manner, even where, as is typical in large organizations, each has its own domain. This can be accomplished through bringing together all data stakeholders, across domains, and developing collaboratively shared policies, goals and tools. Only in this way can an integrated and overall data management program be developed.

There are a number of frameworks that can be drawn upon to articulate key elements of a data management program. The Federal Trade Commission's (FTC) version of the Fair Information Practice Principles (FIPPs), which are the core of the Privacy Act of 1974, 5 U.S.C. ' 552a, that applies to federal government agency computer systems and records, lists eight: Transparency; Individual Participation; Purpose Specificity; Data Minimization; Use Limitation; Data Quality and Integrity; Security and Accountability; and Auditing.

The Organization for Economic Cooperation and Development's (OECD) Privacy Principles, which tie closely to the European Commission's Data Protection Directive, also have eight, though somewhat differing, principles: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; and Accountability. The American Institute of Certified Public Accountants (AICPA), along with its Canadian counterparts, have drawn from these and other frameworks to establish 10 Generally Accepted Privacy Principles (GAPP) around which a company's data management policies and practices can be accessed and managed: Management; Notice; Choice and Consent; Collection; Use, Retention and Disposal; Access; Disclosure to Third Parties; Security; Quality; and Monitoring and Enforcement.

Breaking data management framework principles down to the most general topics, a data management program can be organized, evaluated and operated, and risk assessed and mitigated, based on just five categories: Governance; Transparency; Data Subject Participation; Security and Control; and Accountability:

  1. Governance. The company understands the data it has, its legal obligations regarding the data, and the business choices it has regarding it. Based on this knowledge, it develops a data management strategy conveyed in a program mission statement, which guides the development and implementation of program policies, procedures, and notices. Program management is vested with appropriate authority and resources to ensure the ability to ensure accountability and ongoing assessment and improvement, with coverage over all parties with access to company data, including vendors and other third parties.
  2. Transparency. The company's policies and practices are apparent to data subjects and data stakeholders. Data subjects should have reasonable and accurate notice regarding the collection, use, dissemination, maintenance and security of data about them, with specificity of purpose, particularly in regard to their personal information and any choices available to them regarding such information.
  3. Data Subject Participation. Choice and consent may or may not be required by applicable law, depending upon data type and use, industry sector and jurisdiction. To the extent data subjects are required to be given a choice, or it is otherwise offered, the company gives meaningful notice of the choices, a reasonable method for exercising them, and in fact honors those choices.
  4. Security and Control. Data security is about data control, and since the 1960's the model of data security has been the C-I-A triad: Confidentiality (prevent unauthorized access); Integrity (prevent unauthorized and unintentional alteration or deletion); and Availability (data remains available to authorized users). A company should appropriately limit the access and use of its data and take reasonable measures, which will depend on the sensitivity of the data, to protect against unauthorized access and use, and from corruption, loss or unintended destruction. Minimizing data collected and retained, and its use, reduces risk. Training and awareness, as well as technical and procedural steps to protect the data, are essential. The company should have an incident management and response plan, train on how to respond to an incident, and evaluate what led to incidents when they occur and how to better prevent future incidents.
  5. Accountability. The company communicates its policies and procedures to those it allows to access or maintain its data (including employees, vendors and other third parties), monitors for compliance, and enforces its standards and requirements. The company has known and accessible procedures to address complaints and disputes.

What specific program policies and practices will flesh out each category will depend upon the laws and self-regulatory schemes that may be applicable to a company, as well as business judgment decisions as to how protective or exploitive a company desires to be of its data, within the limitations of applicable law.

Stakeholders and Their Role

There are typically many data stakeholders, each with different relationships with a company's data, and as such potentially different viewpoints toward how it should be collected, used, shared, protected and maintained. Only through involvement of all these stakeholders will a company be able to implement and maintain a comprehensive data protection program that meets company-wide needs and obligations. It is recommended that a program's mandate and governance structure be established with input from these stakeholders. This will make it more likely that complete information is gathered and all stakeholders' interests are considered. It also makes governance more effective and efficient.

While all these stakeholders need to be intimately involved in program development and operations, frequently through a committee structure, programs work best with ultimate management by a single senior level executive with the responsibility to oversee the program and report directly to the Board, CEO or executive management team. This is more and more frequently a Chief Privacy Officer (CPO) or Chief Information Officer/Chief Information Security Officer (CIO/CISO). An industry analyst has proffered that “digital business innovation risk will bring about the rise of the Digital Risk Officer” to manage company data and information systems. See, Gartner, Innovation Insight: Digital Business Innovation Risk Will Bring About the Rise of the Digital Risk Officer (June 18, 2014). Sometimes, particularly in larger organizations, there is a leadership team comprised of the CIO/CISO, a CPO, and potentially one or more other executives, such as the head of Regulatory Compliance and/or Risk Management. This team may share overall management responsibility, or represent a second level of subject matter management reporting up to a single program leader. Multi-nationals and conglomerates may need various levels of structure, at for instance divisional/subsidiary levels and/or jurisdictional levels. Top-level, umbrella management is still recommended to improve oversight and accountability and help avoid discrepancies not justified by business or legal differences. Each company's size, footprint, management structure, and internal politics will drive what will be the most likely effective governance structure. However, for effective governance and accountability, a program needs both top down and bottom up involvement and the participation of all of the following stakeholders:

  • IT. Information technology procures and maintains the company's information systems and vendors. Coordination is essential to ensure privacy and information governance compliance and data security. For technology-driven companies, IT may also be involved with, or responsible for, development of products that have privacy and data protection. As such, it has an essential role in facilitating the gathering of facts for privacy impact assessments and data security assessments, and implementing Privacy by Design ' important data protection program practices described below.
  • IS. Information security is responsible for preventing unauthorized access to information systems and for helping ensure that sensitive data is restricted to access-controlled systems. This includes employing privacy and security enhancing technologies and data leakage prevention tools (where permitted by local law; some jurisdictions limit employee monitoring), and educating employees on data protection policies and best practices. IS monitors ongoing access control and is accordingly the first to become aware of potential and actual breaches and incidents, and is crucial to facilitating prompt and appropriate response.
  • Privacy. Privacy is a relatively new discipline arising out of data protection laws that impose obligations on companies regarding personal data of individuals. These obligations may include notice, choice, consent, usage limitations, transfer limitations, retention limitations, rights of individuals to access, review, change and/or delete their data and the obligation to reasonably secure the data and give notice of unauthorized access or use. There is much other important company data, such as trade secrets and confidential information, that is beyond the scope of privacy. However, the evolving importance of privacy, including the repercussions of not protecting consumer and employee privacy, justifies companies having a go-to privacy expert that is among the top of the data management staffing hierarchy, and developing an appreciation for privacy considerations at all levels of the organization. This function may be that of a privacy professional with no other responsibilities, or it may be an area of responsibility of an executive with other, typically overlapping, responsibilities.
  • Records. All companies have some process for maintaining business records. The management of this function should include records retention and destruction management. Mature records programs are information governance programs and, where well integrated with privacy and security, can potentially serve as the umbrella for all data management program aspects. However, in most companies, records is a relatively low level administrative function, the leadership of which lacks the clout to effectively manage an overall data management program and all of its stakeholders. Nonetheless, records is an essential stakeholder and resource.
  • Legal. An in-house or outside counsel expert in privacy and data protection law is necessary to advise on what legal, self-regulatory, and contractual obligations relate to company data, and draft company data practice policies and notices and contractual obligations for company vendors that have access to its data. The expertise of privacy and data protection lawyers should also be called upon to advise on the legal implications of facts arising out of privacy impact and data security assessments and privacy and/or security breaches and other incidents. The expertise of lawyers is also helpful in designing appropriate record retention and destruction policies, and advising on how data policies and practices may impact the rights of consumers and employees. Using outside counsel to manage assessments may protect some of the resulting workproduct with the benefit of the attorney-client privilege.
  • Internal Audit. Public companies may have a semi-independent audit group reporting to the Board, the Board having ultimate responsibility for data protection. If so, internal auditors can be helpful with assessments, audits and program evaluations.
  • Regulatory Compliance/Ethics. Regulatory compliance and ethics groups help establish and enforce the external and internal legal and regulatory obligations applicable to the company's activities, and those of its employees, suppliers and vendors. Privacy and data protection obligations should be part of his group's responsibilities.
  • HR. Human resources is typically the repository of vast amounts of personal data of candidates and employees, as much of it sensitive. It also is the primary voice for most companies to communicate employee policy. Human resources professionals also have a training role, and can be crucial in helping educate employees on data protection policies and practices. HR can serve as an effective reporting structure for policy violations and for incidents, especially where an employee's complaint or report would implicate a supervisor. Finally, HR professionals should have knowledge of employee privacy rights under applicable laws.
  • Security. Physical security is as important as informational security in maintaining effective data protection. Involvement of security leadership, or if none exists, of facilities operations leadership, is important.
  • Marketing and Business Development. The marketing group likely collects, maintains, and exploits data on consumers, and sophisticated companies maintain customer relationship management databases. Even B-to-B companies collect and exploit personal information databases of customer contacts. More and more, marketing uses technology to collect data about consumers and target them based on that data. These practices are increasingly being regulated and scrutinized. Much of what marketing does will have significant privacy and data security implications. To a lesser degree, business development and/or sales may engage in similar data activities. Also, business development and sales staff are the first line of communication with clients on a day-to-day basis, and, during crisis, can be called upon to communicate the right message.
  • PR/Communications. This group can assist with both internal educational messaging to promote program compliance and external communication in the event of an incident or breach.
  • Finance. A successful program needs an adequate budget and the company needs a contingency budget for responding to breaches and other incidents. In smaller companies, finance may also handle the roles of procurement and risk management.
  • Procurement. Procurement can communicate to vendors their privacy and data protection obligations and work with legal to ensure contractual commitments and indemnification. The group can also assist in evaluating the capability of vendors and suppliers to meet the company's privacy and data protection obligations.
  • Risk Management. Companies with risk management departments may be tasked with evaluating risks and making cost-benefit recommendations, managing a business continuity plan, and/or making decisions as to what insurance, including cyber-liability insurance, the company will maintain and what it will require of its suppliers and vendors.

A program needs the participation of all of these stakeholders to be successful, and a governance structure to manage their participation and hold them accountable.

Understanding Company Data and Data Obligations and Practices

It is crucial that the company, and its data stakeholders (especially those involved in program development and governance) understand the “who,” “what,” “where,” “when” and “why” of its data. More particularly, what data it has, how it is collected, where it resides, its appropriate purposes and life cycle, what third parties have what interest in it, access to and involvement with it, how the company ensures appropriate protection and compliance with legal and other obligations, and that it is not inappropriately accessed, used or transferred. This is accomplished initially through inventories and assessments of data, data practices, and data obligations, and then application of appropriate controls on various data. This understanding is necessary to properly establish the company's overall strategic data protection mission, as well as to reflect that in a policy and to implement a policy through program management.

This process of inventorying, if not previously done, is a logical initial step for program development once the stakeholders are identified and organized. Thereafter, ongoing inventory updating is critical to keep a program effective. There are a number of tools that can be used to conduct such inventories. Software tools are available to search for and identify certain types of sensitive data so that it can be ensured that those databases have the appropriate security and access controls. However, that alone is insufficient as the company still needs to know the purpose of that data, how it is used and by whom, and to establish rules around its retention, destruction, access, use and transfer. This can be done through surveys or interviews. An example of a resource for conducting this due diligence is the online data practices survey tool offered by Jordan Lawrence (www.jordanlawrence.com). Jordan Lawrence offers industry and department function specific standard survey questions, which can be supplemented with custom questions as well. The end results are reports that identify data types, locations and use practices. These results can then be accessed to help evaluate program compliance and to identify issues that need to be addressed. There are also a number of consultants, such as accounting firms and data protection consultants, that offer similar auditing and surveying tools and services.

Strategic Mission and Program Mission Statement

As discussed, given the various data stakeholders and their different roles regarding company data, a company can only develop and mature a data protection program if there is an overall, company-wide policy statement that explains how data is to be treated in order to meet the company's overall strategic business goals. This will articulate the company's organizational objectives and values and inform employees and contractors generally how company data is to be collected, processed, used, shared, transferred, updated, retained, destroyed and made available to data subjects, employees, contractors, and others.

Considerations in developing an overall strategic policy include:

What kinds of data the company collects and maintains, its purposes, and the related degrees of sensitivity;

What legal obligations apply to company data;

Industry self-regulatory obligations; and

The degree to which the company needs or desires to be privacy-protective and/or maintain industry-leading data security to protect its brand and customer relationships.

Some companies may wish to merely comply with applicable legal and industry self-regulatory obligations and contractual commitments (which may include obligations imposed by insurers, customers or even service providers such as credit card companies), while others may seek to establish best practices and use that as a market differentiator. Companies operating only in the U.S. will have differing, usually lower, legal obligations than those with international operations, especially where European or similar laws apply. Even in the U.S., companies in industry sectors that have heightened data protection regulatory schemes, such as financial services, health care, and those collecting personal information from children, will be mandated to meet higher levels of data protection than those that are not subject to sectorial data protection laws.

There will be a multitude of company policies and notices that will reflect the overall company policy, including employee/contractor computer use (including “Bring Your Own Device”) and social media policies, consumer privacy notices (including website and specific product privacy notices), a written information security policy (WISP), a data security breach preparedness and response plan, a policy of requiring privacy impact assessments for new or changed data practices or events, etc. This second level of policies all should reflect the companies' overall strategic data protection policy.

Developing and Implementing Program Framework

Developing a program framework will help in the articulation of the broad umbrella policy and its implementation through more specific polices and notices. Part of the framework is the governance structure. From the program management group come the second level of governance ' policies, procedures, processes, guidance documents, educational programs, compliance and request reporting mechanisms, guidance documents and checklists, and incident response plans that will enable policy implementation and compliance. Some aspects of the framework will be company-wide and some specific to products, services or functions. Here, having the input and participation of all stakeholders in program governance will help ensure effective implementation and ongoing assessment and refinement, which in turn helps reduce the risk data leakage or misuse that could cause economic and/or reputational harm to the company.

A program framework can be developed from applicable established standards. In some cases, certain standards will be required by law or contract to be applied to at least certain data sets. Examples include: legally imposed frameworks such as the requirements of U.S. sectorial data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA) and related regulations; the National Institute of Standards and Technology (NIST) security and data controls applicable to U.S. government systems and organizations (NIST SP 800-53 Rev.4); framework obligations imposed by international laws, where applicable, such as the EU Data Protection Directive (and guidance from local data protection authorities); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); the Massachusetts' data protection law (which, among other things, requires companies with certain types of personal information of its citizens to have a written information security policy and to require the same of their vendors); and industry and contractual mandated frameworks such as the Payment Card Industry Data Security Standard (PCI DSS). Even if not legally required, these provide valuable standards for consideration.

There are also best practices for privacy and data security that are recommended by the Federal Trade Commission and the California and other states' Attorney Generals, and the concept of Privacy by Design (PbD), which has been adopted in various forms as either required or recommended by various data protection authorities worldwide. In short, PbD sets privacy and security as the default and implements reasonable security, limitations on data collection, use, and retention, and methods of ensuring data accuracy at all stages of development of data-using products and services. In addition, a number of data protection standards have been set by standards organizations that can be instructive, such as the American Institute of CPAs' Generally Accepted Privacy Principles, and the International Organization for Standardization (ISO) 27000 series of information security standards. Public companies should also develop data protection frameworks keeping their obligation under Section 404 of Sarbanes Oxley, which requires management and external auditors to report on the adequacy of the company's internal controls on financial reporting, firmly in mind.

Establishing Goals and Measuring Performance

Once policy is established and has begun to be implemented, the governance system should set measurable goals to gauge program performance. Tracking and benchmarking indicators of program performance and maturity can help establish what is working and where improvements are necessary. In doing so, it is important to select enough relevant metrics and ensure they are objectively measured and accurately reported. For more information on examples of developing appropriate data protection performance measurement tools, see the best practices of the NIST Interagency Report 7564: “Directions in Security Metrics Research” and Chapter 3 (Performance Measurement) in the International Association of Privacy Professionals (IAPP) Privacy Program Management ' Tools for Managing Privacy Within Your Organization (available from Google Books at http://bit.ly/1O7kFIM). Relevant metrics include: adequacy of notice at collection; consistency of access and use with policy; conformity with retention/destruction policies; results of security assessments; use of privacy impact assessments; employee policy knowledge; and number and severity of incidents and response time and effectiveness.

Accessing, Protecting, Sustaining and Responding

The operational functions of a data management program are often categorized by the literature on the subject as accessing, protecting, sustaining, and responding, and are applied across an operational lifecycle. The four phases represent key tasks, and lifecycle means not birth, growth, death and rebirth in the ecological sense, but that there is a process of constant evaluation and refinement as opposed to a one-time assessment and fix. Good programs are intended to continuously evolve and improve.

Assessment is a critical initial step to new program creation (as well as crucial to existing program evaluation), to the evaluation of the impact of each new product and service, and of changes in facts, law or practices. Assessment enables the company to understand its corporate goals, legal obligations, and the facts regarding data and data practices. It also enables the company to identify and fill in gaps, evaluate program success and failings, and establish return on investment data. All areas of a company that touch data, and all of the company's data stakeholders, need ongoing assessment. This can be institutionalized through the adoption of various assessment models and tools, including software tools, physical inspections, surveys and questionnaires, internal and third party audits, impact assessment forms, and other fact-marshalling devices that provide input necessary for a meaningful analysis. Essentially, fact gathering by use of these tools is the monitoring function, and assessment is the analysis and conclusions and recommendations that come from monitoring activities.

There are well-developed models for assessing overall program development. One is the AICPA Privacy Maturity Model. It uses benchmarks to rate activities and programs against five maturity levels: ad hoc, repeatable, defined, managed and optimized. The AICPA offers an affordable software tool called the Privacy Principles Scoreboard that companies and their advisors can use to conduct privacy risk and maturity assessments. Two real values of engaging in such an exercise are that it helps track growth and success, and that it can also be used as an objective measure of return on investment.

An assessment model used less for rating a program than for operating it is the concept of “Privacy by Design,” pioneered in the 1990s by Ontario, Canada Information and Privacy Commissioner Ann Cavoukian. This much-refined and time-tested approach has been recommended by the FTC in many of its privacy and data security guidance and policy documents, and is essentially codified in the European Union. In its true form, privacy is the default, and products and services should be developed from conceptualization through commercial exploitation so as to minimize privacy and data security impact and maximize consumer privacy, control and safety. Even if a company's policy is not consumer friendly, and it operates only in jurisdictions like the United States (and there in a minimally regulated industry where that is acceptable), evaluating privacy and data security impacts at all stages of product and service development and exploitation, rather than as an afterthought, has great value: it helps avoid unnecessary inefficiencies and risks and costly last-minute workarounds. For more information, see www.privacybydesign.ca.

Returning to the life cycle metaphor, protection of data can also be seen in this manner, and Data Life Cycle Management (DLM) is a common information governance approach to tracking and managing data from creation to destruction. DLM is concerned with how data is handled, retained, processed, stored, shared and destroyed. Data retention policies are important both to comply with legal requirements and to minimize the risk that comes with retaining data beyond what is necessary or beneficial; data that has been destroyed on schedule cannot be breached, subpoenaed or misused later. Both privacy compliance and data security are crucial to data protection throughout the data life cycle. As previously explained, although different requirements and frameworks may apply depending on the company and its data, established frameworks that are not legally required are nonetheless good standards to draw from.
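The retention and destruction step of DLM is the one most often left to good intentions, so here is an added example, not code from the article or from any of the frameworks it cites, of how a retention schedule can be enforced mechanically rather than by memory. The record classes, retention periods and sample records below are hypothetical, chosen only to illustrate the logic: each record is tested against its class's retention period, records under legal hold are never destroyed regardless of age, and records whose class is not in the schedule are routed to review rather than silently kept forever or silently destroyed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule, in days, keyed by data classification.
# These values are illustrative assumptions, not legal advice; a real
# schedule is set by counsel per jurisdiction and record type.
RETENTION_DAYS = {
    "payment_card": 90,        # e.g. transaction data kept only for chargeback window
    "hr": 7 * 365,             # e.g. personnel records
    "marketing_lead": 2 * 365, # e.g. prospect data with no ongoing relationship
}


@dataclass(frozen=True)
class Record:
    """One stored record as tracked by a (hypothetical) data inventory."""
    record_id: str
    data_class: str
    created: date
    legal_hold: bool = False   # set when litigation/investigation hold applies


def disposition(rec: Record, today: date) -> str:
    """Decide what to do with one record as of `today`.

    Returns one of:
      'hold'    - legal hold in force; destruction is suspended no matter the age
      'review'  - classification not in the schedule; a human must decide
      'destroy' - retention period has elapsed
      'retain'  - still within its retention period
    """
    if rec.legal_hold:
        return "hold"
    days = RETENTION_DAYS.get(rec.data_class)
    if days is None:
        # Fail closed: an unknown class is flagged, never auto-destroyed
        # and never allowed to accumulate unnoticed.
        return "review"
    expiry = rec.created + timedelta(days=days)
    return "destroy" if today >= expiry else "retain"


def plan_disposition(records, today: date) -> dict:
    """Group record IDs by disposition so the result can be reviewed and audited
    before any destruction job runs."""
    plan = {"retain": [], "hold": [], "destroy": [], "review": []}
    for rec in records:
        plan[disposition(rec, today)].append(rec.record_id)
    return plan


# Constructed sample inventory and "as of" date for demonstration only.
AS_OF = date(2015, 6, 2)
SAMPLE_RECORDS = [
    Record("pc-1", "payment_card", date(2015, 1, 1)),                   # past 90 days
    Record("pc-2", "payment_card", date(2015, 5, 15)),                  # within 90 days
    Record("hr-1", "hr", date(2005, 1, 1), legal_hold=True),            # old, but on hold
    Record("hr-2", "hr", date(2005, 1, 1)),                             # past 7 years
    Record("tel-1", "telemetry", date(2014, 1, 1)),                     # class not scheduled
]


if __name__ == "__main__":
    for action, ids in plan_disposition(SAMPLE_RECORDS, AS_OF).items():
        print(f"{action:8s} {ids}")
```

The output is a plan, not an action: the destroy list should be logged and signed off before a deletion job consumes it, so that the destruction itself leaves the audit trail a regulator or litigant may later ask for.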

Sustainment is essentially about evaluating, enforcing, refining and educating. This flows out of monitoring and assessment. To sustain a program, monitoring and assessment need to be ongoing. Compliance monitoring, which requires systems to solicit, respond to, track and learn from complaints and mistakes, is an excellent way to sustain program goals. Indeed, part of sustainment is accountability. There should be trusted people and mechanisms for making complaints, requests, recommendations and whistleblowing reports. There also need to be procedures for responding to and resolving issues, and repercussions for non-compliance. Finally, employee and vendor training is essential. Anyone who touches, or has access to, company data or data systems needs some level of data protection sensitivity, which can only be had through ongoing education. Education is more than merely promulgating operational practice policies; it also includes educating people about the issues, why they are important, and how they relate to their particular role in the company and their daily activities. Some education is of a general nature and relevant to all, while other training should be function-specific and tailored to the relevant audiences.

In order to respond, there must be knowledge of an issue in need of response. The first three elements assist in this regard. Data protection programs need to be designed to respond to requests, inquiries, compliance failures, security breaches, disasters and other business interruption. There should be preparedness plans and systems in place for all. Also, companies should consider various cyber-liability and business interruption insurance policies to help mitigate the costs of inevitable issues.

Key to the ability to respond is preparedness, which means not only having well-conceived plans and procedures, but also practical exercises to build the experience necessary to respond effectively when the time comes. This can be done through table-top exercises, which put response team members through likely scenarios, including internal and external breaches and natural and man-made disasters. In this regard, data protection incident response is similar in many respects to a good business continuity and disaster response plan, and indeed is a component of such planning. Furthermore, state laws and federal and state health care information laws may require data security incidents to be reported to regulators, data subjects and the public. These laws are far from consistent and may result in different obligations from state to state under identical facts, so having the ability to expeditiously address those requirements in the event of an incident, typically through outside legal counsel, is part of response preparedness.

Conclusion

In today's digital age, all companies have data assets and obligations. Legal, IT/IS, and compliance leaders need to work together with other data stakeholders, within a defined and accountable governance structure, to develop a robust program for assessing that data and its corresponding obligations, protecting the data and evaluating and minimizing data-related risks. A good data management and protection program should be in a constant state of self-evaluation and improvement.


Alan Friel, CIPP and CIPM, is a partner at Baker Hostetler in its Los Angeles office and a member of the Board of Editors of e-Commerce Law & Strategy, a LJN sibling of this newsletter. He may be reached at [email protected].
