KnowledgeNet - Privacy Pros Track Through Spring Snow for Boston KnowledgeNet Meeting
Ann E. Donlan
Boston's April KnowledgeNet meeting provided a forum for 25 privacy pros to share privacy practices across industries - including healthcare, pharmaceutical and data storage - as Ernst & Young hosted the group on a snowy April afternoon.
The group gathered in the company's downtown office in the John Hancock Tower for a discussion titled "Privacy: A Universal Language? A Discussion of Privacy Across Industries." The panel consisted of Jean-Paul Hepp, CIPP, Company Privacy Officer, Pfizer, Inc., and an IAPP board member; Jack Burke, Vice President, Corporate Compliance Programs, Harvard Pilgrim Health Care; Clare Dever, CIPP, Director of Privacy and Compliance, Iron Mountain, Inc.; and Mary Helen Gillespie, President, Gillespie Interactive.
Jeannette Frey, Privacy Officer for Tufts Health Plan, kicked off the meeting with praise for the IAPP.
"One of the many things that I like about the IAPP is there are so many different industries represented," Frey said. "And that's our goal - to learn from each other and about the different privacy challenges."
During the next 90 minutes, participants covered diverse privacy issues related to HIPAA, cross-border data transfers, mobile data security policies and breaches, RFID and financial services.
The theft or loss of company laptops produced a lively discussion about how companies have handled these types of breaches as well as suggestions on the best way to avoid jeopardizing customer information and damaging a company's reputation.
In response to a question about what types of controls companies have in place to minimize the risk of laptop-related breaches, Burke of Harvard Pilgrim described the aftermath of the theft of an employee's laptop from a locked car.
Burke noted that Harvard Pilgrim does have a policy about laptops, which led to disciplinary action for the employee. Although the computer was password-protected and the likelihood of the thief accessing any subscriber data was minimal, Burke described how he opted to send letters to the small number of affected customers.
"I would rather go on record and say, 'The risk is low,' than to not say anything and hope for the best," Burke said. "That's what you do."
Hepp mentioned the increasingly urgent risk of harm brought on by vendors who lose laptops - and then may fail to notify the company that hired them about the theft.
"Encryption, I think, is the best way to go," Hepp said.
Gillespie, who worked in the financial services industry before launching her privacy consultancy, offered a practical solution reminiscent of the days when taking reams of employee data home was not an option.
"Leave it all there," Gillespie said, referring to the workplace. "Go home and relax. You can do your job better."
The group also devoted some time to a discussion of the best way to interact with customers and instill the importance of privacy among all employees.
"Opting in is the much-preferred method of interacting with your customer," Burke said. "It's the equivalent of informed consent. It comes down to how you want to engage your customer."
Dever said Iron Mountain supports the opt-in approach and expounded on the challenges of doing business in multiple countries with different privacy and security laws. Iron Mountain does business in 24 countries, and as a result it must abide by diverse laws, including the Gramm-Leach-Bliley Act, Canada's Personal Information Protection and Electronic Documents Act and European data protection laws, to name a few.
To track the regulations, Dever said she developed a matrix that indicates which countries permit data to be exported, which ones do not allow data transfer at all, and what restrictions apply in each. For example, Italy requires prior approval and a security plan, she said.
"My life became a nightmare when we started into the electronic arena," Dever said.
Dever said part of a privacy officer's success relies on good relationships with the IT governance group, system security engineers, product development and management to ensure that security and privacy issues are "reviewed up-front."
The goal, she said, is for the privacy officer to avoid this scenario: "What's this new press release I just read about?"
Dever acknowledged the constant challenges she faces, especially at a company that "continues to have a very aggressive merger and acquisition strategy." But those challenges, she noted, are what make her job exciting.
Hepp asked Dever whether Iron Mountain was contemplating setting up regional offices in Europe where data transfer and privacy laws present complexities for multinational companies.
"That's the direction in which we are definitely moving," Dever said.
Gillespie detailed the cascade of laws and regulations faced by the financial services industry - at one point astutely reminding the privacy pros that "all of the AGs want to run for the Senate or governor."
However, Gillespie advised privacy pros to divert their attention from outside regulators to the marketing offices inside their company "because your marketers want to touch your customers in every way."
Furthermore, Gillespie stressed the importance of training employees about the importance of privacy. "Every one of them in the building is a privacy ambassador," Gillespie said. "That means training, training, training."
Gillespie also recommended:
- Organizing a "cross-functional" privacy task force to meet regularly and then respond on an emergency basis in the event of a breach.
- Aligning internal and external messages to achieve "branding across all channels" so privacy looks the same on the business Web site, in pamphlets and in other material.
Gillespie concluded by stressing the advantages of linking marketing and privacy. "Privacy is a marketing tool that can not only recruit, but retain, customers," Gillespie said.