VIEWPOINT: Your CEO's Privacy Agenda
Alan Charles Raul
This is an excerpt from Raul's March 9 keynote at the IAPP Privacy Summit 07 in Washington D.C.
Scott McNealy of Sun Microsystems told attendees of the IAPP Privacy Summit last month how to get their CEOs' attention: Feed their home security cameras straight to YouTube and then post their tax returns on the Internet.
Okay, so now that you have the CEO's attention on privacy, what do you want them to do with it?
1. First things first, the CEO ought to HAVE a privacy agenda and it better be impressive.
The issue of privacy is vitally important to consumers, employees, patients, account holders, communicators, travelers, libertarians, parents and ultimately even children and grandparents. Something this big warrants the CEO's personal time, passion and leadership within the company and the broader community. So what should the term "privacy" mean for the CEO? How broad should he or she be encouraged to construe the term?
In fact, perhaps we should start using the more expansive term the EU prefers, "data protection." This would not only give the Europeans their due for making everybody in America worry about data flows among different offices of the same organization, but it would also recognize that "privacy" per se is the tip of the iceberg.
Most obviously, Americans (okay, Californians) have put information security on the global map. The Europeans are starting to realize themselves that there is more to privacy than just making companies register corporate databases of personal information with regulatory commissars, and entering into convoluted agreements with one's own corporate self.
2. The CEO's data protection agenda should bring related areas of "information management" together, namely:
- Safeguarding privacy, information security, and confidential and proprietary business information;
- Mandating thoughtful records retention policies;
- Adopting procedures for dealing with the new federal electronic discovery obligations;
- Fending off cybercrimes; and, of course,
- Avoiding spying on your fellow board members and other lame-brain information disasters.
3. Related to the last point, the CEO has got to break down personnel silos within the corporation.
Who else can bring the CPO, CIO, IT staff, HR, legal, marketing, security, outsourcing managers, risk management personnel and others to bear on the company's crown jewels - its information assets?
Foremost, the CEO has to make sure the Privacy Officer (whom we will now call, for fun, the Chief Data Protection Officer) talks to the IT gurus and vice versa. The CEO also needs to keep the Board of Directors in the loop. In the Sarbanes-Oxley, Federal Trade Commission-intensive, Hewlett-Packard pretexting era that we live in today, many data protection issues must properly be of acute interest to corporate directors.
4. The CEO has to know where and what her data are, and who and where her people are.
That is not so easy to pin down these days.
Data and personnel are remote, and linked to the mother ship by less bright lines than in the past. But there is no escaping the risk of responsibility, reputational at least, for remote problems with a company's information in India, in the hands of partners, agents or brokers, on BlackBerries and PDAs, on lost or stolen laptops, or even on home computers that are long forgotten and donated to the trash collectors.
5. The CEO has to send the message that there is no real benefit in taking an ostrich approach to risk assessment.
In general, it is better to look for gaps in protection and try to fix them than to adopt a "create no potential adverse piece of paper" mentality. If an information crisis befalls a company that tried to anticipate and prevent that crisis, the CEO will look better and liability may be mitigated. Of course, talk to your lawyers first. They can figure out how to plan a risk assessment that can do the most good with the least damage.
6. Think ahead. Not just of potential crises, but also of potential solutions.
The CEO needs to talk to the data protection team often enough to make sure everyone stays creative and ahead of the curve. Make sure your CEO is ready for problems. CEOs must task their teams to develop contingency and communication plans for company-shocking data breaches, cybercrimes and profound technical glitches.
7. Serve up some GOOD data stories for the CEO so that privacy, data protection and information issues don't always seem so downright geeky.
For example, why shouldn't the data protection team go to the CEO with exciting new ideas for putting the "e" into personal health records, and making them more electronically accessible for the convenience of the data subjects as well as for their medical well-being and peace of mind?
8. CEOs should rise up against make-work privacy obligations.
Does anyone really believe that GLB privacy notices do as much good as they cost, or that the EU's elaborate "model contract" scheme that multinational organizations need to enter into with themselves makes much sense?
9. Get the CEO involved in the public policy debate over privacy in the U.S. and around the world.
Tell your CEOs that they cannot leave these policy matters to just the techies . . . and the Senators . . . or Congressmen. The Hill needs to hear from practical and regulated business people who face conflicting laws, myriad enforcers and eager plaintiffs. Having a balkanized, unintelligible privacy regime does no one any good except litigation junkies - and perhaps some benighted Euro-critics of America.
Our economy and our culture are simply too dependent on information flowing freely. We cannot afford to embed trade barriers, irrational prejudices and knee-jerk over-reactions into our privacy laws, regulations and cultural expectations. But the "fair information practices" familiar to everyone are actually pretty much universally admired. These standards were developed in 1973, in the United States believe it or not, by a task force at the Department of Health, Education and Welfare (HEW), the predecessor of today's Department of Health and Human Services. The HEW task force was intent on developing policies that would allow the benefits of computerization to go forward, while protecting personal privacy at the same time.
It focused on principles of: openness, disclosure, secondary use, correction and security. Then, in 1980, the Organisation for Economic Co-operation and Development adopted "Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data" to "harmonize national privacy legislation and . . . uphol[d] . . . human rights, [and] at the same time prevent interruptions in international flows of data."
Let's rationalize standards everywhere around these universal principles without layering on undue additional regulatory complexities. Experience suggests that uniqueness is not always a virtue in a regulation.
In reality, many of the regulatory distinctions and restrictions that have sprung up among countries and states are idiosyncratic. They are not necessarily rooted in material, substantive differences.
To promote harmonization of U.S. and global data protection principles, I would recommend that CEOs use their weight to encourage the development of a comprehensive Restatement of the Law of Data Protection and Information Privacy.
This is the sort of thing that the American Law Institute does in order "to promote the clarification and simplification of the law and its better adaptation to social needs."
Wouldn't the current state of U.S. and international privacy law benefit from such an exercise in "clarification and simplification of the law and its better adaptation to social needs?"
10. CEOs should go through their company's full scale privacy and information security training.
Once your CEO goes through your training, he or she will become magically enlightened, inspired and informed enough to give privacy professionals the salaries, resources and budgets they need to do our increasingly exalted and important work.