Privacy Advisor

Insights from Women in Privacy

May 1, 2013

By Julie Sartain

In the late 1970s and early 1980s, the term and the position of chief privacy officer (CPO) was nonexistent, largely because personal privacy issues were not yet an epidemic. When the digital revolution moved from the Halon-haloed computer rooms to the desktop--then laptop, notebook, tablet, smartphone--environment, the world of privacy redefined itself and swiftly became an entirely different game.

Personally identifiable information (PII) was suddenly available on millions of computers across the globe as consumers use banking services, pay bills and make purchases on thousands of websites from New York to New Zealand. As hackers and identity thieves quickly discover new ways to embezzle funds from corporations and their clients, privacy officers and agencies have grown exponentially to combat these new threats.

History and Balance

In the field’s infancy, privacy positions were almost equally shared by men and women.

Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, director of privacy education and policy at the Office of the Attorney General for the California Department of Justice, explains, "When I started attending privacy conferences in 2001, there were plenty of men there. However, it seems to me that the percentage of women in this profession has grown considerably over the past decade."

In Their Own Words

"I was delighted to become part of our Attorney General's new Privacy Unit," says Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT. "I think it's a great development for California and for privacy that we are building on our past work; that is, empowering consumers and businesses and, now, adding accountability and enforcement. It seems like the logical evolution of a government's role in a state whose constitution, in Article 1, Section 1, provides an inalienable right to pursue and obtain privacy. I describe the new unit's mission as the three Es: enforcing state and federal privacy laws; educating/empowering consumers regarding their rights and strategies for protecting their privacy, and encouraging businesses to follow privacy best practices."

According to Lillie Coney, as the privacy profession grows, the diversity of positions and employment opportunities will grow as well. Much of the policy work, regarding women in privacy, focused on personal security and the autonomy of women. Now that the nation has a broad, cross-section of interest in the privacy area, the diversity of groups and the base of allotted resources is also growing. It's important these funds are being used, Coney says.

"Organizations such as EPIC, who run summer clerk programs, attract law school students and hopefully spark an interest in privacy law. I would like to see more women in policy positions who come from highly technical backgrounds," says Coney. "I volunteer to meet with Public Leadership Education Network (PLEN) students each year. It's a great program for women in the policy world to encourage and mentor other young women that would be excellent in privacy positions. There are some very bright stars on Capitol Hill working on privacy policy issues, but we can always use more great talent for these future roles."

Pria Chetty, associate director of Tech and Innovation Law Advisory Services at PwC South Africa, believes her CPO colleagues are not only leaders, but innovators who have and will continue to set the tone for other organizations by designing and implementing comprehensive and, often original, privacy programs. "The majority of these women are lawyers," says Chetty, "which has resulted in a compliance-driven approach, plus a strong desire to guide and direct other roles that can and will achieve privacy objectives; a task that is no playing field, but handled well by these past, present and future trendsetting women."

"Privacy is many things," says McNabb. "It's a civil liberties issue, a behavioral and cultural issue, a public policy issue, an economic issue and often a technical issue. Privacy work involves the law, technology, education, training, practical implementation and lots of writing. When asked, I believe that most of us would reply that we do it because we love it."

"I totally agree," says Privacy Rights Clearinghouse’s Beth Givens. "It's an ever-changing landscape, one that continues to fascinate and challenge both myself and our staff."

Are you a woman in the privacy field? We’d love to hear from you. Tell us your story. We’d love to share it with our readers.

"Back in the 1990s and early 2000s, there were actually quite a few men in the profession," says Jennifer Barrett Glasgow, CIPP/US, global privacy and public policy executive at Acxiom. "However, as the demand for privacy officers grew, we saw more women entering the field. This may have happened because the job requires skills that are more common in women than men. Since we are responsible for getting things done across an entire enterprise but don't have the reporting authority to dictate when it happens, it requires excellent negotiating skills. Women, in general, may have a little more patience for this. I find that getting an organization to go along with what they should do is similar, at times, to parenting."

Presently, IAPP membership is nearly half men and half women; recent statistics indicated 312 of these members carry the title of CPO of which 160 are women. Sandra Hughes, who served as CPO for Procter & Gamble, says, "One reason why the privacy profession may be more gender-balanced now is because a large portion of CPOs have law degrees and, since the mid-1990s, the number of women graduating from law school has been fairly equal to men."

She adds, "So yes, I do believe that the privacy profession is more gender balanced than say information security, or, in my experience, to a lesser degree, ethics and compliance. Statistics have revealed that fewer women have technical degrees and, thus, fewer are choosing professions that require a higher understanding of computer science (CS) and/or engineering."

Hughes says that only 13 percent of her classmates graduated with CS or engineering degrees when she received her BS in systems analysis from Miami University. "Fortunately, those statistics are improving drastically," she says. "But I still believe those technical-type degrees are earned predominantly by men."

Lillie Coney, associate director at the Electronic Privacy Information Center (EPIC), says she believes that compared to other public policy areas, women actually hold more prominent, well-established roles that deal with policy; areas that would certainly be male-dominated in other fields.

"
For example, my work at EPIC has involved national security, cyber security, the smart grid, domestic surveillance, voting, telecommunications and computing technology. I have worked on emerging policy and technology issues in collaboration with some of the best, well-known computer technologists and security experts in the nation,” says Coney. "However, now that the field is gaining prominence in policy-making, government and the private sector, there are clear differences regarding which roles women fill. For example, the private and government sectors have fewer women, and they have to work much harder to gain distinction and recognition as privacy professionals. Often, the role of women as privacy professionals is in conflict, especially in those organizations that have strong national security or law enforcement components."

Blazing a Trail

Acxiom’s Glasgow received the IAPP Vanguard award in 2011 and is recognized by the association as the first person to have the title of CPO, which occurred in 1991. "Our CEO, a very perceptive and forward-thinking individual, knew that acquiring a data company meant that we had to think about privacy, so he asked me to figure out what we should do," Glasgow says.

She set up a privacy function and a steering committee, believing that these tasks would take a year or so to initiate and get underway, and then she would move onto something else. There were very few privacy laws even being contemplated in the early 1990s. In the beginning, the privacy officer job was very much a part-time role. Glasgow established a few policies regarding how consumer data that was collected and brought to market should be treated. The company worked with the Direct Marketing Association and helped establish its Privacy Council, which had a basic set of ethical guidelines that Glasgow expanded with privacy provisions.

"We were a founding member of the Information Services Executive Council, which worked with the FTC to create some self-regulatory guidelines for what is known today as the 'people finder' business, since these services involved the use of sensitive data such as Social Security numbers collected from public records, which were not otherwise regulated. In the mid 1990s, we started to see more privacy laws enacted such as the Gramm-Leach-Bliley Act (GLBA), which governs financial data; the Health Insurance Portability and Accountability Act (HIPAA), which governs health data, and the European Union’s Data Protection Directive," says Glasgow.

Toward the end of the 1990s, Acxiom began directly lobbying Congress and a few states—California, Texas and Arkansas—rather than relying on its trade associations to carry its message. Because most of the legislative issues affecting the company related to data, Glasgow took over the government-relations function, which is not common with privacy officers. This meant managing lobbyists and, occasionally, testifying before Congress as privacy and security laws were introduced and passed.

For more information on work in the privacy field, see the IAPP’s 2013 Privacy Professionals Role, Function and Salary Survey.

The first person to hold a government CPO position was Nuala O'Connor, CIPP/US, CIPP/G. This first statutory position was created within the federal government's Department of Homeland Security (DHS), an agency that's heavily influenced by national security, national defense and law enforcement. O'Connor served from 2003 until 2005. After she left the agency, Hugo Teufel served from 2006 to 2009, followed by Mary Ellen Callahan, CIPP/US, in 2009.

Janet Napolitano, the first woman to lead DHS, appointed Callahan, the first woman to serve dual positions of CPO and chief freedom of information act officer. DHS’s Privacy Office is the first statutorily mandated privacy office in any federal agency. "Its mission is to preserve and enhance privacy protections for all individuals, to promote the transparency of Homeland Security operations and to serve as a leader in the federal privacy community," according to its mission statement.

Callahan was one of the 2011 Federal 100 Award recipients for her work that integrated cybersecurity, transparency and privacy at DHS. In addition, she received the Band One Nationwide highest ranking by Chambers USA for Privacy and Data Security and the “Leading Lawyer in Technology: Data Protection and Privacy" recognition by the Legal 500 Series.

Harriet Pearson, CIPP/US, was one of the first individuals appointed CPO at a Fortune 1000 company. She blazed the trail for privacy professionals in 2000 when IBM appointed her as its first CPO. As a partner at Hogan Lovells’ Privacy & Information Management practice, Pearson is globally recognized for her contributions and accomplishments in corporate privacy and data security.

A founding and long-serving board member of the IAPP, Pearson conceived and initiated the profession’s Pro Bono Privacy Initiative. In 2007, the IAPP presented her with the Vanguard Award, an annual honor for “the individual professional who best demonstrates outstanding leadership, knowledge and creativity in the field of privacy and data protection.” And, under Pearson's leadership, who, while at IBM was responsible for the data privacy and security policies and practices affecting more than 400,000 employees and thousands of customers in more than 100 countries, IBM's privacy accomplishments were recognized as one of the company’s top 100 achievements in 2011.

“It is deeply satisfying, now, to use my experience to help companies navigate the increasingly complex privacy and data security legal and regulatory landscape,” says Pearson.


Julie Sartain
, author of Data Networks 101 (Aegis, 2002), has been a freelance journalist for 13 years. She writes for several magazines including Network World, Computerworld, PC World, CIO and The Privacy Advisor.

Read more by Julie Sartain:
Hunters, hackers and safety crackers: One dozen privacy innovations
Analyzing FTC vs. Wyndham
The Masses As Data Controllers: What They Don't Know Could Hurt You
SMB Tips To Consider