Establishing Trust with U.S. Privacy Regulators
Privacy regulators from state and federal agencies share insight on how businesses can cultivate a strong relationship to help bolster a working dialogue and curb regulatory action
By Jedidiah Bracy, CIPP/US, CIPP/E
“Privacy drives trust.”
That was the mantra during Thursday’s Practical Privacy Series Financial Services track in New York City. Privacy drives trust with your consumers, your employees and the regulators, said HSBC Chief Privacy Officer Al Silipigni, CIPP/US.
And building trust with regulators—both at the federal and state levels—can go a long way in keeping your company out of litigation and press headlines.
To illustrate, Fulbright & Jaworski Partner Pamela Jones Harbour shared an anecdote involving an unnamed organization whose chief privacy officer had regularly reached out to the Federal Trade Commission (FTC), an agency with an open-door policy. Over time, she said, the CPO had built a working relationship with the federal agency. Later, the organization was hit with a privacy breach. The CPO proactively reached out to the FTC through a relationship already built on trust, and avoided the headlines and an FTC consent decree, not to mention a biennial audit, monetary penalties, litigation costs and brand damage.
William M. Rubenstein, Connecticut’s Commissioner of Consumer Protection, went further. Calling them the “building blocks of trust,” Rubenstein presented four distinct tips for bolstering a trusting relationship with a regulator.
“Trust begins at home,” he said. “There has to be a corporate commitment that is there even when no one is looking.” The culture matters and businesses need to recognize that viewing privacy simply through a compliance lens is not enough. Training employees on privacy from top to bottom will help an organization “put its money where its mouth is.”
Establishing a respectful relationship with a regulator is another building block of trust. “Assume that regulators are knowledgeable, sophisticated, cooperative and practical,” Rubenstein said. “If you don’t go into it with these in mind,” he warned, “it creates an aura of arrogance and disdain.”
But these attitudes are not a one-way street. Regulators should also maintain a respectful relationship, he allowed. To help, reach out to regulators to introduce your business, share your problems, identify contacts, show an interest and seek input.
Inclusion is another key. “Don’t go behind a regulator’s back” if you’re already working with one, he warned. It’s okay to go over an official’s head if an incident needs to be escalated or brought elsewhere, but communicating that before doing so will go a long way in maintaining that trust.
Rubenstein also stressed that working with regulators is not a deposition. Openness, self-reporting breaches with regular updates and discussing your internal processes and consumer protection initiatives are essential.
Self-reporting is also one of four tenets in a recent Consumer Financial Protection Bureau (CFPB) bulletin on responsible business conduct. “One thing about self-reporting,” said CFPB Deputy Enforcement Director Deborah Morris, “it’s a sign you may have good internal procedures.”
Elizabeth Anne Khalil, senior compliance policy analyst at the FDIC, echoed Morris’ sentiment. “Be open,” she said, “be transparent. When examiners ask for information, be forthcoming and accurate.” Often, Khalil noted, an executive will step in to try to assuage the issue, but that can confuse the investigatory process. “Make sure the correct people in your organization are providing answers,” she said.
Katherine Armstrong, an attorney with the FTC’s Division of Privacy and Identity Protection, added, “If we come to your door, be nice. If you don’t know the answer to something, don’t guess. Tell us your story so we don’t have to guess.”
And guessing games aside, businesses can also leverage established trust with other regulatory agencies, Connecticut’s Consumer Protection Commissioner Rubenstein said. There are so many regulatory bodies, it’s impossible to create relationships with everyone. But regulators talk with one another, so a strong relationship with one can help forge strong relationships with others.
Failing to establish trust can lead to a lot of miscommunication, Rubenstein added. “It’s not that regulators are vindictive,” he explained, “but it may seem so” to an organization. “For regulators, we often don’t know how big the iceberg is—so what you tend to want to do is turn over every stone” to see how deep the privacy problem within an organization really is. Additionally, you’ll often get a more compulsory process—meaning subpoenas, he said.
In effect, the consequence of not building trust with a regulator can drive an agency “to use more formal and coercive processes,” he said, adding, however, “Lack of trust doesn’t necessarily mean this will happen, but it impels” such a reaction.