Privacy Officers: Security Types Need Convincing

Last week in Washington, DC., (good news never starts out like this) a panel of security executives and technologists sat down to explore the challenges awaiting a new crop of chief privacy officers who will be appointed to federal agencies in response to new law.

Unfortunately, from the tone of some of the discussion, the first challenge for these CPOs will be to explain why they are relevant in the first place.

The panel is part of a group convened by the National Institute of Standards and Technology (NIST) to advise the Bush administration on security and privacy issues. Panel members had invited a handful of corporate CPOs to explain what it is they do for a living.

The reason for the sudden interest? A new federal appropriations law requires all government agencies to hire privacy officers, as well as engaging third-party auditors to watch over the shoulders of these new CPOs.

According to a recent report, the NIST committee’s task is to summarize current ”best practices” for federal CPOs. But, reportedly, the committee is considering recommending against the implementation of mandatory outside audits. Why? Due to the odd wording of the law, the auditors would be evaluating the work of the CPO, not the practices of the department.

Rebecca Leng, deputy assistant inspector general for information technology and computer security at the U.S. Transportation Department, was quoted as saying the appropriations language does not outline the criteria for such audits. The law simply says inspectors general must hire auditors to check the CPOs’ activities.

”At this point in time, nobody knows what good practices are in the [privacy] field,” she reportedly said.

Perhaps nobody she knows in the security field knows what good privacy practices are these days, but it doesn’t take a rocket scientist to appreciate that security audits might have an analog over in the privacy side of an organization.

First, let me state for the record that I am not opposed to clarifying badly written laws. If the committee’s point was to question the wording of the appropriations bill, then they have raised a valid point. But if they are questioning the more fundamental need for privacy audits — or even the need for privacy officers in general — then they are barking up the wrong tree.

I’ve spent much of the last six or seven years promoting the importance of privacy officers. Much to my dismay, over the course of the years, some of the greatest skepticism I’ve met has come from security professionals.

Much of the skepticism boils down to some basic misconceptions about the relationship between privacy and security, and fears that privacy officers are just going to be competing for the same organizational ”turf”. But as I have sat with security professionals to explain why the role of the privacy officer is complimentary, but fundamentally different, the concerns and misconceptions are easily dispelled.

Indeed, many security executives quickly realize that privacy officers get to deal with many of the murkier, subjective, and often politically-charged issues that many security officers try to avoid being drawn into — such as marketing strategies or legal and regulatory compliance.

But let’s not miss the bigger point here.

Assuming Congress could fix the law so it would require the auditing of privacy practices, instead of the day-to-day work of the privacy officer, this is something that should be encouraged. A critical element of the Federal Trade Commission’s enforcement actions in the realm of privacy has been the requirement that companies bring in outside auditors to oversee their privacy fixes and ongoing practices.

If this panel believes you should only audit after a problem is discovered, then they don’t appear to have a good grasp on the reality of today’s privacy methodology in use at the most enlightened organizations the world over.

The methodology is pretty simple… I ought to know. I helped develop it.
The four elements of a coherent privacy program are: