Who is a privacy professional’s BFF (best friend forever)? Is it the CFO or the General Counsel (GC)?
They’re both great folks to know and work closely with, but not the right answer in my book. I’d say the Chief Privacy Officer (CPO) needs to be best friends with the Chief Security Officer (CSO). I know CSOs can be a little intimidating. I knew one who would roam the halls looking for open, unattended computers. When found, he would swoop in, change the password, and lock the computer. What a kidder. But the CSO is so critical for the CPO’s success that I guarantee that if you send this article to your CPO, they will take you out for a free lunch the next day. And here are four good reasons they will pick up the tab.
Think of the CSO as the CPO’s own privacy NORAD, giving real-time insight into potential dangers. The CSO is the early warning system for losses of personal information. Know how most companies find out they’ve had a breach? They get a phone call – from a customer, a regulator, or a credit card issuer. This is NOT how you want to learn of the problem. The CPO wants a CSO who knows how to get hold of her fast, just like a good BFF should. And the CSO needs to know what to look for. The CPO wants to make privacy concerns part of the CSO’s thought process.
Here are some ways the CSO can think like a BFF.
Scenario #1, Stolen Laptop: Fred from finance has his laptop stolen when his house is broken into. The CSO focuses on getting Fred a new laptop and restoring his files from backup. But does he think about what data was on the laptop, and whether the disk was encrypted? Does the information match the definitions of personally identifiable information (PII) or protected health information (PHI)? How does that relate to the data breach regulations affecting the company? The CSO hears lost laptop, but the CPO thinks lost information. The CPO wants to lead the CSO down the path to privacy righteousness.
Scenario #2, Malware: Malware is detected on the HR and Engineering servers, and the log files show files being accessed from an IP address assigned to an ISP in Kazakhstan. The CSO focuses on closing the vulnerability and ridding the systems of malware. How fast does he also determine which files were accessed and what was in those files? Bet it will be faster if he knows how important it is for the CPO to determine whether the intruder made off with PII or PHI.
Scenario #3, Insider Threat: Your network monitoring tool throws an alert that Rissa the receptionist has been copying files off the CFO’s laptop just as your company is set to announce quarterly results. The CSO may think his job is done when he reports Rissa to HR and she’s marched out of the building. Will he think of analyzing Rissa’s computer to see where that information might have been sent? The CPO will certainly want to know.
Reason #1 why the CPO wants to be the CSO’s BFF is the CSO has skills and staff resources the CPO doesn’t. Does the CPO know how to analyze a log file or take an image of a disk? Unlikely.
The CSO’s team is the only source for answering the four questions required to determine whether a breach has occurred in the eyes of state and federal regulators. First, a breach is generally only reportable if information was actually accessed or acquired. That analysis is clearly in the CSO’s domain. Second, if the information was accessed or acquired, was it encrypted at the time, and did the encryption key stay out of the intruder’s hands? Most state laws exempt encrypted data only when the key was not also compromised, and the answer gets complicated when the loss may have occurred while the data was in transit rather than at rest. This will take serious forensic footwork. Third, what information was accessed or acquired? State breach notice laws define personal information; if the information accessed or acquired doesn’t meet the definition, then you’re not required to report.
The CSO is the gatekeeper to the files the CPO will need to review to determine whether they contain personal information. Fourth, where do the affected people live? Notice obligations follow the individual’s state of residence, so the CPO needs that list to work out which state laws apply. The CSO has the tools and technology to provide the information needed to determine whether you have a reportable breach on your hands.
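Here is what the first and third questions look like in practice for the malware case in Scenario #2. This is an added example written for this article, not a tool from the original; it assumes a hypothetical file-server access log in a `<time> <client_ip> <action> <path>` format, and the log lines, addresses, paths and file contents are all constructed for the example. It pulls out the files the suspect address touched, then checks each one for Social Security numbers and Luhn-valid card numbers, which is the kind of first-pass answer the CPO needs before anyone opens a state breach statute.

```python
import re

# Added example (not from the article): triage of a file-access log after a
# malware alert, answering the first and third breach questions: which files
# did the suspect address touch, and do they contain regulated data?

# Constructed sample log in a hypothetical "<time> <client_ip> <action> <path>"
# format. The addresses, paths and contents are invented for this example.
SAMPLE_LOG = """\
2024-03-02T01:14:07Z 10.20.4.15 READ /hr/payroll/2024-02.csv
2024-03-02T01:14:09Z 95.56.12.200 READ /hr/payroll/2024-02.csv
2024-03-02T01:14:11Z 95.56.12.200 READ /eng/specs/widget-v3.md
2024-03-02T01:15:03Z 95.56.12.200 READ /hr/benefits/enrollment.txt
2024-03-02T01:16:40Z 10.20.4.31 WRITE /eng/build/output.log
"""

# Constructed contents of the files named in the log (in a real case these
# come from the forensic image of the server, not from the live host).
SAMPLE_FILES = {
    "/hr/payroll/2024-02.csv": "name,ssn,salary\nAda Lovelace,078-05-1120,90000\n",
    "/eng/specs/widget-v3.md": "# Widget v3\nUses a 3.3V regulator.\n",
    "/hr/benefits/enrollment.txt": "Card on file: 4111 1111 1111 1111\n",
    "/eng/build/output.log": "build ok\n",
}

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<action>\S+) (?P<path>\S+)$")

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def parse_log(text):
    """Turn log lines into dicts; skip lines that do not fit the format."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def files_touched_by(entries, ip):
    """Question 1 (accessed or acquired?): paths the suspect address read or wrote."""
    return sorted({e["path"] for e in entries if e["ip"] == ip})


def luhn_ok(digits):
    """Luhn checksum, which rules out most digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(content):
    """Question 3 (what was in it?): data categories found in a file's text."""
    found = set()
    if SSN_RE.search(content):
        found.add("SSN")
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("CARD")
            break
    return found


def triage(log_text, suspect_ip, files):
    """Map each file the suspect touched to the regulated data it contains."""
    entries = parse_log(log_text)
    return {path: classify(files.get(path, ""))
            for path in files_touched_by(entries, suspect_ip)}


if __name__ == "__main__":
    for path, cats in triage(SAMPLE_LOG, "95.56.12.200", SAMPLE_FILES).items():
        print(f"{path}: {', '.join(sorted(cats)) or 'no regulated data found'}")
```

Two caveats a practitioner would add: regex matches are a starting point for the CPO’s review, not a legal determination (names, dates of birth and medical record numbers need their own checks), and the log only proves access; whether the data was actually exfiltrated is a separate question answered from network captures and the malware’s own behaviour.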
Reason #2 why the CPO wants to be the CSO’s BFF is that by collaborating, both parties become strategic to the business, with real impact on the customer or client experience. The CSO has a hand in the company’s mobile, social media and cloud strategies but needs the CPO’s guidance in launching them. For example, a health care organization realizes doctors are communicating with patients from the doctors’ personal, unencrypted email accounts. The CSO wants to roll out a patient portal so that communications with doctors happen in a secure environment. A number of vendors offer such portals, but which will keep the company on the right side of HIPAA/HITECH?
The CPO may not know log files, but they know HIPAA. When they take a seat at the table next to the CSO for purposes of patient interaction you have promoted each other from tactical to strategic contributors.
Reason #3 why the CPO wants to be the CSO’s BFF is that the CSO has money. I know that sounds a tad shallow, but privacy offices are not known for lavish budgets. Some in management feel that traditional compliance functions should be kept on a strict fiscal diet so they don’t become strong enough to hamper the business.
IT and security don’t suffer from such reduced rations. Network security is red hot these days and money is being spent. Got a tool that helps the CSO identify privacy issues in everyday security incidents? The CPO may find the CSO’s budget a lot easier to tap than their own.
Is the CPO still intimidated? They shouldn’t be. Just think of all the insight they’ll be getting, the strategies they’ll learn, and the skills they’ll walk away with – just by becoming the CSO’s BFF. And don’t forget the last part: the CSO has the dough to implement the security programs that may just save your company at some point in the near future. Now, how about that lunch?