Chief Privacy Officers: Hot or Not?
All the rage in the boom years, chief privacy officers lost traction with the downturn. New privacy regulations are restoring their clout. By Steve Ulfelder
Computerworld - In 1999 and 2000, a new title made its way into many executive suites: chief privacy officer. Reaction was mixed. Some CIOs and analysts welcomed the concept of a corporate privacy czar, while skeptics viewed the CPO boomlet as public relations gloss whose sole function was to assuage consumers' privacy fears.
The economic downturn of 2000-03 brought the CPO trend to an inglorious halt. "Over the last few years, the economy made it hard to bring in people except in industries where CPOs were mandated," says Herman Collins, CEO of Privacy Leaders, a Las Vegas-based executive search firm that focuses on privacy professionals.
But the worm has turned. The economy is percolating, hiring bans are easing -- and U.S. companies face an imposing array of privacy-related regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.
Against this changing backdrop, it's time to check in on the status of CPOs.
Regulatory Surprise
According to corporate privacy experts, federal regulations such as HIPAA, the Sarbanes-Oxley Act, the Fair Credit Reporting Act and Gramm-Leach-Bliley are affecting enterprises in significant, but perhaps counterintuitive, ways. Far from creating a second CPO boom, these regulations may actually be splitting privacy measures between two camps:
Those in the "CPO Classic" camp advocate hiring genuine corporate officers charged with proactively considering the ethical, competitive and strategic implications of privacy.
The "Compliance Is King" camp is narrowly focused on meeting the letter of the various federal, industry and state privacy regulations.
There is widespread agreement, especially among disappointed CPO Classic advocates, that the explosion of privacy regulations, combined with limited resources, has produced heavy emphasis on compliance. "Most companies have shifted from a privacy approach that would be based on proactive steps, competitive-edge orientation and customer trust building to a narrow legal-compliance priority," says Alan F. Westin, president of the Hackensack, N.J.-based nonprofit organization Privacy & American Business. "This shifts power to the legal folks ... and away from CPOs, and it also leads companies to spend tight dollars on outside legal counsel, again, for narrow law compliance."
Richard Purcell, CEO of Corporate Privacy Group, a Seattle consulting firm, agrees. Purcell pushed for creation of the CPO position at Microsoft Corp. and served as that vendor's first CPO from 2000 until early 2003.
"Unfortunately, the response to [regulations like] HIPAA has been to make privacy officer a compliance job, not proactive or strategic," Purcell says. "I'd argue that that's in conflict with the initial focus, which was more entrepreneurial."
A perfect example of compliance-driven privacy measures is the HIPAA mandate that any health-care-related business name a privacy officer. That includes major hospital chains, but also "a seven-person dental office," Purcell says. Thus the roster of CPOs is growing, but it's hard to see how the new title -- which in thousands of small medical offices is likely to be awarded to an already overworked assistant -- will advance the cause.
Membership in the leading CPO group, the Philadelphia-based International Association of Privacy Professionals, is about 1,000. Because of mergers among privacy groups, apples-to-apples comparisons are difficult to come by, but Westin says the growth in strategic CPOs plateaued in 2001; he believes that there are about 2,000 CPOs in the U.S. but that most of those are sops to HIPAA compliance.
Still, the CPO field isn't without heavy hitters: Privacy Leadership Group, part of Privacy & American Business, is composed of 16 CPO Classics -- Westin calls them "strategically oriented CPOs" -- from organizations such as Citigroup Inc., American Express Co., Bank of America Corp., the U.S. Postal Service, Nationwide Mutual Insurance Co., Equifax Inc., Hewlett-Packard Co. and Microsoft. Nearly all of these enterprises have had CPOs since 2001.
Clout Is Critical
In the Information Age, it seems clear that the relationship between a CPO and his employer's IT organization is critical. The Ponemon Institute LLC, a Tucson, Ariz., think tank focused on corporate privacy issues, recently surveyed 64 companies that have CPOs. According to institute Chairman Larry Ponemon, companies whose "CPO has at least a dotted-line relationship to the CIO tend to have more effective privacy programs."
The key reason, Ponemon adds, is that privacy is so tied into IT functions that even the best privacy policies are fruitless unless they can be implemented -- reliably and repeatably -- by the IT group. Indeed, Westin says, "Many of the hard issues facing companies are shifting also to CIOs. Their systems must track opts, do-not-call lists, etc., and must try to develop more secure customer and consumer identification -- especially to control ID theft."
Former CPOs and privacy experts say this relationship varies widely from company to company, relying almost totally on the CPO's background and personality.
"I'd call those relationships 'intensely variant,' " says former Microsoft CPO Purcell. "People in IT have titles and credentials that are provable. ... They often have a hard time with a privacy person because there's no objective credentials. A CPO could be from legal, compliance, HR, anything." Partly because of this disconnect, many CIOs are unsure of their role, "unless a smart CPO creates a working committee that brings the CIO into a privacy task force," Westin says.
One thing seems clear: As Westin says, regardless of the future of the CPO, "in smart companies, CIOs are front and center" where privacy is concerned.
Ulfelder is a Computerworld contributing writer in Southboro, Mass. Contact him at sulfelder@charter.net.