The best privacy consultancies

Like curling is to the Winter Olympics, privacy is to the consulting business: a curious oddity slotted in where it's least disruptive. That is, until recently.

Within the past few years, privacy consulting has grown into a $400 million market in the U.S., and at least a dozen American law firms and each of the Big Four auditors have come to boast of a robust privacy practice. But to corporate executives, these consultancies can all sound like they're selling the same thing: the master plan for keeping the company's name out of Computerworld's privacy breach roundup. So which ones can you turn to for the best advice?

That's the question I posed to more than 100 of my fellow corporate privacy leaders last month. It wasn't a scientific survey by any stretch, but some clear themes emerged through all of the responses. What did these chief privacy officers (CPOs) say?

Survey Results

First, law firms garnered the lion's share of the votes. This tells me American corporations are still primarily concerned with minimizing legal liability when it comes to privacy and aren't yet focused on meeting the often-higher standard of customer expectations. Among this group, Hunton & Williams stood head and shoulders above the rest. A cadre of firms—Morrison & Foerster, Baker & McKenzie, DLA Piper Rudnick, and Faegre & Benson—tied for second, with a large number of sometimes-passionate references.

What about the audit and consulting firms? Ernst & Young, Deloitte & Touche and PricewaterhouseCoopers captured about the same number of votes, but given the small sample size, they weren't significantly higher than for KPMG. For a list of all of the top vote-getting firms, see the accompanying charts.

So why did CPOs rank these firms best-of-breed? Their comments had eight common themes:

1. Expertise: The firm's staff consistently demonstrates a high-caliber command of privacy and is well respected in the field.

2. Practical: Their advice isn't theoretical but realistic and actionable, sensitive to business constraints.

3. Professional: Their work is timely and thorough, and their staff is accessible and personable.

4. Global: They have staff or affiliates in many countries with a command of their local scenes and a consistent global framework of advice.

5. Business-minded: They take the time to understand clients' businesses and deliver advice from the business perspective.

6. Connections: They have an extensive network of government and industry ties that clients can access and that broadens their expertise.

7. Interdisciplinary: The firm's privacy practice leverages other functions within the firm to provide more comprehensive advice.

8. Affordable: Their firm charges reasonable rates and its staff works efficiently.

Another factor that separated the top firms from their peers was the presence of at least one nationally recognized privacy expert. In fact, nearly half the responses seemed to be a vote for an individual as much as for a firm.

Names that repeatedly were mentioned include the following: Becky Burr of WilmerHale; Kirk Nahra of Wiley Rein & Fielding; Christine Varney and Mary Ellen Callahan of Hogan & Hartson; Marty Abrams, Lisa Sotto and Chris Kuner of Hunton & Williams; Miriam Wugmeister and Rick Fisher of Morrison & Foerster; Brian Hengesbaugh and Ruth Hill Bro of Baker & McKenzie; Stu Ingis and Jim Halpert of DLA Piper Rudnick; Cate Boschee and Robert Bond of Faegre & Benson; Benita Kahn of Vorys Sater; Brian Tretick of Ernst & Young; Rena Mears of Deloitte; Jim Koenig of PricewaterhouseCoopers; and boutique-firm founders Peggy Eisenhauer, Richard Purcell, Larry Ponemon, Gary Clayton and Alan Westin. Each of these leaders has developed some fiercely loyal clients.

Some veteran CPOs noted that very few firms have actually built a comprehensive practice around all facets of privacy. So these privacy officers have taken the approach of hiring several firms for their niche expertise. For example, they hire Hogan & Hartson for help with California litigation and Federal Trade Commission investigations; Covington & Burling for European Union privacy; and PricewaterhouseCoopers for Health Insurance Portability and Accountability Act (HIPAA) privacy.

Most Popular Services

What types of privacy services are companies seeking outside help for? The top things I noticed in the responses from both CPOs and consultancies were what you'd expect of a relatively new area of business:

1. Strategies for basic legal compliance, with a focus on the Gramm-Leach-Bliley Act (GLBA), HIPAA, Do Not Call, and EU transborder data flows.

2. Creation of privacy audit and governance programs.

3. Creation of privacy policies.

4. Assistance with contractual negotiations, particularly with outsourcing and offshoring agreements.

5. Emergency assistance to respond to data breaches and litigation.

6. Integration of information privacy and security controls.

7. Assistance with direct-marketing campaigns.

But about 20% of the corporate privacy leaders who responded said they don't use any outside help on privacy issues. Either they saw no need for it or had been burned by bad experiences. "I'm not impressed" with the Big Four auditors, said one Fortune 100 CPO, while another stated, "They come to us for advice more than we go to them." There was a common perception among this group that current CPOs have more expertise than outside consultancies. So they tend to participate in forums where CPOs collaborate, such as Hunton & Williams' Center for Information Policy Leadership and the Ponemon Institute's Responsible Information Management Council.

The Outlook for Privacy Consultancies

So, what's the future of privacy consulting? Is it just a fad, like the bubble of business process re-engineering consulting in the 1990s, or is it here to stay? To get at that answer, you need to look at what's currently driving the market for hired privacy guns and ask if these factors are changing.

First and foremost, it's all about legal compliance. Within the past five years, new privacy laws have papered the industrialized world, and multinationals are searching for help to sort out their compliance plans. I see the next five years bringing more refinements and extensions of existing privacy laws that will only increase the number of variances between state, federal and international privacy standards. Variance means that global companies will have a harder time complying.

As a result, some of our experts don't see any letup in the lawyering. "Privacy used to be a quirky little niche," Boschee says. "But not anymore. Privacy's on the table now for mergers and acquisitions, marketing initiatives, outsourcing, cross-border deals—you name it."

Halpert echoes this sentiment: "Companies can't avoid privacy law these days, and lawmakers impose new regulation almost every year."

The second driver I see is the changing nature of the market. Business models have become more risky from a privacy perspective. In the past five years, companies have steadily outsourced their noncore functions, Web-ified their business applications and globalized their operations, all in an environment of a global war on terrorism and increasingly sophisticated hackers, malware producers, phishers and identity-theft rings. I don't see any of these trends abating in the next five years, short of a wholesale societal rejection of online conveniences.

Eisenhauer agrees: "It used to be the case that only certain industries had to worry about privacy compliance, but now all companies need to think about how privacy and security considerations affect their information-handling practices."

But will companies keep turning to privacy consultants to solve these problems for them? Or will they bring these functions in-house? The financial, health care and technology industries have done both—formed internal privacy offices with budgets for external consulting. But outside these sectors, it's a mixed story, and the future outlook is uncertain.

Companies facing tight earnings this year may be holding back from investing in this hard-to-understand area. With qualified CPOs in short supply, since few people have the needed backgrounds in law, technology and business, their base salaries at Fortune 500 companies are easily topping $200,000 this year. Privacy consultants are charging similarly high rates—typically $300 per hour for consultants, $550 for privacy lawyers and $700 for senior partners, with a significant range on either side of these medians.

Sotto sees privacy evolving like environmental law did in the 1970s, becoming so regulated that it becomes an in-house function in every company.

My prediction: By 2010, half of the Fortune 500 will have made a public notification of security breach and subsequently hired a chief information protection officer overseeing both privacy and security. And insurance companies will force the other half to follow suit. The U.S.-EU privacy Safe Harbor will more than double its membership to 2,000 companies, and negotiations will commence for an International Safe Harbor. The best law schools and MIS programs in the country will have a discipline in data protection. And somewhere, somehow, a chief privacy officer will become CEO, as the reality sinks in that the future of business is data.

Table 1: Leading American law firms with privacy consultancies

| Law firm | Privacy full-time employees | Privacy specialties |
| --- | --- | --- |
| Baker & McKenzie | 60 | Global compliance & data transfers; Offshoring, outsourcing & third-party; Internet privacy |
| Covington & Burling | 15 to 20 | Internet, financial, health & employee; State, federal & international; Legislation, litigation & transactions |
| DLA Piper Rudnick | 38 | Global compliance; Legislative & regulatory; Litigation |
| Faegre & Benson | 12 | Global compliance & data transfers; E-commerce & direct marketing; Financial, health & employee |
| Hogan & Hartson | 18 to 20 | Privacy & security audits; International compliance; Financial & health |
| Hunton & Williams | 21 | Global data protection; Information security; Financial & health |
| Jones Day | 10 to 20 | Cross-border data transfers; Health care privacy; Global compliance programs |
| Morrison & Foerster | 60 | Privacy & data security advice; Technology & sourcing transactions; Litigation & dispute resolution |
| Privacy & Information Management Services | 2 | International data protection; Targeted marketing; Privacy assessments & incident response |
| White & Case | 12 to 14 | Cross-border data transfers; Privacy audits; Ad hoc privacy advice |
| Wiley, Rein & Fielding | 5 | Financial & health; Do Not Call; Cross-border data transfers |
| WilmerHale | 10 to 14 | International compliance; Incident response; Investigations & litigation |

Base: 157 responses of predominantly U.S.-based corporate privacy officers to the question: “Which firm provides the best privacy advice?” Notes: The top vote-getting firms are listed in alphabetical order. Many more firms with robust privacy practices received votes but weren’t included in these tables due to space constraints. The firms provided their own descriptions of their privacy specialties.

Source: Jay Cline
