By the time the Gramm-Leach-Bliley Act (GLBA) passed in 1999, Nationwide Insurance Companies' Kirk Herath was already a privacy veteran studying the European Union's strict privacy laws. Given that the insurer handled more than 16 million policies, any one of which was a potential security liability, that experience was crucial.
Then there were the agents to consider. Nationwide had some 8,000 who collected and maintained private client information. Though the agents operated as independent representatives, "we were the custodians of their data," Herath says.
Nationwide could not take risks. Two years prior to GLBA's passage, Nationwide put in place a working group of departments, all of which touched some issue related to data privacy. Management supported the group's initial efforts with funding, explains Herath, chief privacy officer (CPO) and associate general counsel at Nationwide.
And two years after GLBA went on the books, Nationwide created an official privacy department with a staff of three -- now seven -- and operationalized GLBA's privacy and security directives. The company first examined the terms of GLBA, then mapped out a privacy statement that delineated all the actions the company would take to regulate the sharing of private data about Nationwide customers.
The biggest task was conducting a data-flow analysis. The process took six months, with PricewaterhouseCoopers providing data-collection methodologies and 30 Nationwide staff assigned to conduct surveys and lead discussions company-wide.
In the first three years after the law passed, Herath erred on the side of sharing no data while Nationwide assessed GLBA's impact. Nor did the company have a customer opt-out system. "We didn't know whether we wanted to go to the expense of creating one," Herath says.
Like other CPOs, Herath cites the importance of close relationships with peers in the risk-assessment, IT, security and legal departments. He and Jack Jones, Nationwide's CISO, "are the best of friends. I don't know how I would do my job without him, and I don't know how people in my job get their job done in the unfortunate event where they find themselves at odds with their CISO."
"I see privacy as being inherently legal, and security as inherently technological," Herath says. "If there are two of you in separate organizations fighting for the same thing, you have twice the clout -- and two sources of funding, too."
Jones agrees. "I firmly believe that technology can and does play an important role in an effective information risk management program, but I believe it's a mistake to view technology as anything more than one of the many necessary tools for solving the problem. The scope of an effective information risk management program must also engage the people and process elements."