
CPO: An enterprise point-person for privacy

Many companies are formally creating privacy officers to ensure the confidentiality of data transferred between companies, business partners and customers.

Two years ago, Greg Warner became chief privacy officer of Siemens Medical Solutions and Health Services of Malvern, Pa. But the new title merely formalized much of what he was doing for 14 years.

An attorney by training, Warner is also a corporate counsel (he answers to the general counsel). He sees his background as advantageous to his new position because he didn't come up through the ranks of a particular product group or division. "I am independent of any product chain of command," he said.

In many organizations, the duties of the chief privacy officer are nothing new. What is new is the responsibility for these duties being formally tied to a person holding the CPO title.

Over the last few years, companies have seen the need to put one person in charge of privacy and confidentiality issues, in many cases prompted by state and federal regulations. Financial services and health care companies in particular have gone down the CPO road, given regulations such as the Gramm-Leach-Bliley Act (GLB) and the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA, European Union privacy regulations and, to a lesser extent, GLB all require a point person on privacy matters. Companies don't have to use the CPO moniker but can use other titles such as "privacy professional," said Ray Everett-Church, CPO of a Philadelphia-based privacy-consulting firm that often advises CPOs.

Where the CPO (or similar privacy professional) fits into the corporate organization is probably more important than the specific title. The CPO needs to be high enough in the organization to be able "to look over the entire corporate structure," Everett-Church said.

A certain level of independence is also critical. If CPOs are tied too closely to business units, then they won't be effective when influencing company-wide policy. "In other words, they shouldn't be relegated to the bowels of the marketing team," Everett-Church said.

On the other hand, CPOs shouldn't gain the reputation of saying "no" to every request. "They will stop coming to them and stop including them in the processes," he said. "CPOs have to find ways to say 'yes' to things."

Warner is very conscious of not being known for saying "no" to everything. He tries hard to find practical ways to do what people request, but with an eye toward confidentiality. For example, the company does not allow patient information to be sent over the Internet. Yet there are times when such information needs to be transferred on the Net. That led Warner to institute a secure FTP [file transfer protocol] system that can accommodate such cases.

Such independence comes in handy for Warner, as his work cuts across every facet of the business. He is responsible for drafting and instituting corporate privacy policy and making sure employees are trained in it. He also conducts risk assessments of processes that are exposed to sensitive data. For example, Siemens sells medical software. Company employees need to be aware of privacy concerns when doing software maintenance on customers' systems, because a database may contain patient information, he said.

Beyond policy guidelines, there are technical checks in place. For example, firewall rules allow the company to detect sensitive data such as patient information in outbound traffic and stop it from being sent. Warner sees his mission as interdependent with security. "You can't have one without the other," he said, noting he is in daily contact with Siemens Medical's chief security officer.

One of the reasons Tom Warga was named CPO of New York Life was to come up with a blanket privacy statement that could cut across all the company's lines of business. The company didn't want, for example, a customer who bought a mutual fund and an annuity with the company to get two potentially contradictory privacy statements, Warga said. "It was a question of our brand image."

Regulation also played a role in the creation of the CPO position at New York Life. The New York State Insurance Department requires that companies have a single point of authority for privacy matters. Yet privacy controls and procedures have been in place at New York Life for at least 20 years. "That's as far back as we can check," Warga said. "But I have been here 31 years, and privacy and confidentiality have always been a concern."

Like Warner, Warga didn't come from the product ranks. In addition to being CPO, he is also the general auditor. He reports to the auditing board, but the company's CEO is his immediate supervisor. His background is an advantage, as it gave him the opportunity to learn "all operations of the company," he said. "I know who to go to and how the businesses are run."

Yet Warga isn't afraid to say "no" to proposals that would infringe on customers' privacy. For example, he was once asked whether the company could buy customer data from other companies to complement the data New York Life already has, a practice often used by direct mail companies. "I said 'No way, we can't do that,'" he said, adding that the company would need to get permission from customers before doing so. "I have no problem saying no."

FEEDBACK: Does your company have a CPO? Let News Writer Ed Hurley know.
