The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Chief Privacy Officer

  • From Vol. 4 No.38 (Nov. 14, 2018)

    How Privacy Professionals Can Benefit Cybersecurity Programs: Practical Tips From Gap and Privacy Panacea

    Privacy and security go hand in hand but, without a technical background, privacy professionals may feel unprepared to work with and provide oversight to security teams. To help overcome that hurdle, the associate general counsel of Gap Inc., and the president of Privacy Panacea, a boutique privacy advising firm, shared candid and practical tips on overseeing a cybersecurity program for non-technical privacy professionals at IAPP’s Privacy. Security. Risk. 2018 conference. For attorneys in the privacy space, “security has become much more of a legal issue,” Gap’s associate general counsel Dan Koslofsky said. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Evolving Roles of Privacy and Security Professionals: Operationalizing Policies, Incident Response and Vendor Management

    Clear policies and effective collaboration go a long way toward improving security and privacy efforts across an enterprise. In this three-part series, current and former privacy and security leaders share their insights on how the CPO and CISO can effectuate these practices and protect their organizations. This final installment covers policy ownership and ideal implementation, and includes advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part two discussed effective governance, including reporting structure and the relationship with the board. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles.

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Evolving Roles of Privacy and Security Professionals: Effective Governance and Board Reporting

    Not only are the roles of the CISO and CPO changing, but so are their relationships within the organization. Many CISOs who used to report to the CIO now report to other functions and, along with the CPO, have a direct or dotted line to the board. In this three-part series, we speak to current and former privacy and security leaders at Citi, AvePoint, Hunton and national retailers about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This second installment discusses effective governance, including reporting structure and the relationship with the board. The final part will cover ideal policy ownership, and will include advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.28 (Sep. 5, 2018)

    Evolving Roles of Privacy and Security Professionals: Examining Required Skills and Potential Convergence

    With changes in the current regulatory environment, such as the implementation of the GDPR, the NYDFS Cybersecurity Regulation and China’s Cybersecurity Law, the roles of the CPO and CISO are becoming more important and more collaborative. In this three-part series, we speak to current and former privacy and security leaders at Restoration Hardware, Citi, West Marine and AvePoint about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This first installment in the series covers the skills necessary for each function, how those requirements have changed, how to combat ongoing challenges and whether companies should continue to keep these functions separate or perhaps consider a convergence of the roles. Part two will discuss effective governance, including reporting structure, scope of authority and the relationship with the board. The final part will cover how these two teams should collaborate for effective incident preparation and response and on assessing and contracting with third parties. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.11 (May 9, 2018)

    Building a Customer Privacy Program: Lessons from DuPont’s Privacy Leaders

    With the sweeping data breaches of the last few years and the revelation that millions of Facebook users’ private information was harvested by a third party, consumer privacy is at the forefront of corporate and political minds. Companies know protecting data they collect is critical, but integrating privacy policies and practices into organizations – particularly large and complex organizations – can be challenging and costly. At IAPP’s 2018 Global Privacy Summit, DuPont’s privacy leaders shared their experience and provided advice on building a customer privacy program, such as how to start with a pilot business and automate as much as possible. See “Advice From CPOs on Nurturing Privacy Programs on Any Budget” (May 17, 2017).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    Managing Data Privacy Across Multiple Jurisdictions

    Long gone are the days when acceptable privacy programs consist of a policy in an HR handbook. Building an effective and comprehensive privacy program that addresses wide-ranging data sets and dynamic regulations is a challenge for large and small organizations. To provide guidance on what has worked for them, Ropes & Gray teamed up with privacy professionals from Wyndham Worldwide and Facebook on a recent panel at the Privacy + Security Forum. The panelists offered advice on complying with the patchwork of U.S. laws and the growing number of global regulations and offered behind-the-scenes insight on how Wyndham built its global privacy program as well as how Facebook approaches privacy across its products. See also “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel

    In-house privacy attorneys are constantly challenged to keep abreast of changing legal and regulatory requirements, obtain and maintain executive support, and work with internal stakeholders and outside counsel in economically viable ways. At a recent PLI event, privacy counsel from Google, JPMorgan Chase and Procter & Gamble Company offered insight on the challenges that come with their roles, how privacy programs have grown, how they can be managed well despite the speed of change and how in-house lawyers can best work both with outside counsel and internal business teams. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    Advice From CPOs on Nurturing Privacy Programs on Any Budget

    Mounting responsibilities combined with lean staffs, underfunding, and a reputation for restricting business ideas present challenges to privacy officers. The demands of the job coupled with the realities of the workplace have inspired some of them to develop creative approaches to what remains a fundamental and seemingly universal challenge for businesses large and small: safeguarding personal information successfully at a doable cost. “We all scratch our heads on the same kinds of questions and have tried different experiments on how to be more effective in our programs,” observed Lauren Steinfeld, CPO of Penn Medicine, during a recent IAPP Global Summit panel. She was joined by the CPOs of Comcast and PepsiCo as well as the SVP, data management at MasterCard. We cover their advice on ways to maximize benefits of privacy programs while working with limited resources. See also “Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program” (Dec. 14, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture 

    For in-house privacy counsel, building a cohesive privacy program means leading the company, its employees and its vendors through regulatory landmines. While there is no one-size-fits-all approach, there are certain privacy program essentials applicable to most organizations, regardless of size or industry. At the recent Women, Influence and Power in Law Conference, Megan Duffy, founder of Summit Privacy and former privacy counsel at Snapchat, Inc., Tori Silas, senior counsel and privacy officer of Cox Enterprises, Inc. and Zuzana Ikels, principal at Polsinelli, shared advice on how the legal department can create and implement a strong privacy program, from initial considerations to key components. See also “Designing Privacy Policies for Products and Devices in the Internet of Things” (Apr. 27, 2016).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    How GE’s Global CPO Approaches Shifting Regulations With Dynamic Implications 

    Shifting cybersecurity and data privacy regulations across industries and regions challenge many companies to frequently update their practices to remain compliant, not only at their home base, but also in other countries where they conduct business. Renard Francois, General Electric’s global chief privacy officer, spoke with The Cybersecurity Law Report in advance of ALM’s cyberSecure conference on September 27-28, 2016, at the New York Hilton, where he will participate as a panelist. An event discount code is available to CSLR readers inside this article. In our interview, Francois discusses some of the key ways GE’s privacy team approaches modifying practices to stay up-to-date with global regulations, and ensuring all stakeholders are informed and working collaboratively across businesses and departments. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Challenges Facing Chief Privacy Officers

    Constantly evolving data privacy laws and heightened cyber threats place a large burden on the shoulders of chief privacy officers (CPOs). At a recent PLI panel, Keith Enright, the legal director of privacy at Google; Lauren Shy, the CPO of PepsiCo; and Zoe Strickland, the global CPO at JP Morgan Chase, shared their thoughts on some of the recent challenges facing CPOs, including how to work with different departments, the CPO’s role in incident prevention and response, and the pros and cons of different cross-border data transfer mechanisms. The panel was moderated by Lisa J. Sotto, a partner at Hunton & Williams. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    The Multifaceted Role of In-House Counsel in Cybersecurity 

    To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts.  A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology.  They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors.  The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group.  See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part Two of Two)

    With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols.  Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO).  Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner told The Cybersecurity Law Report.  In this two-part article series, we define and distinguish the roles of CPO and CISO.  This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position.  The first article focused on the CISO.
