Privacy Officer in the Hot Seat
High-Profile Incidents Shift Focus to Privacy Protection
The privacy profession is evolving, says Kirk Herath, Chief Privacy Officer of Nationwide Insurance. For those who are new to the profession, Herath offers three pieces of advice.
First off, find a mentor, says Herath, the longtime privacy officer at Nationwide. "If you're young and you're in college, or you're just starting out, go to LinkedIn and search for people in your profession who you may know or you may have a connection through somebody else with - get to know them," he says in an interview with Information Security Media Group's Tom Field [transcript below].
Next, learn the rules, laws and standards. "Learn them backwards and forwards, and then join an industry," Herath says. "It's one thing ideologically or philosophically to understand these laws; it's another thing to practically work with them in a real operating enterprise."
Lastly, privacy professionals need to take advantage of the multitude of certifications available today. For example, the International Association of Privacy Professionals offers certifications in different areas, from U.S.-specific to privacy technology, even government focused.
"And don't ignore information security," Herath says. "Information security is the yin to the privacy yang. It's very important to learn how privacy and information security intersect."
In an interview about privacy trends, Herath discusses:
- The trends that concern him most this year;
- Legislative issues to watch closely;
- How the profession needs to evolve to keep pace with threats.
Herath is vice president, associate general counsel and chief privacy officer for Nationwide Insurance Companies and affiliates based in Columbus, Ohio. He is responsible for all legal issues impacting privacy, information security, technology and information systems, contracts and supply services management, confidentiality and data integrity.
Herath is past president of the International Association of Privacy Professionals and serves on several of its committees. He also served on the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee from 2005 to 2011.
TOM FIELD: We spoke during the middle of last year. How would you say your role at Nationwide has evolved in the months in between?
KIRK HERATH: It's hard to say. I've been doing this now for going on 13 years so it has definitely evolved. In the last year I got another group attached to my office, the contracts management group, which has always been rather closely aligned with my shop because of the importance of making sure that the contracts contain all of the necessary protections and controls for our data, whether it's offshore or with third parties. In that sense, it leads credence to the evolution of the role in general across at least the United States, which very often grows organically. From the very beginning, it obviously has become a much broader role. It started out very narrow in just looking at privacy compliance. Now my operations include the security law, contracts and I also support the entire IT organization from an IT law perspective.
Growing Impact of Privacy
FIELD: Recently, privacy has been in the news in part because of new policies that are promoted by Google and part because legislative bodies are interested in privacy. With all this external discussion of privacy, how does that impact what you do in your job? Do you get more questions about your role?
HERATH: I'm not sure I get more questions. As I said, we've been doing this so long here at Nationwide that we're kind of a fixture. We're part of the culture now. What it does, however, is I think it increases awareness among executives and employees when they hear things externally and therefore it leads more credence to recommendations and advice for programs that my office might be putting forth. Then, from an external perspective, it does afford me an opportunity very often to speak to people like you as well as to conferences. Definitely it's something that has not gone off the boil as far as an issue in the last seven, eight or nine years.
FIELD: What would you say today are the biggest challenges that you're facing in your job?
HERATH: The biggest challenge is really balancing the duties of the corporation against the duties of the customer. I have sort of an interesting role because I'm a licensed attorney so I do have a duty to my client, which is at the end of the day Nationwide Insurance. I also have this corporate duty to the customer as a privacy officer to make sure that the data that we use or that we collect is being used appropriately. The way I look at it is there's almost always a way to get to where the business wants to go, and if they want to do something, the law is generally flexible enough that there's a way. There's always a means to get there, but then you have to ask yourself whether it's something that the customer would appreciate or the customer would believe is in their best interest. It's this constant balancing between these interests and I have to say sometimes it's like riding a razor, but at least to date my staff and I have been able to ride it pretty well.
Mobile & Cloud Technology
FIELD: When we spoke earlier last year mobile technology and cloud computing were among the top issues for you. How have you dealt with those issues since then?
HERATH: One of the reasons I became IT counsel is because my group deals with privacy and security law, and we began integrating a decade or so ago with the IT organization to make sure that we were baking privacy in up front, privacy by design as they call it today. We didn't call it that at the time but that's basically what it is, and my role evolved into a general IT lawyer and my staff also that deals with the IT issues.
What we've done, and we've been able to do because we're so integrated into IT, is we integrated into several work streams that they've got in place around mobile technology and cloud computing. Through these work streams, we've developed first pilots and then in some cases production. Smart phones are now generally in production here at Nationwide, and by that I mean iPhones and Droids. We use a technology called Good, which is sort of a virtual sandbox which we load up onto personal devices and through which associates can access their Lotus Notes, contacts and calendar, and even a secure web browser that gets them into our Intranet.
We've been going a little slower on tablets just because the form factor permits so much more creation of content, i.e. data, and we've really been focused solely on iPads because the Droids - at least from our workforce - haven't really broken in as much as obviously the iPads have. We've got several hundred users on iPads, their personal iPads as sort of bring your own device. We load onto it Good and permit people to access their e-mail, their contacts, their calendar and a secure web browser. We also have enterprise license with Box.net, which we use as sort of a virtual cloud share drive and it's secure. We have contractual guarantees from Box.net. We've been able to create this pilot where Nationwide associates are permitted to use these devices and get approved apps on these devices for Nationwide work and then they can do their own personal stuff on their personal apps.
From a cloud perspective, there's a very broad undertaking here to come up with real policy and direction around cloud. I think everybody has been using cloud as broadly defined for years and years and years, but we've got a very well thought-out process. We're coming up with a recommendation here in the next couple months on very specific policies and procedures for how to use the cloud and when not to use the cloud.
Top Concerns in 2012
FIELD: Beyond mobile and beyond cloud, what are the trends that concern you most this year as a privacy officer?
HERATH: The great recession has abated a lot of the state and federal proposals to expand privacy and security responsibilities in general. I mean there are lots of bills that have been proposed, but very few have taken form mostly because I think legislators are rightfully concerned that they don't want to do any harm or more harm to the existing business climate.
But what I see as a disturbing trend is sort of this never-ending quest by government and it's kind of broadly written for data and this really includes data of any kind through any means. They desire the data, but at the end of the day when they ask for it and when they sort of fight for laws that permit them to collect it, they have very little desire to protect it, at least to the extent that we're required to protect it. So you have these sort of uneven standards of we're required to protect at an incredibly high level; government standards if they exist at all are very low. If they do agree to protect it, they are reluctant to protect it at our standards. Quite frankly, if they make a mistake and lose it through sovereign immunity and other gaps in the laws, they're really not liable for their mistakes. At the end of the day, the old adage is, "Where's your data?" If it goes to the government, you have absolutely no idea where your data is and who has access to it and even who has perhaps made a copy of it. Maybe that's sort of a civil libertarian concern, but it's a concern I have and I mean where govern has a right to the data, I think they should have the data. But once it hits the government environment, you have no idea where it goes.
The EU and what it's trying to do by expanding the definition of privacy is a little concerning. I don't necessarily think that the ideas are going to immediately spread to the United States. Quite frankly, they haven't really spread to the United States, the EU directive of '94 still hasn't really gotten here, but these concepts are very fluid and the world is very small these days. So I do worry about, from a practical perspective, whether some of these ideas can even be implemented within our current information technology culture of today.
FIELD: You hinted at your response to this. What are the legislative issues that you're watching most closely right now?
HERATH: We continue to watch anything regarding changes to breach notification standards, privacy standards. We're watching the only bill that I think may have an actual chance of passing this year, sort of an information security/national security bill that would permit the federal government from essentially taking over private Internet infrastructure during cases of emergency, which again, getting back to my earlier concern, worries me. I think the privacy standards debate today - I'll talk about a little later on - financial service industries and health companies have had a very strict, high-level of regulation now for well over a decade, and we bake these standards into our processes, into our products and they're working very well. There are other companies who operate globally, manufacturing and tech companies, that really don't have standards, and they clamor for them particularly at the federal level. They talk about uniform standards.
To my perspective, we have uniform standards and the desire by some in the industry and in the private sector too to get their own should not upset my apple cart because any change to the current system is incredibly expensive, not just for Nationwide but for my customers and for all of my competitors and their customers. Like I said, we've spent probably billions of dollars over the last decade or more complying with this myriad patchwork quilt of state and federal laws.
How Profession Needs to Evolve
FIELD: As the threat landscape evolves, as the legislative landscape evolves, how does the profession have to evolve?
HERATH: Well, we have to get smarter and we have to get more nimble, and that can be kind of a difficult hill to climb. I think you have to constantly be learning, and I was remarking to someone the other day that I have probably consumed 50 or 60 periodicals in a week. I've always been a real prolific reader, but I mean it's hard for me even to keep up with the amount of change and information that keeps coming at one who wants to stay abreast, because the scope of the job is growing into technology, information security, contracts management and data governance, records management. There seems to be an ever expanding array of issues and information one has to at least, at a basic level, understand.
I also think from a profession's perspective, we're all kind of lumped together as privacy professionals, but if you look at the last three to five years, clearly a lot of us don't have common interest. I do have some concerns that, while we all learn the same set of laws, rules, and standards, the profession is somewhat fracturing between those who work for either the private sector or highly regulated companies, those and work who do privacy, because of international obligations, but really don't have domestic or few domestic requirements, and then government which really has very little liability for making mistakes and continues to want to collect untold volumes of data.
Then, what you would kind of call activists, non-profit activists, uphold policy groups who understand privacy, but they don't understand the operational side of privacy. They are kind of much more ideological, and I do think the IAPP is doing a very good job today of trying to tie all of these interests together. But, like what we see in all other areas of our personal and professional life, when you have separate interest, it often points you in separate pathways.
I think keeping all of these different interests in the privacy profession united around a common profession in the long run will be very difficult. The lawyers have done it for years. Accountants do it. We all have different sides, whether plaintiffs counsel or defense counsel or lobbyist. It's not that it can't be done, but I do see there isn't a monolithic privacy profession - not that I ever think that there was - but I think maybe for the first five years we were able to sublimate some of our more base special interests. You start to see again, like I was talking about earlier with the clamor by tech companies to want to have federal privacy standards, not understanding or not caring that others of us have been living under our own standards for years, and if you change those standards it's going to be very expensive for us.
FIELD: A final question. If you were to boil it down, what advice would you give to somebody entering the privacy profession today?
HERATH: Find someone to mentor you, and I have tried to do that myself, I think fairly successfully, over the years. I've consulted some of my protégés throughout the industry - not that I ever really wanted them to leave - but at some point organizations grow and people's careers grow and they leave the nest and go elsewhere. Find someone to mentor you. If you're young and you're in college, you're just starting out, go to LinkedIn and search for people in your profession who you may know or you may have a connection through somebody else with - get to know them.
Find a mentor and then learn the rules and the laws and the standards really well. Learn them backwards and forwards and then join an industry because, as I said earlier, it's one thing ideologically or philosophically to understand these laws; it's another thing to practically work with them in a real operating enterprise. You learn very quickly that there are almost no black and white answers, and that everything is sort of in the gray, which is very good. It gets you to think and gets you to actually be a better privacy person.
Also, avail yourself of all the great certifications available today through the IAPP in particular. IAPP has got a U.S. certification, a Canadian certification; they've got one that's sort of a privacy technology certification. They've got one that's focused at government and then they've got a new one that just came out that's all around the EU. Those are very good. And don't ignore information security. Information security is the yin to the privacy yang. It's very important to learn how privacy and information security intersect.