
Should privacy professionals be legal minds or techies?

Hiring privacy professionals for your enterprise can be a daunting task. Expert Mike O. Villegas explains the role and what qualities to look for in candidates.

I want to make sure my company has data privacy properly covered. Privacy is typically a law- and policy-based area, so I feel inclined to hire privacy professionals with a legal background. What else besides a law degree should I be looking for? Should I consider hiring legal and tech employees to cover privacy together?

Privacy laws and regulations are pervasive in highly regulated industries, but to some extent they affect everyone. Privacy officers and privacy professionals are responsible for identifying, classifying and setting standards for the protection of personally identifiable information (PII). The primary tool for these duties is a privacy impact assessment (PIA). The objectives of a PIA are to:

  • Define the nature of PII associated with business processes;
  • Document the collection, use, disclosure and destruction of PII;
  • Ensure that accountability for privacy issues exists; and
  • Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.

A privacy compliance function identifies the legal requirements that apply to PII, drawn from laws, regulations and contractual agreements, and ensures that the security measures governing PII are properly deployed and managed.

Who can perform such duties? Legal staff will typically have the training to identify laws and regulations and to navigate the differing requirements at the federal and state levels. Some are more restrictive than others, and if an enterprise operates internationally, foreign privacy regimes may be more restrictive still. A legal mind can read past the jargon and correlate the controls, protection, disclosure and management of PII better than a technician; however, when it comes to the security and protection mechanisms for PII, IT skills are also important.

Legal staff may know what needs protection and at what level, but they may not fully understand the tactical protection schemes required to fulfill the letter of the law or regulation. Information security managers will have that knowledge but typically lack an understanding of the legal ramifications of different levels of protection. Since finding a single privacy officer with both the legal and the technical skills to deploy the right levels of security will be difficult, it is incumbent on enterprises to establish a privacy committee made up of the information security officer (ISO), the privacy officer, compliance personnel and key executive management.

The PIA will identify where PII is held and its nature. The ISO can then determine the level of protection required, which may include encryption or other obfuscation for PII in database technologies and on social media, controls on the transfer of PII outside the organization, two-factor authentication for remote access and endpoint security controls. Privacy rules exist in laws and regulations such as the Gramm-Leach-Bliley Act, HIPAA, the Sarbanes-Oxley Act, Federal Deposit Insurance Corporation regulations, the Patriot Act, the Bank Secrecy Act, the Freedom of Information Act and individual state privacy laws.

For example, since California's landmark disclosure law, SB 1386, took effect on July 1, 2003, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have passed similar laws requiring companies to notify consumers that their personal information has been compromised. This means three states have not yet enacted a breach disclosure law, so a privacy officer will need to know what to do in the event of a breach for each state in which the enterprise holds residents' data. Because these laws are triggered by a breach, the security officer needs to deploy controls that prevent such breaches and detect them quickly enough to meet the notification deadlines.

At the federal level, the Patriot Act, signed into law by President George W. Bush on October 26, 2001, with extensions signed by President Barack Obama on May 26, 2011, allows for roving wiretaps, searches of business records and surveillance of "lone wolves," individuals suspected of terrorist-related activities who are not linked to terrorist groups. The privacy officer and security officer need to understand the conditions under which federal access to such data must be provided and the communications required to do so.

Privacy is not just a legal matter. It also involves information security, public relations, human resources and employee rights. If you cannot find a privacy officer technically competent enough to know what levels of protection need to be deployed to comply with privacy laws, it is highly recommended that the enterprise establish a committee of experts to deal with the growing topic of privacy.



This was last published in May 2015
