December 28, 2009

Privacy officers stand guard | The increasing sophistication of data thieves prompts a surge in the ranks of privacy professionals

Photo courtesy IAPP: Executive Director J. Trevor Hughes has seen membership in his International Association of Privacy Professionals spike 20% in the past year
Photo by David A. Rodgers: Richard Thompson, Maine's chief information officer, says state data has not been breached, but it has been the target of multiple attempts

An employee without authorization clicks through the company website and stumbles into a database filled with clients’ Social Security numbers. Malware slips onto your computer undetected by your antivirus software and damages your hard drive. A hacker finds vulnerabilities in your company’s payment processing systems and steals credit card information.

Every day, a growing number of professional privacy officers are working to head off these worst-case scenarios. Even after an information technology privacy specialist puts strong barriers in place to protect data, the effort requires unwavering vigilance, according to experts in the field.

“It is not something you create and put on the shelf,” says Holly Young, chief information officer at Norway Savings Bank. “[A privacy policy] is a living, working, breathing document. There are people who are trying to figure out how to access [your system] so you always have to change to keep ahead of them or keep up to date with them.”

As the flow of information quickens, companies big and small must safeguard whatever information they collect. J. Trevor Hughes, executive director of the International Association of Privacy Professionals in York, says he’s seeing an increasing number of companies taking privacy more seriously these days, going so far as to hire full-time privacy officers.

His association’s membership grew 20% in the last 12 months — an impressive feat considering it overlapped with the recession. Membership rates start at $50 a year for students, $100 a year for nonprofits, higher education and government agencies, and $725 a year for a professional membership that includes a subscription to the association’s news offering, called Privacy Tracker.

“This issue is very, very hot right now,” Hughes says. The association, which formed in 2001, now has about 6,000 members in 52 countries, and posts annual revenue of around $5 million. “We are working with Fortune 500 companies all the way up to governments in many parts of the world on better data management, and creating programs, procedures and policies to make sure data is not only protected but used appropriately,” he explains.

At the state level, the greatest challenge in data protection is balancing data flow and accessibility — for state employees and the public — against keeping the system secure, according to Richard Thompson, Maine’s chief information officer. A system is safest when you don’t make “any information available, so nobody can get in and nobody can get out,” he says. But then you have a paralyzed workforce.

Hughes says the focus on privacy is intensifying because the market absorbs more data and becomes more data-reliant with every passing minute. With larger amounts of data circulating in online spheres and sitting in computer databases, the risk of breaches and crimes increases. Plus, companies must adhere to increasing state and federal privacy regulations.

An emerging profession

More and more companies, including larger businesses in Maine, are hiring full-time security officers. These days, though, instead of standing guard by front doors or locked vaults, security officers sit in front of computer screens to guard online storehouses of information.

Insurance provider Unum has had a chief privacy officer for almost 10 years. Bowdoin College has a full-time IT security officer. Hannaford Bros. Co. created a more specific, full-time position overseeing information security in 2008, following its massive and well-publicized breach in 2007, when hackers gained access to millions of credit card numbers.

The state government in 2005 created a position overseeing system security, disaster recovery planning and data security. Recently, that position has been refocused on system and data security, according to Thompson. Four years ago, the governor consolidated IT into one agency that oversees the information amassed by most state agencies, including the Department of Health and Human Services, the Department of Education and Maine Revenue Services.

But even small businesses need to pay attention to how they handle and disclose data, from a tiny local bakery maintaining a customer mailing list to a department store that has five or six outlets and is collecting credit card data every day.

“Small businesses are not immune from privacy data breaches,” Hughes says, and businesses “concerned with maintaining the trust of clients and maintaining strong relationships” should scrupulously protect data, too.

Hughes complimented some of the large companies in Maine, like Unum and Hannaford, for employing chief privacy officers. “It is an emerging profession,” Hughes says. “Many organizations will be looking to manage that data through the services of a privacy professional because there is no one solution. It’s an ongoing management challenge, and companies really need people who know how to deal with those solutions.”

As the state’s chief information officer, Thompson protects information about every citizen in Maine. So far, no information has been exposed, Thompson says. But the state’s intrusion detection systems have picked up “a number of intrusions that we’ve rejected.”

The life of a privacy officer

The job of a privacy officer is manifold, and the path to it is not always straight. Unum, a Fortune 500 leader in disability, group life, long-term care and voluntary benefits, has had a privacy officer for about nine years, according to Derek Albanese, chief privacy officer. The position was created around the time of the Gramm-Leach-Bliley Act of 1999, which imposed tighter privacy requirements on financial companies, he explains.

Albanese, who now works with the corporate privacy team made up of the chief privacy officer, two full-time privacy attorneys, a project manager, an administrative assistant and himself, says he started out in marketing and product development and also did a year of underwriting before he moved into his position.

“I think the interesting thing is you can have a variety of backgrounds for this job,” he says. A legal background is helpful to analyze legislation. A good business sense helps, too, to grasp how information flows through business processes. Lastly, privacy officers need to understand technology and how data moves through systems and applications, he says. “What makes privacy interesting is it is the place where law, technology and business processes come together,” Albanese says.

The privacy team must stay alert to the changing landscape of privacy regulation and legislation, which is a bit different in every state. “I would say in general the biggest challenges are the increasing amount of legislation regarding privacy and safeguarding information,” Albanese says, “and the increasing use and development of technology, which makes it much easier and much faster to share large amounts of information.”

None of the officials interviewed for this story were comfortable sharing many details about how they protect their data, but Norway Savings Bank’s Young says protecting financial information requires “defense in depth.” Young talks about firewalls and intrusion detection systems, and using “multiple layers or methods of protection. It is not just one single thing, it’s a multitude of methods, a layering process, so in case someone gets through one level, you have another layer of protection.”

Albanese says Unum, besides requiring log-ins and passwords, encrypted every laptop and workstation a couple of years ago, making information on the hard drive indecipherable to an intruder who gets hold of the machine. Hannaford, too, has gone through a multimillion-dollar encryption upgrade of its store registers and throughout its network, according to spokesman Michael Norton.

Unum and Norway Savings Bank also hold annual privacy and security training for all employees, and Unum has set up a 24/7 hotline for employees to use as soon as they think private information — for instance, an application or claim form — is missing, stolen or “misdirected.”

At that point, the company “puts a triage in place to determine what steps need to be taken,” Albanese says.

Protecting public data

Recently, the state Legislature passed a bill authorizing a statewide data warehouse. Edward Charbonneau, deputy executive director of Maine Revenue Services’ legal division, says this will lead to greater information sharing between other state agencies and Maine Revenue Services.

“We will collect information from other agencies, like the Department of Motor Vehicles, Health and Human Services, Department of Labor, and get that information and see if someone has not paid their taxes but might have money available in other places,” he explains. “There will be a cross check if they’re benefiting under one department and yet owe money in another.”

The method of keeping personal information secure as it is transmitted between agencies is “being worked out as we speak,” Charbonneau says, and has led to the creation of a new liaison position for the agencies.

In the end, Thompson says he’s confident that even as we become more steeped in information and dependent on the machines that store and manage it, we are just as secure as we’ve always been.

“It is easier for me to determine if someone has breached our [computer] security than to tell you that someone has taken something out of my file cabinet,” he says. If he leaves his office and someone breaks into his paper files, he won’t necessarily notice anything amiss. But if someone sneaks in through the Internet backdoor, they’ll likely leave a noticeable cyber footprint. “We log every time something happens,” he says.

Rebecca Goldfine, a writer based in Dresden, can be reached at editorial@mainebiz.biz.