Every week seems to bring news of a massive data breach in the corporate or governmental realm. Its impact is felt on the personal (identity theft), business (loss of profit and goodwill, fines and damages) and national levels, including in U.S. elections. While privacy and cybersecurity were once considered secondary technical issues, they are now at the forefront of the critical legal issues today's General Counsel must manage proactively. Once a "mere" box to check for risk management, privacy and cybersecurity are now key determinants of, and impediments to, the full realization of corporate value in strategic events such as mergers and acquisitions and initial public offerings.
State regulators around the world are constantly improvising to strike the right balance between free commerce and protection of personal information. Corporations and law firms are looking for legal talent who can guide their businesses, clients, and internal constituencies through these ever-shifting shoals, with a working knowledge of the developing General Data Protection Regulations in the European Union. From our recent work and conversations, here are several brief case studies of how companies and privacy officers are adapting to today's privacy and cybersecurity environment.
We undertook a search for the Chief Privacy Officer of a multinational digital information company with operations in over 60 countries. This client handled personal information of customer constituencies that included adults and minors, and dealt extensively with public entity customers. The company viewed privacy not just as a matter to be internally policed, but as something that could be leveraged for a competitive advantage in its markets. Hence, the mandate was to find a CPO who could bring together a combination of strategic and tactical skills, with an international sensitivity and ability to work effectively in a matrixed organization. Knowledge of the applicable E.U. and U.S. privacy regimes was treated as a baseline, with the following higher-end leadership and social traits being equally essential: experience presenting directly to the Board of Directors and C-Suite; the ability to work hand-in-hand with Chief Information Officers and Chief Technology Officers; experience designing privacy/cybersecurity initiatives; and, most importantly, experience "operationalizing" these privacy initiatives within their prior organization.
The candidates we presented to this client were much more than legal technicians. They were leaders who could synthesize a company's business and operations with rapidly evolving legal requirements, knew that a good plan was just a start, and understood that protecting customer, client and employee data depended on constant internal advocacy at all levels of the corporation.
Effective in-house privacy professionals want to feel connected to their internal clients. These professionals do not opine and dictate from afar; rather, they enmesh themselves in their clients' businesses, knowing that privacy matters touch on virtually every aspect of their companies' work.
One privacy professional led a global dedicated privacy team of a dozen people at a $25+ billion technology company. His mandate was to develop a privacy program covering, among other things, millions of names contained in databases around the world. Critical for this company, which was characterized by strong leadership overseeing an entrepreneurial culture, was enlisting the early support of the C-Suite. This included having daily discussions with the Chief Information Security Officer and ensuring periodic meetings with the company's Board of Directors. Having the imprimatur of leadership ensured the buy-in of global managers who brought an inherent skepticism to the process. These managers found in the CPO an effective working partner who was able to successfully lead cross-functional legal, business and engineering teams in a massive systems upgrade with minimal business interruption.
Another privacy professional was hired at global headquarters for a diversified manufacturing multinational that was heavily process- and consensus-driven. One of his mandates was to change the corporate privacy focus away from lobbying and government affairs and towards robust, consistent, and effective internal privacy policies and practices. This CPO knew that, in this environment, such a significant shift in emphasis would take time; he would have to build relationships from the ground up across a range of independently run operating companies. He not only needed the right knowledge, but also the patience to champion "privacy by design" and embed good policies and practices as systems and businesses were built.
At one emerging consumer-facing company, privacy sensitivity was critical. Having a limited legal department consisting only of the General Counsel, it was imperative to hire someone with deep privacy experience, in addition to the commercial, financial and intellectual property experience typically expected. This particular hire began her career as an IP lawyer at a leading AmLaw 50 firm but expanded her skills – including those relating to privacy and cybersecurity – through a lateral move to one of the leading law firms in the country servicing the venture capital community. This last move set the stage for her to ascend to the General Counsel role at this successful start-up, where she was responsible for the entire program of privacy design and compliance, including creating external-facing privacy policies, planning incident response, and advising on systems design and data storage. As this company grew, the GC was fortunate in being able to hire an engineer with a legal background to be her privacy counterpart on the engineering/technical side. This joint engineering/legal team proved essential in the success of this company's privacy and data security efforts because they were able to effectively translate to each constituency the legal mandates and engineering constraints involved in establishing privacy and data security safeguards.
By contrast, at another emerging company, a B2B SAAS platform, data security was deemed more important than privacy. Though this company did not typically handle sensitive personally identifiable information, its business clients (comprising some of the best known multinationals in the world) were extremely sensitive about the handling of their data. This company relied mostly on an internal dedicated Chief Information Officer to keep apprised of privacy and data security regulations and best practices. This CIO led the company's efforts in the design, implementation, and monitoring of its data security program, and liaised with the company's customers. The General Counsel advised on legal questions and would review and approve procedures and reports as a secondary "backstop" to the work of the CIO. This company, whose business required a sensitive approach to data security at all levels, discovered that it worked best for a trained CIO (who did not necessarily have a J.D.) to take the lead in this area.
There is not a one-size-fits-all solution to the privacy needs of different companies. But, across the corporate world, businesses increasingly acknowledge the central importance of maintaining up-to-date procedures, plans, and systems to handle their data and recruiting highly qualified, accountable professionals to manage these programs effectively.
This article originally appeared in Law Technology Today, April 3, 2017.