Has the time come for a chief privacy officer?

Author: BERNSTEIN, DAVID H.
Position: Brief Article

Why your company should be proactive when it comes to privacy.

THE NEW ECONOMY has introduced many new abbreviations with which directors and boards must grapple, including ISP, HTML, and ICANN. One important new acronym, however, should not be ignored in this jumble -- CPO, which stands for chief privacy officer. That is because all companies, not simply those operating through the Internet, need to think carefully about their privacy practices and whether the time has come for the board to designate an officer to oversee these issues.

The ease with which data can be collected and shared via the Internet has pushed the privacy issue to the forefront. In the past five years, every major economic power worldwide has adopted laws regulating the use of personal information. Although consumers may rejoice at this privacy protection, these laws often create legal obligations and data management headaches for businesses that collect and exchange data.

In the United States, data protection laws have been adopted in a piecemeal manner; taken together, these laws regulate a broad swath of business practices. (Even more restrictive are the laws passed in Europe.) Among the most recent laws are the following:

* Financial Institutions: The Gramm-Leach-Bliley Act regulates the use by financial institutions of nonpublic, personally identifiable financial information.

* Health Information: The Health Insurance Portability and Accountability Act regulates the collection, transmission and use of individually identifiable health information.

* Children and the Internet: The Children's Online Privacy Protection Act regulates the collection and use of information from children.

As a result of this complex regime of data protection laws and consumers' enhanced sensitivity to these issues, more and more boards, including those of such leading corporate citizens as IBM, AT&T, and American Express, have decided the time has come to appoint a CPO.

What exactly does a CPO do? Here is a sampling of CPO responsibilities:

First, a CPO gathers facts regarding the company's data practices. Such an assessment could involve: interviewing people responsible for information technology, marketing, and sales; determining how data is being collected (online, off-line, or both) and whether data is being used only where it is collected or shared across borders; and identifying data that is shared with third parties. With this information, a CPO can determine which laws govern the...
