Outsourcing Privacy Protection

By Michelle V. Rafter

With more business taking place online and incidents of identity theft on the rise, CIOs of organizations large and small understand that establishing privacy policies and using technology to enforce those policies are a must. But creating an in-house staff with the expertise necessary to build and run those programs can be expensive and time consuming.

Enter outsourcing. Organizations already hire out for all manner of business basics, from human resources management to accounting to information technology support services. Now some are turning to trusted third parties to craft privacy policies, conduct periodic privacy audits, and, in some cases, act as de facto chief privacy officers.

"Privacy is not a core skill area many companies are trying to build, yet they know lack of knowledge will not be an acceptable excuse to consumers or regulators" if something happens, says Jeff Nicols, founder of Privacy Ready, an independent privacy consultant company in Hood River, Ore., and former chief privacy officer at Intel.

Start at the top
Privacy outsourcing starts at the top. Many companies are creating new C-level positions responsible for developing privacy policies, educating staff and ensuring compliance with privacy laws. Practically unheard of before the late 1990s, these chief privacy officers (CPOs) are becoming more common, as is the practice of retaining an outside consultant to do the job.

One reason is cost. Because CPOs maintain a unique set of skills in IT, legal, marketing and privacy issues, their salaries can run $200,000 or more, not including benefits, perks and associated administrative expenses, according to Jay Cline, founder of Minnesota Privacy Consultants in Minneapolis. Cline knows what he's talking about. Before going solo, he was CPO for five years at Carlson Co., the $37 billion Minneapolis restaurant, hotel and travel conglomerate that owns Radisson, Country Inns & Suites and TGI Friday's.

By contrast, companies can hire an outsourced CPO for the relatively low rate of $100 to $150 an hour for long-term engagements and up to $200 to $500 an hour for short term deals, according to Nicols, with Privacy Ready.

Nicols has worked as the virtual CPO of a major U.S. networking software maker for the past four years, a job that finds him interacting with the company's employees multiple times a day. One recent workday found him reviewing email marketing campaigns in the Czech Republic and United Kingdom to see if they complied with legal agreements with local host services and European Union privacy regulations. After that, he determined whether another email marketing campaign in Canada needed subscription information in English and French (it did).

Privacy audits
In addition to CPOs, companies hire privacy outsourcers like Nicols and Cline to audit privacy practices. In a privacy audit, an outside firm reviews how a company handles sensitive data like employees' personnel files or customer Social Security numbers or health records. Since most of this data is now stored electronically, the responsibility for enforcing privacy sometimes falls to the CIO. Auditors track where the data is stored, how it is transferred physically or electronically, if it's vulnerable to leaks or theft, and whether employees' data handling practices are in keeping with a company's stated privacy practices or industry regulations.

According to the experts, such reviews could involve creating charts and spreadsheets to track data flow and interviewing employees. Privacy audits aren't cheap. A large business can expect to pay $100,000 to $300,000, Nicols says. To curb costs, companies could schedule a full audit once every three years or do partial audits each year, Nicols says.

Outsourcers also work with companies that want a third party to supervise their network of in-house privacy stewards. Privacy stewards are employees responsible for acting as a company's privacy program point person within their specific department or business unit. Often, even if a company has a CPO, that person doesn't have time to check in with every single privacy steward on a quarterly basis, especially if it's a large company with 200 or 300 stewards, Cline says.

Getting started
So how does a company start working with a privacy outsourcer? Check with the International Association of Privacy Professionals (IAPP), an industry trade group based in York, Maine, that has seen its membership spike to 4,000 individuals since starting in 2001. The IAPP Web site includes information on member companies and links to privacy groups and publications.

  • Contact a local financial auditor. Some of the same major accounting firms that audit the books of public and private companies have entered the privacy audit business, including Deloitte & Touche, Ernst & Young, KPMG and PriceWaterhouseCoopers. To find out more about what they offer, visit their corporate Web sites or contact a local branch office.
  • Make sure consultants are certified. The IAPP offers several certification programs, including the basic designation of Certified Information Privacy Professional (CIPP). Most certified privacy practitioners display the CIPP certification seal on their Web site, business cards and email signature.
  • Read up on the subject. Sign up for the IAPP's daily privacy newsletter, The Daily Dashboard. Subscribe to The Privacy Journal, a monthly newsletter published by privacy expert Robert Ellis Smith. Take an online course like the "Privacy Directions" series from MediaPro, the Bothell, Wash., e-learning company.

A parting thought from Mike Spinney, spokesman for The Ponemon Institute, a Traverse City, Mich., think tank that researches U.S. business privacy and security practices: It's not enough for a company to sign up with an outsourcer so they can say they have a privacy policy -- they actually have to do the work.

"What you find is a tendency at a lot of companies to establish a privacy Potemkin village," Spinney says. "They have a policy and someone with the right title, but beyond that façade there's nothing there."

Michelle V. Rafter is a journalist based in Portland, Ore. She's covered technology for Reuters, The Industry Standard and other magazines and newspapers for more than 20 years.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
