by Steve Ulfelder

Oh No, Not Another O! The Role of the Chief Privacy Officer

Jan 15, 2001 (15 mins)

Reader ROI

Learn what the newest chief executive brings to the table

Understand why some remain skeptical of the CPO’s role

Discover how to turn this new position to your advantage

When Verizon Communications faced a worker strike last August, the company wanted to do all it could to meet customer needs during the walkout. So the IT people hastily put up an Internet application to assist people in posting repair requests online. But the new application wasn’t airtight—as a customer playing around with it soon found out. “He was able to see some information about his account,” says Shelley Harms, Verizon’s chief privacy officer. “He could see other [customers’] information too. It was kind of a security breach.”

Verizon moved quickly to fix the problem, and no damage was done. IT workers handled the crisis while Harms was away. Her contribution came later: “I talked to the techies about how we could prevent this from happening again.” No matter how hurried a project is, Harms learned, it’s critical to take time to probe Internet applications for holes. Verizon has since instituted a policy, developed by her and the company CIO, to ensure all subsequent projects would be “hack-tested.”

Harms considers herself a CPO with clout. But she may be an exception to the rule. While their own press releases say that chief privacy officers serve as a sort of corporate ombudsman, standing up for the little guy—the customer—privacy advocates, analysts and even some CPOs concede that their primary role may be public relations, not to mention protection from lawsuits. The latest addition to the executive suite may bring value to the company, but there should be no mistaking what that value is.

Six months ago, chief privacy officers were all but unheard of. Most businesses had a person or people handling privacy-related issues, of course, but the task was unpublicized and usually handled by corporate counsel. However, a series of privacy-related snafus have damaged the public perception and stock price of some companies. Last fall, for example, online retailer accidentally exposed the names and telephone numbers of some customers to other Internet users because of a problem with United Parcel Service’s new Web-based product return system. The previous month, was widely panned for its decision to stop guaranteeing that it would no longer share customer information with third parties. And earlier this year, New York City-based DoubleClick, an Internet advertising company, was forced to cancel plans to merge information about people’s Internet surfing practices with personal information on those consumers.

In the wake of these well-publicized debacles, CPOs have been named by such blue chips as American Express, AT&T, IBM and General Motors. But CIOs remain skeptical about their value. Jim Swartz, CIO at Sybase, an Emeryville, Calif., software company, says, “There are a lot of people already who deal with privacy.” He names the legal, human resources, IT, sales and marketing departments. While the issue of privacy itself will continue to grow in importance, the title, Swartz predicts, “will peak out.”

As for bravely fighting for the customer, we’ve all seen various executives wage battles over issues that would hurt the bottom line in the short run but would be better for the company image in the long run. The short run always seems to win out, doesn’t it?

There’s another powerful reason for CIOs to wonder exactly what the new “C” on the block is up to: Almost by definition, the bulk of the CPO’s job will revolve around IT issues. Is the website secure? Where are the vulnerable points in the network? Who has access to which databases? And yet few of the newly minted CPOs have IT backgrounds, a fact that concerns CIOs already overloaded with educational duties.

Interviews for this story reveal still another reason to be skeptical about the CPO dance craze. Companies with CPOs are eager to parade their new treasures before the press. But ask a PR flack for interviews with the CPO and the CIO—to explore this critical relationship, to probe how the two functions plan to work together—and you instead get hemming and hawing, throat-clearing and excuses. Draw your own conclusions.

It’s not that all CPOs are window dressing. Experts agree that a CPO with true power and proper resources is an important player in an e-business era. The question is, How many have that power and how many have those resources?

While the newness of the title makes it hard to say how many actual CPOs exist, privacy experts and people active in associations for CPOs estimate the number at no more than 100 nationwide. A recent meeting of the brand-new Association of Corporate Privacy Officers drew 67 attendees.

Making the CPO Your Ally

Unlike most CPOs, Mark Lawrence is an IT guy. Before being named privacy officer in July at CompuCredit, a financial services company based in Atlanta, he was that company’s IT director—a title he retains. “When the company looked at this issue, I did a little research,” Lawrence says. “There are not a lot of us [CPOs], and most have legal or PR backgrounds.” But CompuCredit, he adds, “wanted to put the privacy function closer to where the data was.”

That makes sense. Yet, as Lawrence notes, CPOs tend to have a legal, rather than an IT, background. Of the six CPOs interviewed for this story, three come from the legal side and two have both IT and legal credentials; Lawrence is the only pure IT person.

This isn’t necessarily a crippling blow to your organization; CPOs are cross-functional almost by definition, and they have to come from somewhere. Andrew Shen, a policy analyst at the Electronic Privacy Information Center (EPIC), a Washington, D.C.-based research and advocacy group, says, “An effective CPO has to be integrated into all facets. They have to be able to talk to the technology people, the marketing people, management and legal.”

Legal training may play another important role as well. “Being an attorney, I’m always thinking in terms of, Who’s my client?” says Ray Everett-Church, CPO and vice president of public policy at Hayward, Calif.-based, an infomediary that tracks consumers’ Internet-surfing habits. “I try to represent the party who’s not at the table. So when I’m with business development people and tech people, I’m representing our [customers]. I wind up dancing between three different fields: legal/policy issues, marketing and growth concerns, and technology.”

This type of constant negotiation is hardly viewed as the strong suit of IT organizations, so perhaps it’s no coincidence that IT people are seldom called on for the CPO job. Yet in-depth IT knowledge is hard to beat when you’re dealing with thorny technology-related privacy issues every day. CPOs with legal backgrounds tend to get vague when asked how they stay up-to-date on complex IT-related topics. “It depends on the issues,” says Harms, who may be the dean of the field, having served as Verizon’s (formerly Bell Atlantic’s) privacy guru since 1994. “Our people are good at explaining technology. And you do sort of pick up the vocabulary.”

Small wonder, then, that obtaining an on-the-fly education is a high priority for many CPOs. “A lot of them need to learn about technology,” says Chris Kelly, chief privacy officer at Excite@Home, a division of Redwood City, Calif.-based At Home Corp. Kelly is a rare CPO with a great deal of experience in both privacy law and IT; as such, he is often sought out by new CPOs looking to get their bearings. “A lot [of CPOs] are lawyers, or marketing or businesspeople transitioning into the role,” he adds. Their top priority? “They want to learn the tech.”

This need for an education is, to borrow a phrase from those marketing types, an opportunity for CIOs. It’s worth your while to make sure you, rather than anybody else, explain to the brand-new CPO how the company’s data flows, how its technology works. It’s a relationship you’ll want to cultivate, and that’s especially true if the CPO is a technology neophyte.

There are two reasons to do this. First, it’s a wise political move to make your CPO an ally. Second, the CIO’s in-depth knowledge on privacy technology can best help the company safeguard data. Sybase CIO Swartz says that although his company lacks a CPO, education is one of his primary duties. “We work very closely with the legal, marketing and sales groups,” he says. “We need to make it clear across the board that privacy is a top priority,” Swartz adds, sounding eerily like a CPO.

Steve Lucas serves as both CIO and CPO at Persona, a Broomfield, Colo.-based infomediary that lets consumers decide what information they want to share with online businesses. An IT guy at heart (he served as CIO at Excite before moving to Persona), Lucas says that without a technology background, many CPOs “won’t even know what questions to ask.” When Lucas heard conflicting stories about a potential business partner’s privacy practices, he went right to the company’s database administrator to get the straight scoop. As a CIO, Lucas says, he knew “the database administrator always knows what’s going on.”

When CPOs Matter

While it’s reasonable to question the sincerity of the CPO movement in general, there are instances when the new function truly influences decisions.

“Just about every deal that comes down the pike has [privacy-related] elements,” Everett-Church says. He cites a recent case in which an partner “was building an infrastructure to make it easier to personalize and customize websites based on a person’s online profile. If they knew you liked soccer and fishing, the actual [site] content would show you new waders and soccer shoes.”

Everett-Church says this potential deal “really raised a lot of thorny issues. It takes a lot of delving into the database to determine the factors that would tell you how to generate that kind of content.” In the end, he says, “that deal didn’t happen; the technology wasn’t there to let us draw from the profile, then serve up the information while keeping privacy intact.” Company officials feared that once they were able to dip into a database for that kind of personal information, they wouldn’t be able to safeguard that information down the line. “We said, ‘This is where the data needs to flow, here are the points where it breaks down. Can we find ways to plug holes or change the data flow?’” recalls Everett-Church. “It was a case of incredibly intelligent people poring over the problem and deciding the technology just isn’t there yet.”

Eager to avoid a reputation as the guy who says “No” all the time, Everett-Church is quick to mention a deal he gave the green light to. “We’ve been working on a debit card deal,” he says. “We were able to structure the data transfer in such a fashion that we could maintain some level of control over transactions.” Everett-Church gave the deal his blessing.

Asked how he reached his decision, his reply reads like an advertisement for heavy IT involvement in privacy decisions. “We sat down and mapped out the data flow,” Everett-Church says. “Where it’s being called from and to, where it’s accessed, what items then need to be passed along. Follow the data, follow the data. That informs a lot of decisions about what procedures need to be made.”

Michael C. Lamb, who became CPO at AT&T in June, recalls one of his early firefights: Some of the company’s wireless data services used customers’ wireless telephone numbers as ID numbers. Once Lamb got wind of the practice, he nixed it because it had the potential to expose customers’ phone numbers to prying eyes. “My key role was to find out what was done, confirm it was possible to change it and work with executives to make sure it didn’t happen again,” Lamb said.

Excite@Home’s Kelly, while declining to give specifics, recalls “a couple of gray-area deals proposed by the business side that we had to restructure or kill. Those have been challenges.”

A Diplomat’s Role

It’s one thing to do interviews and freshen up the company’s privacy policy. It’s quite another to derail a major deal. In the initial flurry of press releases and stories about the dawn of the CPO era, much was made of CPOs’ independence. “In many cases,” wrote on July 7, 2000, “the privacy officers report directly to the chairman or chief executive officer.”

But in many other cases, they don’t. Everett-Church reports to CEO James Jorgensen at Yet the other CPOs interviewed for this story report to their company’s general counsel, chief operating officer or vice president of compliance. This is not to slight the CPOs’ pull; the examples we cited demonstrate that some privacy officers wield genuine power. “Who the CPO reports to isn’t that important,” says Robert Ellis Smith, publisher of Privacy Journal, a 26-year-old publication based in Providence, R.I.

Perhaps the CPO’s role was hyped in the initial rush of breathless publicity, when the officers were portrayed as defenders of the little guy. The reality is that CPOs play the more subtle (and difficult) role of diplomat, facilitating negotiations among business-development people, technology executives, top management and the general public. This role is nothing to sneeze at. EPIC’s Shen says that with many of today’s privacy screwups, “the problem is that CIOs aren’t talking to policy people.”

Or perhaps they’re not talking soon enough. That’s the view of Linda Rossetti, CEO of Boston-based eMaven, an online strategy consultancy. “Typically, people on the business and legal side don’t get technology folks to the party early enough,” Rossetti says. As a result, she adds, “there’s always a stage of misunderstanding [about] what the technology is doing.

“The tech folks have a lot of knowledge about IT’s exact capabilities,” Rossetti says. “They have the deep understanding about what data is collected and the persistency of that data.” Smith agrees, saying that generally, new CPOs possess “not much sophistication at all.” Smith says that CPOs who are new to the job and don’t understand technology are liable to overreact in their quest to protect customer information. They might attempt, for instance, to prevent their company from sharing any data whatsoever with suppliers, no matter how innocuous. Such ignorance makes the CIO’s role as educator all the more crucial, says Rossetti.

There’s Value in PR

Some observers say that a CPO’s public-relations value should be prized, not scoffed at. John Kamp, a privacy expert and legal counsel for the Internet Advertising Bureau, says he’s recently fielded many calls from recruiters asking what attributes CPO candidates should possess. He tells them “the CPO ought to be able to speak with the press and should be very comfortable in the public world,” Kamp says. “He’s very likely to be a [frequent] spokesman for the company.” In this role, a CPO can help consumers understand the company’s privacy practices and policies. “Every company needs to let the consumer know about their privacy commitment,” Rossetti adds. “Without that, there’s no net benefit.”

CPOs, perhaps sensitive about perceptions, soft-pedal their public-relations role. “It’s very easy to perceive this as a PR play, a kind of rubber stamp,” Everett-Church says. “So it’s really important to the CPO to have actual authority.”

“For some [companies] it is unfortunately a PR ploy,” says Excite@Home’s Kelly, “but for most it’s not—there’s a genuine commitment to doing the right thing.”

However, Shen, from the Electronic Privacy Information Center, says some CPOs are “PR gloss.” And James Grady, an analyst at Giga Information Group, based in Boston, agrees. “It’s easy to throw around titles,” he says. “The question is, has anything changed [at a company that has recently appointed a CPO]?”

In the end, CIOs might feel a certain kinship with CPOs, the new guys in the boardroom. Everett-Church points out that “back in the old days, all the technology infrastructure was managed by some guy in the basement. As computers became more integral to operations, suddenly that computer guy turned into an MIS manager or a VP, and eventually a CIO who really does sit at the table and help shape the strategic direction of the company.”

Perhaps there is room for one more at the table. And perhaps CPOs will grow into the title. On the other hand, as Sybase CIO Swartz says, “How many chiefs can you have in one company?”