An Interview with Barbra Symonds, IBM Associate Partner in Security, Privacy & IT Governance

We at the CIPP Guide had the opportunity to sit down with Barbra Symonds, an Associate Partner in Security, Privacy, Wireless & IT Governance in IBM’s Global Business Services group, the former IRS Director of Privacy & Information Protection, and the woman who established the privacy program at the Department of Veterans Affairs. She is also a Certified Information Privacy Professional, with almost 20 years of experience in the government sector. Below are excerpts from our interview. The entire interview may be found in the Forums section of the CIPP Guide web site.

How did you get started with Information Privacy? What was the one problem that you saw that told you this was going to be a very big deal?

I started dealing with Information Privacy while at the VA. In the beginning, there were not a lot of people that thought it was an important initiative. But the VA had a forcing function to comply with the HIPAA Privacy Rule. They had several privacy initiatives going on, but this HIPAA variant was enacted by Congress as an even more stringent policy compliance project than the existing Privacy Act and VA specific confidentiality statutes. The VA’s CIO at the time was working through his reorganization plan and identified information privacy during a gap analysis, and approached me for the project management role. It didn’t take long for me to see both the HIPAA-related and the larger universal impacts that information privacy would have on the public and private sectors.

What are the biggest challenges facing privacy today?

The biggest challenge surrounds the broad spectrum of levels of maturity where individual entities are with privacy solutions. Different organizations are at different stages as far as what privacy means to their environment. For a long time, privacy has meant baseline legal compliance. Now, the operational sides within organizations are seeing the strategic impact of a privacy program as a unique business line that feeds into program decisions. Obviously there are differing interpretations of privacy, from legal counsel which has a very rigid idea, through the operations privacy professional working the day-to-day program. It’s an exciting challenge, especially with a discipline that continues to mature. I think privacy programs are about 5 yrs behind information security and the situations that shaped it. Privacy is now seeing the beginning of those same deeper, richer program solutions.

Any comments on how the UCLA Medical Center snooping could have been prevented?

Certainly there are tools and technical solutions that can restrict these kinds of actions. With the IRS, for example, the Taxpayer Browsing Protection Act requires a notification/logging activity if an employee accesses records of cases that they were not assigned to. A law is not the only answer; it must continue into policies, procedures, training and management oversight. Statistics show the greatest vulnerability to someone’s personal information is in the workplace, which can lead to identity theft incidents. Put the tools and technology in place to support the policies and aid the employees, and you have a strong start to prevention.

You don’t really see that much happening with the tons of breach notifications; 600,000 Social Security Number breaches here, or 100,000 credit card numbers there – this isn’t correlating to actual identity theft. I know in the security space, they collect bots and rent them out for Denial of Service attacks or for spamming. Is this information being stored for later use, maybe to topple the credit card industry or affect the financial markets?

I don’t think we should be planning for an information Armageddon or the doom and gloom aspects of this new reality. However, one of my other concerns surrounding notification fatigue is that the time lag from the point identity information is compromised to when it is actually used for an illegal purpose might actually be years. There have been reports that show identity thieves collect information on a targeted audience, say a medical or law student, and then wait to use that identity information until the individual is employed at a high paying job with high credit ratings. There does need to be a continued awareness after the compromise; the smart and savvy identity thieves know that the standard offering is one year of free credit monitoring services, so they wait until the heat is off before they start using the stolen information.

A few years ago, the government began requiring certified Information Security Professionals (CISSPs) on any contracts which involved information security. Will there be a CIPP requisite similar to CISSP for government contracts?

Actually, it’s already starting, not necessarily as a government contract requirement, but within the job announcements. Positions in the public sector are seeing (a CIPP) as a bonus, whereas many private sector positions are requiring the CIPP as a condition of employment. The information privacy certification has gone a long way to putting privacy on a par with the security industry, legitimizing the efforts to establish the privacy discipline as a profession. There are multiple defined domains, which has helped to expand the privacy discussion beyond a legal compliance issue.

I’ve been preparing for the CIPP for the past few weeks, and I’ll tell you, it’s not that easy. How long did the CIPP preparation take you?

Everyone’s CIPP preparation time will be different because there are so many different backgrounds and professions that lead someone to sit for the exam. In my case, my focus was on the CIPP/G government exam, which was my full-time job at the time. I was also fortunate to be asked to sit on the board that was improving the CIPP/G government exam, which entailed me taking the beta version of the exam and providing feedback to the questions and case studies. I achieved my certification through the beta exam process, but I still had to receive a passing score to qualify! Most of your preparation time will depend on how long you have worked with the laws and regulations in a functioning privacy program and can apply the laws to a business setting.

Barbra’s thoughts on additional privacy topics, ranging from the Virginia Watchdog to Executive Led Privacy Programs to the Over-notification of Privacy Breaches, may be found in the CIPP Guide Forums.
