Computer World –
Ronald Hoffman, the privacy issues manager at Mutual of Omaha Insurance Co., is in the forefront of a new breed of executives who are working with CIOs to set corporate data-privacy policies.
Hoffman is responsible for helping to establish privacy practices for Mutual of Omaha's employees to follow. His job, which was created in April, has become a key part of the Omaha-based insurer's overall corporate strategy in response to new privacy regulations and an ongoing debate over whether the government should set more rules or allow companies to regulate themselves.
For Mutual of Omaha, it's a bottom-line issue. Creating data-privacy policies, and then standing behind them, "is something that is going to help build a trusting relationship with our customers that we hope will allow us to retain their business and acquire new business," said Hoffman at the Global Privacy Summit conference in Washington yesterday.
There are no more than 50 to 75 chief privacy officers (CPOs) with jobs similar to Hoffman's working inside U.S. companies today, said Alan Westin, publisher of the Hackensack, N.J.-based journal Privacy & American Business and one of the speakers at the privacy summit. But Westin predicted that the number of privacy officers is going to increase, perhaps into the thousands, as companies find "that their ability to manage privacy is a major part of their competitive edge."
Corporate privacy officers work with a variety of corporate departments, including information systems, legal affairs, governmental affairs and employee training. But the most important thing they need is buy-in from top management, said Tatiana Gau, vice president of integrity assurance at America Online Inc.
"There's no question in my mind that one of the most important roles of the CPO is to ensure that the whole company is adhering to a privacy commitment," Gau said. At AOL, for example, the importance of data privacy has been "baked into all the lifecycles" of the company, she added.
Hoffman is currently working with Mutual of Omaha's information technology managers to document the way data flows through all of the company's systems in order to learn exactly what happens to the information and who has access to it.
"We really didn't have a good handle on information flows through the company," Hoffman said. But the documentation project now under way should lead to better risk management and security assessments in addition to helping the insurer develop its privacy policies, he added.
Some privacy advocates have argued that corporations will have an easier job of managing data-privacy issues if the federal government sets baseline regulatory standards. Some privacy rules have been established for the medical and financial industries, but no broad-based legislation has been passed thus far for e-commerce companies and other businesses that deal with customers via the Internet.
Jules Polonetsky, chief privacy officer at online advertising firm DoubleClick Inc. in New York, said at the privacy summit that he hopes lawmakers give corporate self-regulation more time before taking additional legislative steps. "Let's give the majority of honest businesses an opportunity to see if [self-regulation] works," he said.