Are You Privacy Compliant? Hire a Lawyer?

Privacy
Written by Joe Campana
Monday, 16 June 2008 20:17

In a business forum I recently asked the question, "Does your business have a privacy officer?" A young attorney quipped, "Hire an attorney, they'll tell you if you need one." According to best privacy practices, a National Academy of Sciences report, numerous other compliance bibles, and a multitude of federal and many state laws, all enterprises should have a privacy advocate, typically called a chief privacy officer (CPO), no matter whether your business comprises one or tens of thousands of associates.

In a related incident, the CEO of an international privacy credentialing institute shared a newspaper article with me out of frustration. It was written by an attorney and stated that ALL businesses were required to comply with the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), two of many privacy laws. That's simply inaccurate. Two weeks ago, a client described what he was told was a HIPAA violation in his retail carpet store. He received the erroneous information at an employer seminar sponsored by a prestigious local law firm. I didn't have the heart to tell him that his business is not covered by HIPAA. Most employers are not covered entities under HIPAA regulations.

I am not blasting attorneys. Today, there is much confusion with respect to privacy laws and privacy compliance. It's complex and rapidly changing. The privacy profession has been evolving over the last several years. Attorneys usually have expertise in a few areas of law. Most do not specialize in privacy and information security. In fact, few law schools have such a specialty. The ones that do can probably be counted on the fingers of a single hand. To add to the deficiency, few attorneys have obtained professional credentialing in identity theft, privacy and information security, although that is changing too.

Chief Executive Magazine recently (Oct/Nov Issue) reported on "Enterprise Risks." Among 10 threats, the #1 risk was identified as regulatory and compliance risks, based on an Ernst & Young study (soon to be released). To address these regulatory and compliance risks, corporate management will team up with professional risk managers, not a team of attorneys, to assess the risks. Small businesses, on the other hand, see privacy compliance as only a legal issue and consult with legal counsel who may not have the expertise or awareness to give proper advice. (In stark contrast, small businesses make daily business decisions with legal implications and never think of contacting an attorney to review their other important decisions, for example, insurance coverages, human resources policies, contracts, etc.)

I view an attorney as an important member of a risk management team. However, the attorney is not likely to be the privacy expert, the professional risk manager, or the information security expert. So beginning a risk management process by asking an attorney may not be prudent unless the attorney is an expert in that field of risk. When you have an HR issue, the first stop is the HR professional; when you have an insurance issue, it's the insurance professional; and on matters of privacy, the first stop should be the privacy professional.
Last Updated on Saturday, 11 April 2009 20:57