Over a hundred organizations are responsible for shaping the future of data privacy. In this new series, we’ll profile some of the organizations that are helping to shape the massive privacy ecosystem, through the eyes of the professionals who work there, and learn more about their perspectives on privacy.
What is your organization’s role in the privacy ecosystem?
TeachPrivacy provides computer-based privacy training and information security awareness training to organizations in a wide array of industries. TeachPrivacy has FERPA training for schools, HIPAA training for healthcare providers and business associates, PCI training for merchants and others handling payment card data, and much more.
What key goals/issues is your organization focused on tackling?
Our goal is to provide training that really makes a difference. Training is one of the most important things an organization can do to mitigate the risk of having a data breach or a privacy incident. I founded TeachPrivacy because I thought that there was a better way to train employees about these issues – to really educate them, to show them why they should care.
My goal is to apply good teaching techniques to training. I learned a lot in teaching as a professor and in speaking to audiences of all types. I aim to create training that is engaging, concrete, vivid, and memorable.
How have your organization’s goals/focus changed over the years to address evolving technologies or challenges?
Our goals have remained stable – we are an education company. Our primary goal is to help organizations educate their workforce about privacy and data security. We want to make the best training we can create.
In the training I develop, I strive to use the techniques that work the best – using stories, interactivity, vivid imagery, varied styles and approaches, immersive experiences, activities, genuine passion, and memorable explanations. There is a timeless quality to these techniques. They have worked for thousands of years.
Looking ahead – what are the most important data privacy issues/concerns you think need to be addressed by the industry and/or government legislation?
It would take many books to answer this question. But one overarching point that I think is essential: The best legislation includes governance provisions – it requires a privacy and security officer, privacy and security programs, routine risk assessments, training, policies and procedures, etc. And there must be good enforcement. Laws without such provisions are often poorly followed.
What is the biggest current threat (to consumers or businesses)?
The biggest threat to businesses is their own workforce. Human error accounts for an enormous percentage of data breaches. The hackers know this. Humans are easier to hack than machines.
This threat can be dealt with – the workforce needs to be educated, and it must be a meaningful education. But it takes time, effort, creativity, and an understanding of how to engage people.
The worst consequence of a privacy or security incident is loss of trust. It hurts the organizations when people lose trust that their data will be protected or when they lose trust that an organization will treat them fairly and respect their privacy. Not only does it hurt organizations, but it hurts consumers when they cannot trust organizations they do business with.
How do you think the Privacy Ecosystem will/needs to evolve over the next 3-5 years to be fit for purpose?
Privacy and security need to be better united. Privacy and security go hand-in-hand. They support and reinforce each other. They are deeply intertwined. Yet, they have become siloed in many organizations. Privacy and security professionals often inhabit very different professional circles, go to different conferences, and speak different languages.
I’m trying to do my part in bringing privacy and security together by launching a new annual event called the Privacy+Security Forum. The event is October 21-23, 2015 in Washington DC. We have session topics that attempt to bridge the privacy/security divide, and we are bringing together privacy and security professionals to share knowledge and develop new insights.
Tell us about your role at TeachPrivacy.
I founded TeachPrivacy and am President and CEO. I am involved in all aspects of the business, and I focus most on creating the training.
How did you start working in the privacy field and why do you enjoy it?
I began in the late 1990s when I was in law school. I took one of the early cyber law courses, and I thought there would be interesting issues in the field. Not much was written about privacy at the time, so I started to look into that issue. And then I fell into the rabbit hole, which seems endlessly deep.
When I started teaching in 2000, I proposed a course in information privacy law. My law school kindly let me try it out. There were only a handful of such courses at the time. I put together hundreds of pages of materials, which I then turned into a casebook. It’s now in its 5th edition.
Privacy issues are fascinating, timely, and varied, so I feel like I’ve landed in the New World and have an entire continent to explore.
What do you wish more [people, business, etc.] knew about privacy?
I wish more people and businesses would recognize the importance of thinking about what privacy is. Policymakers, judges, and businesses all have an implicit conception of privacy, but often these are too narrow or incomplete. As I wrote in a blog post about Privacy by Design: “All decisions regarding privacy depend upon a conception of privacy. If the conception of privacy is poor or incomplete, the decisions will be bad.”