Privacy Issues and Education: Peter Kosmala, International Association of Privacy Professionals
In an exclusive interview, Peter Kosmala, assistant director of the International Association of Privacy Professionals (IAPP), discusses:
Kosmala oversees product management for the IAPP with specific oversight of distance learning products, privacy certifications and industry awards programs. He also manages business development efforts between the IAPP and peer organizations in the information security, information auditing and legal compliance arenas as well as organizations based in the Asia-Pacific region.
The IAPP, based in York, Maine, was founded in 2000 with a mission to define, promote and improve the privacy profession globally.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're talking about privacy today, and we're talking with Peter Kosmala, the Assistant Director with the International Association of Privacy Professionals. Peter, thanks so much for joining me today.
PETER KOSMALA: My pleasure, Tom. Thank you for having me.
FIELD: Just to start out, why don't you tell us a little bit about your organization and your role there.
KOSMALA: Absolutely. Well, the International Association of Privacy Professionals is in fact the world's largest organization representing the emerging field of information privacy, and we first formed in 2000, primarily as a collection at the time of a very compact group of very senior privacy officers, compliance and regulatory professionals who held fairly senior corporate roles and who were responsible for the data management practices of their organizations across a number of different industries. So, it grew from that group to a more broadened and more diversified and geographically representative group of professionals that we now represent today, which is well over 6,000 members across over 40 different countries around the world, and it's also extended to include folks that aren't simply in the corporate range, but also middle management, compliance, directors, strategic-operations people, technical people, marketing people, even folks that have gravitated from related fields such as corporate compliance, legal compliance, risk management, information security, and information auditing, and as an organization we support this profession on a number of levels by providing networking opportunities for them to meet and engage with other professionals in their local communities.
We have a series of meetings that we call "Knowledge Net" that are held in over 35 different cities around the world, and two of our most active chapters are actually located outside of the U.S. and Canada, in Japan. We hold two of the largest conferences devoted to privacy issues each year. One is the IAPP Privacy Summit, which was just held a few weeks ago in March of 2009 in Washington, D.C., and actually brought together close to 1,400 different professionals from around the world, including regulators, corporate privacy officers, academics, and other thought leaders, to discuss the pressing issues of the day. We also have a very operationally-oriented workshop that we offer every fall, and this year in 2009 it happens to be offered in Boston, and that's called the Privacy Academy, which offers a series of workshops that are very focused on the operational challenges of putting a privacy program or team or service together.
We also offer the only professional certification in the field of privacy, and it's called the Certified Information Privacy Professional or CIPP, which certifies the candidate in a broad range of general-topic areas that include privacy laws, as these are now existing and being enforced around the world, as well as industry-standard best practices. As an Assistant Director in the organization, I'm actually overseeing a lot of our business development efforts, so I'm in charge of industry relations with related fields like compliance, ethics, information auditing, security, as well as organizations and individuals in the Asia-Pacific rim and across Europe as well, as we develop our strategies and services moving forward, and I have personal oversight for our certification programs as well as some of our educational-program offerings, which include webinars and audio conferences and the like. So in brief, we're international, we're fast growing, it's an emerging profession that really didn't exist as recently as 10 years ago, and in many ways parallels the early growth of the information security profession in terms of how it's grown and how it develops over time through certification, education, and other efforts.
FIELD: And it's the hot topic.
KOSMALA: It is indeed.
FIELD: So, you've just come from your annual summit. Coming out of that, Peter, what would you say are the top three privacy topics for businesses and government today?
KOSMALA: Well, first of all, we found that a lot of our sessions were so tightly packed that it was difficult to get everybody in and covered at once, and it was a pleasant problem to have, actually, because folks were so intensely interested across a number of different topics that we covered, and there were actually twice as many sessions that we offered this year as we did last, close to 120 different sessions on privacy and security issues. But I think the ones that really emerged, and we learned this not just from the attendance but also from very strong evaluations of the speakers and presenters, tend to focus around three particular areas: one having to do with core definitions of what is personal data, and what comprises identity and identifiers of data, and this is in light of some somewhat controversial decisions or positions articulated by the European Commission, the EU Commission, on privacy matters in treating information like IP addresses and other technical data as personal data. And it's led us into a very interesting debate and discussion into really the core of what we deal with every day, which is personally identifiable information, or PII, personal data. That's what a privacy professional is really designed to protect, or whose role it is to maintain the integrity and the security and the appropriate management of.
Other areas we're noticing that are really emerging fast are - and this is not exactly new, but it's just growing even more - an increasingly complex constellation of laws and regulations now emerging around the world. Where the U.S. has taken a lead in regulatory approach around things such as notice of security breach, data breach notification and response, other countries are fast on the heels of these developments, such as in Canada, where the Privacy Commissioner of Canada, Jennifer Stoddart, issued late last year some guidelines around what organizations are expected to do in terms of ID-theft prevention and data-breach response. Even the United Kingdom and other EU nations are starting to look at the issue very closely, and this is just one issue that is resulting in a very complex legal landscape for privacy professionals to guide their organizations through in terms of complying, particularly if they're a global organization, irrespective of where they're physically based. If data is flowing in and out of these countries or across to employees that serve in far-flung offices, it's all data flow, and it's all flowing into different legal jurisdictions and different sets of requirements, and that's a lot to keep on top of.
And the last thing I would say is emerging technology such as cloud computing or decentralized data flows, data centers that have various endpoints and require similar considerations on how to sort of map that data inventory and protect it, and make sure that it's complying with relevant legal requirements.
FIELD: Well, interesting. How do you find that organizations are tackling some of these challenges, and I wonder if out there, there might be some - some leaders in the industry that others can follow.
KOSMALA: Well, there's a lot of really good work that's being done on the policy side especially, and I think one response is to start to look at privacy issues more holistically as information-management issues and information governance, and looking not just at the specific legal and operational requirements, but integrating that into the practice of the organization as a whole. Historically, privacy as a profession had very compliance-centric origins in terms of just compliance with established laws; here in the U.S. that would be HIPAA in the healthcare profession, the Gramm-Leach-Bliley Act, the privacy provisions within that law; it drove a lot of activity and a lot of program strategy amongst organizations here in the U.S. But as I said, as our membership has diversified, so indeed has the approach to privacy.
It's now being positioned more as a strategic asset and a trust builder among relationships with customers, citizens, if you're a government agency, vendors, other types of partners, which are a really critical component of what an organization does, and that essentially has pushed us to where it has a very valuable strategic role in what an organization does, whether that's a government or a business or a non-profit or other type of organization, and I think that in turn has led to a greater awareness that there has to be coordination; that privacy is not a sub-set of any one particular area such as information security, as one example, but is in fact a very valuable area of its own that is rooted very much in legal concepts and regulatory approaches and solid practices. But that requires integration and collaboration with folks on the information security side or on the risk management or corporate compliance sides, so that the organization is very integrated and is very coordinated in its response to very vexing issues like identity-theft prevention, data-breach prevention, other types of threats to the integrity or the security or the privacy of information that organizations deal with.
I think it's very valuable that the CIPP as a designation is out there for organizations that are starting privacy teams or efforts to establish a baseline level of education and understanding amongst their team members, even folks that they're coordinating with elsewhere in their organization, just so that everyone is aligned on what the basic requirements are and, importantly, that they can spot the issues as they start to emerge.
FIELD: Now, you talked about privacy legislation, Peter, and there are a couple of topics I want to talk with you about. One of them is the Massachusetts Data Protection law. I get the sense that this is one of the toughest privacy legislations to come down. I wanted to get your perspective on it, and what kind of impact that legislation might have on other states or even the federal government.
KOSMALA: Well, as an organization, it's important for me first to note that the IAPP doesn't take explicit policy positions on laws, privacy laws or regulations, both established and emerging, but I certainly can comment on some of the challenges that our members have run into and how we wish to assist them, and our goal really here is to provide a forum for discussion around the development of such laws and such approaches and allow them to coordinate with each other and develop practices and responses together.
But that said, you are correct in noting that it's quite a challenging law that Massachusetts established. It was enacted, or the rules were enacted, in September of 2008, and was originally scheduled to go into full enforcement mode early this year in January, but the compliance deadline has actually been pushed back to January 1st, 2010, and the law is fairly broad-reaching in that it doesn't apply only to organizations that are physically based in Massachusetts. The business or organization can be based anywhere, but as long as it's handling the personal or sensitive information of a citizen of Massachusetts or a Massachusetts resident, they would then be subject to the law, and it also goes further, in that it's not simply a notice of security breach law, but rather, it's pressing for evidence of a comprehensive, written information-security program and actual established procedures extending out even to a vendor network, if your organization is working with outside or third parties that are handling or processing the so-called personal-sensitive information on your behalf, and of course, the consequences for non-compliance are price-significant in terms of not just government enforcement, but also private litigation.
So, the Massachusetts law, while not the first breach notification law, I think is evidence of sort of a new breed of approach that is quite comprehensive and quite aggressive in terms of the enforcement that it's pursuing. Of course, really the pioneering law was California's Senate Bill 1386, which was first enacted in 2003 and put forth some essential requirements around the definition of computerized personal information and certainly encryption requirements and paper records and the like, but now a lot of states are looking to Massachusetts as essentially the latest evolution of this type of approach. So, a number of organizations that we've talked to are looking at the law closely. I think they're encouraged that the compliance deadline has been pushed back ... because it does involve so many different things, from potentially looking at the encryption and protection of portable devices and laptops to, as I say, getting vendors and third parties verified or certified in data protection procedures.
That vendor network can also include tens if not hundreds or maybe even thousands of different organizations or companies, so vendor management is a key challenge of it. Mapping all of that data and inventory, as I said, making sure it's encrypted, it's quite a lot to get together, and it's really a matter of mapping the technical requirements of the laws together with the practical realities of implementing that, and I think everyone's looking closely to see how organizations respond, and how the Massachusetts Attorney General and others respond and take actions, and we'll be watching that very closely in the months to come.
FIELD: Peter, what's your sense - is there a climate or an environment now where we might start seeing federal privacy legislation?
KOSMALA: Well, we're often asked this, and it's come up on several occasions, and I think there are really two perspectives. I mean, one, from a compliance standpoint, what is particularly challenging is the so-called patchwork quilt, as we say, of various state requirements on various privacy matters, again relating primarily to ID-theft prevention, data breach prevention, but also other areas - medical information, genetic privacy information, private information, etc. And it's led to a situation where for an organization that is doing business within the U.S., it's a lot to keep track of. Of course, attorneys and legal professionals are overjoyed, because it calls more upon their expertise and their keen insights on how to navigate through that, but where the position is standard for compliance for your organization, it is now taking on more of a global complexion, as I alluded to earlier, with other countries and other nations and regions looking closely at these very same issues, so that a global organization is really challenged by putting together an appropriate compliance framework for that.
There are some organizations within our membership, such as Microsoft and Hewlett-Packard, and they're joined by others in the policy communities and the consumer-advocate communities, that are arguing strenuously for an established federal standard for privacy protection or an omnibus bill that touches on all these issues, with the primary benefit that it establishes a single standard that then everyone can map to, and that essentially preempts state provisions. But there's also a school of thought that looks to some of the different states like California, like Massachusetts, that have established even higher standards than one might think might emerge in a federal bill, and that that might result in stronger consumer protection. So, it's a debate that continues to emerge. When we were asked this question last year, we were very doubtful that it would be top of the agenda in light of the new Presidential administration.
Now that the new Presidential administration has been established, we're starting to see some indications that privacy will be a big part of the agenda, but secondary, obviously, to economic initiatives and stimulus initiatives, but we've already seen some major enhancements to the Health Insurance Portability and Accountability Act for healthcare privacy provisions under the stimulus package that was recently passed by President Obama. We have a new Chairman of the FTC, Jon Leibowitz, who comes from a strong background in enforcement, particularly in the area of on-line behavioral marketing and on-line marketing privacy practices, so we expect to see a stronger enforcement posture there, not just by his appointment, but the policy direction of the FTC as a whole. So we expect to see more activity. Whether this will lead, in the short term, to, you know, the development or the introduction of a single omnibus federal bill is less certain, but I think it certainly has become a greater possibility.
FIELD: Let's go back to the topic of your certification in Information Privacy. How has that program evolved over time since you first introduced it?
KOSMALA: Well, the Certified Information Privacy Professional or CIPP was on the one hand the natural evolution of our program or our offering to members in helping to support and grow and enhance the visibility of privacy as a profession, as a discipline and a business and an important government role all of its own and fast growing, so it only goes to logic that we would establish an educational standard to demonstrate what is the core body of knowledge that you ought to know as a successful privacy professional, that you ought to have essential understanding of in terms of fundamental knowledge that at the very least is going to enable you to spot the issues and escalate those or delegate those as necessary, if not tackle them directly, and that program is the CIPP, which is a professional certification on operational and technical concepts of information privacy, and it consists of really a two-part certification process.
One is called the Foundation Program, and that's an optional course and a mandatory exam that establishes understanding of global data-protection standards, so some of the principles, privacy principles, frameworks, from APEC, the Asia-Pacific Economic Cooperation, to fair-information practices to the OECD guidelines and other basic information-protection principles that are established around the world and which form the basis for a lot of the laws that were subsequently enacted in the U.S. and in Canada and in Europe - in Canada, through a federal law called PIPEDA, and in Europe through the EU directive and others. That foundation core then leads nicely, beyond just laws and principles, into general practice areas like information security and its important role in partnership with privacy in ensuring the confidentiality and integrity and reliability of information and access to information, as well as the entire world of on-line privacy. So at a very basic level, a CIPP candidate is equipped in all of those essentials before he or she then moves to the legal or practical specialization that they wish to pursue, and here we offer variations in U.S. corporate-privacy issues, if you want to certify specifically to the jurisdictional requirements of the U.S.
There's a Canadian Privacy certification that's specific to the enforcement model for data protection just to our north, and it's a decidedly different model there, where there actually is a federal privacy law established, as I mentioned, PIPEDA [Personal Information Protection and Electronic Documents Act], as well as a series of provincial privacy laws that are akin to some of the state laws in the U.S. but quite different, and there's also a privacy certification that we offer in U.S. government for employees, officers, records managers, security professionals, even vendors or consultants that work within the sphere of U.S. government, whether for or on behalf of a government agency and department. Because there again, there's a whole set of laws from the Data Quality Act to the Federal Information Security Management Act to the E-Government Act to FOIA [Freedom of Information Act], all of which apply to government operations and practices and which any government professional ought to know at a fundamental level in order to protect the information of citizens and ensure appropriate access to that information. And then our newest credential, which will be premiering this year in 2009, is focused on the IT community; it's CIPP/IT, which focuses on privacy issues specific to the development and implementation of information technology services and products, because in the software and hardware engineering and development world, there's a great deal of benefit to the notion of building privacy protections into products and services early in the process, so as to ensure the integrity of data once it's being processed.
So, this is all designed to equip a number of different professionals from a number of different levels in different fields to understand the privacy fundamentals, the legal and operational and even technical requirements to do their job better and to broaden and promote awareness of privacy issues and practices. We now have over 3,000 credential holders around the world that hold one or more of these designations.
FIELD: Impressive. Peter, one last question for you: we're a quarter of the way through the year now officially. Looking ahead, what do you expect are gonna be the biggest privacy stories that we see for the remainder of 2009?
KOSMALA: Well, it's a great question, Tom, and there are actually three I'd like to raise. One of which I mentioned briefly before: a complex constellation of laws on a global level that privacy professionals must tackle on behalf of their organizations to ensure compliance, but also that information is being handled reasonably and practically and in a way that really benefits both consumers and organizations and allows us all to grow and benefit in this information economy that we live in, and in a challenging marketplace as well. One issue that we're gonna see continue on is this sort of lack of stability in laws, and I don't mean to say that the laws themselves are breaking down, but some of them are very much in flux, and there's ongoing debate, such as the one I mentioned earlier on the very definition of personal data itself, that continues to evolve, and which we're watching very closely, and which could lead to some very interesting outcomes in terms of new regulatory frameworks.
As I said, we live in a very highly networked world, and I think another issue we're gonna see more and more is around cloud computing and a decentralized data-sharing model where data centers are set up and accessed by many organizations, many different entities, and really how to get our hands on that data and manage it and protect it properly when it is in that sort of decentralized mode. I think the one thing we learned from our most recent conference was just intense interest around cloud computing and how to manage that, how to build privacy protection into implementations of cloud-computing programs and platforms. And there's also a lot of interesting work being done around data-retention standards and understanding exactly how long is appropriate to hold on to data, and this is the issue emerging out of the bigger analysis of on-line behavioral marketing, what a lot of on-line companies, websites, on-line services do when they capture data through just basic registration processes or other types of inputs from on-line consumers, and what indeed is inappropriate for re-use and for storage - how long that information should be held. In Europe, there are very stringent guidelines around the amount of time you should be holding on to that information and exactly what you're doing and your obligations as an organization to inform the consumer of your intent and your re-use.
This is some of the debate and analysis that's occurring around organizations like Google and Facebook and a lot of the social networking sites. So there again, I think that's an issue that will continue to evolve in interesting ways that we'll have to track closely, and which will have implications for different organizations.
FIELD: Peter, you've been an excellent spokesperson. I've really appreciated your time and your insights today.
KOSMALA: Well, we very much appreciate the opportunity to speak, Tom, and if anyone has any interest in pursuing certification in information privacy or simply knowing more about the IAPP, I invite you to visit us at privacyassociation.org. And a very simple way you can engage, just in elevating your own privacy awareness, is to sign up for the absolutely free daily-org e-newsletter, which is a daily digest of information privacy news as it occurs around the world each day, and it will simply get you smarter on what these issues are, how the laws are developed, and where it's all taking us, and it's absolutely free.
FIELD: Again, privacy is the topic of the day, and we've been speaking with Peter Kosmala, Assistant Director with the International Association of Privacy Professionals.