The chief privacy officer role emerged largely within the regulated sectors of health care and financial services, but has spread to many industries and to companies of all sizes. The spread has no doubt been quickened by the FTC’s enforcement of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The most common enforcement actions undertaken by the FTC have been against companies whose use of their customers’ personal information violates their own stated privacy policies. These types of mishaps reveal an underlying lack of coordination between the privacy and security functions. Therefore, the quality of the relationship between an organization’s privacy and security functions may be a key predictor of compliance success.
The introduction of a privacy program within an organization can sometimes cause tension with the information security function. These tensions arise out of the common goals and purposes shared between the two groups. Further, a shared interest in common technologies that provide for confidentiality of information, the primary objective of both groups, can confuse program scope or, worse, foster unhealthy competition. In-house counsel can work to ensure that the relationship between the privacy and security functions is conducive to reducing risk, not introducing it.