The CIO And Privacy: Liable, Culpable, Or Merely Responsible?

Or maybe all of the above. What exactly is the CIO's role and responsibility in protecting the digital privacy of customers, partners, and employees and the security of proprietary corporate data? Where does the privacy buck stop?Jim Haskin, the CIO of Websense, a company that markets Web-filtering technology, has his own opinion on the CIO's potential exposure when it comes to privacy problems. "Liability is a specific term," Haskin says. "Culpability might be better."

The specifics of liability concerning the loss or exposure of personal data have been spelled out in legislation such as Sarbanes-Oxley and HIPAA, he says, and that's a good thing. "In this rapidly changing environment, there is a role for legislation that constitutes reasonable business practices" around privacy, he says.

Maybe because of the business he's in, Haskin's more concerned with corporate data privacy than consumer data privacy. The security of consumer data -- or lack thereof -- has been driving the privacy conversation up till now, Haskin points out. It's also driving most of the privacy legislation pending in Congress, legislation that's primarily concerned with notifying consumers when there's been a breach of their personal data.

"I'm not mitigating consumer data," Haskin says. "That's the one that's gotten all the publicity." But companies need to protect all their valuable data, in all its forms and vectors, he says. Companies should be equally concerned with protecting proprietary corporate data and intellectual property, everything from inventions and formulas to marketing plans and business strategies.

In fact, public companies should consider it a fiduciary responsibility, which puts the onus and obligation for security and privacy of that data at the board level. And that's where the federal government comes in. Haskin stops short of advocating the "L" word -- legislation -- but he does believe that the federal government should have a hand in "setting standards for what needs to be protected."

Just like public companies have to have security policies, they should be required to have policies and procedures in place to guard valuable "unique and proprietary data" that, if compromised, would lead to financial exposure for a company: loss of brand loyalty, loss of market share, loss of IP, and/or loss of consumer confidence. "I think there is a need at a very high level to define the categories and types of data that should be protected," Haskin says.

Once again, he stops short of advocating legislation. "You don't want to get down to the 'how,' " he says, but standards need to be defined "on the federal level rather than the state [level], just from a complexity standpoint."

Does that take the responsibility for data security and privacy off the CIO? Not necessarily, Haskin says. But for him, it's a corporate obligation, and that means the privacy buck ultimately should stop at the board level.

What do you think? Are CIOs liable for data privacy breaches? And does that keep you up at night?