Inside the mind of Silicon Valley's chief privacy officer
When the growth of technological capabilities began to result in an influx of data collection on a local level, cities responded with the adoption of chief data officers. The "rise of the CDO" was documented as an emerging trend — a necessary one, too — and spread nationwide in the past few years as its importance grew.
So, why haven't government agencies followed suit in the realm of privacy?
While chief privacy officers are popular in the private sector, states and local governments don't require the CPO role unless the jurisdiction calls for one. However it's a "rapidly growing field," according to Sam Pfeifle, content director at the International Association of Privacy Professionals (IAPP). Pfeifle notes that, a city level, Seattle and Phoenix became early adopters of the CPO role, while states such as Washington, South Carolina, Ohio and West Virginia have also established the position. Overall, IAPP has more than 1,000 members certified with a CIPP/G credential, "which demonstrates that the certification holder has a mastery of the very specific laws regulating the use of citizen data by federal agencies."
One of the newest officers to join the elite group of public CPOs is Mike Shapiro, a 15-year privacy veteran and former software engineer. On December 14, Shapiro was welcomed as the first chief privacy officer of Santa Clara County, CA — known as Silicon Valley — tasked with protecting information and data for all of 1.9 million residents.
Smart Cities Dive caught up with Shapiro to learn more about his expertise in the field, his strategy for Santa Clara and his advice for cities hoping to bring on their own CPOs.
The following interview has been edited for clarity and brevity.
SMART CITIES DIVE: Tell me a bit about what led you to this role.
MIKE SHAPIRO: I have a history of working in the consulting world, working with a lot of federal government and state government agencies as well as large- and medium-sized companies. So what that does is give me a really good breadth of different types of clients to work with as well as different types of privacy problems ... I think what my background brings is being able to deal with privacy in a bunch of different types of scenarios instead of just one or two. I'm able to bring to the table at least that kind of range of experiences to say, 'Hey, we're trying to see where we can develop enterprise level policies and standards and procedures. How can we bring that up in a smart way to make sure that we're considering the unique nature of what's going on criminal justice or in the health care community and make sure that we don't sort of circumvent that or make sure that we don't step on anyone's toes?' We can make sure that when we develop enterprise-level training and policies, that we consider that but then we give them the space they need to operate in their own environment.
Are you planning to introduce any new privacy initiatives that maybe the county hasn't seen before?
SHAPIRO: One of the first things that I like to try to do in a new environment is a privacy maturity assessment. There's been some previous work that's been done on that, and I want to extend that to really see where the county's at in their different departments because there are so many moving parts here. And with that I'll be able to better gauge sort of where those needs are, where the highest risk areas are and to really focus my attention there. Regardless, there are still some things that I want to address in this particular environment that tends to be privacy governance — making sure that all these different departments and agency are talking with each other. So actually making sure that the left hand knows what the right hand is doing and seeing where we can [address] those needs for information sharing to try to provide better constituent services while at the same time protecting that data.
One of the other things that we're really going to try to focus on in the future is building a Privacy Center of Excellence... What that means is the county working not only among departments within the county itself and other government agencies, but actually extending out to corporate and academia. Being that we're in Silicon Valley, we're in a very unique position — I think a very fortunate one — where we have such an amazing opportunity to reach out to technology leaders in the field and to work with them on building the Privacy Center of Excellence. I think with with experts that we have, we can actually really do something to come to the forefront, not just of the county in the state of California, but also the United States.
Do you feel that being in Silicon Valley adds extra pressure to the roll and to ensuring these privacy protections?
SHAPIRO: Yes and no. Of course there's extra pressure because there's a little bit of visibility, but I actually think that's a good thing. With that extra pressure comes extra opportunity, comes extra motivation to ... no longer think of privacy as an afterthought. We really need to make sure that privacy is integrated while we develop new products and new innovations. We don't want to think of privacy as being what they call "bolted on," we want to think of it as privacy being baked into that process ... I think it's just a great opportunity to integrate privacy, maybe in some ways that other counties or states or other jurisdictions don't quite have that ability, whether it's just through their location or resources. We really have a truly unique opportunity to be at the forefront of that.
What is it like for you to enter this role that not many other municipal leaders, at least on a county level, have pursued before?
SHAPIRO: Although the role here at the county is new, the role of chief privacy officer is not. There's been several of people across the different agencies and clients I've worked with who have served in that role. And I think being able to have that exposure, to see how multiple privacy offices run and some of the good things that they've done and some of the things that you probably want to avoid, I think that gives me a good opportunity to build a program here in the right way. So the good part about it is that there's not an inherent structure which some people would consider a challenge, but at the same time it gives me a lot of leeway to be able to create this program the right way — without inheriting any problems or any issues — from the ground up.
Do you think local governments face, or will face, privacy threats that are not prioritized or discussed enough? What should CPOs pay more attention to?
SHAPIRO: Well I think CPOs are pretty good at paying attention to a lot of the privacy issues that face them, but I'll put that with a caveat: I would say experienced CPOs are aware of that. My concern in the privacy field is that a lot of times, people are put into a chief privacy officer role that have the title but not necessarily the background or the experience. So I think as the field is maturing a little bit more, we're going to start seeing CPOs that are not taken for granted. It's going to be a position to where different companies and government agencies are going to make sure that people in those roles have the privacy chops to back that up.
"I think as the field is maturing a little bit more, we're going to start seeing CPOs that are not taken for granted."
I would say some of the biggest concerns in general that privacy officers should look at going to be the ones that get the most attention. You see data breaches that happen. Those are the things that the public tends to pay attention to, and the things that keep privacy officers up at night as well. But there are also a lot of other things that privacy officers should be thinking of, like how can we prevent those data breaches from happening in the first place? And those are some of the things that we try to work on ... to make sure that we have the right governance in place and that governance structure is really necessary so we're all communicating. When we set up policies, when we set up practices and our training, it's designed to make sure we prevent these types of incidents and privacy breaches and breaches of personal information and sensitive information and so on in the first place.
A lot of times what I've seen ... is that you'll have clients that bring you in after a crisis has already occurred. There's been a data breach that's getting media attention and there's a bit of a scramble trying to recover from it, so they're dealing with a little bit of a chaotic environment. What I think is wonderful for organizations is when they upfront say, 'We realize that there's a significant risk in privacy. We need to bring on somebody right now to make sure that they deal with these privacy risks upfront so we don't get caught on the back-end dealing with the breach and having to answer to it later.' My hope is that other organizations are going to realize that, first of all, it's necessary to bring on a chief privacy officer and staff to support them. But as well that they bring on one that has some experience in these matters and don't take it for granted.
Outside of hiring an experienced official, what other sort of advice do you have for cities or counties looking to bring on a CPO?
SHAPIRO: Work with other chief privacy officers in the community, whether that's through industry or academia or government. Feel free to reach out to others and say, 'Hey, what did you look for when you went to seek a privacy officer? What are some of the things that we should actually be able to know so that when we're interviewing them or bringing them on board, that we can be able to discern whether this is someone that's going to fit that role well or not?' Reaching out to circles... people that are experts in the field... I think that is a really good start.
I think the industry not only itself is important, but the protection of people and their information is becoming more and more important every day as we start seeing these data breaches becoming more prevalent. The negative impacts of identity theft and credit card fraud and other types of fraud are now becoming so significant and it's affecting people's lives so much, I think it's elevated that need [for a CPO]. As different government agencies or even corporations or are looking to provide CPOs, I think it's important to reach out to the communities to make sure they bring on good people.
Follow Kristin Musulin on Twitter