Cynthia Van Ort did not dream of becoming a CPO when she was a child, but her perspective on privacy today is rooted in a responsibility to think prophetically about the future of the industry in order to help shape it. Van Ort is the former North American chief privacy officer for Citigroup and the newly appointed global CPO for a large multinational corporation. She recently sat down with TRU Staffing Partners’ founder and CEO Jared Coseglia to give guidance to aspiring privacy pros and share her perspective on defining the core values of privacy as a practice and a profession.
“Privacy wasn’t a career path when I started working professionally,” says Van Ort. Like many early entrants to the privacy profession, she began her career in legal. She received her J.D. from DePaul University. “I was an attorney in the legal department at Harris Bank/Bank of Montreal supporting the privacy office and online banking.” In the early days of financial data aggregation, Van Ort recognized that privacy was an issue that would become increasingly critical. “We had a data aggregation site where customers could go and see all their accounts from our institution as well as other institutions in a single dashboard. That required obtaining the customer’s financial information from other institutions to add to the dashboard,” Van Ort explains. She quickly recognized that in order for individuals to access the convenience of this service, they were required to give their user names and passwords for all their accounts to the vendor providing the data aggregation, essentially “giving away the keys to the kingdom.” These types of issues led Van Ort to build her career around data privacy and integrity. According to her, “data aggregation is only now finally in the spotlight because of associated privacy-related issues and government attention (like the CFPB) on providing customers the right to access their data in a safe manner.”
Being in the banking industry has given Van Ort a front-row seat to the complexity of compliance and the possibilities of privacy as a tool to help drive the business. Throughout her privacy career Van Ort has been responsible for developing approaches to identify and manage global privacy risks and resolve issues that may arise. She has led the development and global implementation of privacy programs involving the creation of privacy frameworks, specifically the development of policies, governance structures, standards, engagement models, training, metrics, reporting, risk assessment and more. “In banking we have substantial and effective authentication tools to prove that you are you. That’s security. But I wanted to make sure all employees were equipped to view our services through a privacy lens,” remarks Van Ort.
Privacy treasure chest and the security lock
Van Ort describes the difference between security and privacy using a treasure chest metaphor: “Privacy pertains to the rights of individuals over their information. Privacy is the treasure in the chest. Security is the controls that protect those rights. Security is the lock on the box,” says Van Ort. As she goes on to compare security and privacy, Van Ort notes a critical differentiation that is only now coming into the limelight as a result of recent headline news involving both security and privacy: “Privacy considerations are much broader than simply protecting the data. Confidentiality is only one element; but consider the rights of an individual to know how you are using their data. That’s transparency.”
There have been several major public scandals in the last year that have drawn attention to the importance of transparency versus pure confidentiality. Though the Equifax and Cambridge Analytica events did not immediately impact regulatory standards, certainly not at the federal level, these moments did change consumer expectations and awareness of privacy. “I predicted there would be huge outrage after Equifax, but it settled down quickly,” observes Van Ort. “What did show up, though, is the desire for individuals to have control over their data,” adds Van Ort. This has inspired companies to seek “ways to help educate the consumer” about privacy. “Privacy notices are not helping the consumer and are not the best way to educate.” The challenge of educating the general population about privacy, for Van Ort, boils down to the competing agendas of privacy empowerment versus consumer convenience. “We need to empower people without requiring a huge investment of their time,” says Van Ort.