How to break into Privacy as a Career

This topic seems to be more important than ever given the global demand (okay, mainly the European demand) for experienced privacy professionals. But how do you get experience if no one will hire you – and how do you get hired without having experience?

For privacy in particular, the IAPP has stepped up its efforts – recognizing the need to train professionals quickly and maintain quality. They offer online training in the General Data Protection Regulation and European data protection, available online and in person.  In addition, there is a Privacy Law Specialist recognized through the American Bar Association (squeee – very excited for this).

But what if you are not a member of the IAPP?  First, join it. There are people who have personal issues with either the IAPP or with certifications, but frankly, with very little else in the world to compete with this recognition – it’s pretty much the only game in town. There are other certifications and groups, don’t get me wrong – there are health care privacy certifications, research certifications, ISO27k certifications, CISSP, and many more. But still, CIPP, is what companies look for when looking for someone skilled in privacy.

Does being certified in information privacy mean you are an expert – no. But it is a way of demonstrating that you passed an objective measurement that indicates that you have a baseline knowledge. Call me old-fashioned, but to me, if you have been measured and found acceptable, then I expect you to demonstrate that knowledge. I am often disappointed – don’t get me started on registered nurses, doctors, and attorneys that I consider to be incompetent. That’s a whole ‘nother blog.

Back to the point of the post – you can break into the privacy field, whether you are an attorney or not. Play to your strengths and enter through a related position. If you are a litigator, start litigating on privacy issues. If you work in a bank, get into the privacy office. If you are in insurance . .. well, you should get the point. Contact the people in the privacy area of where you work, or want to work, and be upfront with them.

Make connections. Network. And keep in mind that networking, while you hope it will benefit you at some point, is not about you. It is about the person you want to know.  What can you do for them?  And then don’t be afraid to use your network to help others. Good deeds will come around.

Be active in discussion groups. Comment on stories that people post. Engage others – and on intellectual points, not in arguments. Get your name out there.

Start writing articles for industry publications. They love new blood and insight.

Join committees and work.  Don’t just lurk. Work.

And most of all, pay attention. Right now, the application for the Privacy Law Specialist is due. Today.  And I completely missed the news on it, being heavily engaged in actual working. So… sigh. I won’t be in the inaugural group, which sucks. But it underscores a key point – pay attention and execute on a timely basis.

Make sure your name, when called, is meaningful.

If you have other suggestions, please comment. If you have questions, please ask.

 

“I have a quick question…..”

quick question.png

The conversation starts with …. I have a quick question..It’s never quick to ask or quick to answer – especially when to really answer the question, more information is required. I should never say never. If your question is “Is it okay to kidnap a stranger and keep them locked up for ten years while I bilk all their life savings?” – the answer is really quick. No.

Otherwise, most of the time when someone wants to ask a quick question of an attorney, they are generally looking for a valid legal response, even if the attorney disclaims it is not legal advice.

Don’t get me wrong, most of us love intellectual debates and/or discussing our passions. Asking me about privacy is like asking a new mom about her babe – it’s a miracle if I ever shut up. (Those who know me..quit laughing! I am limited to one cup of coffee daily)

The point is – there is rarely a “quick question.” If you really do intend it to be a quick question, do your homework first and only ask the remaining issue. Here’s a good scenario:

Quick question: 
“Should I report my doctor for a HIPAA breach if they mailed me the wrong lab results?”

Why it’s not quick:

  • Who are you thinking you should report the doctor to – the medical board, the U.S. Office for Civil Rights, a non-US regulatory authority, state attorney general, state insurance office, employer, insurer? The list can be very long.
  • Is your doctor under any requirements that address privacy, other than the physician requirement for confidentiality? (HIPAA does not apply to everyone)
  • What information did you receive and how do you know it’s not you? – are the lab results for a test you did not have, is there another name on the test, is it not your patient ID, was the address wrong and the post office delivered it to the right address or post office delivered it to the wrong address? – lots of ways this could be wrong.
  • Did you discover this yourself or were you informed?
  • Why do you want to report it? (public obligation, anger, want to sue, etc.)
  • Have you been harmed? (not necessarily critical to being a breach, but is important)
  • Has the other patient been harmed? (or would they be)
  • Do you still have the information?
  • Have you reported this to the doctor? if so, what what his/her response?

and other questions would follow based on responses.

My quick answer would be – you should let the doctor know and return the information to him/her without keeping a copy, but take notes on the entire interaction. This may or may not be the correct answer depending on the responses to the questions above that I would not know if I did not ask. 

And the “quick questioner” will probably still ask a follow-up question or respond with more information. Making the quick question and quick-perhaps accurate- response still not so quick.

If people really wanted to ask a quick question – they would do the homework and come to the attorney (or privacy officer) with a really quick question –

“Hey, my doctor in Indiana mailed me the lab results for another patient with that patient’s name on it and it is HIV results. I know it is a breach under HIPAA, but it appears my address is connected to that name. I told the doctor’s office and I shredded it, but should I report this to the Office for Civil Rights?”

Quick answer:
“Oh, that’s bad. Yes, you can report to the Office for Civil Rights, although you don’t have to, and they can match it to your doctor’s breach disclosure list, which is not required until the year is over for one-offs. You can also follow up and ask your doctor if they let the other patient know, but they don’t have to tell you. Make sure they correct your address linked to that patient and make sure your name is not on his/her address and no information on you has been sent there.”

This is not unique to privacy or to attorneys. This happens to pretty much everyone. If the quick question is a conversation starter, because you are looking for a way to start chatting, fine. It could be awkward and you might get a rude response or create a bad impression.

If, however, you really do think that you can ask someone who knows (perhaps an “expert”) a question related to their knowledge and expertise and the person is a friend, good acquaintance, or close work colleague – sure, do it. But be respectful, do your homework, and provide concise, clear, and critical facts. Do not turn it into a verbal essay and please explain up front that if it is not so quick from their point-of-view just to say so – you get that there may be complexities that you don’t see.

If this person does answer, you should provide them with a thank you, such as a gift card to their favorite coffee or food place, flowers, thank you item, or effusive thank you card. They won’t expect it – cause who does that? – and it will become a pleasurable experience for them and you.

 

 

Privacy Officers are like Washing Machines

washing-privacyPrivacy Officers (whether attorneys or non-attorneys) are a lot like washing machines. Aside from the obvious resemblance that we handle dirty laundry, let’s consider some of the other similarities.

If there is no agitation going on, nothing’s really getting done: Like other compliance roles, privacy may not always sit well with colleagues who may see us as roadblocks to their great ideas. This is one reason why in Europe, privacy officers are afforded a huge measure of protection – they must be able to act independently without fear of reprisal or role reduction. On the other hand, we are here to help get the job done right, so sometimes, we just need time to churn and roll it around a few times!

Front Load  vs. Top Load: Privacy programs function in a variety of different ways and there are benefits in all. Personally, I prefer a front load (seeing privacy as an equal partner, horizontal) rather than top load (pushing duties and mandates down, vertical build), but they all get the job done.

Newer Models: Are the fresh new models really better? Or do they simply have more bells and whistles even though the core job is still a high quality result?

Added Technology: However, maybe those newer models do come with some extra technology, such as sensing the load, adding in steam cleaning, and using less detergent. There are lots of significant considerations when employers look for years of experience – maybe they need years, but maybe they need technical enhancements.

Washing Only, Please: Regardless of any bells and whistles, we really just want a machine that washes clothes. We don’t want a machine that does clothes, dishes, cooking, and floor cleaning (which sounds cool as a concept, but in reality would simply be overloaded and do nothing at a high standard).

Quiet vs. Clunkers: There are some who shake, rattle, and roll and others that are extra quiet. Neither really speak to quality, it’s just a different way of working.

We need the Right Settings to Deliver the Right Results: ‘nough said.

Capacity Limits (Overflows are Bad): Stuff too much in and expect too much done – and you get poor results. Sure, the laundry will be a little cleaner, but only marginally. Similarly, putting in too much detergent, bleach, softener – not good. Right amounts at the right times result in optimum work.

Wash first, then Dry: There’s an order to the process. Washing comes first. Cleaning by Design. If you just throw your clothes in the dryer without washing them first, you accomplish nothing meaningful other than getting warm sheets that feel good, but eventually the dirt on them causes real problems.

Don’t Leave the Laundry In: Ever had a load of laundry that was clean, but no one did anything with it after that?  Similarly, once we provide recommendations, if the business doesn’t act on it, the final product will smell a little musty.

Don’t Remove Laundry Before its Done: No one wants to manage soaking, sudsy laundry. Let the machine do its work. Now, if I could manage to be like the front load machines and simply not permit anyone to open the door without putting some controls in place…

We All Need Washing Machines: Seriously, who doesn’t use a washing machine? Whether you have one at home or use a laundromat (lots of machines, pay per load, able to handle huge loads – great business model), washing machines are simply a staple of modern life.

Consistent Work Product: Load after load. Great results. Doing the job right.

Complaints of Doing Laundry: So everyone complains about doing laundry, but the machine really does the massive, core job. Sure you have to give us the laundry to do along with the right tools – and yes, you have to do something with the clean clothes. And yet, complaints complaints complaints about “Ugh. Laundry Day.” Would you prefer not to have a washing machine or just have loads of dirty laundry lying around, getting in the way, stinking? Eventually, you could not actually walk around your house with all the piles of laundry or you’d just have to resign yourself to wearing dirty clothes. Oh wait – just go buy new clothes?  Eventually, you’d run into the same problem or run out of money. Just let the washing machine do its job and we’re all happier.

 

 

 

“I think I’m Doing Too Much”

I think I’m doing too much. My family had never heard me say those words. Never. And I don’t just mean my kids – my mom, everyone/no one. Those who know me might recognize that I am a hyper-personality, high spirited, too “damn” perky – pick your descriptor. I have always been busy. I started work at maybe 13, 14 years old. I know in one job, I lied about my age….could never get away with that now!

I never cared much for grades, so it is not that I was one of those over-achieving students. I wanted the knowledge, not the external recognition. Given that I generally scored in the top half percent of the top 1% of all those standardized tests, I was classified as a classic underachiever. You laugh now.

But I became too busy. Personally and professionally. privacy lawyer, silicon valley global med tech company check. BCRs (controller and processor – first ever dual application) check. HIPAA check. Emerging tech check. lawyer check. executive check. consulting check. blogging check. start writing a book (check, but leave unchecked that I finished it) – same with PhD  in dissertation phase for 3 years now. Check check check. Happily married finally. 2 amazing, accomplished daughters. Leadership roles in global professional organizations. volunteering with non-profits. great friends. good books. loving pets. awesome home. 150+ pairs of shoes. Mrs. Scottsdale America. Speaking on a variety of subjects to different audiences. teaching law classes. Mercedes AMG. money in savings. off most lupus meds. I even lost 30 pounds. checking all over the place. BUT….

– I was busy, but things were getting accomplished. Yet for the first time in my life – I was overwhelmed. I mean, hell – I survived things that killed others. I know I am lucky – and I give the praise to the God I trust and worship. But I was overwhelmed. Even my adult ADD wasn’t saving me this time.

I have learned that when you need to slow down, you either do it or you’re forced to do it. 

So I have slowed down. I am able to take stock of my goals and my 5 – 10 – 15 year plan. I kinda sorta had a plan, and executed it immaculately despite myself. I know what it important for me professionally and personally – and everything else. everything. is nonessential to my life.

Face the hard decisions. And face them head on with determination and consideration. Be brutally honest with yourself about what matters – and what is simply busy work, or chasing a dream that you thought you should have, or doing things that are expected of someone in your field. Focus on what matters. And yes, professional goals matter too. We spend most of our waking hours working (which can suck if you don’t do what you love), so don’t knock having professional goals and dreams.

Some of us may not be in a position to be choosy, but if it is at all possible – take a step towards being in a place to choose. One step at a time. My goal, growing up poor in Mississippi was 1) be able to walk into a superstop (quickie mart, 7/11, whatever the local corner store is) and buy a coke without having to balance my checkbook first and 2) go on a great vacation every year. #1 I can do. #2 – my definition of a great vacation seems to be morphing.

I’m still young (I tell people I am 74 and looks dayum good for my age), but I am 47 years old. I am young and in a field (privacy law) that is growing leaps and bounds. I know and love some amazing people, both personally and professionally, and I work for some phenomenal people/companies that I respect and hope to continue those relationships.

And I still need to finish that dissertation. this year.

So being too busy was my come to Jesus moment. And I survived it with some hits to the pocket book, ego, health, and personal matters. Maybe that is what it took. I do not ever want to say or feel those words again. I want to be in deliberate control of my life. Live with purpose.

 

Why Work in Privacy?

top 5Often, when asked what I do, the person is totally flummoxed when I respond that I am a privacy attorney. Sometimes, they will even ask – what does that mean? Well, if I said I was a contract attorney or a patent attorney, they would understand, right? It means I handle contracts or patents – or specifically in my case, I handle privacy.

Ah – that’s the problem, they don’t understand privacy. I mean, seriously, how do I find enough work to fill 40 hours a week?

Privacy is the concept that information about ourselves is only shared to individuals/companies  whom we want to know those things about us.

Simple, right? Not so much.

So why would anyone want to work in privacy? All day long, every day, the whole year, for decades, we fight a battle that few people ever see. It’s like starring in a vampire drama – there’s a fight happening in a world that most people don’t see and would not believe. And like vampires, we typically work in the dark, our emergencies happen at night, and we live off a critical element that is very personal to people….data. And to most of our colleagues, we’re the boogie men who come to steal your profits while you’re sleeping (or when you’re bad).

So why work in privacy?

My top five reasons:

  1. I’m such a geek rebel that I C# and bleed java. I am building a complete Padme parade dress costume for ComicCon. My UAV isn’t even registered. I speak in movie quotes. And Sheldon is my hero. Bazinga!
  2. Unlike most corporate attorneys, I may work for the company, but my job is to protect the little guy. I always did go for the underdog – I liked Tom Wopat not John Schneider and I preferred Larry Wilcox to Eric Estrada. I may look like a heartless corporate attorney, but really…I’m all squishy inside.
  3. The field is growing by leaps and bounds. Everywhere you turn, there is data being collected, used, shared, abused, lost, forgotten, manipulated, and more! Technology is getting smaller, stronger, and can  hold more data.
  4. The privacy field is a gender neutral one.  Perhaps because of the way it grew up, women tend to  have equal pay and leadership roles.
  5. My ADD (Attention Deficit Disorder) has free reign! I am  never bored; I can work on 46.3 projects at a time; and given how fast the field changes – if I don’t like something, it is likely to be different tomorrow.

Being a privacy professional is a calling for certain people and requires flexibility, rampant curiosity, thick skin, and a relentless gift for persuasion. If you don’t love it – don’t get in it. It is not a profession for those seeking glory or an easy desk job.

Teachers gone Wild: Lifestyle Privacy

Many public sector employees are held to higher standards than the average person due to the nature of their position and their potential influence on other people. Should they be? Is this discrimination? Is the discrimination justifiable?

bad teacher

courtesy of sony pictures

At times, we see a morals clause used to address potential misbehavior. A morals clause is a contract provision, typically used in relation to public figures (athletes, acting, news and political personalities) that prohibits the employee engaging in certain acts. These disallowed acts may include inappropriate sexual acts or drug use, but can include requirements that the employee “dress neatly in public, to conduct himself according to the highest standards of honesty and sportsmanship, and to refrain from doing anything that would be detrimental to the best interests of the team or league” (for further information, please see this article).   Engaging in social media insults of one’s employer could fall within a morals clause, but would not be something the typical employee/employer would encounter – although it is becoming more common for executives.  This, however, completely aside from the National Labor Relations Board’s decisions and guidances on social media policies.

Additionally, there are still certain career fields in which the employees are seen to be role models to our youth. One example of this relates to the private lives of teachers (see this story on a kindergarten teacher fired for nude photos). Before the advent of social media, teachers’ private lives were more easily separated from their professional lives. While being subject to public scrutiny may not be new, having one’s personal life so easily available is relatively new, as is facing severe repercussions from them (and this does not acccount for the egregious phenomena of impersonators).  Courts have taken two avenues to evaluate whether a teacher’s private actions are subject to employer review: a public official view or a student-speech view (whether the speech would substantially interfere with the educational duty) (Miller 2011).

Miller states that “[t]here are basically four types of internet speech that could put at risk a teacher’s relationship with his or her school district: 1) befriending students on social media sites and communicating inappropriately with them, 2) criticizing the district, school, students, parents, or the community online, 3) posting what school districts may deem as inappropriate photos  or comments (usually things that are sexually explicit or that promote alcohol or drug use, and 4) commenting on political or social issues.”  Teachers may see more disciplinary action and control if their private-life postings are viewed from a perspective of being a public official and in a position of trust than if considered whether their posting substantially disrupt the educational duty.

The question that we face is “Is this right?” Is it okay to restrict a teacher’s private life because we feel that they should be held to a higher standard than other people? What about cops, firemen, nurses, doctors, lawyers, preachers, etc.? More specifically – or more generally, I guess – is it fair to hold anyone to a certain standard in their private life as long as the behavior is not illegal?

Which brings us to lifestyle laws (more appropriately called lifestyle anti-discrimination laws, but for the sake of brevity and ease of conversation, I will call them Lifestyle laws). Lifestyle laws prohibit discrimination against someone at work based on their personal lifestyle choices – and in most cases, this is directed towards risky health behaviors, such as smoking, as applied to health insurance premiums through one’s employer.  In many states plus the District of Columbia, employers are prohibited from banning employees from smoking off work premises. Plus, twelve states protect the use of any lawful product during non-work hours, such as alcohol or even unhealthy foods. Currently, only California (CAL. LAB. CODE § 96(k)), Colorado (COLO. REV. STAT § 24-34-402.5(1)), New York (N.Y. LAB. LAW § 201-d(2)), and North Dakota (N.D. CENT. CODE § 14-02.4-03) have comprehensive protection statutes that protect employees for any lawful activity outside work.

Not only do the various state laws differ in what behavior they protect, but courts interpret them differently. Once you mix in social media, it’s a circus out there! People should be free to do what they want to do within legal boundaries and laws should not be required to permit people to do so. Good googli moo.

Keep in mind that there are federal laws (Title VII of the Civil Rights Acts of 1964) against discrimination of protected classes and disabilities (Americans with Disabilities Act)- so lifestyle laws are in addition to any protection under these areas. Plus, in general, government employees are protected by equal protection and due process clauses of the federal constitution.

I leave you with this thought – are we as a society free to engage in lawful behavior even when it indirectly impacts others’ lives (such as higher health care costs)?

 

Can you be yourself at work?

Recently, I spoke to an executive coach who says she works with executives for years before many can finally accept who they are – and let themselves be themselves.

I tried to find a really good quote for this – and there were so many on being yourself, yet none fit what I’d like to discuss. This one by Political Animals comes close: “It’s like you put on this expensive tailored suit and everybody tells you how great you look in it, but it doesn’t fit quite right unless you stand perfectly still.”

Frankly, I struggle with this concept. Not that I struggle to be me, but that being me is acceptable to those around me. As an attorney, a certain amount of presence is expected. And of course, I am a woman working in a male-created field – and one that largely remains male-dominated.

The picture below (from the Association of Corporate Counsel annual meeting, Health Law Committee wins small committee of the year) is a visual of what I struggle with.

Do I not fit in … or … do I stand out? Which one of these is least like the others?

I truly struggle with this. I have worked with and do work with amazing professionals – professionals that while I may try to emulate some traits that I admire, I don’t feel that we mesh. Don’t get me wrong, I also have worked with and do work with professionals that mesh very well. scarily well.

When I am comfortable, I have no trouble expressing my opinions on a matter. Have I mentioned that I am ADD? So I am hyper, my logic takes a different path, and I speak with passion, sometimes eloquently, sometimes not so much. I usually wind up apologizing for being me.

Why do I feel I need to apologize? Is this a me thing? Is it a woman thing? Is it an awkward geek thing? Is it a manifestation of my disabilities (which are systemic and do impact affect, emotional lability, and expressiveness)?

Typically, when I feel that I have said something in a meeting that I should explain more or apologize for, I draw on advice that I received in the State Bar of Arizona’s Bar Leadership Institute: Man Up. To be fair, they did not say it that way. But I learned a lot about differences between the genders. In general, women tend to worry about what they may have said  – and agonize, apologize, follow up, bring it up again, etc. (anyone relating to this?). Men don’t. By bringing it up repeatedly, following up to apologize, women actually make it an issue that others then do remember – whereas generally, they likely never noticed it. Please keep in mind that these are generalities and may not apply to every situation.

On the other hand, a female professional I once worked with – on a restroom break during a meeting where we were the only two females in a group of about 20 people – this woman made the comment that the two of us had bigger balls than anyone in the room. Pardon my crassness.

Am I too feminine at some times – yet too assertive at others?

Do men even worry about these things – not the being too feminine part, but how to strike the right note professionally?

Is the real problem one I mentioned earlier? The legal field was built by men. All the expectations on behavior, dress, attitude, work-life balance, etc. were all defined by men. Women, to enter the field, adopted those expectations – wearing black, navy, gray, and brown – working long hours – and in some part, distancing themselves from the idea of femininity (which is not to say these colors are not feminine, just look at the picture above, the other two women are gorgeous and feminine and wearing traditional legal colors). A female professional I know – in the generation before me – wears a tuxedo to black tie events rather than a dress. I think it’s cool. But I wonder if that desire was formed because she developed professionally in a field that is decidedly unfeminine.

Me. Well, I wear purple cowboy boots to work. And ones with peacock feathers. I love pink. and lace. and frills. I laugh too loud and talk with my hands. And my work accepts it. I am hyper, scattered, ADD, some OCD, and frankly, way too freaking perky for anyone’s good. And yet I worry. I worry if I am accepted and RESPECTED for who I am. I am highly intelligent but not scholarly. I am well-educated but not an academic. I am ambitious but won’t sacrifice my family. I am emotional but not vindictive. I am outspoken but not mean. I am honest to a fault but I do love playing with words. I cannot abide stupidity (unless it is truly a case of low IQ and the inability to learn) or people who do not deserve respect (no exceptions on that one). I am passionate and creative. I am not demure or understated.

So can you be yourself at work? I say yes in most cases. It won’t come without some cost. If you are a psychotic killer, I’d say no. Please don’t be yourself. But in general, the average person should know who they are and not be willing to sacrifice him or herself for the job. You might worry if you strike the wrong note, but hiding your personality where you spend a large part of your waking hours does not serve you well in the long run.  In the end, unless there are significant drivers to the contrary, I recommend finding somewhere you can be you. You will be a better professional and perhaps feel like a better person.

There may be some compromises, but they should not compromise your foundation as a person. For example, just because you love 80s rock does not mean wearing Metallica t-shirts and ripped jeans to court is acceptable for an attorney. But if your personality truly demands that freedom and it impacts who you are as a person, choose a career avenue that suits you better (pardon the pun).