Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO

August 9, 2017 | Articles | Law360

The post of chief privacy officer is now an essential ingredient in good risk management for the 21st century law firm.

In a law firm of any substantial size, the security and privacy of electronic data is a many-layered issue. Perhaps more than any other industry, we lawyers are routinely entrusted with the sensitive data of our clients. On top of that trust, our licenses to practice carry an ethical mandate that we ensure the confidentiality of communications and work product. And, of course, like any business, law firms have employee data, including health care-related information, that must be protected.

Oh, and one more thing: We’re at war. Cyber terrorism is a fact of life. Law firms are prime targets, and defending against these threats must be taken into account in any firm’s strategic planning.

As a result, law firms are increasingly recognizing the need to create the position of chief privacy officer or CPO — a role that is often adjacent to or part of the general counsel’s office or the firm’s risk management team.

To understand the role of the CPO — and why that person ought to be a lawyer — it’s important to distinguish the role they fill from that of the chief information security officer or CISO, who is typically a nonlawyer and leads the firm’s information technology department.

The Roles of a CPO vs. CISO

Typically, a CISO is responsible for operational security, infrastructure security and employee access management for information technology resources. Stated differently, the CISO is responsible for ensuring that the firm’s electronic data is adequately protected. A CISO is often part of the IT department, and only rarely addresses issues arising outside of the IT realm.

The CPO’s role is substantially different, first and foremost because the CPO focuses on electronic and physical data, policies and procedures across the entire firm. A CPO’s primary responsibility is to advise the firm as to what data may be collected, how that data may be used, where and for how long data should be stored, and when it may or must be destroyed.

Client data is routinely gathered and stored at law firms in myriad contexts — as discovery in litigation or in the due diligence process in corporate transactions, to name just two. Too often, not enough thought is given to the highly sensitive nature of some of this data, especially when it holds the potential of identifying an individual and revealing financial or health care related matters.

The CPO is tasked with addressing this issue by first crafting policies and then ensuring, through staff training and lawyer education, that the policies are followed.

Priorities Drive Decisions

Tensions may arise between a CISO — who wants budgetary discretion to purchase products and services to make data more secure — and a chief information/technology/financial/executive officer who is resistant to expenditures that may appear to be chasing ghosts. Stated differently, if a chief information/technology officer is defending the budget, security initiatives may be omitted that a CISO would otherwise push.

Therefore, having a CISO creates a voice that may not otherwise exist. However, a CISO generally still answers to that chief information/technology officer, who still may overrule those recommended initiatives.

A CPO, by contrast, has no such conflict. While CPOs may face other roadblocks, they focus on the business as a whole and their recommendations or requirements about the treatment of electronic and physical data are premised not on competing technologies, but the end result. There may be ways to get to that end result more cheaply, but the end result must be accomplished.

Ideally, very few tensions should exist between a CISO and a CPO. They each want the same result and can agree on the method to get there. Unfortunately, that perfect scenario is easier dreamed than accomplished.

For example, CISOs often wear many hats. Being responsible in some manner for the user experience, they may opt to sacrifice a security measure because of the inconvenience it causes users. Likewise, in working within a chief information/technology officer’s budgetary priorities, they may feel constrained from pushing certain security measures as hard as they should.

A CPO without the right background can be an impediment to the process and to the obligations of a CISO. A CPO who is not technology-savvy will have almost no chance of working successfully with a CISO in regard to electronic data; the disconnect in understanding how to achieve the stated goal will create operational challenges. For example, if data must be encrypted, the CPO must understand the different states of that data and the operational benefits and challenges of encryption in each of those states.

Likewise, the CISO will be tempted, if not convinced, to present only certain options or identify certain gaps in protection if the CPO does not already have a solid foundation of understanding the systems and technology. In other words, to do the job adequately, the CPO must have the sufficient technical fluency to work in concert with a CISO.

It is critical that a CPO be involved in the selection of data security solutions for a business. This involvement should start, at the latest, with comparing the pros and cons of any products under consideration. Arguably, the CPO should be involved at an earlier stage to ensure that superior solutions were not excluded for unacceptable reasons.

Just as important, the CPO will view any potential data security solution from a business-wide perspective and assess whether a particular solution addresses all five concerns — collection, destruction, handling, restriction and storage requirements. A CISO acting independently may focus only on the security of the solution, but not take into consideration other requirements of the business.

The CPO Should Be a Lawyer

Considering the legal aspects for which a CPO is responsible, there is a compelling argument that the post should be filled by an attorney, and the post must, by design, have a strong connection with the firm’s office of the general counsel.

One role of the CPO is coordinating any response to a data breach or loss, and directing the actions taken when data may have been compromised. Extraordinary measures should be undertaken to ensure that those internal efforts and investigations are protected from disclosure to others by the attorney-client privilege. Taking appropriate steps to ensure the attorney-client privilege is established and maintained should be a priority.

Finally, to the extent that a business also has an individual who is responsible for the security of the business beyond electronic information (e.g., an information security manager), it is advisable not to place that person in the IT department. First, that person is responsible for enterprise-wide security, not just electronic data. Second, that individual should not feel the same pressures and restrictions that may be generated in an IT department. Finally, by placing that individual in the office of the general counsel, the attorney-client privilege is more adequately addressed.

Law firms cannot rely on the technical expertise of their IT departments to craft policies and strategies that adequately address the risks inherent in data security and privacy protection. It is essential to put another seat at the chiefs’ table and to fill that seat with a lawyer who possesses the experience and training necessary to lead the firm to safe and smart solutions.

Reprinted with permission from Law360. (c) 2017 Portfolio Media. Further duplication without permission is prohibited. All rights reserved.