
CPO and CISO: Who Should Respond to a Data Breach?

This is the second article in a two-part series, inspired by a presentation featuring Debra Bromson, Deena Coffman, and Ashley Slavik along with the authors. The first article discusses the different responsibilities of a chief privacy officer (CPO) and a chief information security officer (CISO), as well as policy ownership and vendor management. Here, authors Maggie Gloeckle and K Royal outline how these leaders should respond to a data breach.


Few CISOs like to review contracts, but it is necessary, especially when the contract involves a vendor with a technology component. On the other hand, many IT departments seem to vet their own vendors, and may get fairly far through the vendor process before privacy is engaged in the negotiation. Elements in a vendor's contract that require extra review by privacy and/or security include: definitions of basic terms (the vendor's definition of personal data may differ from your company's definition), liability and indemnity, cybersecurity insurance, data breach provisions (notification, management, etc.), the vendor's technical and organizational measures, and conformity with the customer's security requirements.

These same elements require review by both privacy and security when your company is on the vendor side of the contract negotiation. Do not let a contracts team or legal team do the sole review, unless that team is well-versed in the current status of both privacy and security within your company, the plans for program development and revision, and the strategic plans for development over the contract period.

Data breach and incident response

One of the most common areas in which privacy and security conflict is on incident responses, but even before that, the conflict is around language and requirements. One can have a privacy incident without ever touching information systems, and one can have a security incident without ever involving personal data.


Some of the language confusion stems from common terms such as "BA," which means a business associate to privacy people and a business analyst to security people. For incident response, the confusion is over the word "incident" and how to accurately describe what is or may be occurring without creating legal complications. The term "breach" has legal implications, and in more recent times so does the term "incident."

A common scenario: an employee reports a lost phone to the help desk. This phone could be a corporate device, or part of your company’s Bring Your Own Device (BYOD) program. The help desk initiates a remote wipe, issues a new phone, and considers the situation closed. However, on the privacy side, a review of this “event” being a “possible incident” needs to occur.


First, how long has the phone been lost or misplaced, and how long has it been since the individual physically accessed the device? What information on the device (email with text or attachments containing sensitive data, applications providing access to corporate functions) could be compromised? Is the device encrypted? Even if it is, encryption is not an automatic safety net. So for the technical side this may be a non-event, but for privacy it can easily become an incident if the phone belongs to someone who used it to access sensitive data.

The CPO and CISO need to work together on incident response plans. Certainly, the CISO is in the better position to know backup, disaster recovery, and emergency operations, but do not discount the CPO's valuable input into these processes.

Board of directors

Last, we examine the visibility these roles have to the board of directors. The US Securities and Exchange Commission (SEC) has issued substantial guidance that the board needs to be educated and informed on cybersecurity issues. Specifically, the SEC has provided guidance on disclosures by public companies regarding cybersecurity and cyber incidents. The SEC has stated that cybersecurity issues may fall under disclosures of Risk Factors, Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Description of Business, Legal Proceedings, and/or Financial Statement Disclosures — and may consist of considerations prior to, during, and after a cyber incident.

Similarly, the Office of Inspector General of the US Department of Health and Human Services and the American Health Lawyers Association issued guidance titled "Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors." Clearly, even the government seems to envision the CISO playing a greater role in front of the board than the CPO, and in general that may be true. The CISO, if not visible to the board directly, is generally visible through the CIO, who reports on all things information systems.


However, the CPO, if not visible to the board directly, is generally visible through the general counsel, who reports on many more topics than those related to privacy or personal data. At times, privacy is rolled into general compliance and may or may not be visible to the board through the compliance officer or audit committee. Additionally, boards may or may not have a steering committee with direct contact with the CPO (or CISO).

It seems clear that boards of directors need to have insight into both privacy and security, whether from one person or two, especially at companies in industries that are particularly rich in sensitive personal information, such as health care or financial services.


As mentioned earlier, it is not uncommon to see in the news that a CISO has been terminated or has resigned over a breach. It is also common to see that a company will now hire a CPO because there was a breach. Under the European Union's new General Data Protection Regulation (GDPR), applicable companies will be required to have a data protection officer (DPO), who "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill" certain tasks (GDPR Article 37).

This position could clearly be CISO- or CPO-oriented, but it must have knowledge of both sides. Most such laws are privacy-related but are implemented through security processes, so the person needs to understand the intricacies of privacy law and its applicability to their organization's business model.

About the Authors

Maggie Gloeckle is the privacy and compliance counsel at A+E Networks. @maggiegloeckle

K Royal is a technology columnist for, and director at TrustArc. @heartofprivacykroyal
