The best privacy consultancies

08.03.2006
Like curling is to the Winter Olympics, privacy is to the consulting business: a curious oddity slotted in where it's least disruptive. That is, until recently.

Within the past few years, privacy consulting has grown into a US$400 million market in the U.S., and at least a dozen American law firms and each of the Big Four auditors have come to boast of a robust privacy practice. But to corporate executives, these consultancies can all sound like they're selling the same thing: the master plan for keeping the company's name out of Computerworld's privacy breach roundup. So which ones can you turn to for the best advice?

That's the question I posed to more than 100 of my fellow corporate privacy leaders last month. It wasn't a scientific survey by any stretch, but some clear themes emerged through all of the responses. What did these chief privacy officers (CPOs) say?

Survey Results

First, law firms garnered the lion's share of the votes. This tells me American corporations are still primarily concerned with minimizing legal liability when it comes to privacy and aren't yet focused on meeting the often-higher standard of customer expectations. Among this group, Hunton & Williams stood head and shoulders above the rest. A cadre of firms--Morrison & Foerster, Baker & McKenzie, DLA Piper Rudnick, and Faegre & Benson--tied for second, with a large number of sometimes-passionate references.

What about the audit and consulting firms? Ernst & Young, Deloitte & Touche and PricewaterhouseCoopers captured about the same number of votes, but given the small sample size, their totals weren't significantly higher than KPMG's. For a list of all of the top vote-getting firms, see the accompanying tables.

So why did CPOs rank these firms best-of-breed? Their comments had eight common themes:

1. Expertise: The firm's staff consistently demonstrate a high-caliber command of privacy and are well respected in the field.

2. Practical: Their advice isn't theoretical but realistic and actionable, sensitive to business constraints.

3. Professional: Their work is timely and thorough, and their staff is accessible and personable.

4. Global: They have staff or affiliates in many countries with a command of their local scenes and a consistent global framework of advice.

5. Business-minded: They take the time to understand clients' businesses and deliver advice from the business perspective.

6. Connections: They have an extensive network of government and industry ties that clients can access and that broadens their expertise.

7. Interdisciplinary: The firm's privacy practice leverages other functions within the firm to provide more comprehensive advice.

8. Affordable: Their firm charges reasonable rates and its staff works efficiently.

Another factor that separated the top firms from their peers was the presence of at least one nationally recognized privacy expert. In fact, nearly half the responses seemed to be a vote for an individual as much as for a firm.

Names that repeatedly were mentioned include the following: Becky Burr of WilmerHale; Kirk Nahra of Wiley Rein & Fielding; Christine Varney and Mary Ellen Callahan of Hogan & Hartson; Marty Abrams, Lisa Sotto and Chris Kuner of Hunton & Williams; Miriam Wugmeister and Rick Fisher of Morrison & Foerster; Brian Hengesbaugh and Ruth Bro Hill of Baker & McKenzie; Stu Ingis and Jim Halpert of DLA Piper Rudnick; Cate Boschee and Robert Bond of Faegre & Benson; Benita Kahn of Vorys Sater; Brian Tretick of Ernst & Young; Rena Mears of Deloitte; Jim Koenig of PricewaterhouseCoopers; and boutique-firm founders Peggy Eisenhauer, Richard Purcell, Larry Ponemon, Gary Clayton and Alan Westin. Each of these leaders has developed some fiercely loyal clients.

Some veteran CPOs noted that very few firms have actually built a comprehensive practice around all facets of privacy. So these privacy officers have taken the approach of hiring several firms for their niche expertise. For example, they hire Hogan & Hartson for help with California litigation and Federal Trade Commission investigations; Covington & Burling for European Union privacy; and PricewaterhouseCoopers for Health Insurance Portability and Accountability Act (HIPAA) privacy.

Most Popular Services

What types of privacy services are companies seeking outside help for? The top things I noticed in the responses from both CPOs and consultancies were what you'd expect of a relatively new area of business:

1. Strategies for basic legal compliance, with a focus on the Gramm-Leach-Bliley Act (GLBA), HIPAA, Do Not Call, and EU transborder data flows.

2. Creation of privacy audit and governance programs.

3. Creation of privacy policies.

4. Assistance with contractual negotiations, particularly with outsourcing and offshoring agreements.

5. Emergency assistance to respond to data breaches and litigation.

6. Integration of information privacy and security controls.

7. Assistance with direct-marketing campaigns.

But about 20 percent of the corporate privacy leaders who responded said they don't use any outside help on privacy issues. Either they saw no need for it or had been burned by bad experiences. "I'm not impressed" with the Big Four auditors, said one Fortune 100 CPO, while another stated, "They come to us for advice more than we go to them." There was a common perception among this group that current CPOs have more expertise than outside consultancies. So they tend to participate in forums where CPOs collaborate, such as Hunton & Williams' Center for Information Policy Leadership and the Ponemon Institute's Responsible Information Management Council.

The Outlook for Privacy Consultancies

So, what's the future of privacy consulting? Is it just a fad, like the bubble of business process re-engineering consulting in the 1990s, or is it here to stay? To get at that answer, you need to look at what's currently driving the market for hired privacy guns and ask if these factors are changing.

First and foremost, it's all about legal compliance. Within the past five years, new privacy laws have papered the industrialized world, and multinationals are searching for help to sort out their compliance plans. I see the next five years bringing more refinements and extensions of existing privacy laws that will only increase the number of variances between state, federal and international privacy standards. Variance means that global companies will have a harder time complying. As a result, some of our experts don't see any letup in the lawyering. "Privacy used to be a quirky little niche," Boschee says. "But not anymore. Privacy's on the table now for mergers and acquisitions, marketing initiatives, outsourcing, cross-border deals--you name it."

Halpert echoes this sentiment: "Companies can't avoid privacy law these days, and lawmakers impose new regulation almost every year."

The second driver I see is the changing nature of the market. Business models have become more risky from a privacy perspective. In the past five years, companies have steadily outsourced their noncore functions, Web-ified their business applications and globalized their operations, all in an environment of a global war on terrorism and increasingly sophisticated hackers, malware producers, phishers and identity-theft rings. I don't see any of these trends abating in the next five years, short of a wholesale societal rejection of online conveniences.

Eisenhauer agrees: "It used to be the case that only certain industries had to worry about privacy compliance, but now all companies need to think about how privacy and security considerations affect their information-handling practices."

But will companies keep turning to privacy consultants to solve these problems for them? Or will they bring these functions in-house? The financial, health care and technology industries have done both--formed internal privacy offices with budgets for external consulting. But outside these sectors, it's a mixed story, and the future outlook is uncertain.

Companies facing tight earnings this year may be holding back from investing in this hard-to-understand area. Qualified CPOs are in short supply, since few people have the needed backgrounds in law, technology and business, and their base salaries at Fortune 500 companies are easily topping $200,000 this year. Privacy consultants are charging similarly high rates--typically $300 per hour for consultants, $550 for privacy lawyers and $700 for senior partners, with a significant range on either side of these medians.

Sotto sees privacy evolving like environmental law did in the 1970s, becoming so regulated that it becomes an in-house function in every company.

My prediction: By 2010, half of the Fortune 500 will have made a public notification of security breach and subsequently hired a chief information protection officer overseeing both privacy and security. And insurance companies will force the other half to follow suit. The U.S.-EU privacy Safe Harbor will more than double its membership to 2,000 companies, and negotiations will commence for an International Safe Harbor. The best law schools and MIS programs in the country will have a discipline in data protection. And somewhere, somehow, a chief privacy officer will become CEO, as the reality sinks in that the future of business is data.

Table 1: Leading American law firms with privacy consultancies

Law Firm                                   Privacy full-time employees  Privacy specialties
Baker & McKenzie                           60                           Global compliance & data transfers
                                                                        Offshoring, outsourcing & third-party
                                                                        Internet privacy
Covington & Burling                        15 to 20                     Internet, financial, health & employee
                                                                        State, federal & international
                                                                        Legislation, litigation & transactions
DLA Piper Rudnick                          38                           Global compliance
                                                                        Legislative & regulatory
                                                                        Litigation
Faegre & Benson                            12                           Global compliance & data transfers
                                                                        E-commerce & direct marketing
                                                                        Financial, health & employee
Hogan & Hartson                            18 to 20                     Privacy & security audits
                                                                        International compliance
                                                                        Financial & health
Hunton & Williams                          21                           Global data protection
                                                                        Information security
                                                                        Financial & health
Jones Day                                  10 to 20                     Cross-border data transfers
                                                                        Health care privacy
                                                                        Global compliance programs
Morrison & Foerster                        60                           Privacy & data security advice
                                                                        Technology & sourcing transactions
                                                                        Litigation & dispute resolution
Privacy & Information Management Services  2                            International data protection
                                                                        Targeted marketing
                                                                        Privacy assessments & incident response
White & Case                               12 to 14                     Cross-border data transfers
                                                                        Privacy audits
                                                                        Ad hoc privacy advice
Wiley, Rein & Fielding                     5                            Financial & health
                                                                        Do Not Call
                                                                        Cross-border data transfers
WilmerHale                                 10 to 14                     International compliance
                                                                        Incident response
                                                                        Investigations & litigation

Base: 157 responses of predominantly U.S.-based corporate privacy officers to the question: 'Which firm provides the best privacy advice?'

Notes: The top vote-getting firms are listed in alphabetical order. Many more firms with robust privacy practices received votes but weren't included in these tables due to space constraints. The firms provided their own descriptions of their privacy specialties.

Source: Jay Cline

Table 2: Leading audit firms with privacy practices

Consultancy             Privacy full-time employees  Privacy specialties
Deloitte & Touche       101                          Global privacy strategies & programs
                                                     Operationalizing privacy
                                                     Audit, compliance & incident response
Ernst & Young           19                           Audits & compliance programs
                                                     Vendor risk management
                                                     Corporate governance
KPMG                    65                           Global privacy strategies & programs
                                                     System-based compliance
                                                     Vendor risk management
PricewaterhouseCoopers  50+                          Global regulatory compliance
                                                     Information security and risk management
                                                     Privacy program development
