Katie Race Brin might be relatively new as the Federal Trade Commission’s (FTC’s) chief privacy officer (CPO), but her passion for privacy rights took root years ago. A law student at Berkeley, she was a member of the first-ever class at the Samuelson Law, Technology & Public Policy clinic, then headed by well-known scholar Deirdre Mulligan. It was there she first tackled some of the most complex issues of our time, issues we’ve yet to resolve on how evolving technology affects our expectations of free speech, for example.
After law school, she went to clerk for two federal judges and was a litigation associate at WilmerHale in Washington, DC, where she grew up. But she’d always had an interest in public policy and public service. Her father was a long-time attorney for the federal government.
“I saw how much good you could do in that role,” she said over the phone in an interview with The Privacy Advisor.
So she decided to make the move to the FTC. There were two reasons behind that. First, she said, was that the mission to protect consumers is so worthy. Second, if you’re going to work in privacy, the FTC is really the place to be.
“At the FTC, people think we’ve all drunk the Kool-Aid because we’re always talking about the mission, the mission. Everyone from the chairwoman on down talks about the mission all of the time because that’s our reason for being here, to protect American consumers,” she said. “I felt that even when I first interviewed at the FTC, and it’s definitely true.”
She landed a position in the Division of Privacy and Identity Protection, where she spent seven years working on policy and enforcement issues related to privacy and data security, and after that worked as an advisor to Jessica Rich, the director of the Bureau of Consumer Protection, whom Brin calls a “fabulous mentor.”
Brin succeeds Peter Miller, who left the FTC in January for private practice. Marc Groman, CIPP/US, held the post before Miller. Though Brin became “acting CPO” in January, the agency made it official in May. Brin credits her background with giving her a unique perspective in her role.
“It’s a real advantage to come from an enforcement and policy background because I understand the challenge of implementing sound privacy practices,” she said. “I can recognize what we’re asking companies to do to protect information. It’s one thing to say go forth and implement Privacy by Design, but what does that mean?”
She’s been able to take the advice she used to give to companies and apply it internally, thinking about privacy from the start when rolling out a new product or acquiring a new system, or looking at the full life cycle of the data acquired when the product goes live, for example.
“My years spent looking at companies and mistakes they made in terms of not adequately testing a product, collecting too much information and not securing it—or not building privacy in from the beginning—all of those things help formulate what I think the goals of our privacy program should be and the steps we need to take,” she said.
That being said, she’s looking at things through another lens now.
“In some ways, it’s very different from my role on the enforcement side,” she said. “I spent a lot of time looking at the privacy missteps of companies and thinking about what best policies should be in place for folks in the commercial space, and now I’m looking internally at our own privacy program and trying to make it as robust as possible.”
While some might think the CPO of the agency known as the “privacy cop” must not have a whole lot of work to do, that assumption isn’t true, Brin said. While the FTC has a robust privacy program in place, privacy is constantly evolving. It requires vigilance.
“Privacy is hard. It’s difficult putting generalized privacy principles into practice, and things are always changing and dynamic,” she said.
The main duties of the office, which Brin calls “small but mighty,” involve providing counsel and guidance to staff, coordinating risk management and handling the agency’s documentation of compliance with federal privacy laws and other applicable directives and guidance. The office also evaluates new technologies or systems that might be implemented and identifies and, hopefully, mitigates privacy risks.
“A big part of what we do is making sure people know who to come to with questions, making sure we can spot issues before they become bigger problems,” she said.
That includes all FTC employees’ data, personally identifiable information that comes from FTC investigations—anything from consumer complaints to financial information to data turned over as part of an FTC civil investigative demand—as well as data that comes from the Bureau of Economics’ data-intensive analysis, often containing sensitive information.
Brin acknowledges she’s lucky to be the CPO of an entity that values privacy so much already. Some CPOs spend a lot of their time just trying to get employees to care about the privacy message.
“I don’t have to convince people that privacy is important,” Brin said. “The fact that, as CPO, I report directly to the chairwoman of the agency shows, at an organizational level, how integral privacy is to everything we do here.”
But that doesn’t mean her job is a cakewalk. The FTC, which is regulated by myriad laws and regulations, including FISMA and the eGov Act as well as NIST and Office of Management and Budget requirements, has got to walk the walk, and that takes work.
“My job is basically making sure we’re putting our money where our mouth is in terms of privacy,” she said. “As part of our consumer protection mission, we bring enforcement actions when companies engage in unfair or deceptive practices in violation of Section 5. We take action when companies haven’t adequately protected information, so we have to make sure that as an agency we’re holding ourselves to those same standards.”