It's easy to overlook the fact that a majority of businesses need privacy or data security staff these days. That is especially true of non-traditional businesses, including professional sports leagues like the National Basketball Association.

NBA Cyber Security Analyst Christian Petermann, CIPP/E, CIPM, is in charge of data protection, data privacy and third-party risk management for the league's business side. He said he's "worn many different hats" in IT over the years, but indicated the shift to privacy-focused work was no walk in the park. "Making the transition into privacy was certainly a big change, but when the opportunity presented itself, I knew right away it was a challenge I wanted to take on."

In this Member Spotlight, Petermann chats with IAPP Staff Writer Joe Duball about explaining his role to the general public, the keys to a strong data security program and how to address an emerging data breach reporting conundrum.


The Privacy Advisor: Are you often approached by people that are surprised the NBA has privacy professionals on staff? What do you say to those folks to help them understand your role and why privacy and data protection are valued?

Petermann: Honestly, when most people find out that I work for the NBA, the questions they ask are more along the lines of, "Have you ever met LeBron James?" or "Why did this team trade my favorite player?" When it comes to telling people what I do, I explain that I am part of a team that’s responsible for ensuring that the data of our league and our fans is kept safe and is handled in a way that respects their privacy. If I need to break it down further, I like to use a castle analogy. There are teams that guard the walls, there are teams that look for weaknesses in our own defenses so we can make them stronger, and then there are those that guard everything inside the walls as well as oversee who and what is coming and going. That last group is data privacy/protection.

The Privacy Advisor: Obviously, you deal with the league's business side, so how does that side approach privacy and data protection? Are there specific aspects of the league's policies that are unique compared to other big businesses?

Petermann: The NBA's four key values are integrity, teamwork, respect and innovation, and I think this says a lot about how we approach privacy and data protection. We may not be considered a typical business so there may be instances where various privacy tools or templates that work well for most businesses may require adaptation.

The Privacy Advisor: Cyberattacks are becoming more and more prevalent around the world. Is the NBA doing anything to beef up its data security operations management?

Petermann: It’s most certainly an interesting time to be in this field. Like many other businesses, the NBA continues to expand its digital and global footprint. Our NBA 2K esports league is entering its fourth season, we just launched the Basketball Africa League in Rwanda and technology-based products like NBA Top Shot are growing in popularity. There is no shortage of data security work and we will continue to adapt and innovate as the landscape changes.

The Privacy Advisor: In your opinion, what are a couple of the biggest keys to a solid data security program?

Petermann: Communication, collaboration and training are some of the biggest keys in any program. You could have the most highly trained security team in the world, but if they are not communicating and collaborating with one another or the rest of the business, how successful can they really be? Training is also an important part of a data security program and not just for your security team, but for the entire company. It is important to remember that a company’s security and privacy teams cannot do it alone; it takes a full team effort.

The Privacy Advisor: Is there a way you differentiate between privacy and data security concepts, or does the NBA kind of have them go hand in hand?

Petermann: I see the two going hand in hand. You can't really have privacy without security, and proper security is going to be as private as you need it to be. Privacy is an obligation to handle data in a fair and secure manner, and security is the way you make that happen. People often hesitate or get nervous when they come to me with an idea and I start talking about data privacy and security implications. I’ve even had someone say, "Maybe this isn’t a good idea," to which I replied, "It's a great idea, we just need to make sure we do it the right way."

The Privacy Advisor: What's your stance on the data breach reporting dilemma? Some companies are struggling with whether to first address the incident internally or report it in a timely manner. Is there a balance that can be struck?

Petermann: Every incident is unique, and every business operates differently so it's almost impossible to have a cookie-cutter solution. As a customer, you want to have as much information as soon as possible, but it can be challenging for a company to conduct a thorough investigation in a short period of time. However, a company can't take months and months before letting a customer know about an incident. The answer is likely somewhere in the middle, but it’s also very dependent on the situation and the company.
