By Carly Huth, CIPP/IT
Gamelah Palagonia, CIPP/US, CIPP/G, CIPP/IT, CIPM, is the founder of Privacy Professionals and has been in the insurance industry for more than 30 years. Recently, she sat down for a fun Q&A on her career and how she became the first of her kind: “the first generation of insurance brokers who are privacy professionals.”
Carly Huth: Tell me a little bit about your background?
Gamelah Palagonia: My background is in insurance and risk management, with a focus on technology, digital risk and media. So it was kind of a natural segue for me to get into privacy. But in the insurance brokerage industry, there were no privacy specialists. As I got deeper and deeper into the risk management side, I recognized that there was this big hole in the insurance industry.
Huth: That’s something I hear a lot, given that privacy is still an emerging field. How did you become educated on privacy?
Palagonia: The IAPP helped me fill that void so I could become educated on privacy and the risks surrounding privacy. I decided to be the first of my kind, the first generation of insurance brokers who are privacy professionals.
Huth: How has this increased awareness of privacy issues affected your work in the insurance industry?
Palagonia: I developed a business model that includes risk assessments, privacy training, incident-response planning and all the great things I was taught by the IAPP and how to integrate that into the insurance program. It’s unique because insurance offered today includes coverage for regulatory actions, notice to affected individuals in the event of a breach, credit monitoring and credit restoration. It just seemed to me it was working backwards. Purchasing insurance to cover risks you hadn’t addressed is not a best practice. So I did the reverse. Insurance is a great way to transfer financial risk, but the first steps are privacy risk assessments, training your employees and planning for breaches by developing incident response plans, and then your insurance policy works more effectively.
Huth: How are you spreading the news about the changing ways to address privacy risk in the insurance industry?
Palagonia: What’s difficult is that most people don’t understand privacy in general, never mind privacy risk management and the insurance that’s available for it. So it is a challenge.
Huth: Given this challenge, when you work with a new client, what are some of your first steps?
Palagonia: Now that we have so many news reports every day of data breaches and regulatory actions, it’s getting a little bit easier. Yes, we sell insurance, but the first step is to focus on the risk. Whether it is healthcare, technology, retail, media, we try to educate first. The challenge is educating them about the risk, because it isn’t tangible. If your building is on fire, you see the risk. But if your data is compromised, you may not see it, but believe me, your building is still on fire.
Huth: I agree. What can an organization do to start addressing this risk?
Palagonia: We want to help businesses impact organizational culture, which starts with executive buy-in and commitment to build privacy into the culture. Communicating privacy guidelines and expectations from the C-suite down is essential. To have a real impact on privacy risk, you have to start with your employees; if they don’t understand the risk, it doesn’t matter if the business does. Behavior is hard to change. It’s the biggest challenge. We all must take part in protecting the information. At first, all the news reports of data breaches were helping, but now people are blurring it out.
Huth: I’ve heard some people call it “notification fatigue.” What resources do you suggest to combat it?
Palagonia: I love the IAPP; it has great, fun tools and interesting ways to illustrate risk. For someone new to the privacy field, definitely get certified in privacy with the IAPP. It helps to round out your knowledge. Certification is probably the most important thing a person can do right now, as well as remaining up-to-date, because the laws keep changing.
Huth: As a fellow IAPP member who is certified, that’s good to hear! But resources are only one important component of a privacy program. Are there some best practices you’ve gathered during your career as a privacy professional?
Palagonia: Insurance is great to provide the financial resource to respond to data breaches, but in line with the IAPP model, you have to first identify where your information assets are and understand the risk. Once you identify, you have to determine what laws apply, whether it be protected health information, personally identifiable information, trade secrets or corporate confidential information. Corporate confidential information is still an exposed area struggling to gain traction because privacy laws don’t apply to it. However, once it is breached, it can have a huge financial impact on the bottom line.
Huth: That’s great advice. Starting a privacy program may seem daunting for any organization but especially for an organization with limited means.
Palagonia: We are sponsoring a pro bono project, starting with the IAPP Privacy in a Suitcase initiative. In May, we will begin offering nonprofit organizations free broad-based privacy training and discounts on compliance-based training. We think this will help a lot as, often, nonprofits don’t have the resources to put into privacy protection but they still have the same risks as larger organizations. We hope to help them get the resources they need.
Huth: Pro bono work is absolutely fundamental. Before you go, I can’t resist asking you one more question. Can you respond to something that a lot of commentators are claiming: Is privacy dead?
Palagonia: I disagree 100 percent. They may feel privacy protections are dead because of some recent reports in the media. But people like me, and the IAPP, can help to dispel that myth. Privacy is our right to claim; it is up to us.
Carly L. Huth, CIPP/IT, is a privacy counsel for The Coca-Cola Company (TCCC), where she focuses on protecting both consumer and employee data. Prior to joining TCCC, Huth was an insider-threat researcher in the CERT Program at Carnegie Mellon University, where her research focused on the intersections of privacy and technology. Huth has been the lead author on several academic articles published in such leading journals as Computer Law and Security Review. She also has international experience, having worked with the Intellectual Property Team in the United Nations Conference on Trade and Development. Huth is a licensed patent attorney.