Information Security and Client Data: Balancing the Use of Client Data with Privacy and Data Protection Requirements

February 21, 2006

For any corporation, and thus for the CIO, there will always be a need to strike a balance between protecting the privacy of clients' (or employees') data and using those data for legitimate business purposes. To manage this process effectively, the CIO and the technology organization need to understand all the stakeholders and their competing interests. Personal data is used by commercial, governmental, and non-profit organizations for a variety of institutional and societal benefits: to evaluate and manage risk, to evaluate and pursue market opportunities, and to enhance our general social welfare.

We discussed the fact that much of what is considered personal information may, in fact, be public information, but that in combination with other sensitive information, such as medical or financial data, it becomes highly risky information that needs to be kept private and secured. We also discussed that the legal and regulatory approach to the issue worldwide is to a) secure the data and b) emphasize consumers' rights to notice of an institution's practices, a consumer's choice in how information is collected, and a consumer's access to verify the accuracy of that information.

For the technology community, then, the challenge is primarily one of determining what data they must protect and secure, what controls they put in place to secure it, how they test to ensure those controls are working properly, and how they prove they have tested those controls. A further challenge lies in having to monitor the plethora of regulatory requirements issued at the global, federal, and state levels, since there is no uniform framework for data privacy protection. We discussed some of the ways that technology organizations work with their counterparts in Legal and Compliance organizations to track the changing policy landscape effectively.

But the basics of information security management, as represented in frameworks such as COBIT, are the starting points for creating a control infrastructure.

Panelists

  • Craig Conway, Senior Vice President, First Data Prepaid Services
  • Partha Bhattacharya, Director of Security Engineering, Cisco Systems
  • Eric Hudson, Senior Vice President and CIO, Foamex International, Inc
  • James Koenig, Practice Co-Leader, Privacy Strategy & Compliance, PricewaterhouseCoopers LLP

Moderator

  • Judith E. Tschirgi, Chief Information Officer and Senior Vice President, SEI
