Who are the best people and firms at providing privacy advice? It's a question I've been asking since 2006, before privacy was cool. Since then, a plethora of new privacy rules and penalties and a tsunami of new technologies and risks have placed privacy among the top handful of corporate concerns. Doing privacy wrong now takes a bigger bite off the bottom line than it did when I first started asking this question. So have the answers changed?
Not when the question is which type of outside privacy practice you prefer. Lawyers are still the top choices, with law firms grabbing six of the top 10 spots in the survey. And for the fourth consecutive time, Hunton & Williams garnered the most votes. This may be a case of success breeding more success: Hunton attracted more than twice as many votes as its nearest challenger.
Second-place Morrison & Foerster still is highly regarded, followed by Foley & Lardner and Privacy & Information Management Services]. [[xref:http://www.hoganlovells.com/data-protection/]] and [[xref:http://www.cov.com/practice/global_privacy_and_data_security/]] round out the law firms ranking in the top 10 of all firms.
What does this say about the corporate privacy agenda? Two things, I think: Regulatory compliance is still the first step to take for many companies, and the firms that were the best at assisting with this first step five years ago are still the go-to destinations for in-house privacy officers.
Other firms gaining ground
Even though law firms took six of the top 10 places, that was down from the last survey, in 2008, when they accounted for eight spots. Indeed, consulting firms now account for half of the top 12.
The stronger showing of consultancies may reflect the emerging consensus in the privacy profession that doing privacy right is bigger than regulatory compliance. Particularly for industries such as healthcare and technology, which involve an intensive use of personal information, creating privacy-friendly products and services involves meeting customer and social expectations. "Organizations need to 'do' privacy better, faster and cheaper," noted Brian Tretick, managing director for Athena Privacy, a new boutique firm. "That means more formal, repeatable processes, automation and active monitoring."
The survey also showed that firms may be looking for services beyond traditional advice from experts. New entrants to the list of top vote-getters include service providers, a certification firm and a professional association. Among them:
• San Francisco-based Truste is the provider of the popular Web-privacy seal and a number of other privacy-verification products and services.
• Toronto-based [[xref:http://www.nymity.com/]] provides an information portal for privacy content.
The International Association of Privacy Professionals organizes the best-attended privacy conferences and offers the CIPP certification for the privacy profession.
Table 1: Top firms for privacy advice
In the table below, law firms are marked with a dagger symbol (†), and consulting firms with a double dagger (‡).The firms are ranked in order of the number of votes received, but banded into three tiers to compensate for statistical margin of error. Tier 1 firms garnered more than 10% of total votes, Tier 2 firms received 3% to 10%, and Tier 3 firms achieved 1 to 2% of votes.In the interest of full disclosure, Minnesota Privacy Consultants, the author's firm, finished behind Foley & Lardner.
† Hunton & Williams
|† Morrison & Foerster||2|
|† Foley & Lardner||2|
|† Privacy & Information Management Services||2|
|‡ Samet Privacy||2|
|† Hogan Lovells||2|
|‡ Ernst & Young||2|
|† Covington & Burling||2|
|‡ Corporate Privacy Group||3|
|‡ Deloitte & Touche||3|
|‡ Rebecca Herold & Associates||3|
|† Wiley Rein||3|
|† Infolaw Group||3|
|† Baker & Mckenzie||3|
|† Drinker Biddle & Reath||3|
|† Field Fisher Waterhouse||3|
|† Bird & Bird||3|
|† Oldaker Belair & Wittie||3|
|† DLA Piper||3|
Source: Minnesota Privacy Consultants
I asked Overbrook Research to carry out the survey again this year. Overbrook performs professional research for national political candidates, and The Wall Street Journal and other national media outlets have featured its work. The privacy professionals participating in the survey (there were 146 respondents this time - people in large corporations and government agencies who have data privacy responsibilities, based primarily in North America but also Europe) could choose up to three firms as their top picks, muting the effect of a bias that could result if a respondent was in the midst of communicating with one of the firms during the polling period. I weighted more heavily the responses of those survey participants who chose three firms compared to those who chose two or one.
Table 2: Best privacy adviser -- individual
Respondents gave top billing to Lisa Sotto of Hunton & Williams when asked, Which person would you consider to be the top global expert on privacy? Respondents could choose only one person.
Note: The author ranked behind Andrew Serwin, but this result has to be discounted in light of likely influence, since he was known to be conducting the survey.
Hunton & Williams
|Andrew Serwin||Foley & Lardner||Attorney|
|Rebecca Herold||Rebecca Herold & Associates||Consultant|
|Shai Samet||Samet Privacy||Consultant|
|Miriam Wugmeister||Morrison & Foerster||Attorney|
|Peggy Eisenhauer||Privacy & Information Management Services||Attorney|
|Daniel Solove||George Washington University||Professor|
|Martin Abrams||Hunton & Williams||Consultant|
|Christopher Kuner||Hunton & Williams||Attorney|
|Eduardo Ustaran||Field Fisher Waterhouse||Attorney|
|Ann Cavoukian||Government of Ontario||Regulator|
|Christopher Wolf||Hogan Lovells||Attorney|
|Richard Purcell||Corporate Privacy Group||Consultant|
|Jules Polotensky||Privacy Futures||Attorney|
|Kirk Nahra||Wiley Rein||Attorney|
|Jennifer Stoddart||Government of Canada||Regulator|
|KC Turan||Dun & Bradstreet||CPO|
|Richard Thomas||Hunton & Williams||Attorney|
|Robert Rothman||Privacy Associates International||Consultant|
|Stanley Crosley||Privacy & Information Management Services||Attorney|
|Alan Westin||Columbia University||Professor|
|Ariane Mole||Bird & Bird||Attorney|
|Christopher Millard||University of London||Professor|
|Francois Gilbert||IT Law Group||Attorney|
|Nuala O'Connor Kelly||GE||CPO|
Source: Minnesota Privacy Consultants
What do these experts foresee in the privacy arena in 2011?
"Online behavioral advertising, [[xref:http://www.computerworld.com/s/topic/158/Cloud+Computing|Cloud Computing Topic Center - Computerworld]] computing and smart grid were front-burner issues in 2010," said Lisa Sotto, head of the privacy practice at Hunton & Williams. "Those issues will continue to hold the spotlight in 2011."
Sotto added that new privacy laws around the world and innovative uses of data will "guarantee the need for experts who think about privacy issues 24/7."
Eduardo Ustaran, a partner at Field Fisher Waterhouse in London, points out that in Europe, for example, 2011 brings a new e-privacy regime across member states and firm proposals for a new EU data protection directive. Jonathan Armstrong of Duane Morris LLP sees a "repeat of the issues around whistleblowing, but magnified. The bounty provisions of Dodd-Frank legislation and the U.K.'s Bribery Act 2010 mean significant changes for any global business."
Kirk Nahra, a partner with Wiley Rein in Washington, D.C., said that where businesses need most help "is in managing the wide range of overlapping and often inconsistent laws, as well as understanding best practices across a variety of industries." He added, "It is the growing complexity and volume of these laws and regulations that's creating the compliance problems, rather than the substance of the privacy standards themselves."
Much of this in the U.S. will play out in state laws. Kevin Lyles, privacy practice leader at Jones Day, anticipates that many states will follow the lead of Massachusetts in requiring companies to document their data security programs. John Corelli, president of JMC Privacy Consulting Group, sees state attorneys general stepping up random auditing for all areas of privacy compliance, along with the FTC.
Table 3: What separates the leaders from the pack
Respondents were asked to choose one reason from the following menu to explain why they voted for their best policy advisers.
Broad and deep expertise
|Global staff and affiliates||3||4|
|Timely and thorough work||4||5|
|They understand my business||5||3|
|Good value for the rates charged||9||9|
Source: Minnesota Privacy Consultants
Why the best are the best
Some things never go out of style. Since I began the survey in 2006, respondents have cited "broad and deep expertise" and "practical advice" as the top two reasons they chose the firms they did. Those concerned with protecting data want the right answer, and they want it delivered in practical terms that make sense for their organization and industry.
Also, as globalization continues apace, respondents in the most recent survey gave higher priority than they have in the past to advisory firms having "global staff and affiliates." As the previous surveys showed, good advice does not usually come cheap. Of the nine possible choices offered, "good value for the rates charged" once again ranked dead last.