Penn Confidential

Lauren Steinfeld

From intrusive surveillance to identity theft to junk e-mail, privacy is under attack. It's her job to mount a defense.

Photo by Candace diCarlo

The headlines tell you everything you need to know about why Lauren Steinfeld’s (C’89) job as Penn’s first chief privacy officer is so important. “Privacy Invasion Curtailed,” wrote New York Times columnist and privacy fanatic William Safire; the Times Magazine featured “Tangled Up In Spam” by James Gleick; and The Philadelphia Inquirer reported “House OK’s National ‘Do Not Call.’” Whether it’s the Pentagon’s Orwellian Total Information Awareness program or the intrusion caused by unsolicited e-mails or phone calls, a national debate is underway that will define where, as a society, we draw the line between commerce and confidentiality and between privacy and security. Steinfeld has been at the forefront of this issue, first as a policymaker in the Clinton administration and now as Penn’s advocate in implementing privacy regulations and promoting privacy rights for everyone in the Penn community.

Q. Your position as chief privacy officer was created almost a year ago. What issues have you been working on?
A.
I have been working on compliance with new and sweeping federal health privacy requirements coming this April under the Health Insurance Portability and Accountability Act (HIPAA), organizing efforts to reduce Penn’s reliance on Social Security numbers (SSNs), continuing our efforts to insure the privacy of student records and raising awareness through our web site, linked on the homepage at www.upenn.edu/privacy, as well as through presentations and publications. Students, faculty and staff can find Penn’s privacy policies and procedures there as well as information on, for example how to minimize your risk of being a victim of identity theft and what to do if you are a victim.

Q. How did privacy become your area of expertise?
A.
After graduating from the NYU Law School, and working at a Washington firm for several years, I took a job in the Bureau of Consumer Protection at the Federal Trade Commission. At that time [1996-97] the FTC was starting to get involved in the financial privacy area and really became the “go-to” agency on what was happening on privacy. I went to work for a new Commissioner, Mozelle W. Thompson, who was very interested in online privacy, and I became his attorney-advisor on that. At the same time, President Clinton decided to appoint a chief counselor for privacy. They hired Peter Swire, a professor at Ohio State University, and in the summer of 1999, I became his deputy. That was just at the time that Health and Human Services started preparing to write the HIPAA health privacy rules that are very significant in the privacy world. Between the FTC and then going to OMB, I worked on a huge gamut of issues—everything from health, government records, data sharing, online—many of which I had no idea would be privacy issues.

Q. You’re the first chief privacy officer at any university. How did Penn became a pioneer in this area?
A.
In April 2001, the report of the University Council’s Task Force on Privacy of Personal Information was published. It raised questions not only about HIPAA compliance, but recognized privacy as a growing issue. Rick Whitfield [vice president for Audit and Compliance] thought it was important to take a proactive approach. At the same time, I had moved to Philadelphia with my family. I had exposure on the policy side of privacy and decided I wanted to get involved in implementation. I sent Rick a proposal and he hired me first as a consultant and then this job was created.

Q. Does the Health System have its own privacy officer?
A.
Yes, Russ Opland. The HIPAA requirements affect the Health System the most, and we work together quite frequently on that, but there is impact on the University side as well.

Q. What are the issues on the University side?
A.
There are schools and programs that are regulated just like the Health System is—the Medical School, certain School of Nursing clinical practices, the student health service, the dental school, Human Resources benefits plans. The other piece is that our very active research activities have important HIPAA implications. Our researchers need to get data from providers all across the country and HIPAA imposes restrictions on how that data gets transferred, who can use it, and for what purpose.

Q. Social Security numbers used to be the key identifier for the University. How has that changed?
A.
Many years ago, Social Security numbers were used to identify individuals and there were no terrible risks associated with it. The problem with a SSN is that it is the number that is used to get credit. So much of the way we see identity theft is in the area of abuse of credit. So now SSN has become in essence the riskiest identifier. What the University has tried to do in the last several years is to reduce its reliance on Social Security numbers and minimize the risk to the community of identity theft. Therefore, the identifier is no longer a Social Security number for a Penn ID. We have worked hard to mask SSNs in our major systems so that when you get a name you don’t get the SSN too. We stopped printing Social Security numbers on bursar’s bills that go to students’ homes. Bit by bit, with the systems on paper, the contracts with third parties, the vendors we select, we will have worked to get away from relying on the SSN as the identifier. Unfortunately, even if there was not a single SSN used on campus, there are SSNs used by health clubs and food stores and video rental clubs etc.

Q. The University seems to be of two minds about spam [unsolicited e-mail] as freedom of speech concerns mix with privacy. Is this an issue you are working on?
A.
We have a directory information work group that looks not only at the spam issue, but what is the appropriate level of contact information that should be out there and how much control should individuals, this includes students, staff and faculty have over it. People are starting to question, appropriately, the amount of information that is requested about them. You are starting to see more and more people asking, “Do I need to provide you that [information] in order to complete this transaction?”

Q. There seem to be two opposing trends. One is increased awareness of privacy issues, the other is the implementation of techniques like “data mining” that could make privacy impossible. Which one is winning?
A.
There is a closer look at privacy and security. A lot of that comes from the new terrorism threats from 9/11. The two concepts can work together or at cross-purposes. On the one hand, good security practices—locking file cabinets, password-protecting computer files—are good for privacy. On the other hand, security forces are looking for lots of information…to get the bad guys. When I was in Washington, there was a lot of debate about how to give law enforcement and the intelligence community the right kinds of authority to get information that was necessary for national security in a way—for example, going to a judge for a court order—that did not just mean that everyone’s data was available to them. I have to say—particularly recently, there has been more legislation passed that has really looked for a lot of information and hasn’t really had some of the privacy provisions that have been built-in in
the past.

Originally published on February 27, 2003