Peter Lefkowitz, Founder & Principal, Amity Digital Risk: Captains of Industry Interview
As part of our Captains of Industry Interview Series, Lawrence Brown, Sr. VP Legal, Houston, had the fortunate opportunity to connect with privacy and risk management expert Peter Lefkowitz, Founder and Principal at Amity Digital Risk.
A former Chief Privacy Officer at Oracle, GE, and Citrix, Peter has led global programs encompassing privacy, security, digital risk, and trust operations for some of the world’s most complex enterprises; he has served as board chair at IAPP and currently sits on the board of the Future of Privacy Forum. From building frameworks for incident management and M&A data integration to advising executive boards on the evolving relationship between law, technology, and ethics, Peter’s influence on the profession is both profound and enduring.
It is our immense pleasure to share Peter’s invaluable insights with you. Enjoy!
Introductory Section
Q: Set the stage for us: what is Amity Digital Risk? What does the company do?
A: I set up Amity Digital Risk in 2023 to advise companies on managing data as a strategic asset. This can include building a data privacy team or re-shaping a privacy or security team; deciphering new legislation and regulatory obligations or melding overlapping responsibilities like AI, privacy and incident management; and even getting through corporate re-organization and sale. Acting as a lawyer-advisor is fun and I have had the chance to take on some interesting challenges, including most recently advising a corporate Board of Directors and executive team through Congressional hearings and very briefly having my picture on The Today Show over a banner about whether the client would survive (it did).
Q: You’ve held some big seats. What was your path from law school to Amity?
A: Six years out of law school, I was a corporate litigator with some interesting trade secret and employment cases and a non-stop stomachache. Being in court was fun and compelling; the other 95% of the month was a brawl. I moved to Oracle to use my law degree in a more positive way and soon thereafter met Joe Alhadeff, one of the privacy greats and my mentor in law and in life. With Joe’s guidance, I spent over 15 years at Oracle, working with Alexis Goltra (now CPO at Northeastern University) and Carlos Garcia-Maurino (now CPO at McKinsey) to build a practical privacy management program. Work at GE and particularly at Citrix took the work in new directions, including public policy engagement, product and system security and my favorite piece, advising on new and expanded products that involve data. Along the way, I have been fortunate to work with some of the great privacy practitioners and general counsels and some inspiring and forward-looking executives, including Trevor Hughes at IAPP and Jules Polenetsky at the Future of Privacy Forum.
Q: You’ve held top privacy and security roles at GE, Oracle, and Citrix, each at a different stage of digital evolution. What throughline connects those experiences?
A: Oracle, GE and Citrix have a common through-line: businesses using large amounts of data to serve businesses’ and their consumers’ needs. The data differed (aircraft metadata and system access logs have unique challenges, and no two cultures could be more different day-to-day than Oracle and GE), but the need to collect and build brand value by managing data securely and by overseeing, auditing and providing transparency about data use are constant across all three.
Q: How have those experiences shaped your leadership philosophy today?
A: I learned from great people in each place. Joe Alhadeff and Dan Cooperman at Oracle; the great Katherine Butler at GE; and Tony Gomes and Rob Feldman at Citrix. All straightforward doers and good people. And that is what I hope to bring to my work and to teams with whom I engage, whether in privacy, on a non-profit board, or in my own practice at Amity Digital Risk.
Privacy Management Best Practices
Q: Across your time leading privacy programs for some of the world’s largest technology organizations, what core principles have remained constant regardless of industry or scale?
A: When I taught privacy law at Boston College Law School, and when new people joined the team at Citrix, I’d share the OECD privacy principles (the original 1981 version). What are you collecting? How will you use it and with whom will you share it? What do you need to do to secure it? And what do you do when you’re done using it? No matter how complex the laws become – and there are a lot more laws about data today, across many more areas, than there were in 2000 – the same basic questions matter.
Q: You’ve built and managed global teams at every stop. How do you balance centralized policy-making with the need for regional nuance and local empowerment?
A: I have never understood how or why one would build a data protection program from the ground up for each law and each region. Instead, I try to build the framework and team that will withstand 90% of all requirements out of the gate. That includes having people work on cross-border initiatives; having young lawyers advise Red Teams on what they can do (decompile our stuff in a lab) and can’t do (don’t hack our partners); and spending time with business teams learning about what they want to do with data before piling on the entire PCI 4.0 or Data Act framework.
Q: You’ve long been an advocate for constructive engagement with regulators and policymakers. How can today’s Chief Privacy Officers help shape regulation without crossing into advocacy?
A: In my experience, regulators and policymakers appreciate how difficult it can be to hit the right mark when leaning into business and protecting data. Striving to protect data at any cost is extremely difficult and can kill a business. And so I have often met with regulators, and separately with policymakers, to discuss the practical challenges of balancing needs. One example: At Citrix, I met with regulators and legislators to discuss the need to analyze large sets of metadata to prevent cyberattacks. Yes, we could limit data use for this purpose, but then we might let a nation-state actor into a system. So how could we engage in data protection and still protect data? I find that government officials appreciate digging into these issues and are eager to find a way to solve practical problems, so long as companies are making a real effort.
Practical Advice for Privacy Leaders
Q: You’ve interviewed, hired, and mentored dozens of privacy professionals over your career. What do you wish interviewees better understood when pursuing these roles?
A: With so many evolved privacy practices today, it’s easy to get caught up in names. Does that law firm have a national reputation? Is that the hot company? My guidance has been and remains to find the best people, the best mentors, and the best fit, a place where you can learn how to engage with leaders outside the legal department and take a chance learning and doing something new. That may be a big law firm, but it could also be an AG’s office, an AI company or a think-tank or advocacy group that engages deeply in data issues.
Q: You’ve reviewed thousands of resumes over the years. What makes a great privacy or digital risk resume stand out—and what common mistakes do you see?
A: OK, now we’re getting into what I tell my adult kids. Find something about which you are passionate. If it’s not the straight line to a law firm partner, that’s ok. I’m intrigued by the person who taught English somewhere else in the world, or worked on the Hill, or was an electrical engineer before turning to privacy. I love the resume that has someone going back to a clerk after a few years of practical experience. And I have had great success with people who moved over to data risk management from financial auditing. All of these folks are actively engaged and thoughtful about why they’re getting into data protection.
Q: When advising rising privacy professionals, how do you frame what the job really is? Is it just white collar regulatory, legal, and compliance work? Is there something more to these roles?
A: Sure, there’s a fair bit of regulatory compliance, but it’s also about the interaction. How do you close a deal with a regulated customer when the salesperson is one deal away from the Sales Club with two days left in the year and still remain compliant? What do you do when the CEO wants three new live agentic AI projects this month using all of the company’s regulated data? A lot of the craft and the joy is in working with constituents, understanding their needs, and guiding them without breaking their business.
Q: Building credibility with business stakeholders can be challenging for privacy teams. What have you found most effective in building trust and buy-in across the enterprise?
A: Time, effort, work in the trenches. Going to the sales kick-off is fun, but sitting at a client site for three days or re-thinking the opening page of a website with the person who is going to be judged on the output is more likely to gain you friends with whom you can do productive work in the future. I think the same is true of regulators: you need to talk with them when things go wrong, but if they already know that you want to engage with them to do things right, you start every interaction from a place of trust.
Digital Risk, Trust, and the Modern Enterprise
Q: The intersection of privacy, security, and digital risk has become more pronounced in recent years. How should companies think about integrating these functions?
A: As Joe Alhadeff was fond of saying, there aren’t databases with personal information and then databases with “non-personal” information. We’re starting to see this idea embraced in legislation like the AI Act and the Data Act. Going back to the OECD principles, for any data set, it’s about what you have, why you have it, and how you’re going to process it, secure it and manage it. With that said, the skills gained from privacy practice – learning products and systems, interpreting the law, performing impact assessments, requiring and producing meaningful improvements over time – all come into play. And the companies that do this well generally have a key pivot person for these sorts of initiatives. It may be a privacy officer, a CISO, or a data officer. The person who manages the portfolio can bring a common toolset of analysis and assessment to a range of issues that span beyond international transfers of personal data.
Q: You’ve overseen cybersecurity, privacy, and incident response teams. From a governance perspective, how do you ensure coordination without overlap or confusion?
A: I was really fortunate at Citrix. We had a security team and a privacy/digital risk team running side-by-side. Both knew their and their counterparts’ strengths and each counted on the other. And the key was leadership: Tony Gomes is an amazing GC and Chief Administrative Officer. He made sure we were wrapped into the business and working closely with the executive team. And that made the difference in our effectiveness with one another and across the company.
Q: “Trust” has become both a corporate value and a management discipline. How do you define trust in an enterprise context, and how can leaders operationalize it?
A: I think about “trust” and the “trust officer” role simply: You need to do what you say and say what you do. This is, in my opinion, why trust centers and their constituent parts – including up-time dashboards, certifications, and published patch updates – are so valuable as a strategic business moat. When companies are transparent about what they do to protect data, customers and their compliance teams can have confidence in what the company does.
Management & Operations / Future Outlook
Q: What are you working on that you are excited about? What are you working on that worries you?
A: On the positive side, everything about the development of AI. The conception, development, and release of new AI-related products are moving faster and with more concentrated focus, and everyone understands the importance of data governance for both legal compliance and customer trust. On the downside: we’re getting swamped with laws that don’t overlap well, even within the US. We have over 20 comprehensive state privacy laws; many more sector-specific state laws covering health and financial data, biometrics, and genetics; and a growing set of laws governing bias, discrimination, and AI governance (as well as bias and discrimination using AI). All of these topics are extremely important. But the dispersion of laws with different definitions and different obligations has negative consequences, including diverting privacy teams with limited resources from risk mitigation to checklists and rewriting policies to meet definitional mandates. We’d be well served by Congress addressing these issues for the benefit of both business and consumers.
Q: The Chief Privacy Officer role has evolved rapidly—now often encompassing AI governance, cyber incident command, and digital ethics. What’s your view on the future scope of the CPO? Where are we heading?
A: I was a “digital risk officer” in 2017 and think that name, or something close, is likely to have more resonance in 2027 and even more in 2037. Data is becoming an ever-more-valuable asset, and so risk officers will need to know about a variety of issues that surround data and not just privacy. Whether digital risk officers are senior or junior is likely to depend on the company, its circumstances, and culture. (It is a fair bet that any company that has experienced a big data breach or regulatory investigation is going to have a pretty senior digital risk officer.)
Q: You’ve worked closely with executive teams and boards. How should today’s privacy and digital risk leaders communicate impact and value at that level?
A: Boards don’t need to know that you did X reviews and found Y risks and that every dashboard is green. They do need to know that you know what you’re doing, that you understand their business and the few critical risks, and that you can mitigate risk effectively. If you are fortunate enough to engage with a risk committee or data committee of the board, that is a chance to dig deeper, but still with a focus on the big picture.
Q: What’s next for the profession? What do you see as the defining challenge—and opportunity—of the next decade for privacy and risk leaders?
A: You have alluded to some of the big challenges here. There is a risk that privacy officers will be relegated to deep in a compliance stack rather than engaging with the business; that associates will come to view privacy as just another law firm partner track; and that regulators will focus on the letter of 100 different laws rather than ferreting out commonalities and opportunities to simplify and focus on real risks. For all of this, data has never been more valuable, and there has never been a greater legal or business need, or a greater opportunity, for data protection professionals.
Q: Anything else you’d like to share?
A: Thank you, Lawrence. Your firm is at the top of the field, and it is an honor to have this opportunity.