168th Commencement: Watch Live
Information security expert Rey Leclerc Sveinsson, Ph.D., saw the writing on the cybersecurity wall: privacy was becoming the biggest emergent issue in the field. “A lot of new rules have come out, and the expertise was not necessarily there,” he said. “We needed to expand our knowledge on the subject—and I wanted to be at the forefront of that.”
The 20-year veteran of a rapidly changing industry is no stranger to adding degrees and certifications to update his skill set. This time he sought master’s degrees specifically in privacy, earning one from John Marshall Law School and then enrolling in Albany Law School’s online Master of Science in Legal Studies (MSLS) program with a concentration in Cybersecurity and Data Privacy.
“While the first program was mainly about general data protection regulation, Albany Law’s program allowed me to focus more on the cybersecurity law,” he said. “Plus, it was a perfect fit for me because it was entirely online and I was living in Iceland at the time, and I could continue with it wherever I went.” That was fortunate, because his new job took him to Miami.
Leclerc Sveinsson had his own consulting practice, called Trimsec | Solutions, and over 10 years built a base of clients in Europe, Canada, and the U.S. Earlier this year, leading information security firm ERMProtect bought his practice and appointed him director of cybersecurity and privacy consulting.
“The Albany Law program helped me get this job,” he said. “It has expanded my knowledge of privacy, and the company wanted someone with that expertise to kick-start their privacy practice.”
The job required him to move to Miami, where ERMProtect is based, but he is keeping his house in Reykjavik as well. “The idea is to tap into my existing contacts, and as clients come on board [with ERMProtect] for a wider range of products and services, I will travel back and forth as needed.”
Though he came to love Iceland—“it is simply beautiful, especially if you love nature”—he was actually born and raised in Puerto Rico.
A full scholarship to Xavier University in Cincinnati brought him to the states, and while he earned a bachelor’s in International Affairs and then an M.B.A. in Management Information Systems (his first of five master’s degrees), he also served in the U.S. Coast Guard, working in computer operations.
Leclerc Sveinsson worked in IT risk assurance for EY (Ernst & Young) in Puerto Rico and El Salvador and then as an IT auditor for Honeywell, splitting his time between New Jersey and Spain. Then he got the opportunity to become an information security officer just as the Internet was taking off. “It was a great experience, but I felt like I needed to catch up.” So he pursued a Ph.D. in Information Security from Nova Southeastern University. Meanwhile, he held roles of increasing responsibility at several companies in New York City and Boston.
Then he met someone who introduced him to his native Iceland, and they married. Unfortunately, his spouse was not able to stay in the U.S. because of the Defense of Marriage Act, so in 2012 they moved to Iceland. From there, Leclerc Sveinsson served as head of information security, privacy, and cyber risk services for global professional services company Deloitte and vice president of cybersecurity strategy and risk services for Zurich-based insurance company Swiss Re.
He also consulted for Enterprise Risk Management (now ERMProtect), until they decided to acquire his practice—and his international expertise—this year. “The concept of privacy is very different in the U.S. and abroad,” he explained. “In the states, organizations own the data once an individual provides personal information—which is why companies like Google and Facebook are based in the states.”
Outside the U.S., the data subject is considered the owner of that data, and the individual must consent to its use. “An organization has the role of custodian and is responsible for protecting that personal information and using it only in accordance with the rights conveyed by the individual,” he explained. As a result, companies in Europe have much different regulations than in the U.S.
Some say the approach stifles innovation. “From an economic perspective, I can see what they’re saying,” Leclerc Sveinsson conceded, “but from a privacy point of view, I believe that the individual should always provide consent.”
The European Union rolled out the General Data Protection Regulation (GDPR) in May 2018 to address privacy law. One month later, the California Consumer Privacy Act (CCPA)—which closely resembles the GDPR—was signed into law. “Although it only applies to California, it also applies any time you do business with any resident of that state—so in essence it is the start of a federal law,” he said.
In his new position at ERMProtect, Leclerc Sveinsson examines clients’ cybersecurity and privacy controls and develops plans for remediation or improvement—while minimizing the business impact. He also oversees assessment against a laundry list of regulatory and industry standards including the GDPR and CCPA.
This is why the Albany Law MSLS program has proven so valuable, he said, because it is designed to provide cybersecurity professionals with expertise on existing, new, and emerging policy as well as the ability to adapt and advance in this rapidly evolving field.
“It is a continuation of my information security studies, but incorporating new privacy rules and regulations,” he said. “I like that the program isn’t too much legalese. Yes, it’s a legal program, but a person with an information security background can easily tap into the knowledge provided.”
Leclerc Sveinsson is on target to complete the program by December. “I’m eager to finish, but it has been a good two years and has been absolutely worth it.”