Elise Houlik is Chief Privacy Officer at Intuit. In this role, she drives Intuit’s data stewardship vision and advises on complex privacy and interrelated regulatory issues. Her team is deeply engaged with the business on all matters related to product development, data governance, and information security. Elise joined Intuit in August 2022 and is based in New York.
Prior to joining Intuit, Elise served as Mastercard’s SVP, Assistant General Counsel - Privacy & Data Protection, where she led privacy work for the North American and Latin American & Caribbean markets and for several global divisions, including open banking, small/medium business and B2B platforms, digital payments and partnerships, start-ups, cryptocurrency/blockchain, marketing and communications, human resources, operations & technology, and corporate security. She formerly held the role of Associate General Counsel at Fannie Mae in Washington, DC, acting as the company’s Lead Privacy & Cybersecurity counsel for several years.
Elise is admitted in DC, MD, and NY (In House), and is a Certified Information Privacy Professional (CIPP-US). She holds a Bachelor of Arts degree from Johns Hopkins University and a Juris Doctor from the George Washington University Law School.
Q: What does Intuit do?
Intuit is the global technology platform that powers prosperity for the people and communities we serve. We serve more than 100 million customers worldwide with TurboTax, QuickBooks, Credit Karma and Mailchimp, helping to put more money in consumers’ and small businesses’ pockets, save them time by eliminating work, and ensure they have complete confidence in every financial decision they make.
Q: And tell us about your background path to your current role?
My introduction to privacy law came a few years into my time at Fannie Mae around the time of the 2008 financial crisis. Part of the scope was running Making Home Affordable (MHA) – the U.S. Treasury Department’s relief program designed to assist people who were struggling with their mortgage payments in the wake of the collapse. Because it was a Treasury program, all the information getting processed under the program was covered by the Privacy Act. We had to ingest a lot of personal information and were required to handle it in a very specific way. That sent me down a path of thinking more deeply about data in general, and how it's governed.
From there, the interest only grew. After many years at Fannie Mae, I transitioned to Mastercard and got to experience the complexities of dealing with data on a global scale - both the challenges and the opportunities. In my initial role I had a focus on North America, and over time that scope grew to include Latin America and global products in the digital payments space, open banking, marketing, and crypto to name a few. It also reinforced for me the value of working for a mission-based organization, which is why I was thrilled to have the opportunity to come on board to Intuit last year. Every day, my team works to safely and responsibly unlock the power of data to improve the financial lives of our customers - giving them access to the tools and information they need to help them thrive. It’s important work done during a time of rapid change, and it’s what keeps us grounded and focused.
Since my career started, I’ve witnessed an incredible evolution in this arena, from sitting in conference rooms surrounded by document boxes, to today, where we have the processing power to make lightning fast connections across vast troves of data. To this day I’m both amazed and excited at the speed and scale of change in the privacy sector, and with generative AI and other advanced technologies changing the world around us every few months, it’s going to be something to watch the law try to keep up.
Q: You have deep experience with large global organizations. As you settle into your new CPO seat, what are some of the key concepts you’ve absorbed over time that you’ll be looking to implement?
Because of the way data moves, and the way technology connects us all together, even if you're not a global company today, you might be at some point, and chances are sooner than you think. And most people, no matter where they live, care about what's happening to their information. So if a business has the ambition to reach people beyond its limited geography, you've got to find a way to scale, and scale quickly, within the bounds of legal environments that differ from place to place. So that’s where that global mindset and experience has been very helpful, especially in an organization like Intuit.
To help stay grounded in the needs of today and also pave the way for the future, it’s crucial to center my team’s work on foundational privacy principles that guide decision making in the absence of clear pathways. We ask ourselves what would our customers expect from us? Do they understand what data we need from them and why? Have we taken every opportunity to reduce the need to use or keep data that is unnecessary? Are we taking steps to ensure that the data we hold is accurate and protected? Are we leveraging technology to transform data to make it safer to handle? Are we keeping to our data commitments and reinforcing customer trust? If you keep these considerations in mind, there is a good chance you are also already going to be prepared to address legal requirements wherever you operate.
Q: Intuit has a long track record of innovation, specifically AI and Intuit’s AI-driven expert platform. When a company enables new technologies or goes through a significant transformation, can you give us a peak behind the curtain for what that means for the CPO and privacy team? What work goes into that from your team?
The pace is fast, especially because our legal teams work in lockstep with the business as things evolve. We’re included at the outset of the ideation process, where the organization is looking to bring a very big and bold ambition to life. We’re at the table to ask the question of ‘how’: what is it we need to do to get there the right way, and ensure the customer and platform data is handled in such a way that keeps our customers’ best interest at the forefront. This is central to how we implement “privacy by design.” Our team is really lucky in this way. We have professionals stacked against the different disciplines across the entire organization who look at things from a data perspective. We're working with the system architects, cybersecurity teams, product developers and the privacy engineers, to name a few, to make sure that the systems are processing the information correctly, that we're building tools to give consumers access and control over their data, and that we use the data in the best way possible to improve experiences and make things easier for our customers. Because that’s the end objective, regardless of how quickly things are changing around us.
Q: Is the proper scope of the role “just privacy” or a broader umbrella that might include data governance, data ethics, InfoSec, data monetization, privacy compliance, consumer trust & safety, law enforcement response, privacy public policy, etc.?
I have to confess, when I hear the phrase, “just privacy” I’m mystified, because truly, what could be bigger? To me, all of those elements come into play when I think about my remit. Privacy is not just a compliance function, which I think can be a bit unspoken in our space. Because of the central role data plays in all that we do, we are at the table for every meaningful conversation about how Intuit wants to show up for our customers and the market overall. My team still has the run-the-business responsibilities that any legal team would have, but given our scope and the nature of the organization, we also get to exercise our creative muscle, and I think privacy today is all about having that mindset.
Q: The pace of change in privacy is accelerating, and yet the more things change, the more it seems basic data hygiene stays the same. Are you concerned about the pace of change? Broadly speaking, what is your strategy for change so that you don’t have to iterate the program for every slight difference?
Regardless of the pace, the focus remains squarely on how we're using data to truly bring value to our customers in a compliant way, especially when talking about emerging technologies. It’s about how we’re scaling data, and how we explore new methodologies to transform the data we hold whether that’s by using encryption or the creation of synthetic data sets, so that it has much more utility for the customer and the organization. The onus is on finding ways to safely share information between parties to benefit the customer, agnostic of the technology. Doing that at scale and within the bounds of the law is the next game changer in our space.
And, again, I think there is so much value in having a global mindset - no matter where you are operating. When used effectively, data and technology help to break through boundaries and expand opportunities for everyone, but the regulatory and cultural norms vary from place to place. Keeping your objectives centered on serving your customers responsibly is essential, but so is keeping an eye on the landscape to anticipate emerging trends. As I speak with you now, I am just back from Tel Aviv where I joined a delegation of privacy professionals to discuss privacy enhancing technologies (PETs) and also the value of strong governance over the use of AI. While there, I had the chance to also catch up with our amazing, locally-based team who are doing cutting edge work with data and technology to help us fight fraud and create safer, more secure experiences for our customers. Every time I take a trip like this I come home with not only more information to share with my team, but also a better perspective on what our customers expect.
Q: How do you plan for needs of the future, especially staffing levels? What are your key factors for determining staffing levels? Department budget?
The privacy profession is evolving and growing quickly. For instance, I am an attorney by trade, but it's not necessarily another attorney that I'm looking for when scaling our team. We have privacy engineers on our staff. We have a need for strong analysts and program managers. We have a need for people who have a curious mindset and the willingness to be creative. And we also want to continue building a team of diverse voices - this is foundational to Intuit, and critical to our ability to deliver results and fulfill our mission to power prosperity for all. This focus on diversity is also important to me personally. I’m fortunate to have worked with and been mentored by strong female leaders throughout my career - especially in privacy. Being able to see myself represented in leadership was a critical factor in enabling my career and it’s something I intentionally keep in mind when I staff my own team today.
Overall, professionals who are willing to be more of a utility player are always attractive candidates for us as we grow the team, because we serve the entire company. There is not one aspect of the company that you do not get exposure to while working on the privacy team, so our needs always have to align to the changing needs of the business and our customers.
Q: What are the key factors you look at in determining your outside counsel?
We mostly rely on the internal team, because our teams are so close to the business and the technology that enables our growth and the success of our customers. There was a time when you could be a lawyer and dismiss technology because that's “somebody else’s space.” Today you've got to be deep on technology to get involved with an organization like ours. We move fast and don’t have the time to teach outside counsel the ins and outs of artificial intelligence for example. So my outside counsel “unicorn” knows the law, knows technology, and is ready to roll up their sleeves and come to the table with ideas on how to enable our products and services within the limits of both.
Q: Lots of new hiring these days. What are the top 1 or 2 must-haves when you look at a candidate? How much does exactly on-point legal experience matter compared to say project management or ability to craft a simple business solution? What advice would you give an up and coming privacy lawyer?
Data know-how is extremely important – you can’t do the job without that. By definition, though, you don’t start knowing everything - and certainly not in privacy where there isn’t a centuries-old body of precedent to rely upon. I love working with people who are willing to get deep to understand the challenges we are trying to address, asking questions along the way to come up with real, tangible solutions. So curiosity is a must. Ask all the questions - learn to fall in love with not knowing something and still finding a way forward.
This is a really complex space, so in addition to being willing to entertain what's possible, you will need to be able to break it down to simpler terms, and advise product teams and technologists on how to navigate the laws that may impact your end goal. That’s where communication skills are essential. Can you quickly get to the heart of an issue, identify the most critical risk, and address it head-on to an audience that is not likely to be as deep in the nuances as you are? That’s a huge component to being successful as an in-house counsel or an advisor to an internal corporate team. Practice writing and communicating from the perspective of what your audience needs versus what it is you want to communicate - and do it frequently. I still go back to prior deliverables and think about what I could have done to make my messaging clearer, more succinct.
Q: What is the top privacy or data security issue that kept you awake at night as CPO?
There is no end to the list of challenges, but the lens I tend to put over it is what are we most excited about? There's so much we can do for our customers who really need our help and expertise to thrive. For the small business who has the ambition to be the best in town, we're helping them to power their own prosperity by assisting them in managing their finances. And maybe more importantly, we're helping them leverage their information and data that they either don’t have the time or ability to do themselves. We take that burden off their shoulders and use their data to power financial success. And that’s what a great mission has to be centered on – being responsible with data and information, making those connections, and helping customers capitalize on the power of data in a way that big companies do all the time. The ability to do this can often be the reason why some businesses survive and some do not. And so that's what I get excited about: the scale of our promise to customers, and ensuring that we have the right people here to deliver on it.
Q: Everyone is chatting about ChatGPT (pardon the pun) and AI. Why should privacy pros care about this new technology?
Every new technology brings with it the need to understand the potential threats to customer privacy, and we’ve got a long track record of taking a thoughtful, customer-first approach to how we leverage these tools to help our customers achieve their ambitions. For example, we just launched Intuit Assist - a new generative AI--powered assistant that will provide personalized, intelligent recommendations to help consumer and small business customers make smart financial decisions with less work and complete confidence, enabling them to put more money in their pockets. Intuit Assist is embedded across Intuit’ s platform and products including Intuit TurboTax, Credit Karma, QuickBooks, and Mailchimp, and will put the power of next-generation AI in the hands of customers. Intuit Assist spans the company’s products to harness their power and deliver new benefits in all-new ways to improve customers’ financial lives. It is live now, and will be available more widely in the coming months.
This comes on the heels of the introduction of our proprietary Intuit generative AI Operating System (GenOS), which enables us to build and run generative AI-based applications, making it simple to create generative AI experiences, and ensure customers have the best experience possible.
A huge part of both Intuit Assist and GenOS is our ability to safeguard customer data and privacy. And as an organization with an AI-driven platform, we’re excited about the game-changing potential of new generative AI technologies, and laser-focused on keeping the customer’s best interest at the center of any use case we pursue.
Q: Anything else you’d like to share?
I think for me the best part of being engaged in this field for so long is that it has yet to bore me - or even come close to doing so. That, and the amazing community of people I have encountered along the way, have made this a tremendous career experience. I may be biased, but you will not find a better, more engaged, more dedicated network of individuals than those engaged in privacy. It’s not always the easiest, but it can be some of the most fun work you will ever do.
Mark Jaffe leads the Rivian ethics, compliance, and privacy program, which includes ethic...Read More
Meredith K. Grauer is Deputy General Counsel and Head of Privacy at Marqeta, leading a te...Read More
Lorenzo Robleto is an Adjunct Professor at the University of San Francisco, School of Law...Read More