
13 Aug Privacy and Security Officer
Legal · San Francisco Bay Area · Full time
Based in Mountain View, CA, NeuroPace is a commercial-stage medical device company focused on transforming the lives of people suffering from epilepsy by reducing or eliminating the occurrence of debilitating seizures. Its novel and differential RNS System is the first and only commercially available, brain-responsive platform that delivers personalized, real-time treatment at the seizure source.
At NeuroPace, employees are our greatest asset. We are continually searching for solution-oriented individuals who can bring energy and creativity to our growing workforce. At NeuroPace, our success depends upon our ability to recruit and retain the most talented, enthusiastic and dedicated people we can find and providing them with a dynamic and challenging environment in which to thrive.
We are currently seeking a Privacy and Security Officer to join our team. As the Privacy and Security Officer of a highly regulated medical device company, your primary responsibility is to ensure the protection of sensitive information by continuing to develop, implement, and maintain a robust privacy and security program that ensures compliance with applicable regulations and industry best practices. You will play a crucial role in safeguarding patient information and protecting the company’s assets from potential security threats. You will work closely with cross-functional teams, including product development, IT, commercial, legal, quality assurance, and regulatory affairs, to ensure robust security protocols for the company’s products and operations and to maintain a culture of privacy and security throughout the organization. This job is a remote-based opportunity.
Key Responsibilities
- Privacy Compliance:
- Develop, implement, and maintain privacy policies and procedures in accordance with applicable laws, regulations, and standards such as the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR).
- Conduct privacy risk assessments, identify potential vulnerabilities, and recommend appropriate mitigation strategies.
- Ensure the company’s practices align with privacy principles, including consent management, data minimization, and data subject rights.
- Security Compliance:
- Establish and enforce information security policies and procedures to protect the company’s systems, networks, and sensitive data.
- Monitor compliance with security standards such as ISO, NIST Cybersecurity Framework, and FDA guidelines for medical devices.
- Conduct regular security audits, vulnerability assessments, and penetration testing to identify and address security weaknesses.
- Implement and manage security incident response protocols to effectively respond to and mitigate security breaches or incidents.
- Security by design: Provide input into product development, product improvement, and other company projects and undertakings with respect to whether cybersecurity/data security concerns are identified and adequately addressed.
- Data Governance:
- Develop and maintain a data governance framework to ensure the proper collection, storage, retention, and disposal of data.
- Define data classification and access control mechanisms to protect sensitive information.
- Collaborate with cross-functional teams to establish data sharing agreements and evaluate sufficiency of certain aspects of contracts with external partners, ensuring appropriate safeguards are in place.
- Key member of the incident response team:
- Lead the investigation and resolution of privacy and security incidents, including data breaches or unauthorized access, and follow up with respect to “lessons learned”.
- Coordinate with relevant stakeholders, such as legal, IT, and regulatory bodies, to ensure timely and appropriate actions are taken.
- Prepare incident response plans, including communication strategies, to mitigate potential reputational damage.
- Fine-tune and periodically test the company’s formal incident response plan.
- Training:
- Develop and deliver privacy and security training programs to educate employees on their responsibilities and best practices.
- Promote a culture of privacy and security awareness by organizing awareness campaigns and providing ongoing communication regarding privacy and security updates.
- Risk Management:
- Conduct regular risk assessments and develop risk mitigation strategies to protect against privacy and security threats.
- Monitor emerging privacy and security risks and provide recommendations for proactive measures.
- Manage the annual risk assessment process (e.g., data mapping, analysis of sufficiency of controls, debrief to executives).
- Conduct ad hoc risk assessments, and help define and subsequently track action items for risk mitigation.
- Develop risk mitigation strategies to protect against privacy and security threats.
- Oversee/facilitate annual third-party vulnerability and penetration testing.
- Oversee Company’s vendor management process, vetting potential third parties relative to privacy, data security and cybersecurity considerations.
- Compliance:
- Collaborate on and keep apprised of the company’s outward-facing communications regarding cybersecurity and data security – for example, FDA submissions, security questionnaire responses, marketing collateral, and representations made to third-party collaborators (cloud providers, researchers, etc.) – to help the company maintain consistency across organizations and functions.
Requirements
- Bachelor’s degree in a relevant discipline required (e.g., Information Security, Privacy, Computer Science). Master’s degree or relevant certifications (e.g., CIPP, CISSP) strongly preferred.
- Minimum of 8+ years of experience in Data Privacy, Information Security, or IT Risk Management.
- Experience with and/or solid understanding of security and privacy provisions of a variety of relevant regulations and industry standards (e.g., HIPAA, HITECH, HITRUST, SSAE 16/SOC, FDA Cybersecurity Guideline, NIST SP 800 series, ISO 27000 series, COBIT, ITIL) and best practices and methodologies to address and apply these requirements.
- Proficiency with server and network infrastructure (AWS, OS, Active Directory operations, VPN, Windows Server, Firewalls, etc.) as well as intrusion detection and prevention, incident investigations and forensics, vulnerability scanning tools, and other systems security experience.
- Experience with conducting risk assessments, vulnerability management, and incident response planning.
- Ability to adapt to a dynamic regulatory environment and stay updated on privacy and security trends and developments.
- Capable of anticipating needs and driving clarity on expectations.
- Must connect easily with customers, clients, and colleagues to communicate effectively across business and technical boundaries to offer recommendations as an expert with best practices.
- Work independently without detailed guidance.
- Be proficient in writing executive level reports and technical documentation.
- Strong customer service focus.
#LI-Remote
$120K – $220K Base Compensation – Compensation will be determined based on several factors including but not limited to skill set, years of experience and geographic location.
Benefits
- Medical, Dental & Vision Insurance
- Voluntary Life
- 401K
- RSU
- 529 plan
- ESPP Program
- Health & Wellness Program
- Generous Paid Time Off plus eleven paid holidays
- FSA & Commuter Benefits
NeuroPace is proud to be an equal opportunity employer and values the contributions of our culturally diverse workforce.
San Francisco and Los Angeles applicants: The Company will consider for employment qualified applicants with Criminal Histories in a manner consistent with the requirements of the Los Angeles Fair Chance in Hiring Ordinance or the San Francisco Fair Chance Ordinance (as applicable)
PRIVACY NOTICE: NeuroPace takes its responsibility to protect your personal information seriously, and it uses reasonable safeguards to avoid unauthorized use or disclosure of it, and inadvertent loss or impermissible alteration of it. NeuroPace complies with all applicable federal and state laws and regulations that govern the handling of your personal information. If you would like more detailed information on NeuroPace’s privacy policies, please refer to neuropace.com/privacy/ for reference. NeuroPace retains candidate resumes and applications in its files for future reference and/or consideration for other available job postings. If you do not wish for your resume and applications materials to be retained in NeuroPace files, or wish to obtain a listing of any personal information that NeuroPace has stored about you, please contact us at privacy@neuropace.com.