What are the differences between security and privacy? What laws and regulations do you need to follow, both locally and globally? What are the consequences for non-compliance? We answer all these questions, and more.
Data Privacy: Do I Need to Comply?
[00:00:00.380] – Speaker 1
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity with your host, Jason Pufahl and Steven Maresca.
[00:00:11.710] – Interviewer
Welcome to the CyberSound podcast. This week, we’re actually joined by a special guest, Rob McWilliams, data privacy expert with Vancord, and as always, Jason Pufahl and Steve Maresca. So Rob, I appreciate you joining today. I’m really looking forward to chatting a little bit about data privacy because candidly, that is not my area of expertise-
[00:00:33.070] – Rob McWilliams
Or mine for that matter.
[00:00:34.690] – Interviewer
So I think we’ll do our best to listen to you, maybe ask some questions that frankly, probably people who don’t have a deep level of understanding of this might ask and go from there. But I think the most important place to start really, can you give us a definition of what data privacy is?
[00:00:55.390] – Rob McWilliams
Yeah, absolutely. I think it’s good to think of it from the point of view of ourselves as individuals. We share a lot of information about ourselves with organizations these days, some of it quite sensitive information. Data privacy is about the regulations and the laws that govern how organizations can use that data and how they have to put governance in place to protect that data.
[00:01:28.690] – Rob McWilliams
And it’s also about our expectations as individuals. We understand, for example, that when we buy something from Amazon, we have to tell Amazon where to ship it, and we have to give them our credit card information. No surprise, no problem. But where problems come in is where we share personal information with an organization. And then that organization does something completely different with that data. Perhaps something we don’t like to have, perhaps something that’s even harmful to us.
[00:02:00.970] – Rob McWilliams
So consumer expectations are very important for organizations because if you don’t meet them, it can lead to reputation damage. So to cut a long story short, data privacy is about the laws, but also the expectations about how organizations govern and use the personal data that they collect from individuals.
[00:02:26.280] – Jason Pufahl
So in our world, when we’re dealing with security incidents, we’re really concerned about the flow of data, and that tends to be where we encounter privacy requirements or reporting requirements at the tail end of the incident. I don’t know if that’s a reasonable place to start, but it tends to be how we come across the subject.
[00:02:47.720] – Rob McWilliams
Yes, there’s quite often a confusion between security and privacy, and indeed, I’ve come across people who feel that they are the same thing. They’re different words for the same thing. They’re undoubtedly related, but they’re very different. The old story is that you can have security without privacy, but you can’t have privacy without security.
[00:03:19.780] – Rob McWilliams
In that sense, security is a subset of privacy. And what that means is that an organization, for example, could have a trove of personal data from its customers. It could have Fort Knox-like security to ensure that nobody ever hacks into that data. But they might have collected that data, and they may use it illegally, in other words, in violation of privacy laws. So you can have security without having privacy.
[00:03:55.730] – Rob McWilliams
The part about not being able to have privacy without security is obvious, that you could comply to the letter with every global privacy law but if for some reason you’ve overlooked your information security and the data is open to hackers or to people who should not see it, then you don’t have privacy. So, again, the short answer is security and privacy are related, but they’re not the same thing.
[00:04:26.900] – Interviewer
So one thing that you talked about really early on when you started talking about the definition of data privacy, you said companies are collecting your data, and they may or may not be using it in ways that you’ve agreed to. But I think we all sign on to these web-based services all the time. I think in a lot of cases, we click through the privacy agreement really quickly without ever reading it. I’ll say I’ve read every letter of every privacy agreement that I’ve ever seen, so I know exactly where all my data is like I’m sure all of our listeners here.
[00:05:05.240] – Interviewer
What types of things should consumers be mindful of if they actually do look through those? Are there common elements that you think, from a data usability perspective, we should be concerned about?
[00:05:18.520] – Rob McWilliams
Yeah, absolutely. It’s a great question, actually. If I could just take a little step back first, most privacy statements or privacy policies that businesses have put out to date have been pretty bad and really hard to read for the average person. They’re a great way of going to sleep if you have problems with that. But privacy laws, increasingly overseas and here in the United States, are emphasizing that privacy policies or notices have to be understandable. They have to be written in plain English. So that’s something that is coming along.
[00:06:03.780] – Rob McWilliams
And, yes, what should we be looking out for? I think going back to that example of the expected versus the unexpected. If you provide your personal data to an organization, you generally know why you’re doing it. You’re doing it because you’re buying a product or a service, and you expect the data to be used to give you that product or that service. So a good thing to look out for, and this would usually be in the “who do we share your data with” section of the privacy notice, is what else does the organization do with that data?
[00:06:46.000] – Rob McWilliams
Does it share it with other businesses? Does it sell it? And the California Consumer Privacy Act, which perhaps we’ll talk a little bit more about later, is very hot on this sell issue, and it gives Californians the right to say, we don’t want you to sell my personal data, meaning by all means, use my personal data to give me the service I wanted from you, but don’t then make some monetary gain from my data that I don’t know about. So that’s one thing to look out for.
[00:07:25.820] – Jason Pufahl
So is it possible that there are geographical regions or states or nations that afford protections that are outside and apart from some of the rights given away, innocently, unknowingly, in those agreements?
[00:07:42.980] – Rob McWilliams
Yes. Absolutely. Particularly here in the United States, as the internet grew, the uses made of personal data, personal information, were really unregulated. It was a Wild West. If you could get hold of people’s personal information, you could pretty much do with it whatever you wanted.
[00:08:11.540] – Rob McWilliams
That era is ending. It started earlier in Europe than it started here, but it’s most definitely arriving here. Very recently, California put in place the California Consumer Privacy Act. They are strengthening that with the California Privacy Rights Act, which will come into force in about 18 months, and other states are getting on the bandwagon. Virginia has recently passed a privacy law that has some similarities with California and with Europe. Colorado has done the same. Nevada has a law about selling personal data. So it is growing in the United States.
[00:09:01.510] – Rob McWilliams
And of course, there is speculation about whether there will be a federal privacy law. Now, I think it’s not a privacy question as to whether that will happen or not; it’s more a political question, where everyone’s opinion is as good as anyone else’s. But certainly businesses, I think, would like a federal privacy law so that they don’t have to operate in an environment where they have to comply with an increasing number of different state-level laws.
[00:09:36.580] – Interviewer
So it’s definitely good news. I certainly know the EU, with GDPR as something specific, is much more advanced than us in the US here, relative to privacy. I think our data is a lot more valuable than so many people probably ever really realized or gave consideration to. Incredible opportunities to market against your browsing history or your shopping history or just generalized internet-related activity, incredible opportunities for companies to sell your data to their partners or other businesses in similar spaces for the purposes of marketing.
[00:10:25.420] – Interviewer
Generally speaking, do the states that have privacy laws look to restrict that a little bit more? Do we have some hope that some of the data that we use simply by nature of using the web on a day-to-day basis is maybe less available to people?
[00:10:43.320] – Rob McWilliams
Yes. I think that the common denominator with all of the privacy laws on the books, whether in Europe or the United States or Canada, is to give individuals more control over their personal data. And these tend to come in the form of rights. So for example, both in Europe and in California, you have a right to ask a business to tell you what data it has about you.
[00:11:17.990] – Rob McWilliams
And you’re absolutely right that for many of us, I think it is going to be quite shocking to find out how much data that is. We think about, yes, I provided my email address, I provided my home address, perhaps my phone number, my name. We forget about all the stuff that we don’t provide but is generated through our use of services.
[00:11:46.100] – Rob McWilliams
Location data when we’re moving around with our iPhones: people can, or applications can, collect where we’re going, how much time we’re spending there, how often we go there, and that data can be traded between companies. So we get a right to say, I want to know what it is that you hold about me, and then we get a right to say, actually, I don’t want you to hold it about me. Delete it. That’s an example, so we get that control.
[00:12:21.730] – Rob McWilliams
As I mentioned, in the case of California and now increasingly in other states, we can say, look, I don’t mind giving you this data because I understand that when I downloaded your app you’re going to track my location, but I don’t want you to provide that data to other organizations, and that’s generally called the right to opt out of selling. That’s becoming more common.
[00:12:46.660] – Jason Pufahl
So, Rob, in terms of the more nebulous data that users aren’t really aware of, I’m confident that there are other, more concrete types of data that are highly regulated or more specifically regulated. Can you speak a bit to specific types of data that organizations are obligated to protect, outside of the more generic user behavior information that you’ve spoken about to date?
[00:13:13.930] – Rob McWilliams
Yeah. Again, that’s a very good point. And I said earlier that I painted the situation in the United States in the internet boom as being a Wild West, and that was perhaps a little unfair, because the US approach to privacy historically has been very sectoral, meaning that there have been privacy laws for certain types of businesses, but not a sort of umbrella or omnibus data privacy law that covers all businesses.
[00:13:52.380] – Rob McWilliams
So we can say everyone knows many of these examples in the United States. If you interact with the healthcare system, which nearly everyone does, you’re probably aware of the privacy rule under that, which particularly health care providers and health care insurers have to comply with. So there is that rule, HIPAA.
[00:14:18.830] – Rob McWilliams
If you have kids at school, you may have come across FERPA, and that’s the federal regulation that governs how schools, including colleges, need to handle student data to make sure it doesn’t get into the wrong hands, and gives parents rights over that data.
[00:14:48.480] – Rob McWilliams
There’s another less common one for the financial services sector, the Gramm-Leach-Bliley Act, GLBA. So there is this sectoral as well as state pattern in the United States, but to date in the United States, we haven’t had a comprehensive privacy law like the GDPR in Europe.
[00:15:11.480] – Interviewer
[00:15:50.690] – Rob McWilliams
All of the above. Certainly, there are government agencies that are responsible for enforcing the various laws, agencies at the federal or the state level. So the appropriate agency for HIPAA, if you violate HIPAA, can come after you and can fine you, and that does happen. FERPA, the same. If you’re a school and you deny parents the right to see their student’s educational records, that school, or the school district, can be fined, and there can be other measures, certainly.
[00:16:36.850] – Rob McWilliams
You mentioned nearly every business these days, except perhaps a pop pizza store, puts up a privacy statement of some sort on their website. Those are legal commitments, and if you violate your own privacy notice, so if you say you’ll do one thing and do another, or say you won’t do something and then do it, that is considered an unfair and deceptive trade practice, and enforcement will happen either at the federal or the state level. At the federal level it’s usually the Federal Trade Commission. At the state level, it’s usually the attorneys general, and they are both very active in enforcing unfair and deceptive trade practices that come to their attention.
[00:17:36.480] – Rob McWilliams
If you are a business that is covered by the GDPR, and many US businesses are, there are fines and other penalties for not complying. I used to know somebody who said, and this is going back 20 years I should emphasize, he was a CEO and was fond of saying about privacy that the ice was thin, but the water wasn’t deep, and this was 20 years ago. The ice is still thin, but the water is a lot deeper now, and the downside to your organization in terms of fines, regulatory investigations and indeed being sued by individuals, class action or individual, is exponentially increasing.
[00:18:32.230] – Rob McWilliams
But perhaps in some ways more important, it’s worth considering reputation risk. We all know the damage that can happen to organizations when their databases are breached and personal data is taken. These costs and fines and class action settlements run into millions. But the same is true of an organization that doesn’t have proper privacy governance. You get a bad reputation that’s going to hit your business in nearly all the activities that it does, and I think this point about governance is actually very important.
[00:19:18.610] – Rob McWilliams
Personal data now, I think every business recognizes, is an asset. It’s something that’s really important to them. In that sense, it’s almost a bit like money, and when you have an asset you need to know where it is, you need to know it’s protected and you need to control it-
[00:19:42.210] – Jason Pufahl
[crosstalk 00:19:42] gets back to the interplay between privacy and security ultimately, because one of them is preparatory, I imagine, organizationally preparatory, and the other has to do with the actual safeguards in place to make sure that data is safe or doesn’t get exposed unnecessarily.
[00:20:03.130] – Interviewer
You jumped into a topic I think we could dedicate a whole episode to, which is data inventory and just knowing where your data is, understanding data flow. That’s paramount to all of this. You can’t protect it if you don’t know where it is. You can’t remove it if you don’t know where it is. A lot of this comes down to that inventorying idea.
[00:20:23.180] – Rob McWilliams
Exactly. And, of course, that inventory changes dynamically. Still, some executives, C-suite, see privacy as something that you do, then it’s done, and then you forget about it, maybe until a major piece of legislation comes along. I’ve always liked the argument I heard once that was put to such a CEO, and he said, wait a minute, you’ve never told me, we counted the money last year, so why do we have to count it again this year?
[00:21:03.990] – Rob McWilliams
And it’s a bit the same with data privacy, but unfortunately, it’s never done. It’s about knowing where your personal data is, what you’re using it for, what the risks are, how you mitigate the risks, how you comply with the ever-changing legal landscape and people’s expectations. It is, unfortunately, an ongoing activity.
[00:21:29.550] – Interviewer
So I think both security and privacy are ongoing, and the reality is, for both of them, they’re programmatic. Hopefully, you’re developing a program that improves over time. It’ll likely start with something as simple as a privacy statement and mature into something where you’ve got a legitimate data inventory, where you can really implement some of the rights you described, like the right to be forgotten. But there’s a lot of opportunity, I think, here to dive more deeply into some of these specific regulatory requirements, perhaps moving forward.
[00:22:03.500] – Interviewer
But I think we’re roughly up against perhaps a little bit more than our normal 15 minutes here. So I’d like to throw out there to our listeners that if anybody’s interested in talking more about privacy, I know Rob would be happy to join. You could tweet us or direct message us at Vancord Security. We’d be thrilled to bring Rob back on. Frankly, I’d be happy to spend more time talking about privacy since I do live in that security space. And with that, I want to thank everybody for listening to CyberSound, and we look forward to talking to you again.
[00:22:36.720] – Rob McWilliams
Thank you very much for the opportunity. I appreciate it.
[00:22:41.450] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.