Redefining CyberSecurity

The Data Privacy Divide: Navigating Transatlantic Data Protection Perspectives | A Conversation with Maria D'Avanzo and Lyndon Marquez | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

In this podcast, Maria D'Avanzo, Lyndon Marquez, and Sean Martin discuss the impact of GDPR on data privacy, comparing the U.S. and European approaches. They emphasize the importance of balancing business goals with data protection and addressing privacy concerns from a risk perspective.

Episode Notes

Guests: 

Maria D'Avanzo, Chief Evangelist Officer at Traliant [@traliant]

On LinkedIn | https://www.linkedin.com/in/maria-d-avanzo/

Lyndon Marquez, Corporate Counsel at Life Extension [@LifeExtension]

On LinkedIn | https://www.linkedin.com/in/lyndonmarquez

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

CrowdSec | https://itspm.ag/crowdsec-b1vp

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this podcast episode, Lyndon Marquez, Maria D'Avanzo, and Sean Martin engage in an insightful discussion about data privacy, regulations like GDPR, and how companies approach these issues.

Lyndon Marquez highlights the differences between the U.S. and Europe in terms of their approach to privacy and data handling. He explains that GDPR was a significant milestone that helped companies focus on data protection, even though it may have initially seemed like overkill. Marquez emphasizes that striking a balance between business needs and regulatory requirements is crucial.

Maria D'Avanzo shares her experience of implementing privacy programs at Cushman. She notes that GDPR was a key factor in driving organizations to prioritize privacy as a standalone function. D'Avanzo also discusses the challenges of navigating between business goals and data protection requirements, emphasizing the importance of having an appropriate privacy program in place.

Sean Martin raises questions about the current state of privacy and data protection, wondering if companies have mastered GDPR or if there's still room for improvement. Both D'Avanzo and Marquez agree that the mindset towards data privacy in the U.S. still has a long way to go before it reaches the level of awareness seen in Europe.

The conversation also touches on the role of board members in addressing privacy concerns, the potential impact of new legislation, and the challenges smaller companies face in implementing security and privacy measures. They explore the importance of looking at data privacy from a risk perspective, making it relatable for decision-makers, and ensuring appropriate measures are in place.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllQZ9kSG7X7grrP_PsH3q3T3

ITSPmagazine YouTube Channel
📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

privacy, data, lyndon, business, cushman, compliance, security, maria, cybersecurity, point, users, conversation, people, customers, board, organization, collect, company, part, thinking

SPEAKERS

Voiceover, Maria D'Avanzo, Sean Martin, Lyndon Marquez

 

Voiceover 00:15

Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining CyberSecurity Podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power. Now, more than ever. CrowdSec, the collaborative and open source cybersecurity solution, analyzes behaviors, responds to attacks and shares signals across the community for free. Let's make the internet safer together. Learn more at crowdsec.net. Pentera, the leader in automation security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation. Thanks, everybody

 

Sean Martin 01:27

for joining us. For a new

 

Voiceover 01:29

learn mine. And Terra. I

 

Sean Martin 01:33

always love when you set the layout of the screen and it changes it up on the right technology for you. You're expected to do something that does something completely different. Who knows, maybe, maybe we, we may touch on that today. With respect to privacy. Today's topic is around privacy and regulation. How to, how to make the most of what we know and kind of work through the things that we may not know, with respect to the laws that are in place, the laws that are forming, and all the standards and technologies that come along with those things. As everybody knows, I know very little about many things. And that's why I have amazing guests join me, and I have Maria D'Avanzo and Lyndon Marquez joining me today to talk about privacy. Thank you so much for joining.

 

Maria D'Avanzo 02:28

Thank you. Pleasure to be here.

 

Sean Martin 02:31

And you are muted, Lyndon. You did, you didn't accept the, the, the, the cookie to participate?

 

Lyndon Marquez 02:43

Oh, well, thank you for having us.

 

Sean Martin 02:47

As it's gonna be fun, it's gonna be fun. So privacy is something that we talk quite a bit about on this channel, Redefining CyberSecurity. And as folks know, the whole point of the show is to help practitioners and security leaders make the most of the challenges they face and find solutions to help the business succeed without crippling it, because of all the controls and policies they put in place usually. So before we get into this topic, though, I want a few moments from each of you to kind of share with our audience who you are and what you've been up to. So Maria, we'll start with you.

 

Maria D'Avanzo 03:27

Sure. Thank you, Sean. So yeah, I'm Maria D'Avanzo. And I am currently the chief evangelist officer at Traliant. We are an e-learning, online training provider in the compliance, privacy and HR space. And I joined them about seven months ago. Prior to that I was the chief privacy officer and chief ethics and compliance officer at Cushman and Wakefield for 10 years. And I put in place the compliance and privacy programs at Cushman, and I worked very closely with our chief information security officer. So, Sean, in that experience, I'm sure we'll have some interesting stuff to talk about.

 

Sean Martin 04:07

Absolutely, the questions are already starting to form

 

Lyndon Marquez 04:13

and my name is Lyndon Marquez and I'm currently with Life Extension, and I've been with Life Extension for, for several months, working primarily in the legal department and working closely with our privacy officer. Before that, I was with Hilton Grand Vacations and then before that with Wyndham Destinations, and in those, in my roles there as senior counsel and compliance officer, I did a lot of work with the developing our programs for compliance and, and privacy. We're talking about vacations in particular I need delved into privacy. I was with them from, you know, 2017 until recently. And really, this was a kind of a critical time, just because this is when GDPR, enforcement of GDPR got underway, as well as CCPA. And really preparing for that and compliance with that law.

 

Sean Martin 05:17

I love it. And so many things here now to go on. So I don't know, when I, when I think about a certain topic, I tend to kind of hone in on certain areas. And I don't know, I may, I may be, having built applications in the past, I may be more prone to look at things from an application perspective. So B to C and B to B to P, bit of business, the partner kind of apps that let, let people interact with the business. But both of you have experience looking at users, perhaps, that are also physically in a building, either an office building or perhaps a destination resort. And I'm wondering how organizations need to look at users from a broad perspective, not just users through an app, not just users on the website, but users that perhaps come and go in and out of the building. And some of those users may be employees and, and contractors that are there to do HVAC work. Or to, or to feed the fish at that famous resort in Las Vegas. So under who wants to tackle this first? Maybe Maria, if you want to kind of go out? How do you see organizations and security leaders? We'll just call it security leaders. For now we'll get into some of the nuances of the roles from a privacy perspective. How do I know organizations look at the different types of users when, when privacy comes into the conversation?

 

Maria D'Avanzo 06:53

Yeah, sure. So you do have to consider the various types of users in, in, in the commercial real estate services world that I come from. It wasn't just employees, and it wasn't just folks that are coming out to our properties to help, you know, the HVAC and whatnot. We also managed properties for clients. And so we sometimes had to be concerned about, you know, our employees that were going to the clients' locations, and perhaps using the client's equipment, client's laptops, or the client's cell phones and what have you. And so, it became somewhat complicated for us, for me, and for our chief information security officer when we were considering, you know, all of those different groups, and all of their different concerns. But, you know, as you're, as you're thinking of using new software, new applications, that was absolutely part of the, of the, you know, equation when we were determining what were the right safety protocols, the right privacy provisions and agreements, etc. So, yeah, for us, it was interesting, and, you know, my experience a little bit different than Lyndon's. Also, with respect to the type of data that we worried about, right, so, so for us at Cushman at the, you know, in the commercial services world, we didn't have consumer data, it really, it was, it was mostly B2B data. But we did worry about employee data, which I think overlaps with Lyndon. But so it was the types of data and there's also the types of users of our applications that made it somewhat interesting for us in our programs.

 

Sean Martin 08:27

Because I'm picturing somebody not just with a wrench and some Freon fixing the air conditioner, but there are, there are people that the security guards and cleaning crews and I know, I want to kind of kind of lean toward maybe some some of the aspects of smart buildings, where there are cards to check in and sensors with, with perhaps phones and other devices to prove that you're at a certain location at a certain time. Right.

 

Maria D'Avanzo 08:58

Yeah, as I was, as I was leaving, you know, Cushman, they were, they were challenged with the biometrics because, you know, entering the buildings now was with, you know, with the fingerprint or the facial recognition, which really, really complicated, complicated everything even further, believe me.

 

Sean Martin 09:14

So Lyndon, same, same to you, your thoughts on this?

 

Lyndon Marquez 09:17

Yeah, really, the, as Maria said, the overlap in particular with, with employees and the type of data that she dealt with the Cushman and my experience with in the hospitality industry. But really, we did deal with primarily a lot of consumer data, as you can imagine, and really the companies I worked with, really in the timeshare space of, of, of hospitality, as well as you know, the bottles as you would imagine, like with with a hotel type operation. So we, you know, we really had to look at data and really A look at how we handle it, as you know, we've got, we've got members here, whether they, whether they're owners of timeshare, or whether whether they are, you know, kind of the, the, the the customer who wants to rent something for just a week, but they don't own with this. And so, you know, there's a lot of data and consumer data, and in particular, when we're dealing with with members and owners of timeshare, because we see the those owners as, you know, they're lifelong as we're, as far as we're concerned, you know, they, they are part of our club. And, and so the data that we collect may be, you know, much, much broader than, than what we collect from, from customers who come and just rent for a weekend, for example, and, but at the end of the day, we do treat the other data, the same we, we really want to treat the data with kid gloves, just, I always think about myself for my family. And, and, you know, we provide data if we want, we are staying at hotel, we go on vacation, we provide that data, you know, whether it's for transportation, hotels, whether it is airplane, airlines, and so forth. And, you know, the way we approach it is, hey, you know, how would you want your data to be treated. And that really is kind of the point you try to keep top of mind as we went through our operations.

 

Sean Martin 11:38

And I liked that, like he went there with that, because it's another other question I have on my mind, which is, how do you how do you approach the world of privacy? I know, security has been around forever, right? Not really. But it's been around longer than perhaps a formal Privacy Rule has. Or maybe not, maybe you can correct me if I'm wrong on that. But I have a background in security. So everything from me looks like a policy creates a control that we then align with some some standards and frameworks that we can then kind of get a big picture of, here's how we look, here's our posture. How much of that? Did you did you lean on? Do you lean on to kind of get a similar picture for privacy? Or do or do you approach it like, like you were describing when, from purely from the user perspective, what they would expect from you to protect their data? And do you do you approach them that way, and then, and then come back to it and say, well, these are the controls and policies for that, and they either do or don't align with everything else we're doing in the business.

 

Lyndon Marquez 12:50

In a sense, that's, that's how it is, I think, really, you know, when we look at, you know, especially when we're talking about, you know, a lot of the regulation that has come out, you know, and you know, we'd like to point to GDPR kind of this is, you know, it was just really such a major milestone, especially in the US, in Europe, in particular, they are miles ahead of us, or, or decades have however you want to say it, and how they work, how they believe privacy and handling of data should be done is very different than, you know, philosophically, then then we have you in the US. And, you know, probably the way, the way we've always done it is looked at, okay, we've got GDPR that came online. And, you know, we've got to, you know, we know that we have all this data already, we collect all this data, we know that we want to, you know, do the right thing, by by our customers, and by our by our members. But we also have to run a business. So let's, let's wait this out, let's see what the regulations say. And GDPR kind of, in a way helped us to focus and kind of say, Okay, this is how we're going to do it. And, you know, GDPR may seem like overkill in the US, especially back in, you know, 2017 2018 timeframe, it seems like, this is really there's a lot of prescriptive requirements here. But, you know, we tried to kind of base it on what GDPR required, and kind of saw, okay, here's where we are, here's where our businesses how we have been handling, and how we've looked at data, personal data. And this is what the requirements are now, let's try to marry this. And also, keep in mind that, hey, we're trying to run a business here. And, you know, we have to make sure that we don't handcuff ourselves to the extent that, you know, we're not doing what, what organization was created to do, which is to, which is as a business enterprise, so that's kind of going around a long way and saying that we do take into account and GDPR. 
And now with things like CCPA, CPRA, and the state legislation that's coming around, it's giving us a chance to focus more and more and trying to see, okay, how are we going to balance our business needs? With our, with the requirements of useless?

 

Maria D'Avanzo 15:28

Yeah, you know, I would say that, at Cushman, it was, it's probably, it was a little different experience than, than what Lyndon had in the hospitality space, right, because of the type of data that was collected and whatnot. So, I would agree, though, that it was GDPR that, you know, sort of kicked everybody into gear, so to speak, as far as, you know, creating an understanding that privacy is an absolutely important standalone function within an organization. You know, before GDPR at Cushman, privacy was handled by our then Chief Information Security Officer, and it was really limited to him dealing with, you know, some of the Privacy Shield at the time, you know, Privacy Shield applications and all of that, and, and the General Counsel pulled me in, I was chief compliance officer, pulled me in to sort of work with him to make sure that, you know, the legal stuff was, was alright. But two things happened at Cushman. One was GDPR came into play. And we were global, and of course, had a European presence and European business. And two was Christian Republic. And so when those two things happened around the same time, they were like, Oh, wait, we need somebody who, like, this is their, you know, they really are looking after this. So we're putting a program in place, to your point, Sean, right. So the CISO was like, Well, I can't, I'm not doing that, like I have all this other security stuff to do. Right. So who's gonna do it? Well, I had put the compliance program in place. And we really, literally, from scrum zero, from scratch. And we talked about it, it was much like what you said, Sean, it's the same sort of thing, right? You have policies, procedures, controls and frameworks, if you put those in place, and then you go back and you audit, and you make sure it's all working and all of that. And so, so the natural place for default was with me. And so it did. 
And, and so, you know, I was, I had GDPR to sort of guide me, and I had outside counsel that I worked with, but in addition to that approach, we did also have to worry about, you know, sort of the data piece of it, the users, you know, what does the business want to accomplish here? I remember many heated conversations with the business, myself and the CISO. Like, what are these guys thinking? Like, we can't do that, right. You know, we had a client, global, publicly traded, a client who had health centers and fitness centers on their property that we managed, and the client wanted us just to take that over, right, and applications to be in the gym, and you're writing down three, and, you know, credit card information. And we were like, No, you know, we don't want that, right, we're not PCI compliant, or not HIPAA compliant, right. And so we had to figure out a way to, you know, sort of make everybody happy. We found a happy compromise, and we were able to get comfortable for it. But yeah, I mean, all of that is, is absolutely part of putting in place an appropriate privacy program that works. But to your point, you know, cybersecurity, and then that sort of function and role has been around for way longer than privacy, especially in most, in most, most companies in most industries. Now, if you're American Express, if you're Mastercard, if you're Visa, like you've been struggling with this stuff, you know, probably much longer than the rest of us. But yeah, that was, that was my experience with putting the program in place and how we look at it.

 

Sean Martin 18:38

So where are we? Because I mean, GDPR, what you said, Lyndon, 2017, 2018, something around there. It's kind of old news, but still important. There are other things coming, CCPA, I think other states have things in the works, some passed, others coming down the pike. And we talked earlier before we started recording that there's a US Federal one on the books. Where, where do we sit? Not less, not so much, just from the regulatory perspective, we'll get there in a moment. But just from a mindset, have we, we'll say we in the US, or maybe global if you want to take it that far, have we mastered GDPR? Are we okay there, do you think, generally speaking?

 

Maria D'Avanzo 19:30

Well, you know, I think it just depends on which company you're talking about. Right? So if you have a company that is US based, to Lyndon's point, here in the US, we just do not think about data protection, data privacy the same way they do over in, in Europe. I think we'll probably get there. You know, with all the data breaches that you're hearing about regularly, the new, the new laws in the US, but I'm not at, my, my feeling is that that mindset is not necessarily there. I will tell you that in my experience, on the, at the training provider side, I was surprised, pleasantly surprised to see that our, our trainings in the data privacy, data security space are, you know, are growing. So, you know, that's, so improved to me that, you know, we're moving in that, in that direction, certainly. But it was such a, it was, it was such part of the DNA and the culture over there in Europe that it's going to take us a little bit of time here in the US, I think, to get to where they are over there. Lyndon, would you agree with that?

 

Lyndon Marquez 20:33

Yes, I definitely agree with that. I think we're getting there. But you know, it in Europe, it was something, this was something top of mind. For them, it was a fundamental right, for the most part, is how they looked at it. And we just don't in the US, we just have never thought of that data, personal data and personal information that way. So it'll take a while for us to, to get there. I think we're heading in that direction. And especially I think, what, what helps in getting everybody on board is, you know, when you see these large, these large settlement agreements, for people for, you know, large companies who violated GDPR, you know, that, that really opens people's eyes, not to mention something that really, when I was at HGV, all these, all the data breaches and the consequences of data breaches. That really got, got our senior leaders and the board, the board's attention, it's like, wait a minute, what's our risk here? How, you know, how exposed are we here? And, you know, what can we do about it? So, you know, I think we're gonna get there, it's just a matter of taking longer, because it's a, it's a shift in mindset of Americans with regards to privacy. And, and as, you know, as the whole issue, you know, situation with data breaches continues to, to spiral, as well as, you know, on the privacy, of the privacy laws, from states that, you know, continue to evolve and get put on the books, and in more and more states, I think, I think we're gonna get there, just going to take longer.

 

Maria D'Avanzo 22:27

Yeah, you know, it's interesting that you should mention about the board, Lyndon, because, you know, I used to report to the board when I was at Cushman on a quarterly basis, and what, for all 10 years that I was there. And it wasn't until like the last three years that I was there that our CISO actually had the opportunity to come in and to talk to the board about, you know, what his program looked like, what he was doing. And, you know, that was interesting. And he did so at the request of the board, right. They were like, we, we want to hear from, you know, where's Eric? Like, we want to hear from him. What is he doing? Right. And, and so that's, you know, that's really, you know, interesting. And, and I think, you know, we've talked about data privacy legislation in the States. And yes, absolutely, that's true. But the other thing that's happening in the, you know, maybe in the background is that the SEC is, you know, proposing that companies, publicly traded companies, have to make disclosures with regard to their cyber security incidents, right, within, I think, some ridiculously short period of time, I think it might be 10 days, if I'm remembering correctly. And you know, if that actually happens, that is going to, you know, propel the U.S. forward in, in the area of both, I think, security and necessarily privacy, because frankly, they, they go hand in hand. So it'd be interesting to see where that goes, and what the impact of that would be.

 

Sean Martin 23:45

So all of these things, and I mean, you, both of you kind of pointed to large organizations, the organizations you are part of are no, no small company, and Lyndon used the term, and, and handcuffing the company with this stuff. And I'm just wondering. So as I was asking, where are we, I'm just, part of my thought process was, we're probably not, to your point, both your points, we're not there yet. Right? And nothing's perfect. We have a long way to go. And if you're a small company, I mean, your whole world is getting your product or service to market and delighting your customers and getting renewals. Who cares about security and privacy? Right? So how, if you do investments in that area, take away from new features, take away from hiring staff that might, might help customers be more, more happy and successful. So how do you, how do you see those conversations going? Or how did the conversations go for you, talking to executive leadership, and the board, when you have those, out, opportunities to say, this is important. Here's how we, here's how we measure what our risk is, here's how we measure the value of addressing that risk to the company. I guess, do you look at it from a risk perspective? Did you end up there? Have you ended up there?

 

Maria D'Avanzo 25:17

Yeah, you definitely have to look at it from a risk perspective, right? And if you're a smaller company, it's, there's a, there's challenges, but there are certainly things you can do, right? Like, at the end of the day, you have to know where your data is, what kind of data are you collecting? You know, you know, where does it sit? How is it protected, you know, don't keep it longer than you really need to, you know, all those good things, and there's ways to do that, you know, without having to be super, super, you know, fancy about it and spend a lot of money on it. You have to have appropriate contracts and provisions with your vendors. Right. And, you know, the point is, you have to as a business owner, whether it's small or large, you have to, you have to think about these issues, because to someone's point, you know, you read the paper, and it's, you know, it's hard to open up a newspaper and not read about some sort of data breach or another. And, you know, I have to tell you, because I wore both the compliance hat and the privacy hat, my experience was, it was easier, it was easier, believe it or not, to get funding and resources and support for the privacy side of things than it was the compliance side. And the main reason for that is something that Lyndon raised earlier: we can all relate to it as individuals with data of our own. And so if you put it to the, to the CEO, or the board chair, whomever, Hey, would you like your social security number and your banking information to, like, you know, they can relate to that. Whereas when I was in compliance, I was, you know, I was talking about things that people, like, they don't know what you're talking about, you know, you're, you're being silly. You make it personal. And talk about the personal risk, and once they think about it, that right, and they're like, Oh, me, yeah. So

 

Sean Martin 26:55

then storytelling, I love this. The role and value of storytelling.

 

Lyndon Marquez 27:02

The, it's, that's pretty interesting. You mentioned that, Maria, because, you know, I've had many instances where, whether it's the, you know, our head of it, or our, you know, Chief Operating Officer, they'll they'll, you know, shoot me an email and say, Hey, I was contacted by, you know, so, so company, and they said, they got my information from this place. And, you know, so they, you know, for them, you know, they they understand it from, you know, being a consumer, being a user, that, you know, it's upsetting when you start, you know, you start getting calls or emails, or you get started getting bugged by a company, and you're wondering, how did they get my information? You know, they, you know, and at times, you know, they'll, they'll ask a bridge to get my information, and they'll say, Yeah, we got it, you participated in some kind of promotion, and we got your information from there. And, you know, it kind of opens eyes are like, that, I agree that my information could be served for other purposes, you know, things like that. And, and it kind of helps when you're trying to, you know, trying to develop policies, or really update or revise your policy is around around the handling of data. And it also serves well, I mean, we work a lot with very closely with our marketing teams as well. And really, it's a matter of just really just having that conversation and making educating them on, you know, that the data you're trying to, you know, data minimization, for example, you know, if you don't need, you know, their, you know, their mother's maiden name, and, and you're their oldest son's date of birth, you know, why are you collecting it, for example, you know, you know, get gathered in the data that you need, and let them know, you're gathering it, these pieces of information for a particular reason. And don't go beyond that, because you're exposing the company. 
And even though you may not, you don't have any ill intent, what if there's a data breach of some kind and out, we have that data in, in our database that gets breached, and now that information is out there. So it's a good way to start that conversation to continue that conversation with, for example, our marketing teams.

 

Maria D'Avanzo 29:30

Yep. Speaking of collaboration, we collaborated with, with HR quite a bit, right. And towards the end of my tenure at Cushman, one of the challenges that we were, we were wrestling with, with the HR team was, you know, our DEI initiatives, especially in Europe, right, where they were, they wanted to send around employee surveys to collect all types of DEI data. I mean, you could imagine, you know, your sexual orientation, and you know, and the like, and, you know, I was like, wait, wait, you know, I would say, do you really, do we really need, you know, that, like, do we have? Do we have an obligation to report on it? If we have a regulatory obligation to report on it as part of our DEI reporting, then okay, we can have that conversation. But if you just start asking these questions so that you can, you know, generate some nice marketing materials about, you know, statistics, and that's so fast, right. So, so that was, that was, that was a challenge, but again, required, to your point, Lyndon, collaboration with that group, because they don't know, they don't necessarily think about the privacy aspects of what they're doing. And so we tried, in the GDPR fashion, to, you know, implement privacy by design. And it was like, as you're doing this, you know, as you're doing this, you need to think about the privacy, the privacy ramifications of it.

 

Sean Martin30:43

So I don't want to get too deep into that one specific example where anybody is put on the spot. But when I'm having conversations on the show, I often end up at a point where I say, and it's often technology-rooted: why did you set up the cloud that way and expose those ports with that service, to put yourself at risk? Why did you do that in the first place? Why did you set up that machine that requires that it's patched four times a month, when a different one doesn't need to be? A lot of my conversations are like that. But when I look at privacy and data, it's the same idea. To your point, Maria, don't collect the data, don't store the data you don't need to. But in your example, this isn't necessarily a product being built, or a new database being set up in Salesforce; this is something that HR or marketing probably spun up. And I guess the point I'm trying to get to is: somehow you got alerted to it, right, presumably before something took place. So, taking the realities aside, maybe from both of you, share some examples of things that could happen and how you actually monitor these rogue, I'll say rogue, scenarios from putting the company at risk.

Maria D'Avanzo 32:14

I'll tell you that sometimes you just find out by accident, Sean. I don't know, Lyndon, what your experience was, but the way that my experience was, either I would hear of something in the course of my operation as a Chief Compliance Officer, being part of the board and listening to board conversations, and then I'd bring it to my privacy team and the CISO and say, hey, did you know that? Or it'd be the other way around: he would hear something and then come to me, and then either from a compliance perspective or a privacy perspective, I would send a note and say, "Hey, can we just chat about this?" Right? Sometimes it was that they reached out to us; it just depended who within the organization we were dealing with. They would know that our approach was privacy by design in a post-GDPR world, which is a requirement, and so they would loop us in. But honestly, sometimes you would just find out by accident. Most of the time we found out before it got too far down the road, because if it got too far down the road, especially if it was a business initiative, a commercial initiative from the business teams, that became a little bit challenging. I can't really think of an example; there's probably even one that I could talk about, but I can't think of an example where it went so far that I'd look back and say, how come you put something in that we'd have to patch four times a month, the privacy equivalent of that, right. But yeah, in reality, sometimes I'd hear about it by accident. Lyndon, how about you?

Lyndon Marquez 33:50

I think that is probably how we hear about at least 70% of these types of situations, where they're working on a particular project, or let's say it's a marketing initiative, where they've got this great plan: we're going to launch a sweepstakes, and all you've got to do is provide these pieces of information to enter. And it's like, okay, well, why didn't we know about this earlier? It's usually later on that you find out about this. And in some of these cases, it's still a very primitive type of marketing initiative, where it's like, okay, we could pull back on that, which is what you hope for: that if you do catch something like that, it's something that you could roll back fairly easily. So that really was the bulk of how we find out about these things. I do think it's really important for the compliance team and privacy to build that relationship with the business teams, whether it's marketing or sales or even HR, just the various teams, and have that communication and relationship to where maybe the first three times they didn't think about asking you what information they can collect, but over time, as you build that relationship, you're going to be top of mind. They'll be like, "Oh, I do remember now, let me run this by our compliance team or privacy team and see if this is okay." And I think that's where organizations need to get to, where you can have that relationship, and legal or compliance is not going to be the last stop before launch date tomorrow; it's going to be something to think about early on.
And you can weigh in early on and make sure we're going down the right track, and not have to spend a ton of money trying to fix something that could have been caught earlier.

Sean Martin 36:12

I'm very afraid to introduce acronyms, because we have many, many of them, and they're buzzwords. But all I can think about, having built apps in the past, is something like engineering and development and the DevOps process, where developers and operations come together and something beautiful happens. And then we insert SecOps, and everybody gets pissed off. Do we need something like that for privacy? For HR? That's where I was getting scared to introduce something new. But do we need a more formal privacy piece that gets plugged into programs that aren't just apps, programs that other business teams run?

Maria D'Avanzo 37:05

Lyndon, do you want me to go? Well,

Lyndon Marquez 37:07

I could start off, and obviously, Maria, you could add on to it. I think that's not a bad idea. In fact, I think it's a good idea overall. I think it's something where, in the process, like on the legal department side, where there's the contract process, or in IT or information security when they review contracts or initiatives, privacy needs to be a part of that. Sometimes they do think about information security at some point in the process, but I think privacy needs to have a seat at the table, or they need to be part of that checklist of teams that need to be coordinated with before you press on to the next step of a project. So yeah, I think that it makes sense to include privacy and compliance in the

Maria D'Avanzo 38:10

Yeah, to be part of the governance process. Right. Yeah, that gets put into place. But to your point earlier, Lyndon, I think you're right: once you have created those relationships with whomever in the organization, the business, HR, sales. In my case, I'm telling you, the CISO and I were like a team that it couldn't get past. If one of us learned about it, he would call me and vice versa. But once you develop those partnerships, then you're naturally brought into that governance process; it's a matter of time.

Sean Martin 38:45

Talk to me about the broader view of this, not just the business leaders, but every user and every account, if you want to go to every part, that may be too much, but kind of the idea that it's a mindset. Lyndon kind of alluded to it earlier: the first two or three times they didn't think about it, but the third, fourth and fifth time it's in their mind, right? That happens somehow. It can happen by finding out 70% of the time that it shouldn't have happened and we fix it, or you can be a little more proactive and help spread the mindset, the culture, if you will, build a culture that has privacy in mind, even if the processes aren't completely formed; at least people are thinking and acting a certain way. Yeah, we

Maria D'Avanzo 39:38

did that at Cushman. We did that with the contracting process, for example. So we would have agreements, master services agreements, with some of our larger global customers, and those agreements would contain your DPA, data processing agreements, and standard clauses from the GDPR. And we worked with our legal team, because they were not responsible for privacy; it was my team. I mean, I'm the lawyer, but our legal team who did the contracting wasn't responsible for it. And so they knew that they had to send those agreements over to me to review those sections, or to some of the people in my privacy team. That was a matter of communication, and as GDPR came out, that was part of our GDPR program: okay, so now we have this process that has to happen, where D'Avanzo and her team have to review the list of all those clauses and stuff. And frankly, the legal team was happy to throw it over the fence, right, because they were like, we're not experts, we don't care, we're going to talk about the commercial terms and indemnities and all that other good stuff. So once you get the word out to the transactional lawyers, they really were instrumental in explaining it to the business guys, because sometimes the business guys would be like, why is this taking so long? Right, and we need a privacy review. And sometimes the privacy provisions were so complicated, or were onerous at the request of the customer, that I would go to outside counsel. I had a go-to guy, he was great, commercially reasonable, and all that good stuff.
And so then the business teams understood that they had to loop in legal early, because legal had to loop in privacy, and it would just slow everything down if they didn't do that. And so, more broadly, the word got out in the organization that we have this group, and their responsibility is privacy. And so that was sort of how we did it at a broader level.

Sean Martin 41:48

So, we're coming up on the end here, sadly; this has been fun. I know, it's super fun. But what I want to do is maybe break out the crystal ball, or I need to grab a crystal ball. You touched on the SEC breach notification, which is kind of a monkey wrench in the works for some folks, perhaps. Are there things coming, regulation-wise? Notification laws? Penalty-wise, legal-wise, I don't know, whatever. Is there anything on the horizon, known or unknown, that you think privacy leaders should really start to think about?

Maria D'Avanzo 42:38

Why didn't you have your crystal ball handy?

Lyndon Marquez 42:46

Yeah, I think that, again, it's something I've got to get smart on and really dig into, but the world of AI is upon us, and that is an area that's going to continue to grow. There's a lot of traps out there from a privacy and data protection perspective that we've got to really take seriously and really start delving into and understanding: okay, how's this going to affect how we operate? How will it affect how we collect and manage the data that we collect from our consumers? I think that's where the big story will likely be over the next five years, if not even further out as well.

Sean Martin 43:45

Will it help bring consistency and kind of level-set things? Or is it just going to screw everything up? Anything?

Lyndon Marquez 43:54

I guess, and I wish I had a good answer for that. My guess is it may slow things down a little bit in terms of progressing, especially in the US with regards to the various state laws, with regards to a federal privacy law. It may slow things down, because if the legislators are thoughtful in what they're doing, or looking ahead, they'll realize that, hey, let's not just roll something out for the sake of getting something out there and getting a vote from voters, "I did something for privacy," and stuff like that, and really think about, let's build something that can be adjusted to what the future may bring in the privacy and data protection realm.

Maria D'Avanzo 44:51

Yeah, I'm not so sure we're going to see a federal law anytime soon, right. I think all these proposed bills, in addition to the five that are already there, I think, to your point, Sean, the inconsistencies are probably just going to continue. And it will just depend what state you're in and what kind of program. And obviously, the response to that from a business perspective, and Lyndon, you and I talked about this, just like with GDPR, is you have to put a program in that rises to the highest level, right? So if it's CCPR, or CCPA, whatever, that's the most stringent, no matter what state you're in, your whole program is going to have to look like that. But I would agree that AI is super interesting. I think it raises all kinds of risk issues beyond privacy, frankly, that people aren't even thinking about. I read an article the other day about the potential disclosure of material nonpublic information, and people putting stuff into this AI chatbot to get letters issued or articles written or what have you. And users are not thinking of the implications of what they're doing. And I think you're right, Lyndon, privacy is certainly one of the red flags that will come from it. And I would agree, if these lawmakers are being thoughtful, that they'll slow down and say, "Hey, wait, we can consider all of this." But, being a bit cynical, I'm not so sure we're going to see that happen, either, because politicians are politicians, and they want votes. So they may just come out with a law that will have to be amended later on. So it's going to be interesting to see how AI has an effect on privacy.

Sean Martin 46:31

I'm hopeful it can be used to kind of tamp things down a bit. But I can also see it just taking off, in just even this simple chatbot example where customers are sending sensitive information they shouldn't, because they feel comfortable chatting with the bot, and employees responding with, "Oh, yeah," or maybe using the chatbot to craft their response. All this is super interesting. You could probably have another whole conversation just on that. For now, I think we have our hands full with just regulations and getting your head wrapped around all those differences. And to your point, we didn't get too deep into it, but kind of just set the high watermark, as you alluded to there, Maria: where's the mark you need to reach for the most stringent, and kind of work from there? I think it can get super complex if you try to save money and go lower where you don't need to, or cordon off systems that don't need to follow the same rules. But if you're having those thoughts, that's a good start. Not doing anything because it seems too hard, AI or not, have the thought at least, and have the conversations with your executive leadership team and the board if they're open to it, and with each other, like we're doing here. Maria and Lyndon, thank you so much for coming together to have this conversation and for sharing your thoughts and insights with our audience here. Any final thoughts?

Maria D'Avanzo 48:22

No, just thank you so much for the opportunity to come here and to chat with you and talk about privacy. It's such an important area, and it's great to have the conversation in the context, your context, of cybersecurity, and with the audience that you have, because I know I've said it a lot, but I think it's just a super important partnership, privacy and cybersecurity. So it's really great to have the opportunity to speak to your audience. So thank you.

Lyndon Marquez 48:47

Yeah, thank you so much, Sean, for this opportunity to really talk about it; it's an important topic. Everybody is really looking around trying to find out what other people think about this or that, and it's nice to have this conversation as well. A lot of your other podcasts have been really helpful, and I think hopefully this will be helpful as well.

Sean Martin 49:11

Everybody has a question. Hopefully someone will get a good answer. All right. Well, thank you both so much, and thanks everybody for listening. There'll be links to profiles and any resources, if you want to share them to help people continue to learn after the break; those will be in the show notes that we provide. Keep on keeping on with security and privacy, everybody. Thanks, everybody.

Voiceover 49:49

Pentera, the leader in automated security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real-world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation towards business impact. Learn more at pentera.io. CrowdSec, the collaborative and open source cybersecurity solution, analyzes behaviors, responds to attacks and shares signals across the community for free. Let's make the internet safer together. Learn more at crowdsec.net. We hope you enjoyed this episode of the Redefining CyberSecurity Podcast. If you learned something new and this podcast made you think, then share itspmagazine.com with your friends, family, and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.