On this week’s SecurityIntelligence podcast, privacy is our top priority. What’s changed for companies over the last year? What role do consumers play in protecting their private interests? What’s driving corporate conversations?
The landscape is changing fast (as evidenced by news about major fines that landed even in the days since the podcast was recorded). Joined by Monica Dubeau, privacy program director for IBM Security, orators Pam Cobb and David Moulton dive headlong into the public impact of evolving privacy regulations.
GDPR Is a Game-Changer for Data Privacy
Why the big push for the primacy of privacy protocols? Four letters: GDPR. Dubeau describes the European Union (EU)’s General Data Protection Regulation as one of the “biggest shakeups” for the industry, noting that for many organizations, last year’s GDPR rollout required them to “update their process and how they manage and respond to incidents.”
While stateside data laws continue to evolve, the GDPR introduced three key changes that present significant challenges for enterprises:
- Redefining data — Under the GDPR, the definition of “personal data” expanded significantly to include everything from salary to hair color to political opinion, depending on context and usage.
- Requiring documentation — Everything demands documentation, from reaching conclusions about data sensitivity to reporting incidents — even if they don’t require public notification.
- Reporting ASAP — Once an organization identifies a data breach incident, it has 72 hours to notify the appropriate supervisory authority or face significant monetary fines.
As noted by Dubeau, these new expectations have companies “strengthening their security posture and becoming more proactive than reactive.” But they’re not out of the woods yet.
Poor Privacy Habits Persist Despite Growing Awareness
Improving data privacy helps both organizations and consumers, but companies are on the hook if something goes wrong. According to Dubeau, savvy organizations are now “building privacy into their brand, and they’re seeing this as an opportunity to differentiate themselves from their competitors.”
While customers are now asking more questions about why organizations need their data and how it will be used, they’re still exposing themselves to undue risk by prioritizing convenience over security. For Dubeau, this includes “using something so simple, like their dog’s name, fluffy25, as a password across multiple sites,” or using internet of things (IoT) devices that offer great functionality but minimal security.
In a world of private data priorities, it’s not enough for businesses to define and defend their process — front-runners also recognize the value in educating consumers.
An Open Dialogue About Data Privacy
Despite the challenges faced by GDPR regulations and the often severe disconnect between users’ stated privacy priorities and day-to-day practices, Dubeau notes that the sea change has prompted dialogue about these challenges.
“These privacy regulations are bringing all of this out into the open and everyone’s talking about it openly,” Dubeau says.
New regulations are also emerging to further refine the rules around personal data protection and use. According to Dubeau, new cyber laws “will trigger even without personal data or personal information being affected.” In the U.S., upcoming legislation such as the California Consumer Privacy Act (CCPA) will implement broader protections, while countries such as Brazil, Bermuda, Thailand and India are drafting their own data laws.
Privacy is now a priority. New expectations demand investment, education and ongoing conversation.Learn Why Data Privacy Is The New Strategic Priority
Pam: David, have you ever changed buying behavior because you valued trust over convenience?
David: Yes. Yes, I have. I had a habit of going into the cheapest haircut place I could find and getting the low-cost trim. And then one day, somebody nicked my ear with a set of clippers, and I decided that I never wanted to do that again. And went with somebody with more experience, that cuts my hair, it looks great according to my wife, and I don’t worry that I’m going to have permanent ear damage from cheap haircuts. So yeah, Pam, I’ve changed my buying behavior because I trust somebody who knows what they’re doing more than I trust somebody who doesn’t.
Pam: This is the Security Intelligence Podcast, where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: So I got a chance to have a conversation with Monica Dubeau, who is the director of the privacy program at IBM Security. And specifically, she goes and works with clients to make sure that the privacy policies are in line and up to snuff in the case of an incident.
Because there’s this whole ripple effect where you think of like, “Okay, of course, we have regulations like GDPR and CCPA, and things that are coming about because, you know, we need to be conscious and responsible with personally identifiable information, PCI, all of these acronyms we could throw out.”
But when you take it one step further and, let’s say, there is an incident, well, now you have to know who your clients are, and you have to be able to notify them. And you need to know exactly what got compromised in the event of an incident. And so it’s this whole complex expansion of data privacy regulations and the influence there that we see on breach notifications and incident reporting.
And one of the reasons that we talked about trust at the beginning is that a company’s brand is on the line and the ability and the connotation that this brand is responsible, has my best interest at heart, is responsible with my data. And that’s really a nice package to tie together. So let’s listen to the conversation.
Pam: So, could you introduce yourself and share a bit about your role at IBM?
Monica: Absolutely. Thanks, Pam. Happy to be here today. My name is Monica Dubeau. I’m the privacy program director for IBM Security, and I am responsible for directing the strategy and the design needs and also the storytelling for the privacy solution for IBM Resilient.
When a breach strikes, time is really of the essence. An organization in just a short amount of time has to figure out so many different components. And when it relates to notification, they have to figure out does it need to be sent, who it needs to go to, and what it needs to say. That really isn’t very easy to do given the patchwork of laws globally that they have to deal with.
Pam: So we heard a year ago, well, and even before that, a lot about GDPR. And with May 25th marking the 1-year anniversary, how has GDPR changed the way that organizations are required to respond to data breaches?
Monica: Oh, my goodness. Yes, May 25th, 2018, a day forever ingrained in my memory. Let me tell you, it’s ingrained in a lot of folks’ memories as well. It’s one of the biggest shakeups, right, to data privacy law in so many years. So it’s had a significant impact. And in regards to breach notification, you know, it really impacted a lot of organizations. Many organizations had to update their process and how they manage and respond to incidents.
We can talk all day about GDPR and all the different components of it, right. We could go on and on for hours. But if we want to kind of peel out a couple different pieces of this and, you know, a few of the key areas for the breach notification piece for what made it a game changer, I think if we start with kind of that broad notification, the broad data types, right, the broad definition of personal data, they expanded out. So you’ve got something as simple as somebody’s hair color, salary, a political opinion, right, any of those based on the facts and circumstances can really become personal data.
In the U.S., slightly different approach. It’s a little bit more defined. It’s usually a name in combination with something like a Social Security number, a driver’s license number, maybe some financial information. So obviously, you know, it’s something that’s a challenge for companies to have to do with that really broad data type. And then, also, I think another key area would be on the incident types, right. I mean, under GDPR, an unavailability of personal data qualifies as a breach.
You also have to show your work. There’s this accountability piece to GDPR. And you have to show your work and how you came to your conclusions, so you have to document everything. And in regards to incident response, you have to document your incidents, all of them, even if you didn’t have to notify the individuals or the supervisor or the authority.
And then the real kicker, the timeframe, 72 hours, right. They introduced the 72-hour notification timeframe that is one of the shortest globally. So that’s a challenge for clients and regular customers in the organizations. They have to be able to figure out all this information so quickly so that they can notify and understand what’s happened and how they’re going to protect their clients.
Pam: And the 72-hour clock starts when they identify the incident, not when the incident actually happened, because sometimes, that can be weeks, days, hours, months.
Monica: Right, yeah. So the clock starts ticking once they know they have this breach. Once they have figured out personal data has been compromised in some sort of fashion, that there’s a breach, that’s where that clock starts ticking. And 72 hours just isn’t a lot of time. But if we look back, the European Data Protection Board, they just released out some figures, some data a couple weeks ago, on the first year under GDPR, and we can see organizations, they adhered to these new guidelines, because there were almost 90,000 data breaches reported to regulators in just the first year of GDPR going into effect. So pretty phenomenal number.
Pam: Yikes. So beyond just the regulatory implications and the potential for fines, what’s really driving these organizations to comply with the regulations?
Monica: Beyond fines? Yeah. So, I mean, fines is a big piece of this, right, because GDPR has teeth, and you can be fined up to 4% of your global revenues or €20 million, whichever is greater. So there’s certainly a lot of attention given to GDPR because of those fines.
But yes, beyond fines, what we’re seeing is it’s really the right thing to do, right. You want to protect your customer data. It really comes down to a matter of trust. You need your clients to trust you. You want your clients to trust you. And your clients expect you to take care of their data and to make sure it’s protected.
Pam: So in the year since GDPR has gone into effect, how have organizations changed in their security posture and what they’re doing?
Monica: In the year that it’s been in effect, GDPR has definitely strengthened their security posture. What we’re seeing is that many organizations are making significant investments with the amount of employees that they have working this type of compliance. They’re also really stepping up to the plate so that it’s not a check-the-box mentality or, you know, as far as trying to look at the latest data breach in the news and just pay attention to something like that.
They’re really looking at it from a long-term effect, right, privacy and this long-term compliance. And it’s not a race, right. It’s a journey, and they’re continuing to invest in it. If we look back two years ago, from a breach perspective, what we were seeing clients really handle breach notification was privacy teams kind of handled that on their own. They had their own system of record, and they would track their incidents really separate from the security teams.
And now, what we’re seeing is that the trend in the industry is to break down those siloes, and they’re coming together, working more fluidly together, and also working together in one system of record. They’re trying to use technological tools that help automate this process for them so that they’re talking in real-time to each other because of these tight notification timeframes. And you know, this is something that we’re seeing, right. This is that long-term investment that they’re making. And as they do that, they’re strengthening their security posture, and they’re becoming more proactive than reactive.
Pam: Are there any cases where the incident response plans falling short?
Monica: Oh, my goodness. Where they’re falling short, you know, I would say that if they’re not pulling in all of the appropriate stakeholders together, because you know, it takes a whole team, right. Many different departments are involved. And if they’re not communicating and collaborating together, that’s where there’s going to be some struggle.
Pam: So, what kind of departments need to be pulled together beyond just security and maybe IT to put up incident response plan into effect?
Monica: It involves so many different departments, because you’ve got your privacy and legal teams that are going to be making decisions and trying to understand who has to be notified, but they need to understand what’s happened in the event, you’ve got your security teams in there telling you all these details and facts and whether or not things are mitigated, where it stands, you know, is the risk of exposure still there.
But then you also pull in, sometimes, you’ve got your public relations, because you’re making public statements or you need to figure out, you know, FAQs for team members. Because you’ve got clients hear this in the news, there’s been a breach, they’re going to start calling, and what are you going to say? And what about that team member that answers the phone, what are they going to say? They want to start getting together different plans and FAQs. But also, outside of your organization even, you want to think about your call center service providers, or maybe outside legal firm, law enforcement.
So there’s different people that you bring in to the plan, and you want to have those engagements really thought out ahead of time, because when you’re trying to do things under short timeframes, when there’s an incident there, and the stress of all that, right, it can be very lengthy process, first of all, and you don’t have the time to dedicate to that. But there are so many other things you want to work on. And so if you have these relationships already built ahead of time and you’ve run simulations with those folks, right, I mean, you bring those team members, like the FBI, right into one of your simulations. And that way, you have those relations and you can make those phone calls a lot easier.
Pam: With all those departments involved, what steps do organizations need to take to build out this kind of documented incident response plan to make sure that it complies with regulations?
Monica: You want to have something documented and you want to make sure that you’re including these teams, and you have roles defined. Because just pulling everybody together, you have to still know, “All right, what is everybody’s role? And who’s in charge? Who’s in the lead role?” Because you get everybody in a room, and somebody has to be running the show. So you do want to indicate who’s actually going to be in charge.
And then, also, you want to test this. That way, you break through any of those gaps if you identify any issues or you find that there’s an area in particular that you need to strengthen in your plan or communicate better throughout your organization. You’ve done that ahead of time before the real incident strikes. And so running these simulations, it’s good to look to your, not only incidents and the types of incidents that can happen to you or are happening to you, right, looking at that historical data, but looking at the trends in your industry, what type of incidents are happening.
Or even looking outside your industry and just seeing, “All right, is there something that we can use for the simulation that we just saw in the news? How would we have handled it? Let’s pull our team together and let’s run through that one. And what would we do? What would our response look like?” And is there a way that you can mitigate, right? Are there actions you can take within your organization to mitigate that for you?
Pam: All right. Well, knowing that GDPR is based in Europe, what other privacy regulations that are out there that organizations need to consider?
Monica: Yes. So the landscape of breach notification, oh my goodness, and privacy laws — it’s changing fast, right, and it is global in scope. We have so many new laws and regulations that are coming out.
Just to name a few, you’ve got Brazil, you’ve got the Grand Cayman Islands, Bermuda, Thailand. India has a draft. I mean, we’re tracking, within our team, over 130 proposals that are out there. But beyond that, you also have in the U.S. You have all 50 U.S. states finally have breach notification law, and that just happened last year.
But now, just this year alone, we’ve seen, oh my goodness, several amendments, even just in the last two months or so, where these states now are amending their statutes, and they’re enforcing stricter rules and broadening out the scope of personal definition for personal information. They’re broadening that scope. And so just trying to stay on top of that, right, there are so many components for what’s happening out there.
But beyond even breach notification laws, we’re seeing some influences from GDPR make their way into the U.S. And so CCPA, everybody’s all on top of that one, the California Consumer Privacy Act. And you’ve got other states now making those copycat laws. So CCPA doesn’t go into effect till next year. But the other states, they’re coming out with their laws right now, too. And even beyond that, we have the cyber laws. And so you’ve got the cyber laws will trigger even without personal data or personal information being affected, and you’d have potentially notification obligations that you have to send out to some type of authority or regulator.
Pam: So, Monica, why California? Why are they at the forefront of this here in the United States?
Monica: California likes to be a trailblazer, I guess. I mean, if we look back at history, right, they were the first ones to come out with a breach notification statute for the U.S. And all of the other states followed suit. This isn’t anything new for California to do this again, now, with the broader privacy protections. And again, those other states are following suit, and you know, pretty soon, we’re going to have even bigger patchwork of laws here in the U.S. to have to comply to.
Pam: We’ve been talking about notification based on personally identifiable information being leaked. What about some of the regulations around disclosure when there’s not a PII leak, where there’s just an incident? Can you talk a little more about that?
Monica: Those are those cyber laws that, you know, trigger without having that personal data or personal information being part of the incident. And some of these could be something like a critical infrastructure, right, or maybe you have a financial services center, their system has gone down and they can’t service the customers. So some type of disruption, that’s where they have these notifications that they want to be sent out to the regulators that they’re tracking to understand if there’s any type of infiltrations happening, you know, any type of particular group or industry.
Pam: Okay. So with all these regulations that are both, now, in market and being developed, how do you think that they’ve changed how organizations, and even consumers, think about privacy?
Monica: Yeah, that’s a loaded question there. Because organizations and consumers, let’s separate those out. So if we start with the organizations, you know, I do think that we’re seeing a change in how they’re handling the personal data, how they’re looking at privacy, and we’re seeing a trend towards data minimization, where they’re not collecting as much data that they have to store, and maintain, and protect, and then also delete.
But even beyond that, I think it comes down to where you’ve got the savvy organizations that are building privacy into their brand, and they’re seeing this as an opportunity to differentiate themselves from their competitors. So they’re embracing privacy, and they’re providing education to their customers from a cybersecurity perspective and helping them understand what kind of harm could come to them or what the risks. Because people don’t know what they don’t know, and they’re taking this opportunity to really educate their clients.
And I’d love to share an example of just, you know, the other day. I was invited as a client for a financial services firm. And they had this cybersecurity education 101 event, and I went. And I’ll tell you what, for an hour and a half, everyone was on the edge of their seat listening so intensely as the head of cyber for this company was talking about the types of ways that they’re protecting the customers, but also giving examples of things that you can do.
Because it takes not just the company doing things, but the individuals have to follow steps, too, to really protect themselves. And they were giving tips and advice, and everyone in there had these aha moments of, “Oh, wow, I can go home and do that. Yeah, I need to do this. I didn’t know that.” And so those organizations are seeing this as an opportunity to build it into their brand.
But if we look from the perspective of consumers, I do think that as we see more and more notifications being sent out, they’re asking more questions, right. People are starting to wonder like, “Wait, why do you need this information from me? What are you going to do with it? How are you going to protect it?”
But the interesting part about the consumer, I think, is the real disconnect, because sometimes, what they say isn’t what they do. And so their actions speak a little bit different, right. They’re sending mixed signals. So they’re saying privacy and security are important, but then when we look at certain things like basic hygiene of cybersecurity stuff, they’re not doing it. And so if we look at passwords, for instance, there are so many people that are still using something so simple like their dog’s name, fluffy25, as a password, right, and they’re using it across multiple sites, not just one, but multiple. So they have that same password. Even though they’ve seen it over and over again in the news that something has been breached, change your passwords, some of them don’t even change their password. Worse yet, right. It’s something simple and they don’t take that extra step to protect themselves.
And I think another piece of this too is the convenience or features that consumers want. Sometimes they’re willing to sacrifice the privacy for it, even when they think it’s kind of creepy. So I have to tell you, I know somebody who has an Echo, and they’re not sure that this thing is not recording them all the time even when they didn’t say, “Alexa.” She was telling me how her husband whispers sometimes when they’re saying stuff that they were certain they don’t want anybody to hear. But yeah, right, it’s in the house, because they still want that convenience in the feature. So I think, sometimes, they’re sacrificing, you know, what they really want even when they think it’s not being protected the right way. So that’s where I still see that disconnect with the consumers.
Pam: So with headlights on the coming year, what do you think that both organizations and consumers need to pay attention to between the upcoming regulations and other trends that we’re seeing?
Monica: Yeah. I think that they need to continue to invest and, you know, make sure that they’re investing and strengthening their security posture. And then educating their employees, but also educating their clients, because as I mentioned earlier, right, there’s a way to really cut down on some of the exposure when customers can really understand what those consequences are. And some of it, you know, falls on them. So as far as them having a secure password and being able to go back, change your password.
But having those discussions and continuing this conversation, and that’s where these privacy regulations are bringing all of this out into the open and everyone’s talking about it openly. So it’s good to see the dialog is taking place. And when they’re building out their new technologies and their innovations, that they’re engaged and trying to think how do they bake this into that innovation.
It’s really neat out of the ICO in the UK, where they’ve got this sandbox for the companies and organizations to really interplay with the regulators on any other innovations, and they’re talking about how do they keep the data secure. So it’s all about these conversations and working collaboratively together.
Pam: Great. Well, thanks so much for joining. It’s been a great chat.
Monica: Oh, thank you so much. It’s been great.
Pam: You know, it’s something we’ve talked about before, it’s something we continue to have conversations about as an industry: what is the best way to get education and refresh your skills and where are those opportunities to create aha moments for both consumers and professionals? And when I think about some of the most meaningful learning experiences I’ve had, some have been online, I think there’s so much new technology. When I think about when I got my MBA was the initial advent of online classes, and it was all weird group chats and like MS Paint whiteboarding sessions.
And we’ve come so far, and it’s really the ability to connect the human experience with that digital platform that is helpful. And I think in-person training, you know, is never going to be overlooked as one of the best ways to go and experience, particularly if it’s training a department as a whole to function. I think that’s something that we really see benefits cybersecurity teams.
David: You know, for me, Pam, that aha moment happened years ago, early in my career. I would always go with my gut. And I remember having a hypothesis, and we tested it, and I was so incredibly wrong. A fellow marketer and web developer had wanted to test it. And when we went and looked at his idea and my idea, he crushed me.
And that was the aha moment where, sometimes, it takes seeing the data and being able to run the experiment to really understand something, and it starts to inform later on all the other types of experiences and experiments that you can run, or at least it did for me. And I think that’s one of the importance of having that open to idea. And if you want to accelerate that, education is definitely a key to lighting a rocket behind it.
Pam: Awesome. So, David, do you have any good news for us this week?
David: I do, Pam. So, do you know what company controls over 400 kinds of beer?
Pam: Here’s where I confess, I do know the answer. But for the sake of the audience at home, I’m going to say, “No, David, what company is that?”
David: Well, they’re called AB InBev or Anheuser-Busch InBev, a huge beer company. And they recently set up a dedicated cybersecurity unit. And I think that this is both reflective of our time and a little bit awesome. So here’s a company that has beer from all around the world, every different flavor, every different style, and they’re protecting our sweet supply with cybersecurity. And I just delight in that.
Pam: I do as well. Having grown up in Williamsburg, Virginia, area, there is an Anheuser-Busch factory tied into Busch Gardens, which is one of the theme parks there. And so that was the good place to go get lunch when you’re at the theme park, was like tour the factory where they make the beer. Go pet the Clydesdales.
And so not surprised, because they always seemed very conscientious in terms of their process and refinement. I mean, even when it comes down to making consumer goods, there is obviously a lot of scrutiny and dedication to quality. And I think it’s good. I’m so interested to hear that it’s in Israel, and I know that is a source of a lot of tech startups in the cybersecurity space. So I’m excited to hear that.
That’s going to be it for this episode. Thanks to Monica Dubeau for joining us as a guest.