Security, Privacy, and CCPA
Kristen McAlister virtually sits down with Jodi Daniels of Red Clover Advisors to discuss privacy and security in a work-from-home environment and the California Consumer Privacy Act (CCPA).
Kristen McAlister: Hello, this is Kristen McAlister with Cerius Business Today and I am joined by Jodi Daniels. She is founder and CEO of Red Clover Advisors and Red Clover Advisors helps companies comply with privacy laws. Thank you so much for joining us, Jodi.
Jodi Daniels: Hi, I’m so glad to be here. Thanks for having me.
Kristen McAlister: This is very timely as we were discussing the other day, there’s a number of things coming down right now with privacy laws.
There are a number of really top concerns right now for CEOs. In fact, I was with 12 of them yesterday and polled them on what their biggest challenges were. And right now, all of them unanimously, unanimously, it was something to do with this work from home workforce. I know you’re working quite a bit with businesses on a very specific area of that.
How are you advising companies and helping CEOs with the remote workforce environment?
Jodi Daniels: Sure. Well, it’s certainly a challenge on a lot of different fronts from the work that I do. I’m focused on helping companies from a privacy and a security angle. If you imagine everyone kind of packed up and now we’re all accessing systems remotely, we may or may not be on company equipment.
We might be sharing equipment. We might be doing a lot more on our personal machines. We might be taking calls remotely. So now we had to potentially use new tools than we’ve had to. So the significant challenge that people are seeing is how do I protect all the data that is now exposed. I’m not on a network where I can easily lock it down. And all of that is now exposed.
And unfortunately, the bad actors recognize this it’s a global challenge across the world. In all seriousness, when you literally throw billions of people at home, the bad actors realize, ‘Ooh, great opportunity, this is awesome,’ he thinks.
And so they’re going after and trying to find the companies where there’s vulnerabilities. One of the first ways that they find that is phishing. I’m sure we’ve all heard about phishing emails and it sounds so kind of basic. It’s one of the ones that is the easiest for them to use.
And phishing attempts are where a bad actor makes an email that looks completely like a real email. It’s sent out and then unknowing, individuals click on it and poof, now they’ve downloaded malware and all kinds of bad things kind of happen on their computer. Their information can be stolen.
You can kind of make your way through the networks and things like that. Well, phishing attempts are up 350%, according to a Google report from early this year. And, you know that is a startling statistic. And if you think about that you have all of your employees that were tired, many of us had to homeschool.
Some people might still be homeschooling. Everyone’s in a different environment and we might know better, but then we by accident click on the wrong link and now we’ve just exposed ourselves. So phishing is one of the things that I’m spending a lot of time trying to help remind companies about. Honestly, you almost can’t over-communicate on phishing.
So that’s really one of the biggest areas that I would say, we’re focusing on right now.
Kristen McAlister: And when you’re working with companies, reminding them, are you putting together the policy? Are you doing the training? What are some of the most effective ways that you’re finding, working with companies and keeping this top of mind so that the phishing attempts may not go down, but certainly the occurrences and the grief that happens after that can go down?
Jodi Daniels: Yeah. So there’s a couple different ways to approach that. And I think first is just having one: a remote work policy. Part of a remote work policy is going to encompass a lot of security measures. So we can kind of pause that button for just a moment because there’s a lot of other security risks that we want to be thinking about beyond just phishing.
In terms of how do we educate our workforce? I’m helping companies in terms of training. Just kind of old-fashioned, let’s get together on a now popular Zoom call webinar and communicate by email or video on what to look for in a phishing email, and literally take an email and dissect it and help explain what to look for.
There are also a lot of things. Other options. There’s some gamification. So if companies have some dollars to invest in more sophisticated training, there’s some great training tools that are out there to help with this. And there are also security software to help companies really prevent phishing as well.
The training kind of depends a little bit on the investment level of where companies are. Certainly at the basic is creating this policy and reminding employees what to be looking for.
Kristen McAlister: Thank you. And you’ve mentioned phishing as number one. What are some of the other things that we should be keeping top of mind right now and addressing with our employees.
Jodi Daniels: So some of the other ones are access management and credentials. I know I mentioned when we started, if I have my laptop. Whether it’s mine or a personal laptop, and I’m accessing a system, where am I storing all that personal information? And what type of passwords do I have to get into it?
Because the next way that the bad actors are trying to get in are hacking passwords. Can I get into your systems if I just have a simple password? And if I’m using my home computer, maybe I don’t have all the right security measures and maybe I don’t have the virus software.
I didn’t update all the patches and things to be able to protect my machine. The ways that companies can help address this. And what we’re working on again, that policy and part of the policy is going to be, you need a strong password. This is what this looks like. This is what the rules are for what you can and can’t be doing on your home computer or your work computer and reminding. Working with the teams to push out as many updates as possible.
And honestly, the simplest is to have a complex password, coupled with what’s known as two-factor authentication. Some people listening might have heard it as 2FA, or multi-factor authentication, called MFA. And all of that simply is, is where I’m sure many of us have gotten that one-time passcode to your phone to make sure you’re really who you are.
And that’s what that is. It’s the password, plus the extra method of doing it. And there’s multiple ways of how you can address that two factor authentication. And we really want companies to do it on as many of the tools as possible. And again, there’s different ways of how you can address complex passwords.
You can have password policies where you reset them every 90 days. We’ve all experienced when you have to have uppercase, lowercase, certain symbols. There’s different ways how you can manage those types of things. Together, the password plus 2FA is one of the next best ways that you can help prevent a data breach from happening to your company.
Kristen McAlister: It’s interesting, Jodi, I’m talking to you and I’m thinking we all learned this in Kindergarten, back when we first started using computers, but we’ve been a little sheltered being in offices with entire IT support teams who have been worrying about this and watching it. And now I’m kind of out there on my own in my home.
I am my IT support team. So it’s almost like going back to basics from 10, 15, 20 years ago and we’re assuming everyone remembers it from 15 years ago. I barely remember algebra, strike that, I don’t remember algebra. I, we need a refresher course. These are all fantastic reminders. Switching just a little bit. I know that there’s some compliance that also needs to be done at the corporate level.
So you have different layers of it. There’s security at the employee level, but there’s also some policies and compliance that needs to be done corporately here in California. I think we probably have more than anyone. You were mentioning that there’s some things that we really should be aware of as business owners in California that are coming up here. Can you give us a rundown on what those are.
Jodi Daniels: Absolutely. First to kind of address the corporate policies. I had mentioned you want a remote work policy. That’s one of them. For anyone listening, if you didn’t have a business continuity plan, that’s probably another one. They kind of go hand in hand as well. It’s basic information security policies.
Some companies have a big monster one and they break it up by all the different topic areas. Other companies have individual ones. Maybe I have an incident response plan. I have an email management plan. I have a network access plan, so on and so forth. And all of that is really important to help us protect our data and the new law that is coming out.
It’s called the California Consumer Privacy Act. Affectionately known as CCPA, and it became effective January 1st, 2020. It will become enforceable July 1st, 2020. And for anyone listening, you’ve heard the word consumer and should not be fooled. It’s not only consumer because that would be too easy. It includes quite honestly, employees and the B2B side.
Now we’re not going to get too complex. That’s probably a conversation for another day, but there is sort of an exemption for part of the law for employees and B2B, not a hundred percent, but for part of it. And what’s really important is how we connect these two, the remote work and CCPA.
Like all good privacy laws that are around protection, there’s use and collection. I should use the data and tell you what I’m doing with it. I should give you some choices and I should protect the data that you gave me in that protection piece. If I don’t and there’s a data breach, under CCPA there’s an individual private right of action, also known as the potential for a class action lawsuit.
And in our very litigious society, we know that you’re going to have plaintiff’s attorneys. And I’ve heard this directly from privacy litigators that I work with all the time. They’re just waiting. They’re going to wait with bated breath for the data breach to happen, and then they’re going to go in and pounce.
And now you have not only remote work and COVID-19 that we’re dealing with and a data breach that in itself is a challenge. There’s 50 different state breach laws. 50! If you are a national company, you have 50 different laws to deal with. You now also potentially have a class action lawsuit on your hands.
We don’t want any of that. None of that sounds really fun to us. Well, what is it that we need to do? We need to make sure that we have a good security program in place and in a remote working environment we’re going to have some complex security measures that we want to have in place.
We should also, like you had mentioned, go back to basics and really making sure that we have the basics that we can help remind our employees who are on the front lines of using our data. And we also want to be thinking about some of those more sophisticated security measures on our systems and our databases and all those types of things.
Kristen McAlister: When you first go into an organization, if they’re not complying with it, what does that next step normally look like? Are you doing an assessment? Are you going to give them where all their gaps are? Are you testing it and sending out test phishing emails to see how many of their employees click? I would have to see that on one of those trainings while they’re on it. Send a test phishing email.
Jodi Daniels: That’s a great one. So I can share that it was not me who conducted it, but it was a group of executives in a meeting and it was on phishing and security. Let’s say 60 people, they sent an email out and it was completely a phishing email.
They wanted to test them and see what would happen. More than 75%, I think, of all the executives clicked on the phishing email. It was very, very telling. It was very interesting. It really is. And you know, it’s just human nature, nothing against those folks. We’re all busy. We forget. And that’s part of just that reminder piece.
So to address the question, there’s kind of two sides. There’s the privacy side. And for CCPA, there’s a lot that we need to be doing from a CCPA perspective. So there’s certainly an assessment that’s going to come. You need to do these many items and requirements. Let’s march forward and start working on those.
And on the security side, there’s also an assessment that you’d want to do. So if we were to look at, their remote work environment, you’d want to think about, what are the measures that you have in place today and start doing kind of a high level assessment. And then from there you can start diving in to determine what other deeper dives quite honestly are necessary in terms of how many systems do you have. Every organization’s a little bit different.
So you would start working from that angle and, and going from there. but you really kind of want to start with that high-level assessment and understand. What the organization is and understand it and then determine where you should go a little bit deeper.
Kristen McAlister: From that there seems to be a number of different stakeholders that you’re working within the organization, because I can see that it is involved.
I can see that HR is involved. How do you work with all the different stakeholders and keep that coordinated from your standpoint?
Jodi Daniels: Privacy is definitely a cross-functional role, and security, which today we’re talking a lot about, on the security side that tends to fall in a pretty narrow spot.
The chief information security officer, director of information security often owns that. It’s a little bit debatable where that role sits, but often in an organization, the privacy role is kind of homeless. A lot of the times it often starts in the legal organization because it’s associated with the law.
If there’s no in-house counsel, often it falls to the CFO, where they often own risk, compliance or the legal piece. And from there, everyone has personal data across the organization. So what you have to have is at least a single sponsor, and then it’s all about connecting all of the different parties together.
So in any of the projects that I I’m working on, there’s generally a point of contact. But then we’re working with the marketing team, the finance team, the HR team. It’s almost like a hub and a spoke. You kind of put the individual in the middle of the customer data, and who are all the other parts of the company that touch the customer data.
And they all need to be a part of that conversation with just whomever your central sponsor, if you will, of the project is going to be. It’s certainly cross-functional. And if anyone listening happens to have a privacy person in the organization, that person needs cross-functional support for sure.
Kristen McAlister: Thank you. It’s really tough when you have any initiative to make sure that you have all parties involved and working together. So now going back to really the one that’s on our minds and coming up here in the next couple of weeks with the CCPA being enforceable, what does it mean to me as a business owner and what do I need to do in order to be prepared?
I understand that. It was effective in January, but now if I’m not complying, there’s going to be some consequences. What should I be doing to prepare? What do I need to know?
Jodi Daniels: Yep. So the California Consumer Privacy Act, CCPA, it has some core basic tenets to it. The first is all about notice.
It is that privacy notice that we all likely have in the footer of our page. We need to pay attention to it. It needs to have a variety of requirements and it needs to disclose what we are doing with personal data. First, we have to understand that the definition of personal information here under California is much bigger and broader.
We need to be thinking about all the marketing activities that we’re doing. That’s now all in scope of personal information. A lot of times, especially from a security point of view, we think about personally identifiable information. PII people always say. But that’s not PII. In the privacy realm, we’ve got to throw that out the window a little bit, and it’s now much, much broader.
All the tracking, all the digital technologies, all of that is in scope. We have to understand all of the data that we collect, use, share, store. When we understand all of that, then we can write our privacy notice and communicate to everyone what it is that we’re doing. In California that has some very specific requirements.
It says you need to do these certain things. So business owners need to understand what data they’re collecting, using, sharing, and storing and disclosing it properly. Within that as I had mentioned – sharing. There’s a little bit of an interesting nuance under CCPA. It’s called the sale of data. And it does not only mean that I sold you data and you gave me a dollar.
It could mean that I share data with you, for you or to you, and I received valuable consideration back. So it’s a very interesting nuance to get to understand. If you’re sharing or selling any data under that definition, you’ve got to understand the data you have in your company.
So create and conduct a data inventory that will make sure you’re in compliance with CCPA. The next is going to be individual rights. Jodi has a number of individual rights. I can ask you to tell me what data you have on me. I can ask you to delete my data, and if you sold data on me, I can ask you to not sell that data.
So again, I have to know all the data I have including where I store it, for me to be able to execute on those individual rights. I have to make sure that all my contracts with all my vendors, all my vendors, they need to be CCPA compliant too. I can’t just pass it to them and hope that they’re going to do the right thing.
I have to make sure that they are also compliant with the law. And there’s a couple different items I need to think of. I need to look at my contracts. If I’m selling data, if I’m not selling data, the sort of different nomenclature. If I have a vendor, they need to be a service provider for me, our contract needs to state that I need to have a special addendum that addresses that they also need to protect our data.
Going back and tying it all to the remote work piece. What tools might we have now that we’re sharing personal data with? Even if it was my employee data. So Jodi, working with acompany.com logs into the cool zoom tool. I need zoom to protect that data. So it’s an entire cycle. So I need to do all of those things to make sure that I’m ready for CCPA.
And I need to train the people who are on the front lines, who might receive customer calls to make sure that they’re prepared and know what this is all about. Because at the end, this is a reflection of your brand and user experience and privacy and security is about trust with your customers. So making sure that you’ve built that in to your organization, so you have a strong trust based relationship.
Kristen McAlister: I’m so glad that you brought up the frontline workers and everyone else in the organization, because you can create all the policies and publish them. But if your actions and your processes and how it’s actually going about does not reflect what that policy says. That can be a big black hole.
We went through it as well. If someone emails and says, please remove me from your database. We got an email. I think it was probably back in January. We didn’t have a process yet. And it went into a black hole until it came up and we said, “you do this, you do this, and you confirm back,” and gave us a full circle.
And then we had to educate anyone who might possibly receive an email or a notification like this from anyone, here is how you proceed with it. Having a statement isn’t enough.
Jodi Daniels: Yeah. The process. And yeah, you can have a policy, but you have got to have a process that goes with the policy. And you have to train the people who are responsible for that and people change roles.
So you also have to make sure that whoever else might be taking that role, so it’s an ongoing activity. I can’t say, ‘Oh, I trained Sally six months ago. We’re good.’ Because now Sally might have a new role. So now who’s taking Sally’s position and you also want to be thinking about not just the commonplace where someone’s going to ask that question. So customer support might be one, or whoever’s managing the website, but there might be other avenues. Maybe it’s the social media team who gets those messages. And you want to make sure that that team knows where to direct it to. Because again, it’s all an experience.
Imagine I reach out to your company and the person on the other side says we don’t do that. I have no idea what you’re talking about. That would not be a good experience for me. And also it doesn’t put the company in a good light for complying with the law.
Kristen McAlister: You’re telling me is that there’s many things to be talking about, looking at, having your thumb on it, the processes, the communication. I love your hub and spoke example because I can start to see the layers of complication, that and details that need to be attended to, and I can see why companies bring you in and let you own the solution to that challenge that they’re having right now, because it’s a big weight on our shoulders.
No one likes having to worry about complying with something that they are not an expert in. And I can see the value of bringing Red Clover Advisors in to just say, don’t worry, I’ve got it. Appoint the champion that I’ll work with and I’ve got it from here.
Well, thank you so much, Jodi. Any last words of advice?
Jodi Daniels: Well first thank you so much for having me. It’s such an important conversation. You know, I want, I want all companies to be able to thrive, especially in this challenging time. And I really do feel like some of the basic items that I’ve put together, like a working guide kind of a best practices guide, can help people. Just what are those basic items that you had mentioned that we learned in Kindergarten? Right. And remind us of what those are and then to take the CCPA seriously. The one last piece might be just that if you are, especially in the B2B context, your customers are expecting this of you and the end consumer like me is expecting a company to protect my data from the security side and use it the way I expect. So it all goes back to that trust element. And this is a good thing to be able to help us build that cadence in our organizations, to always be protecting our data.
Kristen McAlister: Well, thank you, Jodi. And fortunately we have experts like you to remind us and guide us through that.
That’s it for today. I appreciate you sharing that with us, Jodi. And if there’s any questions, we will be posting Jodi’s information inside of the transcript of this and the blog. So you can certainly reach out and ask her any questions. Thank you so much and have a wonderful day.