As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dan Linton.
Dan is the Global Data Privacy Officer at W2O, where he leads internal privacy operations and supports client data privacy related to digital marketing and communications with a deep focus on both US and global legislation such as the CCPA and GDPR. He holds current CIPP/US, CIPP/E and CIPM certifications from the IAPP.
Dan helps both W2O and clients to not just be compliant, but also incorporate data ethics into organizational culture and identify strategic opportunities to communicate privacy as a key brand differentiator. He also takes advantage of over 20 years of deep experience in digital marketing and data analytics to effectively bridge the communication and organizational gaps between legal, business, IT, InfoSec and MarTech stakeholders at all levels.
An active conference speaker and published blogger on privacy related topics, Dan has also received several awards and finalist acknowledgements for his work in both digital analytics and privacy.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Canada, specifically in a small city called Red Deer in the province of Alberta. I’ve since moved around North America a lot, but my father and brother still live there. It was and still is a very suburban community with a small-town vibe. In the family I was definitely the tech-y one and my parents supported that. I can recall the first computer we had — a Tandy TRS-80 Model III with dual 5¼” floppy disk drives and a monochromatic green text screen. It was 2,500 dollars at the time, and that was the 80s! It seemed like a magical device, and, according to my Mom anyway, I spent entirely too many hours on it. Once I eventually got a computer with a dial-up modem, that’s when she REALLY wanted me to get outside more, since I was constantly using the only phone line to connect with BBSs (bulletin board systems) to play games. Now I can trace my career in data analytics and privacy back to that first Radio Shack computer.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In my case, it was more of an evolution than a single moment. In the late 90s and early 2000s, I taught myself to build websites using Dreamweaver, and eventually I got a job at a small software company to manage their website. They didn’t have a lot of money for marketing, so to help get more leads, I taught myself website analytics. I was absolutely fascinated by the “behind the scenes” aspects of web design, and how changes I made would directly impact my company’s website rank on Google. From there I slid into full-time web analytics roles, then more widely into digital analytics positions. It was at that point that I began to realize just how much information is captured on the Internet, just how personal that data can be, and how that data can be stolen or misused for nefarious purposes. At the suggestion of my boss at the time, I went for training and got my first International Association of Privacy Professionals (IAPP) certification, as it was the only ANSI-certified privacy credential available. Then with the implementation of GDPR and other legislation, privacy went from a useful side-specialty to my full-time position. It was a bit of a long route, but my core understanding of data flows and Internet tracking technology really helps me be a far more effective Privacy Officer.
Can you share the most interesting story that happened to you since you began this fascinating career?
Some of the best stories I have are in meeting people and having discussions on the more philosophical side of privacy. In 2005 or so I was lucky enough to run into a very senior person at Yahoo — which was a very big deal at the time — and we got to talking about how they were losing search share to Google, which was impacting their ad revenues. He shared with me that they had considered somehow paying people directly to use Yahoo search in hopes that it might revive their search ad business. They never did that of course, but it was that conversation that really solidified the idea that personal data has real value, not just philosophical value but real monetary value, and it should be protected.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’ve had many mentors to help me on the way. That boss I mentioned earlier who suggested I take the training was an incredible teacher for me. Her name is Shaina Boone, and she gave me that little push into a direction that would eventually be a huge and positive change for me — little did either of us know at the time! Before that though she taught me many of my early lessons on how data moves through the internet, and helped me develop my technical skills further. I also should say that another direct manager, Chuck Hemann, also did something similar by being the one who pushed me from privacy as a side-gig to a full-time position. I’m incredibly grateful to them both, not just for knowing where to point me at a critical moment, but also for all the other lessons in technology, data, and communications that they’ve offered me through the years.
Are you working on any exciting new projects now? How do you think that will help people?
Since I began at W2O, we’ve always been up to some exciting things. Most recently we’ve launched a new clinical trial recruitment service called Hū (short for Hūman but long on humanity), which is really a first-of-its-kind revolutionary program. Among other things, Hū combines data, behavioral economics and decision science to understand human decision making — all to drive significantly more effective clinical trial recruitment. There is currently an unprecedented decline in clinical trial participation that is threatening the development of new therapies, and Hū aims to bring a dramatic shift in research participation. Of course, because it’s so data-intensive, privacy and security are key components of this work, and Hū promises to have a huge impact on incredibly important medical research.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I practice and recommend self-awareness strategies, including mindfulness and meditation exercises. Paying attention to how I think, feel, act and believe has helped me uncover the many root causes of my stress and fears. By uncovering them, I’ve come to understand myself more completely, and the stress and fears have slowly fallen away. I can’t always control the situation, but I have learned to control my reactions, and that has not only saved me from burnout, it has also helped me to become a more effective employee, manager and person.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The most interesting thing for me is the delineation of security and privacy. Security and privacy were for a very long time synonymous, and often a CISO would be the de facto — or actual — privacy officer. While the two are definitely intertwined, the advent of significant privacy legislation like the General Data Protection Regulation (GDPR) in the EU, and the California Consumer Privacy Act (CCPA) here in the USA have brought more focus to how data should be handled, not just keeping it secure. In my experience, it takes a village of experts across IT, legal, privacy and product to manage an effective privacy and security program.
Secondly, beyond security, I’m seeing more and more discussion on privacy and data ethics. The idea that “if you’re doing something that you don’t want other people to know, maybe you shouldn’t be doing it in the first place” is an outdated mode of thinking. Digital tracking and data collection has for a very long time taken the approach that if it can be done, it will be done. Now, attitudes have shifted and I’m participating in discussions about what should be done versus what can be done.
Lastly, I’m excited about privacy and security being adopted as a brand differentiator. Organizations like Apple are now pinning their reputation on privacy and security, and using that to stand out from their competition. That shift means that these organizations are starting to finally take privacy and security seriously, because now if a data breach occurs, it’s not just an IT problem, it’s a board-level brand problem. Having that higher level of responsibility to a brand means that companies will be far more diligent in applying proper resources, technology, and policies to ensure their consumer data is safe and secure.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
There will always be evolving technical threats that cybersecurity must constantly keep up with. Deepfakes, AI-based cyberattacks, quantum computers being able to break encryption systems, it’s a constant and never-ending race. Most responsible organizations pay a lot of attention to these threats, and have people, systems and vendors to keep up.
For me, the biggest threat organizations seem to be ignoring is the rise of privacy legislation that can either result in massive fines or class-action lawsuits. Not losing your data to ransomware is one thing, not being on the receiving end of a 124 million-dollar government fine is another. We are seeing more and more privacy laws coming online, with many more coming in the near future, a lot of them carrying the potential of massive financial penalties. To be prepared for that, companies need robust cybersecurity and privacy / risk assessment programs. A lot of organizations I talk to don’t even know where all their data is, what systems their data resides on, where it’s coming from, when it’s being deleted (if ever), and so on. That lack of knowledge and governance results in significant risk, and it is no longer just reputational risk when someone leaves a database of 500 million email addresses unprotected. More and more we’ll be seeing significant financial impacts from not being buttoned up because new laws are giving regulators and individuals the right to pursue legal recourse.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The breaches that I’ve been involved with typically involve an untrained employee making a mistake. Actual hacker-style breaches in my experience are fairly rare, but employees can violate policies fairly easily, intentionally or not, or be phished. What I’ve learned in my career is that constant and frequent employee training is just as important as IT cybersecurity systems. The larger an organization is, the more important this becomes. There is only so much an IT department can lock down, and in my experience, it’s the end user that is the weak link in the chain.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
W2O is primarily cloud-first, meaning we evaluate and use leading vendors for things like file and data storage. For example, it’s critical for us that files be encrypted both “at rest” and “in transit”, meaning that a file is constantly encrypted whether it’s stationary or moving between systems. That ensures that if a file is intercepted as it’s moving, it’s still as unreadable as when it’s not. We also use anti-virus software, two-factor authentication, password management, and next-generation firewalls. Next-generation firewalls check packet payloads (the actual data being transmitted across the Internet versus the header / destination information) much more deeply for things like malware than traditional firewalls.
On the privacy side, we use robust privacy-specific software to do data mapping (what data is coming in from where and about whom, how long is it kept etc.), handle data subject access requests that come in related to GDPR and CCPA, as well as evaluate our vendors for security.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
I always think about this kind of question from a risk-analysis point of view. A company may not need a large cybersecurity team if the risk is low, and specifically what must be asked is — what kind of data is the organization handling, and what kind of impact would it have if it got out? The higher the volume of sensitive data, the more need there is for a security and privacy team. My first recommendation is always a data mapping exercise to understand what data is being handled, how sensitive that data may be, and what systems it’s flowing through. Then and only then is an organization in a position to balance risk versus higher funding in cybersecurity and privacy, whether in people or in systems. A relatively small team can handle a large organization if they have the proper funding in tools.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
My personal Twitter account was hacked a few years ago, and the first sign I got was a text message from a friend asking me about an unusual tweet that was sent through my account by someone else. It can be difficult for people to detect a breach, so my best advice is vigilance. I use a credit monitoring service that alerts me when there are any changes to my credit file. I also use a password manager that helps me by creating unique complex passwords for every online service I interact with, along with two-factor authentication. In the absence of actively monitoring your online presence, you may not notice a breach until you can’t log in to your favorite website, or your bank account has already been drained. Most consumers need to take a far more proactive stance with their digital lives and set up things like login alerts and dark web monitoring. I also can’t emphasize enough how many people I know that still use one password for everything and never change it, and that is very risky. Get a robust password manager, and change passwords on sensitive accounts frequently.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
A breach response plan is critical. If an organization waits until they have a breach before planning what to do about it, it’s too late. Planning a strategy, and practicing it regularly are key. Breach response plans lay out how an organization will monitor for, respond to and recover from cybersecurity incidents, and they are critical processes for any company handling data.
In addition, a reporting and notification plan should be part of the bigger breach plan. Many state, federal and international privacy and breach laws require very rapid reporting both to authorities and consumers. Knowing what data you have, and who you need to notify in case of an incident is critical to lay out long before an incident occurs.
Breaches and cybersecurity incidents are not a question of if, but a matter of when. Having a robust and well-practiced plan long in advance is key to any organization’s ability to respond and recover.
The CCPA, GDPR and other pieces of legislation becoming enforceable around the world bring new levels of responsibility to organizations, and that definitely has an impact. The CCPA is primarily an opt-out mechanism, and as such I haven’t seen too many impacts to our business other than being prepared to respond to requests from Californians, which the new law allows for. GDPR is primarily an opt-in mechanism, so we have seen impacts to things like website designs with new cookie controllers, and a reduction in specific types of advertising like retargeting. That said though, enforcement of GDPR has been spotty in my opinion, and as a result there are a lot of organizations that don’t appear to be changing, preferring to stick to the status quo. Once European regulators get around to handing out more fines, I expect to see more rapid changes.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake I see is simply not knowing. Many organizations don’t have a robust data mapping or vendor management program, and as a result they don’t know what data they hold or where it is — which makes it very difficult to protect.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
While the major shift to remote work has certainly required changes to IT infrastructure, I haven’t personally seen any increases in privacy or security errors. If anything, it feels like people have started to feel like there may be an increased risk (which may or may not be true), and as a result they are being more vigilant. In offices people felt like they were in some kind of impenetrable bubble of IT security, and now they feel they need to be more attentive. I don’t believe working from home is any more or less secure with the proper precautions, but I do believe the pandemic has raised general security and privacy awareness.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Create and maintain a data map: Many large organizations have no clue what data they have, how it’s being used, who’s collecting it or why, and essentially there is often no data privacy governance at all. Companies need to get on top of their data immediately, and map out what data they have, where it’s coming from, where it’s stored, and how long it’s held. In my experience, I see this happening a lot at organizations that often have robust cybersecurity functions, but no privacy or data governance function at all. IT cannot protect what they don’t know about.
- Develop a robust privacy function or working group: Cybersecurity teams are focused on systems protection, but they may not be as versed in privacy compliance issues, nor might they know in granular detail what types of data points are flowing through a system. Legal teams may not have specialized knowledge of what specific points of data are flowing through what systems. A privacy working group should bring cybersecurity, legal, privacy and product owners together regularly to evaluate data flows with an eye towards risk reduction and ethics. Depending on an organization’s size, a dedicated privacy function can help bridge the gaps between the internal groups, and manage activities like ongoing data mapping.
- Train, train, train: In larger organizations, both general awareness training for all staff and specific functional training for employees who handle sensitive data are key. Some privacy regulations now require staff training, including being able to prove the training occurred. In my experience, regular training combined with other less formal reminders helps drive adoption. At W2O, we hold an annual Data Privacy Day, where we combine a short training with an annual personal data audit and file cleanup for all employees, which then culminates in a party at the end of the day. Regular reminders and fun activities help drive compliance throughout the organization, and at the same time it also builds a culture of data privacy and security awareness that lasts the whole year.
- Break your data hoarding habit: Unnecessary data retention, or what I refer to as data hoarding, is the Achilles’ heel of even the most robust data privacy and security programs. I often remind my teams that if we don’t have it, it can’t be lost in a breach. This goes hand-in-hand with a data mapping exercise, part of which is evaluating if there is a need to hold data — if it’s not needed and there is no clear business or legal reason to keep it, it should be permanently deleted. I’ve observed many organizations collecting and keeping huge hoards of very personal data without any clear reason to do so. Not only is this counter to some privacy legislation like GDPR, it also significantly increases the potential impact of a data breach. Practice data minimization, and if you don’t need it, trash it!
- Build privacy and security as a brand value: Ensuring privacy and security is absolutely vital to protecting a brand’s reputation, and it can also become a brand pillar and competitive differentiator. Organizations that communicate clearly about their privacy programs tend to see higher engagement and more trust from their audiences. The most notable example of this is Apple, who differentiate their phones based on privacy principles and protecting people’s data. They not only develop policies and technology to protect user data, they communicate and advertise on the basis of that protection, and it’s helped drive consistently higher levels of brand loyalty versus their competition.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
In the business context, shift your mindset — all that data you’ve collected is not “your” data, it belongs to the person to whom it refers or came from. Treat it as if it’s borrowed from a close friend, on loan to you for specific purposes, and protect it with that mindset. New privacy legislation is giving people the right to take their data back, and they will if you don’t handle it with respect.
In the personal context — use a password manager and get regular credit monitoring if you can to protect yourself from organizations that don’t respect your data.
How can our readers further follow your work online?
I’m an infrequent tweeter at @danlinton, and please follow W2O (@W2OGroup). We’re also just in the process of launching a privacy video series, in which I speak with industry experts and we answer common privacy and security related questions in short, five-minute bites — you can check those out soon at w2ogroup.com.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!