It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Bubba Scott Nunnery, ZoomInfo’s Senior Director of Privacy and Public Policy. In this role, he monitors the status of legislation and regulations at the state, federal, and international levels and analyzes their potential impact on ZoomInfo’s business and its customers, maintains relationships with advocacy groups and key legislative offices, and builds brand programs that elevate ZoomInfo as a privacy-first technology platform.
Prior to joining ZoomInfo in early 2020, Bubba was the national political director for America Votes, where he coordinated programs run by more than 40 national, issue-focused organizations. He has also managed, consulted on, and built strategic campaigns for state parties, environmental organizations, labor unions, and local and national candidates across the country.
He received a B.A. in sociology and criminal justice from the University of Northern Colorado and an M.S.W. from California State University, Long Beach.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
For sure. I grew up in the northern suburbs of Denver. My parents were both public school educators and I attended high school and undergrad in Colorado before moving to Southern California, where I went to Cal State Long Beach for graduate school.
This is probably the place to note that my given name at birth is, in fact, Bubba. My dad was from the rural South and a star college football player, and I think my name was his way of creating a stereotype for me to grow into, as well as giving some vitality to his Southern legacy.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
My entire career has been focused on policy issues, though in different contexts. Early in my career I was a social worker, working first in direct practice, then later in a macro capacity focused on improving policies impacting low-income, mentally ill, and other at-risk populations. Learning the direct connection between data and how tax dollars are allocated was an eye-opener for me.
The bulk of my work has been in the political sphere, leveraging data to coordinate the political engagement of large, national member- and issue-based advocacy groups. In that context, we would use data to identify voters who were aligned with particular issues related to the environment or healthcare, civil rights, the economy, and others.
Can you share the most interesting story that happened to you since you began your career?
Who can ever think of one thing? I’ve lived through an interesting period for tech development. Looking back, when I began in politics, campaigns were conducted on paper lists. Voter data was available, but you might get a hard copy, or, if you were lucky and in a high-tech county, a CSV file on a floppy disk. Data entry was manual, and you had to plan on a few hours of keystrokes each night to track the few hundred conversations that volunteers had with voters. To now work in an environment where we ingest 400 million records a week still kind of blows my mind.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’ll give you two: my mom and our CEO Henry Schuck. Here’s why:
Before I ever had a job, I finished college, and before I ever finished college, I failed out of college. I had initially gone to college primarily for athletics and hadn’t thought much about my academic future yet. I’ll never forget having to tell my mom and saying “I’m just not good at anything.” She looked at me, curiously, and said “Of course you’re not. You haven’t done anything. The question for you to answer is, ‘What do you want to learn about?’” It was an important paradigm shift in my thinking that led me back into school, surfaced a newfound curiosity about the possibilities in my life, and influenced me to pursue big goals in life and take big risks.
I’m relatively new at ZoomInfo, though I’ve known our CEO Henry Schuck for a long time. From a distance, I’ve watched him build this ever-expanding company while cultivating thousands of amazing professionals through his vision, energy, and leadership. Initially, coming to ZoomInfo felt foreign to any of my previous experience, but Henry was certain that my skills and background would be a value-add for the company. That confidence inspired me to trust myself, switch lanes in my career, and join our amazing team — just like my mom would want.
Are you working on any exciting new projects now? How do you think that will help people?
Everything at ZoomInfo is exciting. Most recently we launched Streaming Intent, an innovative solution that identifies companies with above-average search volume on business-to-business (B2B) topics, within minutes of their web activity — what an advantage for our customers!
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I love this question. In my experience, the most balanced, productive, and energetic professionals are as passionate about their families, hobbies, and themselves as they are about their job. The responsibility of building and maintaining that type of culture balance rests squarely on leadership; people need to be encouraged and rewarded for pursuing personal goals and fulfillment, not shamed. On the other end of the spectrum, individuals need to build those personal interests into their lives. This is an aggressive, fast-moving industry. It’s very easy to forget about yourself. Don’t do it!
Okay, super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
The United States is interesting because there is no comprehensive federal privacy law, no national data breach notification law, and no universal legal definition of what ‘private information’ even is. Certainly states may have versions of these things, though they vary from place to place and depend on things like company size, type of information they handle, and what is required. Because of this, companies are always going to need to research what laws apply to them, whether it is something industry-specific, like the Health Insurance Portability and Accountability Act (HIPAA), or state-specific, like California’s Consumer Privacy Act (CCPA).
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Without question. Information should only be collected for a specific, legitimate purpose, used only for that purpose, rigorously protected, and held only for the minimal amount of time it is needed.
There is an instinctual drive for companies to collect and amass as much data as possible. I do understand it because, for many of us, data is the most basic and important raw resource from which we build our tools and assets.
But this idea of sitting on top of every digital ingredient we can get our hands on, like it is a mountain of gold coins, flies right in the face of what people actually want to happen to their information, and this creates an increasing liability risk of regulatory violations and/or data breaches for the company.
Conducting privacy impact assessments on a cadence that makes sense can help fast-moving companies stay on top of those fundamental questions: What information do we collect? Why do we collect it? How long do we need it? Why do we need it that long? Then what do we do with it?
In the face of this changing landscape, how has your data retention policy evolved over the years?
To be fair, in its current iteration, ZoomInfo is less than a year old, so “evolved” may not be the most accurate term. Still, the compliance landscape changes frequently, and these changes concern us, our customers, and our vendors. Companies have had to augment their approaches to data retention to meet the requirements of numerous stakeholders, and the responsibility to maintain the proper secured infrastructure becomes more burdensome and requires more resources every year. These concerns are in a constant state of examination to ensure the proper balance is maintained. I will say that we are constantly pushing ourselves toward collecting only the data we need and retaining it for the absolute minimal amount of time.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Data retention policies are unique to the organization and cannot be generically implemented. To appropriately develop such policies, a thorough review of the data is made to determine (among many other things) the classification and the potential for regulatory compliance treatment — think GDPR, SOX, HIPAA. For example, is this a customer’s data that includes PHI (Protected Health Information) or does the data contain company financial information? The answers to these questions are what drives the company’s approach.
Once that determination is made, resources can be appropriately allocated to suit the needs and budgetary constraints of the business. Data that requires contractually mandated retention periods of a longer duration, and data that is associated with compliance requirements, would be maintained differently than other classes of information.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
For sure. This is where I like to tout ZoomInfo as an industry leader. Like many, we were affected by both the CCPA and GDPR in recent years. When CCPA passed in California, we built a privacy program that complied with the law — the strictest to date — then we asked ourselves “What else can we be doing?” We made the decision to apply the law to the entire country, meaning we provide notices far and beyond what we’re required to do by law. When the GDPR passed in Europe, we preemptively expanded our obligations to the entire world and now run a global privacy notice campaign. Nobody else does that. We also have an automated Privacy Center with explicit workflows that allows contacts to proactively manage all of their own information, 24/7.
As far as things we’re worried about, one thing we view as problematic is that, to date, the federal government has been unable to come together on a comprehensive privacy law. That concerns us because what we don’t want, what no company should want, is having to navigate 50 different state privacy laws that don’t have any symmetry between them. This would be extremely cumbersome for anyone doing business in multiple states and exponentially harder on smaller companies, who may not have the legal, technical, or staffing capacity to monitor and assess varying regulations across states, nor the resources to build and implement the required compliance systems.
The other big challenge is that as legislators are drafting privacy policies, they are listening to the public, which is rightfully concerned about things like data breaches and identity theft — the loss or misuse of personal, sensitive information. But in many cases, what legislators are not doing when drafting these bills is differentiating business contact information from personally identifiable information that is truly sensitive. That’s a big deal. We all know that your Social Security number is more sensitive than your work email, and someone knowing your company address doesn’t make you as vulnerable as someone knowing your precise geolocation.
Business contact information, like that typically found on a business card or in an email signature, is intended to be used for business. It’s the least sensitive information, intended to be used by professionals, and not excluding it from privacy laws could have a devastating effect on business-to-business commerce.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools may have matured, but they have also become much more niche-oriented. That is to say, great tools are available to provide specific services within a larger data retention program; however, a strong application to manage the entire spectrum — end to end — of data retention procedures is not available, to my knowledge. If you know of one, we’d be happy to hear a presentation on the tool’s capabilities!
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
Every breach reminds us how vigilant we must be in protecting our information assets. Part of that is knowing what information we have, how to protect it, how long to keep it, and finally, how to get rid of it.
Okay, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Privacy needs to be someone’s full-time job. There are a lot of companies that may have a data protection officer who splits time between privacy, security and maybe even IT. Or they may get all their privacy direction via contract legal advice. Everyone’s resource realities are different, but the privacy landscape is dynamic and only becoming more complex. Someone needs to have a finger on the pulse all the time.
- Policies and practices need to be revisited regularly. In addition to the ever-changing world outside the office doors, companies are constantly changing and evolving. Building new products and services, expanding into new markets, mergers and acquisitions… it’s all very exciting and it can be easy to overlook, if not outpace, the current policies. Implementing a recurring privacy impact assessment on a schedule that makes sense can help ensure that a company is doing what they say they’re doing, as well as meeting all relevant regulatory requirements. It can also help identify where any updates or changes need to be made to policies and procedures.
- The entire company needs to understand its obligations and protocols. One of the hardest things to do in a big company is get everyone looking at the same whiteboard. Yet, in order to be effective, data security and privacy need to be in the bloodstream of the organization. This can be achieved through robust training and onboarding programs, deliberate interdepartmental coordination, and regular security audits and privacy impact assessments. Additionally, these things shouldn’t be thought of only as a way to avoid crises; strong privacy and data security commitments are huge competitive advantages for companies.
- Prepare for the worst. No one gets a heads-up in advance of a data catastrophe. Having a rapid response team that is prepared and a plan in place is critical. Comprehensive dry runs that can simulate all aspects of a crisis, including containment, assessing the scope of impact, internal and external communications, and regulatory responsibilities, can be the difference between successfully mitigating a serious problem and having a disaster that your company won’t recover from.
- Resist the impulse to collect as much data as possible. Limit information intake to the absolute minimum you need. Tell people exactly what you’re doing with their information and give them the choices and tools to decide if they want to be a part of it or not. When you no longer need data — get rid of it! More isn’t better. Better is better.
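The privacy impact assessment questions earlier in the interview (what do we collect, why, how long do we need it, then what do we do with it), the point that classification drives retention treatment, and the final item above (“when you no longer need data — get rid of it”) are the kind of policy that only holds up if it is enforced mechanically. The following is an added example, not ZoomInfo’s code or any tool it uses: a small retention-enforcement routine in which each record carries a classification and a purpose, the policy maps classifications to retention periods, records under legal hold are never purged, and records with no policy entry are surfaced as an inventory gap rather than silently kept. The classifications, retention periods and sample records are constructed assumptions for illustration; real periods come from contracts and regulators, not from this table.

```python
"""Retention-policy enforcement sketch (added example; all values are hypothetical)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical retention periods per data classification, in days.
# Illustrative assumptions only, not any company's actual policy; contractual
# or regulatory minimums would override these numbers.
RETENTION_POLICY = {
    "business_contact": 730,   # name, work email, company address
    "financial": 2555,         # roughly seven years (assumed audit-driven minimum)
    "phi": 2190,               # roughly six years (assumption)
    "marketing_event": 90,     # web activity signals: short-lived by design
}


@dataclass
class Record:
    record_id: str
    classification: str
    purpose: str            # the stated reason the data was collected
    created_at: datetime
    legal_hold: bool = False


@dataclass
class Decision:
    purge: list = field(default_factory=list)
    retain: list = field(default_factory=list)
    hold: list = field(default_factory=list)
    unclassified: list = field(default_factory=list)


def evaluate_retention(records, policy=RETENTION_POLICY, now=None):
    """Decide, per record, whether it is past its retention period.

    Records under legal hold are never purged regardless of age. Records whose
    classification has no policy entry are reported separately instead of being
    kept by default: an unknown class is a data-inventory gap to fix, not an
    excuse to retain.
    """
    now = now or datetime.now(timezone.utc)
    decision = Decision()
    for r in records:
        if r.legal_hold:
            decision.hold.append(r.record_id)
            continue
        days = policy.get(r.classification)
        if days is None:
            decision.unclassified.append(r.record_id)
            continue
        expires = r.created_at + timedelta(days=days)
        (decision.purge if now >= expires else decision.retain).append(r.record_id)
    return decision


def inventory(records):
    """Answer the PIA questions 'what do we hold and why': counts per (class, purpose)."""
    counts = {}
    for r in records:
        key = (r.classification, r.purpose)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data for the example, not real records.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("c-1", "business_contact", "sales_outreach", datetime(2018, 1, 15, tzinfo=timezone.utc)),
    Record("c-2", "business_contact", "sales_outreach", datetime(2020, 12, 1, tzinfo=timezone.utc)),
    Record("f-1", "financial", "billing", datetime(2013, 6, 1, tzinfo=timezone.utc)),
    Record("f-2", "financial", "billing", datetime(2019, 6, 1, tzinfo=timezone.utc), legal_hold=True),
    Record("e-1", "marketing_event", "intent_signal", datetime(2020, 11, 1, tzinfo=timezone.utc)),
    Record("x-1", "device_fingerprint", "fraud", datetime(2020, 11, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    result = evaluate_retention(SAMPLE, now=NOW)
    print("purge:", result.purge)
    print("retain:", result.retain)
    print("legal hold:", result.hold)
    print("unclassified (policy gap):", result.unclassified)
    for (cls, purpose), n in sorted(inventory(SAMPLE).items()):
        print(f"{cls:20s} {purpose:15s} {n}")
```

Two design choices matter here. The purge decision is computed against a fixed `now` passed in by the caller, so a scheduled job and a dry run in a test produce identical, reproducible results. And the “unclassified” bucket is deliberately separate from “retain”: a record that nobody classified is exactly the kind of data that accumulates into the “mountain of gold coins” the interview warns about, and the job should make that visible rather than quietly keep it.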
This was very inspiring and informative. Thank you so much for the time you spent with this interview!