Get in the habit now of using a privacy impact assessment tool. These reports will become requisite to several of the new privacy legislation going into effect. Beyond the reporting, however, they’re useful in detecting where the company may have vulnerabilities.

Dan Clarke has 30 years of experience combining technology with media, retail and business leadership, has held executive leadership roles at Intel, is an experienced data privacy advisor, and is a 9-time CEO. Dan has deep expertise in the privacy landscape and speaks frequently at public venues on the topic. He is also actively involved in Arizona, Texas, and federal privacy legislation.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Ohio in a small town outside of Cleveland called Apple Creek. I grew up in a big family — I’m the youngest of 10 kids. I attended Ohio Northern University, and I am an electrical engineer with an emphasis on chip design.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It actually started with an incident I had with a company’s privacy policy. It happened to be with one of the big online dating sites, which actually was very effective, as I was able to meet my long-time girlfriend through it. But I had failed to read the fine print before setting up an online profile. Lo and behold, in that fine print, it says they can keep your profile active for up to two years even if you deactivate it.

I had deactivated my profile after entering into that committed relationship, but unbeknownst to me, the service had reactivated my account. Word got back to my partner that I had an active dating profile, and it nearly cost me my relationship. I asked the company to delete my information, and they refused since I had technically agreed to their policy.

That is what inspired me to get into this field and it’s reassuring to see more laws — like GDPR, California’s CPRA, Virginia’s CDPA, and the Colorado Privacy Act — now putting safeguards in place for consumers.

Can you share the most interesting story that happened to you since you began this fascinating career?

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I used to work for Pat Gelsinger at Intel. He’s now the CEO, but he was the chief technology officer when I was there. He showed me that you can be a great technologist and a great leader at the same time. He’s the best leader I’ve ever known.

Are you working on any exciting new projects now? How do you think that will help people?

We are offering free privacy impact assessments right now, as these will shortly become critical for most companies under new laws in Colorado, Virginia and the updated law in California, all of which require impact assessments. Fundamentally, these walk a company through an understanding of the data elements, policies and risks associated with each unique project. Although required under GDPR, for many US companies, this is newly in scope or expanded in definition.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I think it’s really important to do something physical in your life to strike a work-life balance — especially now that we’re telecommuting. Now that work can bleed into other areas of your life so easily, you have to consciously make time for the rest of your world. I’ve been doing Ironman competitions for years and that has been such a productive outlet for me. But you have to find what works for you.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Number one is that it’s such a rapidly changing landscape. Having worked for Intel for a long time and at a number of startups, I like things that are evolving and changing. The privacy landscape is always doing just that. Just this year, we’ve seen Virginia and Colorado sign privacy acts into law, and more states are percolating up every other week it seems. There’s just change upon change.

Another thing I like about this industry is that it helps people. People need privacy. Everybody has a right to know how companies use their data and to delete that data if they wish. In fact, one of my friends, Jon Leibowitz, former chairman of the FTC, drew a comparison between the world of online privacy and celebrity gossip in 2009.

There’s the difference between information — legitimate reporting and legitimate information — and this intrusive type of information that the paparazzi want to uncover. That’s what we want to avoid in the privacy industry. We want to avoid that invasive information that nobody really needs to know about and you have a right to protect.

The third thing I like is that there are technology solutions to these problems. New innovative technology is continually being introduced to help protect consumers and reinforce some of the legal solutions in an automated and intuitive way.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

There’s no question that cyber attacks are becoming more frequent, not less frequent. We need to be better prepared for them. New methods are being employed to catch and resolve these faster, or avoid them altogether.

We’re also seeing a constant change in the privacy landscape. New states are adopting privacy laws. I’ve personally been involved in a number of states’ draft legislation. I think we’ll see 10 to 15 more states in the next year follow suit. I hope we’ll see something at the federal level — perhaps even from the FTC — to create some type of privacy requirement across the entire country.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I have been indirectly involved in one data breach. It was a large customer of ours who was doing the right things. They had all the safeguards in place, but they still fell victim to a breach. It happens even when you take reasonable precautions. But there were a number of lessons to come out of that experience.

One — and this is an important one we constantly preach to our customers — is to be prepared in advance. There’s not much you can do during a breach if you haven’t prepared yourself ahead of time. Being prepared ensures everyone on the team knows their marching orders, there’s a protocol in place to quickly mitigate additional risk or exposure, and a plan to alert the necessary stakeholders. Preparation is vital. In fact, when you talk to cyber insurance companies, the number one factor they use in creating the pricing for renewals or new insurance is your plan of action, because the plan makes the difference.

Another takeaway for me was how important the privacy department is in a data breach. Typically, the chief security officer (CSO) and the security department are responsible for data security. Privacy is usually a different function entirely, falling to a chief privacy officer or legal compliance officer.

In a breach, the privacy department often has a treasure trove of information. They know where all the data is. They have a comprehensive data map. It’s often in a different system, so even if some system is compromised or locked, the system for the privacy department may still be available. The privacy department can also help during the notification phase. When you notify your customers, those notices look a lot like a privacy notice. They have similar legal requirements.

Bottom line, be prepared and involve your privacy department in the development of that plan.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

We are actually a privacy tool company. Truyo is used by many large companies to automate their compliance. We certainly use the tools ourselves. In fact, we just introduced a new tool — a privacy impact assessment — that enables organizations to evaluate privacy risks and mitigation of those risks. We use it internally.

In addition to that, we use monitoring tools. Truyo doesn’t detect cybersecurity incidents. We use external tools for that, and those are really becoming critical because it’s so common to have exposure in a breach.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

How you approach privacy — the tools you use and whether you do that internally or externally — really depends on a couple of factors.

First and foremost, it depends on how many consumers you reach. You can be a big company, yet you might not reach a lot of consumers because you’re purely B2B in the enterprise space. In that case, you might be able to handle privacy in a more compact way. The more people you interact with, the larger the problem you have to solve.

The other dimension that drives this is the complexity of your environment. If you are an e-commerce company that has a single e-commerce platform, it’s fairly simple to approach that internally.

As soon as you layer multiple systems along with many consumers, then there are multiple dimensions of jurisdictions. If you have customers in Europe, or across different states in the US, you’re subject to different laws. And if you have multiple companies, multiple brands — all of these things add to the complexity. Any one of them can drive you over the top to where it’s time to take privacy more seriously.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

It’s critical to have detection software for any company, large or small. The easiest warning sign to spot is network traffic, or any type of inbound or outbound traffic, that looks unusual. That’s fairly easy to see with detection software.

If you get locked out of an account unexpectedly, if you have something in your deleted emails that you never wrote, if you see emails that look like they’re coming from somebody internally that look suspicious or if your network slows down unexpectedly, all of these things can be signs that something is amiss.

It is critical, though, that it goes beyond that human element of detection. You need automated monitoring in place as well.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The most important thing to do in any type of breach is to determine the root cause. You have to really understand, not just what data was impacted, but what was it that allowed someone to gain access? Was it external security? Was it your core security? Was it a creative phishing attack? Was it a personnel issue?

What you find in well-structured companies that have a focus on security is that it often involves some human element. Someone’s password was compromised. Perhaps a new employee is unaware of policies and protections and accidentally facilitates a breach.

Email phishing attacks are also becoming more prevalent. They aren’t really an incident by themselves, but they’re an attempt to get control of an email account, which will in turn allow attackers to access financial records or a network account, etc.

As soon as people figure out what data was impacted they often work rapidly to do the notices and to lock it down. Those steps are all important, but it’s equally crucial you get to that true root cause so you know what to do differently next time.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

We’re in the business of servicing these laws. We’re predominantly a security programming company, and we saw an opportunity to expand into the area of privacy compliance. So the laws have impacted us in a significant way, but that’s because they’ve had a big impact on many companies.

So many jurisdictions are now requiring things like impact assessments and data inventories. They’re extending rights to consumers that are not just one time, they’re an ongoing obligation that creates significant operational challenges for the business.

Many of these laws define the procedures around a breach. What is an incident? How must you notify people? How do you handle them? They’re defining categories of information in terms of what is more or less sensitive.

All of this impacts businesses that are within scope, and the scope of the law is gradually increasing with time. At first, it was just businesses operating in California with 25 million dollars in annual gross revenue with a dataset of 50,000 California residents or more, but now you’re seeing it in Colorado and Virginia — each of which has its own nuances and thresholds.

If you’re not impacted by the law today, it’s very likely that you will be in the near future, and it’s important to take this stuff seriously. They have more requirements around them and they require a reassessment of how you are approaching privacy.

You’re also seeing that consumers are getting more engaged, or they’re understanding better that they have privacy rights and they want to exercise them. All of this means additional operational challenges for companies.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Not being well prepared. Incidents are so common, you have to take an approach that it will happen, and be prepared. The privacy department typically doesn’t own incident response, but plays a critical role. If you are prepared, you have the best data map, duplicate vendor information and knowledge of how to notify consumers. Prepare these with an eye toward incident response.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Covid has impacted practically every element of business. Security, cybersecurity and privacy are no exceptions.

When you go to the office, the environment is a lot easier to control from a security perspective. Now, with people working from home or hybrid, you have this new element where you have to understand and control their security, but at the same time, you have to respect employees’ individual privacy at home. We’ve seen an increase in the number of incidents.

We also have new requirements around this at the state level — like the Covid emergency temporary standards in California — all the way up to OSHA guidelines at the federal level.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Recognize the role of the privacy department in security. One thing I think businesses often miss is the role of the privacy department in security. The privacy department has an enormous amount of insight into how information and data flows through an organization. They know what kind of data is collected. They know why it’s collected. They know the retention policies, they know where it gets routed. They know what systems it goes into. They know where it ends up over time. All of this can be very important in a cybersecurity incident. Yet, it’s often overlooked until it actually happens. It’s completely separate from cybersecurity. If you’ve been the victim of an encryption attack, for example, or a significant network breach, having a separate privacy department is advantageous. It’s time for people to recognize that and to deliberately take an approach where the privacy department has resources that can be leveraged in any type of incident.

2. Get in the habit now of using a privacy impact assessment tool. These reports will become requisite to several of the new privacy legislation going into effect. Beyond the reporting, however, they’re useful in detecting where the company may have vulnerabilities.

3. Leverage technology. One big challenge for most in security and privacy right now is how to manage unstructured data. It’s easy to know what kind of information you have in structured systems like your CRMs, spreadsheets, etc., but what’s keeping privacy professionals up at night right now is all the data that might exist in emails, texts, chats, etc. There is technology out there, like Egnyte, that helps discover this information.

4. Get a plan in place. Going through the process of putting a plan in place will also help expose any weak points.

5. Prepare a data map. This is actually an important part of the preparation process. Data maps give you a lay of the land and essentially help you take inventory of all of your data.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Balancing exercise and nutrition is something that I’ve learned is incredibly important. If I could inspire a movement, it would be around making a healthful lifestyle more easily accessible for everyone.

How can our readers further follow your work online?

On LinkedIn at https://www.linkedin.com/in/danclarke/

Or at Truyo.com

This was very inspiring and informative. Thank you so much for the time you spent with this interview!