As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Donata Kalnenaite. She is a privacy and technology attorney licensed in Illinois, and the President of Termageddon, LLC, a generator of Privacy Policies, Terms of Service and more. Donata is the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. Donata spends most of her days engineering Privacy Policies and keeping track of proposed and new privacy laws across the world.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Palanga, Lithuania and moved to the United States to live with my parents at the age of 12. I spent about a year living on Brigantine Island, NJ and then moved to Orland Park, IL. After completing my undergraduate degree at Saint Xavier University in Chicago, IL, I went to law school at John Marshall Law School downtown. While in school, one of my classmates was working at a software development company and offered me a part time job doing their finances. Needing money while in school, I gladly accepted.
When I first started working there, I really had no concept of what technology could do, apart from what was possible on my personal computer. I soon became entranced by the idea that people could build amazing websites and software and that this work can help businesses start and grow. In this job, I really fell in love with technology. After law school, the company was successfully bought out by a larger development company and I moved on to private practice, helping other software developers with contracts and business formations. Ever since the buyout, I was seeking the rush of working at a technology company and working at Termageddon has definitely satisfied that need.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Yes, in 2013, Target was subject to a very large data breach, which exposed the credit card account details of 41 million customers. I was actually one of the 41 million customers and received a letter from Target stating that my credit card details were exposed. That was really my first brush with cybersecurity and cyber criminals and, I have to say, it was eye opening. I became concerned about the various accounts that I had with different companies and who had my personal data and what they could do with it.
It was truly unnerving to find out that my information was not as secure or private as I thought that it was. The event actually sparked my interest in cybersecurity and I did a project for school on phone companies and the data that they share with governments and law enforcement agencies. After that, I started following privacy and cybersecurity more closely and became more involved in this topic in law school and afterwards.
Can you share the most interesting story that happened to you since you began this fascinating career?
Yes, after starting Termageddon, I started applying to speak at events. One community that I was quickly introduced to is the WordPress community and I have since spoken at multiple WordPress events. WordPress is a platform used to build websites and millions of companies use it to build their business and get the word out about their services and offerings. My first speech was at WordCamp Jackson, MI and I spoke about what website developers need to know about privacy. Honestly, I thought that I would maybe have three people attend my speech. To my utter surprise, the room was packed. All of the attendees had very specific and important questions about privacy and I was shocked by how many people outside of the privacy field were interested in privacy and government regulations and requirements for websites. At that point, I knew that I was in the right place and was happy to share my knowledge with others.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My fiancé, Hans, has been a huge help with getting me to where I am today. We actually met when his company purchased the software development company that I was working at while at law school. He is also my business partner at Termageddon and runs our sales and partnership programs. He has been extremely supportive with me entering the privacy field and with starting Termageddon. I think it’s amazing that he has spent so much time listening to me talk about privacy laws and the legal engineering behind our policy questionnaires and text. I think most non-lawyers would have fallen asleep after the first hour but he has graciously spent years listening to me talk about privacy and very obscure issues when it comes to legal engineering and I’ll forever be grateful for him doing that.
He is also very supportive of me trying new things and implementing further compliance measures and engineering policies of a complexity that can be mind boggling. He’s also jumped head first into hobbies that I’ve wanted to try — how many other people will say “ok, let’s do it” when their spouse wants to become a beekeeper? Probably not many but Hans has always been happy to support me in my endeavours, no matter how crazy they seem at first.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, I am working on two very exciting new projects — one from a work perspective, and one from a personal perspective. In terms of work, I am working on engineering a Disclaimer generator that will contain all of the required disclosures of the relevant state’s Rules of Professional Conduct that govern attorneys. This will ensure that attorneys comply with their state’s rules and regulations when advertising or marketing online. From previous research, I found that most attorneys do not actually comply with these rules, which can lead to sanctions and even disbarment in more extreme cases. However, if you are licensed in multiple states or a part of a law firm, it can be difficult to find all of the rules and have all of the correct disclaimers. I believe that my project and work will make this significantly easier for lawyers, helping them comply with the ethics rules and also helping consumers get all of the relevant information when evaluating lawyers.
From a personal perspective, I am working with a group called Sustain DuPage on allowing people to keep chickens in our county. To me, it’s important to be eco-friendly and to allow people to grow their own food. Our county has been very prohibitive on such practices in the past, but we are working to change that. I live in a rural area and food insecurity can be a big issue in our community. Having the ability to raise chickens will help curb that and will serve as an important educational experience for children and adults alike.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I think that it’s easy to get burnt out in the fields of privacy and cybersecurity. There are new laws, cases, vulnerabilities and issues that come up every single day and sometimes it feels like a ride that will never stop. While I know that each of us deals with the stresses of work in different ways, the following tips have helped me keep energized and motivated:
- Have a hobby that is not related to work. As privacy and cybersecurity professionals, we usually sit in front of a computer or in meetings all day. To me, getting outside and focusing on something that is not on a screen has been really helpful to decompress after a long day. My favorite non-work-related hobby is beekeeping. We have a hive on our property and it’s absolutely amazing to see the whole lifecycle of bees and how their society changes with the seasons or even with the weather. Since you should not be making sudden movements when you’re by a hive, it also helps me calm my thoughts and focus my attention on the task at hand, making me forget all of my work worries.
- Have a hobby where your skill set can be used to help others. As cliché as it may sound, helping others feels good. As part of my work with the American Bar Association and the International Association of Privacy Professionals, I get to work with other attorneys and professionals on planning events, writing articles, helping other professionals stay up to date with changes in our professions, and I get to network and meet a lot of amazing people. Volunteer work is not as demanding as you may think and every little bit truly helps. It really feels great to share my knowledge with others and to help others on their career paths. Volunteer work also helps break the day up and doing one good thing a day for others helps me stay happy in my career.
- Don’t be afraid to take a personal day to just do things that you enjoy. This is one where I have to try to take my own advice too. Especially if you are working for yourself, you can feel really guilty about taking off a day to just breathe and work on yourself. However, sometimes it’s good to step away from work and do something fun. Whether it’s gardening, antiquing, spending time with your family, or just watching mindless TV, it’s good to take a day off every once in a while.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
To me, the three things that excite me the most about this industry are:
- The fact that privacy and cybersecurity laws are constantly evolving. While there is a multitude of privacy laws currently in place, there are also 23 privacy bills that have been proposed in the United States. The fact is that more and more states are proposing and passing legislation to protect the privacy of consumers online. This makes my work challenging and exciting. There’s always something new to learn, a new law to read, a new interpretation to consider and new changes that need to be made to existing policies. While it’s an absolute maze of regulations, privacy is also fun because it’s really satisfying to navigate that maze and get to the answers.
- Consumer interest in the field. Privacy is no longer a fringe interest. Ever since the Cambridge Analytica scandal, consumers have been more interested and invested in protecting their privacy online. There have been some really interesting studies lately showing how much consumers are paying attention to privacy. For example, a recent study found that 93% of Americans would switch to a company that prioritizes data privacy. Privacy compliance is no longer merely about following laws and not getting fined, it’s about listening to your customers, doing the right thing and responding to consumer concerns. The fact that consumers are so actively engaged in this topic makes the field very rewarding and interesting to me.
- New technologies. The field of privacy and cybersecurity has some truly bright people in it. The new innovations and technologies that are developed on a regular basis are absolutely astounding. For example, some companies are working on ways to deliver personalized advertisements without the implementation of cookies and others are working on assigning consumers digital identities that are not tied to their “real world” identities to reduce the effects of data breaches. Reading about these new technologies invigorates me and keeps the field interesting because I know that a lot of people are invested and passionate about privacy and cybersecurity.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Yes, absolutely. In my opinion, the biggest compliance threat that companies need to prepare for is the increased patchwork of state privacy laws. While many federal privacy bills have been proposed, none have passed and states are taking matters into their own hands. Since privacy laws protect consumers, and not businesses, businesses need to be aware of the fact that there may come a day (and soon) where they will need to comply with 20–30 privacy laws, all of which have different requirements. The fact is that companies need to start implementing privacy by design, mapping what privacy laws apply to them and how, and preparing for an onslaught of regulations that they will need to comply with. Implementing and following best practices now will save a lot of time and headache in the future.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Yes, I volunteer at a non-profit and help them with privacy compliance. A few months ago, the non-profit was subject to a data breach. While I was not a part of the security team, I was helping evaluate whether the breach should be reported to users under GDPR. There were a few main takeaways from that event:
- You should have an Incident Response Plan. When you are subject to a data breach, your first instinct will be to panic and your mind will probably just go blank as a result. An Incident Response Plan that is up to date will tell you exactly what to do, who to contact and what measures to take. This means that you will be a lot more efficient and orderly in your response and will ensure that you do not forget any crucial steps.
- Practice. Practice. Practice. At least twice a year, you should perform a table top data breach exercise. While it may seem like an additional chore, you can make this fun by coming up with interesting scenarios and rewarding your team for doing well. Having an Incident Response Plan is great, but a lot of plans can fall apart when a scenario is applied. Practicing can help you work out those scenarios in a safe setting, instead of when an actual data breach happens. When a data breach actually happens in real life, you’ll be happy that you previously worked out the issues and that your team knows exactly what to do.
- Do a post mortem. After you have resolved a data breach, you should do a post mortem, what worked and what didn’t? Which steps helped and which steps just made things worse? Which team members performed well and which team members crumbled under pressure? Doing a data breach post mortem will only strengthen your response when the next data breach happens.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- Wordfence: an endpoint firewall and malware scanner that is developed specifically for WordPress;
- Google Authenticator: helps us protect the security of our accounts with two-factor authentication;
- LastPass: LastPass keeps all of our passwords encrypted and secure.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
What level of funding in security your company wants to make really depends on the size of your team, your revenue, how much personal data you collect, what types of personal data you collect and what you do with that data. For example, a dog sitter will need significantly different measures than a company processing credit card scores for marketing of services of banks. The best way to determine what your funding should be is to perform a thorough risk assessment and data map. This way, you will be able to clearly articulate what your risks are and thus what funding you should make. Regardless of the stage that your company is in though, it is important to not get complacent and perform such risk assessments every year and mitigate any new risks that have presented themselves.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- Issues logging in. If you or a staff member have issues logging in to your accounts and you are sure that you are using the right passwords, you may have been hacked. In my experience, IT departments can be very quick to blame users in situations such as this, but, sometimes, the inability to sign in can be a signal that there is something nefarious going on. Encourage your IT and other staff to report login issues immediately and to investigate for wrongdoing.
- Changes in files. If you were working on an important file and cannot seem to find it the next day, even though you are certain that you put it on a certain file on your computer, it is possible that hackers may have infiltrated your system and moved or deleted that file. It is important to pay attention to what you are doing on your computer and where files and other such items are stored.
- Suspicious activities in logs. If you are not logging the activity of administrators and others with access to important data and files, you really should be. Logs are the best way to tell if something strange is going on. For example, you could see if a particular account is adding users when they should not be, deleting files and/or changing passwords. If you see suspicious activity in a log, that’s a great indicator that you have been hacked.
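The third sign above, suspicious activity in administrator logs, is the one that lends itself to automation. The following script is an added example and is not code from the interview, from Termageddon or from any of the tools named on this page. It runs three simple rules over an audit log: user creation by an account that is not on the user-admin allowlist, a password change on an account other than the actor's own, privileged actions outside business hours, and a burst of file deletions by one actor within a short window. The log format, the actor names, the allowlist and the thresholds are all constructed for this example; the parser is the only part you would need to adapt to a real activity log (a WordPress activity plugin, a Linux auth log, a cloud audit trail).

```python
"""Flag suspicious administrator activity in an audit log.

Added example, not part of the interview or of any product it mentions.
The log format, accounts, allowlist and thresholds below are constructed
assumptions; replace parse_line() to read your own audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# <ISO-8601 UTC timestamp> <actor> <action> <target>
SAMPLE_LOG = """\
2024-03-04T09:12:03Z alice user.create bob
2024-03-04T09:15:41Z alice password.change alice
2024-03-04T22:47:10Z svc-backup user.create helper01
2024-03-04T22:47:55Z svc-backup password.change alice
2024-03-04T22:48:02Z svc-backup file.delete /srv/docs/contract-1.pdf
2024-03-04T22:48:03Z svc-backup file.delete /srv/docs/contract-2.pdf
2024-03-04T22:48:04Z svc-backup file.delete /srv/docs/contract-3.pdf
2024-03-04T22:48:05Z svc-backup file.delete /srv/docs/contract-4.pdf
2024-03-04T22:48:06Z svc-backup file.delete /srv/docs/contract-5.pdf
2024-03-05T10:02:30Z carol file.delete /srv/docs/old-draft.txt
"""

# Policy assumptions (hypothetical, tune to your environment)
USER_ADMINS = {"alice"}                      # only these may create accounts
PRIVILEGED = {"user.create", "password.change"}
BUSINESS_HOURS = range(8, 19)                # 08:00-18:59 UTC
DELETE_THRESHOLD = 5                         # deletions per actor ...
DELETE_WINDOW = timedelta(minutes=5)         # ... within this window


def parse_line(line):
    """Split one log line into a dict; target may contain spaces."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    ts, actor, action, target = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "action": action,
        "target": target,
    }


def detect(log_text):
    """Return a list of (timestamp, actor, reason) alerts for the log."""
    alerts = []
    # Per-actor sliding window of recent deletion timestamps
    recent_deletes = defaultdict(deque)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, actor, action, target = ev["ts"], ev["actor"], ev["action"], ev["target"]

        # Rule 1: account creation by someone who is not a user admin
        if action == "user.create" and actor not in USER_ADMINS:
            alerts.append((ts, actor, f"created user {target} without user-admin role"))

        # Rule 2: password changed on an account other than the actor's own
        if action == "password.change" and target != actor:
            alerts.append((ts, actor, f"changed password of another account ({target})"))

        # Rule 3: privileged action outside business hours
        if action in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, actor, f"{action} outside business hours"))

        # Rule 4: burst of file deletions by one actor inside DELETE_WINDOW
        if action == "file.delete":
            window = recent_deletes[actor]
            window.append(ts)
            while window and ts - window[0] > DELETE_WINDOW:
                window.popleft()
            if len(window) == DELETE_THRESHOLD:      # fire once per burst
                alerts.append((ts, actor,
                               f"{DELETE_THRESHOLD} file deletions within {DELETE_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, actor, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {actor}: {reason}")
```

On the constructed sample, every alert points at the same account, `svc-backup`, acting at night: creating an account, resetting someone else's password and then deleting documents in bulk. That clustering of several weak signals around one actor is what makes a log review worthwhile; a single off-hours event on its own is rarely conclusive. The deletion rule fires exactly once when the threshold is reached rather than on every subsequent deletion, so a long burst does not flood the alert list.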
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
After you have been made aware of a data or security breach, you should complete the following steps (please note that depending on the type of breach that you are experiencing, the steps that you need to take may be different):
- Assemble the staff and third party experts that will help you investigate the breach;
- Confirm that a data breach has in fact occurred, who was affected, what type of data was affected and what exactly happened;
- Secure the area and stop additional data loss by taking the affected systems offline;
- Conduct interviews and gather and preserve evidence;
- Fix any vulnerabilities that led to the breach and mitigate any effects of the breach;
- If customers were affected, determine how your company will mitigate the potential impact of the breach on such customers;
- Inform regulators and customers if you need to do so;
- Perform a post-mortem of the data breach and improve any policies or procedures if you need to do so.
Since I am a legal engineer of Privacy Policies, new privacy laws have required me to do some re-engineering to include all of the disclosures required by these laws. This means a lot of studying of the laws themselves, associated rules and regulations and opinions on what these laws mean. For any business collecting personal information online, the implementation of new laws means updating Privacy Policies, creating customer portals where customers can exercise their privacy rights, responding to such requests to exercise privacy rights, hiring more privacy and security staff, and drafting new policies and procedures. While this may seem onerous, studies have shown that companies that invest in privacy actually have a lower likelihood of being subject to data breaches and, if they are subject to a data breach, that data breach can actually have a lesser impact. Finally, investing in new privacy and security measures can mean avoiding bad press and lessening the frustrations of customers when it comes to the use of their personal information online.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Since more people are going online now, we have definitely seen an increase in companies wanting to get their Privacy Policies squared away and compliant. As more consumers do business online, they want to ensure that their personal information is kept private and secure and are therefore more interested in the privacy compliance of businesses to whom they submit their personal information. This obviously increases the risk of enforcement of privacy laws, fines and lawsuits and companies are much more willing to invest into making sure that does not happen.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Privacy laws are not going away. In fact, more states are proposing and passing their own privacy laws. Companies need to understand that there are currently multiple privacy laws that they need to comply with and, if they fail to do so, they risk high fines or even lawsuits. Furthermore, companies also need to understand that there are currently 23 proposed privacy bills in the United States and more states are adding their own privacy bills every day. This means that companies will need to invest in privacy and cybersecurity heavily in the future and should plan for those compliance costs and efforts now.
- Management must support staff in their privacy and cybersecurity initiatives. Many compliance and IT staff are often relegated to roles that are seen as secondary to the “actual business” of a company. Management must understand that in the current threat and compliance landscape, companies are not going to survive unless compliance and IT staff and their work are taken seriously, appreciated and supported. Management should clearly communicate to all staff that privacy and security are of utmost importance and must be upheld even if that means slight delays in other departments.
- It’s not just large companies that are being fined for privacy and security non-compliance. While the media tends to focus on more high-profile cases such as Google or Facebook, hundreds of smaller companies have also been fined for non-compliance. The European Union’s Data Protection Authorities are not shy about issuing fines to smaller companies for smaller infringements such as abusing the privacy rights of only one person. Companies need to understand that they can still be fined even if they are smaller and therefore need to take the time for compliance.
- Perform data inventories and data mapping. Knowing what data you collect and where you keep it will help you prevent and respond to data breaches, respond to consumer requests to exercise their privacy rights, and will save you lots of headaches when performing audits.
- Establish who will be responsible internally for responding to consumer requests to exercise their privacy rights. Certain privacy laws have time limits within which companies are required to respond to such requests. Responding quickly and efficiently will not only keep you compliant but will also reduce customer frustrations and complaints.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
My pleasure! I’m very happy to have been able to share my knowledge with readers.