It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Jodi Daniels.
Jodi Daniels is the Founder and CEO of Red Clover Advisors, a privacy consultancy that helps companies create privacy programs, build customer trust and achieve GDPR, CCPA, and US privacy law compliance. Jodi helps companies with the daily operations such as data mapping, individual rights, training, policies, etc. and also serves as a fractional chief privacy officer.
Jodi is a Certified Informational Privacy Professional (CIPP/US) and national keynote speaker with more than 22 years of corporate experience at Deloitte, The Home Depot, Cox Enterprises, Bank of America where she most recently served as the privacy partner for Digital Banking and Digital Marketing. Ms. Daniels started her privacy career by creating the comprehensive privacy program at Cox Automotive.
Jodi holds a Masters of Business Administration and a Bachelor of Business Administration with a concentration in Accounting from Emory University’s Goizueta Business School. She lives in Atlanta, GA with her husband, two girls, and a big fluffy dog named Basil.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small town in Guilford, CT and then in high school I moved to south Florida. That was a huge change but a very exciting time. My parents were both entrepreneurs and were a huge inspiration for the road I took today. I had two older brothers and was definitely the baby sister of the family! We took family vacations, had Sunday night dinners (always the same meal), and Thanksgiving was our favorite family. These traditions have been steeped in my family life today.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
My career has been a series of different hops bridging skills into new functional areas and industries. I found my way to privacy by recognizing an unmet need in my current company, and it was also a growing industry. I relish the challenge, and the opportunity to join a growing movement was exciting to me. I had always wanted to be an entrepreneur and it was a matter of timing and feeling confident to start it. When my daughter was starting a new school and after nearly 19 years in Corporate America, I decided it was time to leave. I made a goal to leave by a certain date and met the goal!
Can you share the most interesting story that happened to you since you began your career?
One of the stories that stands out the most was in my first year at my first job. I was a financial statement auditor and often had to conduct physical inventories on December 31. I was at a manufacturing plant an hour outside Atlanta and believe I was the only female there and the youngest by 20 years for sure! They started to use the heavy equipment to measure these heavy rolls of steel, and the totals were not matching what they claimed them to be. To perform my job properly, I had to take extra samples, and the older men, I’m convinced, were not used to a businesswoman telling them how it needed to be done at the plant. That day convinced me it’s not the title that earns respect, it’s confidence in doing the job and the right thing. I was confident in what needed to be done despite the looks, grunts and stares I received.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My dad has always pushed us and his motto is “do your best” on everything. Whether that was cleaning the floor — and not skipping the corners — or our school projects or work assignments. If we did our best, then we could be proud of what we accomplished and learn as needed for the next time. I have carried that with me in all my professional activities and have taught it to my children as well.
Are you working on any exciting new projects now? How do you think that will help people?
I am helping companies think about how privacy can create greater trust with their customers. I believe privacy is the new social activism. According to Pew Research, 79% of individuals said they were at least somewhat concerned about how companies were using the data collected about them. How can a brand continue to effectively serve its customers when they don’t trust it with their personal information? That’s a significant disconnect that is not sustainable. Companies that pivot and put privacy and the customer first will have a competitive edge.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s very important to create boundaries between work and personal priorities. Reviewing professional goals should be done quarterly and at least annually. Everyone has a hobby or activity that brings them happiness and can help reduce stress. Some people need to schedule them; for others it’s a routine that will never get interrupted by work. Whatever needs to happen to ensure that there is time to exercise, spend time with family, or perform a favorite hobby is critical. It’s during these downtimes that the best ideas often come. Self-care is not just time away from work, it’s time to rejuvenate and make our time working more productive.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
There are numerous privacy requirements that are dependent on the country and industry a company is in. For example, if a company is international, it has to deal with the most stringent privacy law in the EU, which is the GDPR. The US, on the other hand, has a sectoral approach to privacy, making it a patchwork quilt of laws companies have to manage and understand. Companies in the US serving California residents may have to consider the California Consumer Privacy Act, CCPA. If a company is in the healthcare space, it needs to comply with HIPAA. Those in financial services have to comply with GLBA. Marketers need to worry about email, telephone, and text marketing laws. Companies serving Canadian customers also have various laws to contend with, such as CASL, the Canadian Anti-Spam Legislation, one of the strongest anti-email-marketing laws in the world, as well as PIPEDA. Companies in the media or education sectors have additional privacy laws.
Privacy laws generally focus on informing individuals of the data that is collected, used, stored and shared as well as offering individuals choice to opt out of data being processed, access to information or have their information deleted. Companies need to understand the data they process so that they can have accurate privacy notices, can honor individual rights, and can protect the data from a data breach or unauthorized access.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Before asking for, collecting, using or sharing personal information, companies should think about the customer’s expectations first. Individuals expect they can trust companies with their data. If they can’t, they will choose a competitor, not provide information, or provide inaccurate information. Companies should only collect, use and store information needed, for the shortest period of time. It’s so tempting to collect data and keep it forever; however, that increases the risk of a data breach for a company.
In the face of this changing landscape, how has your data retention policy evolved over the years?
I see companies are changing their data retention plans due to the increasing privacy laws forcing companies to keep data only for business purposes. Maintaining a data retention policy is still challenging for many companies and technology will likely play an increased role in helping companies manage it for them.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
GDPR and CCPA have had the biggest impact on companies and their data retention policies. With the requirement under GDPR to keep data for business purposes only, and under CCPA the potential class action fines for a data breach, companies realize that minimizing the data stored will lower their risks.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools are coming on the market; however, because data is in so many places, it is still a challenge for companies to truly maintain full control over data that is in databases, cloud software tools, laptops, and email.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
Many privacy and security professionals say it’s not a matter of if, but when, a company experiences a data breach. The risk of business disruption, loss of customer trust, and significant financial consequences has encouraged companies to take data protection practices more seriously. Understanding the data collected, where it is stored, and the business purposes for the data are all critical components of building a strong data retention program.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Know your data — A company told me they didn’t collect any personal data on their website. I said, what about the contact form? The advertising and analytics pixels? Another time a company said, we don’t have much personal information. We just have name and email. My response — great, your data inventory will be simple — it all counts as data. To comply with any privacy law, it’s critical to know where the data is and to know what data is considered personal information (hint, a lot more than people think!). Every time a new product feature is deployed or a new marketing strategy is executed, companies need to know what data is being collected, used, stored and shared. That’s how a company begins to comply with privacy laws and protect the data.
- Multi-factor authentication (MFA) — One of the best defenses against hackers is to have multi-factor authentication. That plus a strong password will make it much harder for a bad actor to gain access to information. It should be turned on everywhere it can — social media accounts, email, CRM, financial services to name a few.
- Identity Access Management — To help minimize data breaches and ensure only those who should have access to data do, identity access management tools are a must have for companies.
- Use of encryption for data — Encrypting data is a significant and important security protocol that should be deployed wherever possible. It’s important to consider both data at rest and data in transit. If there’s a data breach, data that is encrypted will minimize the financial, operational and reputational burden to the company.
- Educate and train employees — An absolutely critical defense against data breaches is employees. Many times, an employee clicking on a phishing email, having a weak password, not using multi-factor authentication, or using a personal device on public wifi can expose the company to a data breach. By training and continuously reminding employees how to spot a phishing email and to use strong passwords and MFA, the employee can protect the company against cyber threats.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!