It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Bud Freund.
He has been self-employed for over 40 years. After graduating from Ithaca College, his national and international photography assignments were from corporate, magazine and public relations clients. He migrated into digital imaging and has been providing IT solutions to homes and small businesses for over 20 years. He currently teaches Technology Life Skills at King School and manages the Bi-Cultural Hebrew Academy network. As a Certified SCORE Mentor, he regularly presents technology webinars. His workshops have been run at libraries throughout Fairfield County, Connecticut.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in Riverdale, New York (the home of Archie and Jughead comics) and moved to New Rochelle (the home of The Dick Van Dyke Show). My parents then moved on to Greenwich, CT while I was at Ithaca College, and after graduating as a photography major, I moved on to Stamford where I currently live with my family.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
For about 20 years, I worked as a photographer shooting people, products and architecture for ad agencies, PR firms, designers and corporations. I was inspired to capture “decisive moments” from a book my brother had, “The World of Henri Cartier-Bresson”.
Then the world moved from film to file and I got the digital imaging bug. My viewfinder (computer monitor) got larger, and my gratification more instantaneous. For several years, I worked in multimedia, but eventually found that there were far more computers to repair than PowerPoints to create. I had good mentors, and like many others, lots of trial-by-fire / on-the-job training configuring HIPAA-compliant networks and workstations for small medical practices. Today, I still solve tech problems for small businesses and teach technology life-skills at a local school.
Can you share the most interesting story that happened to you since you began your career?
As a photographer, I did a month of on-the-road assignments starting in Panama, continuing to Salt Lake City and finishing in Sun Valley, Idaho. There was a lot of logistics and planning to make the trip work. . . and upon returning home, several science projects to remove from my fridge.
In multimedia, it was traveling to Savannah, GA to be on call IF. . . IF the Board of Directors meeting needed a PowerPoint or Photoshop problem solved.
In my IT work, I think I got 80% of my gray hair the weekend I successfully recovered the critical business data from a company’s crashed server.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Ah, the naming of names. Sometimes, “the best” people at the time they were helping you to grow, were “the worst” human beings imaginable.
I had a photo editor tell me, “Because of your ability to manipulate images, you are an unethical photographer and couldn’t be trusted to work for me.” It took a while to realize that ethics has nothing to do with ability.
In multimedia, I had someone hand me a PowerPoint preso an hour before showtime in the new “pptx” format because they’d “downloaded the new version of Microsoft Office last night and wanted to try it”. Fortunately the Microsoft website had a (new) pptx to (old) ppt format converter available.
And in IT, I worked for a fellow nicknamed, “Shreck”, who was a nasty SOB in dire need of orthodontia, but a brilliant small business technologist and mentor.
Are you working on any exciting new projects now? How do you think that will help people?
There are three “helpful” projects that come to mind. . .
The first is an ongoing bibliography that I compile; https://techandparents.wordpress.com/tech/ .
This is a list of 142 articles (and growing) that have 2 things in common. . .
- They all address some aspect of the risks and dangers of minors and technology.
- None state the fact that a minor cannot enter into a legally binding contract; only their parent or guardian — which places the responsibility and liability on us. . . and if you think that’s a bunch of “hogwash”, consider underage drinking in your home or the town of Shawano, Wisconsin’s bullying law.
The second project, which I’ve had in development for several years, is https://ptotechfundraiser.com — a website that can provide much needed tech education for parents and funding for schools.
The third is that I volunteer at Fairfield County SCORE where I am on the chapter’s tech team. The webinars that we produce are about many different small business topics and can be found at. . .
To keep my creative juices flowing, I make these images I call, Equivalents, on my mobile devices.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
That’s an easy question to answer, but very hard to implement. . . Love what you do and strive to do it better.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Yes and no. . . There are legal requirements at both the state and federal level and they will vary from state to state as well as in complexity and obligation. Check with your credit card service provider. They will be a great resource because Payment Card Industry (PCI) compliance is mandatory if you want to get paid by credit card. Also check with your specific industry organizations. The rules of HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, and the California Consumer Privacy Act are different and extensive.
Also important to note is that many small business owners have neither the technical expertise themselves nor the financial resources for IT staff, so it is important to be able to simplify into manageable, understandable and actionable steps the data safety requirements that they are required by law to observe. Sadly, studies have shown that in our current Covid environment, small businesses are highly susceptible targets for hacking and ransomware attacks.
So in a simple, “broad brush” statement. . .
Obey the law, but more easily, follow this “moral compass”. . . Treat, protect, safeguard (call it what you want) THEIR personal, financial and medical information the way you’d like YOUR personal, financial and medical information secured. And we’ll touch on some suggestions shortly.
Also, one of the more interesting “drivers” of American data privacy practices is the European Union’s General Data Protection Regulation (GDPR) https://youtu.be/y30iZi6z_lo. Put simply, American companies doing business with any EU nationals need to abide by GDPR rules, and rather than build and maintain two websites, it’s easier to comply with one.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Here’s an overlying concept. . . Technology / Data safety isn’t a product. It’s a process. Current events consistently show us that buying a piece of hardware or a piece of software isn’t the solution.
Now before addressing several “best practices”, yes, customer data should be destroyed / deleted once a business is “done” using it. HOWEVER, I’ve yet to see any documentation, recommendations or certifications clearly defining, “done with use” and “data deletion” (i.e., school alumni lists). Also, since legacy data has a value to business analytics, the ambiguity of when specific information (my name, credit card info and purchase) needs to become anonymous data (male with gift card bought clothing) is the stuff that lawyers wrangle.
So until such time as the legal gobbledygook (personal data needs to be deleted in a timely fashion) becomes definitive (i.e., 2 years after sale, personal data needs to be deleted), here’s a few considerations. . .
- Who has the keys to your kingdom? Do your salespeople have access to the client list database? Which office staff can access your bank accounts online? If you have a medical practice, can your front desk staff see just billing and scheduling or medical records as well? Problems occur when we lose track of who can access what.
- Ongoing education — The majority of computer problems occur because of human error; clicking on a bad link, email phishing, or the wildly popular password sticky on the monitor. Your frontline staff are your frontline of defense. Treat them well. Keep them current on the latest scams, and they will have your back.
- Updates — There are 80,000 “doors” (in computer lingo, they’re called ports) into and out of a computer. Among other things, updates plug those 80,000 “holes” and keep hardware running safer.
- Passwords and TSA — If you lock the door of your house and you lock your car when you park in a public garage, lock your data. . . PERIOD. Using passwords prevents unwanted access. Two-step authentication (a/k/a multi-factor authentication) is like having a double lock on the door. Will this make accessing data slower? Yes, but it will keep customer / client data safer.
- Focus — In our current online world, home has become office, conference room, school, playground, bakery, snack bar, short-order kitchen and laundromat SIMULTANEOUSLY. It’s very hard to keep track of complex information and workflow when you need to get your child a snack AND put the clothes in the dryer RIGHT NOW! So. . . go slow — is that email REALLY from the client? Or does it just look like it’s from the client? Hover over links before clicking on them. That pause will bring up a box with the destination URL; where that click will take you. Remember: Click first, regret later.
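The “hover over links before clicking” advice above can be turned into an automated check. The following is an added example written for this page, not code from the interviewee or the magazine: it parses the anchor tags of an HTML e-mail body and flags any link whose visible text names one domain while the real destination (`href`) points at another. The sample e-mail body and the domain names in it are constructed for the illustration; the `registrable_domain` helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not from the original page).
# The second link shows the classic trick: the text says "example-client.com",
# the href goes somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<p>Hi, please review the updated invoice at
<a href="https://billing.example-client.com/invoice/42">https://billing.example-client.com/invoice/42</a>.</p>
<p>Or use the portal: <a href="http://example-client.com.login-verify.invalid/">example-client.com</a></p>
<p>Unsubscribe <a href="https://mail.example-client.com/unsub">here</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only collect text while we are inside an <a href=...> element.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.
    This is a simplification for the example; production code should use a
    public-suffix list so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the host named by link text that looks like a URL or a bare
    hostname, or None when the text is ordinary words such as 'here'."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def suspicious_links(html_body):
    """Return the links whose visible text names a different domain than the
    href actually points to: the 'looks like it's from the client but isn't' case."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        actual = urlparse(href).hostname
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": text, "actual": actual})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {finding['shown']!r} but goes to {finding['actual']!r}")
```

Links whose text is plain words (“here”) are skipped because there is nothing to compare; the check targets the specific deception of a URL-looking label that disagrees with its destination, which is exactly what the hover box reveals to a human reader.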
In the face of this changing landscape, how has your data retention policy evolved over the years?
For my business, offline data on hard drives, thumb drives, CDs and DVDs that are not connected to any network have always been a norm. Offline = Incorruptible. However, a lot of information and digital services have gone online — and I (you / we) hope that the subscription fees we pay are being used to safeguard and protect the data we entrust with these service providers.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Yes and no. I believe some of that has been outlined above. Otherwise, the less said, the safer things are. And to that point, I am not a believer in password managers because EVERYBODY — both white hat and black hat hackers — knows what they’re for. Having provided IT support for someone who worked in national security, I learned about. . . hiding in plain sight. Create a spreadsheet or Word doc called. . . Birthdays and Anniversaries, or Guest List, or Shopping List — anything but. . . “This-Is-The-File-Where-I-Keep-All-Of-My-Passwords” and then password protect that file.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
For me directly, no. For my clients, it varies by industry. That said, “trickle down data security” will eventually affect both large and small businesses. It works like this. . . Government passes a law for the insurance (or medical or financial) industry focusing on “the big players”. These companies then notify the businesses they work with that in order to maintain their contracts, licenses, “relations”, these small businesses will also need to address the same compliance issues or the bigger company will no longer work with them.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
A long time ago, someone told me that a camera is only as good as the person who uses it. Similarly, I would suggest that computers and networks are only as good as the people who run / manage them. Putting faith in automation tends to result in situations like we currently see with the federal government and the software they “thought” was “minding the store”.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
As a technology educator, one of the hardest and most important aspects of the work I do is to provide information to my clients in “plain English” so they can make informed decisions. These outages and breaches only serve as ongoing examples of why we cannot be complacent about the “soundness / safety” of our business / technology infrastructure(s) or how much dependence we place on technology.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
I want to continue with the “people / human” side of the ideas I ran earlier, so let me review them now and cite some examples.
1. Who has the keys to your kingdom? Whether large or small, if you rely on others for essential and critical business processes, in the words of Ronald Reagan, “Trust but verify.” https://www.providencejournal.com/story/news/coronavirus/2020/09/17/bookkeeper-to-admit-embezzling-more-than-740k-from-law-firm/114044960/
2. Ongoing education — Frank Abagnale Jr., conman-turned-FBI trainer, has been quoted extensively about the need for cyber-education.
3. Updates — Both Apple and Microsoft provide software updates for their operating systems. For the safety and well-being of a business that uses computers (and I don’t know of any businesses that do not), it is essential to update and patch your hardware and software. https://www.computerworld.com/article/2534742/unpatched-windows-pcs-fall-to-hackers-in-under-5-minutes–says-isc.html
4. Passwords & TSA — “Password” is not a password. “[email protected]” is a password. And that second lock, TSA, might slow your workflow down, but it will help to keep your data safe.
5. Focus — While multitasking sounds like a great way to work, an ever-increasing number of studies show that it is a bad idea.
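The “who has the keys to your kingdom” question from both lists (front desk seeing billing and scheduling versus medical records, which office staff can reach the bank accounts, “trust but verify”) is answered by a periodic access review. The following is an added example for this page, not the interviewee’s own tooling: it takes a user-to-role and role-to-permission mapping, inverts it so you can see who can reach each resource, and reports two kinds of problems, a role holding a permission the stated policy forbids and a single person holding a pair of permissions that should be separated. All users, roles, resources and the policy rules are constructed for the illustration.

```python
from collections import defaultdict

# Constructed example data (not from the original page): who holds which role
# and what each role may reach. In practice this comes from your directory,
# practice-management system or the bank's online user list.
USER_ROLES = {
    "alice": {"physician"},
    "bob": {"front_desk"},
    "carol": {"front_desk", "bookkeeper"},
    "dave": {"bookkeeper", "bank_online"},
}
ROLE_PERMISSIONS = {
    "physician": {"medical_records", "scheduling"},
    # Deliberately over-broad grant so the review has something to catch:
    # front desk has been given medical records, not just billing/scheduling.
    "front_desk": {"scheduling", "billing", "medical_records"},
    "bookkeeper": {"billing", "client_list"},
    "bank_online": {"bank_accounts"},
}
# Policy assumptions for the illustration:
#  - resources a given role should never be able to reach
#  - resource pairs that one person should not hold at the same time
#    (the "trust but verify" control behind the embezzlement story)
FORBIDDEN = {"front_desk": {"medical_records"}}
SEPARATE = [("bank_accounts", "billing")]


def effective_access(user_roles, role_permissions):
    """Map each user to the union of the permissions of all their roles."""
    access = {}
    for user, roles in user_roles.items():
        perms = set()
        for role in roles:
            perms |= role_permissions.get(role, set())
        access[user] = perms
    return access


def who_can_access(user_roles, role_permissions):
    """Invert the mapping: for each resource, the sorted users who can reach it.
    This is the list to read aloud in the review: 'who can see the bank accounts?'"""
    by_resource = defaultdict(set)
    for user, perms in effective_access(user_roles, role_permissions).items():
        for perm in perms:
            by_resource[perm].add(user)
    return {res: sorted(users) for res, users in by_resource.items()}


def review_findings(user_roles, role_permissions, forbidden=FORBIDDEN, separate=SEPARATE):
    """Return human-readable findings: forbidden role grants first, then
    separation-of-duties conflicts held by a single user."""
    findings = []
    for role, banned in forbidden.items():
        for res in sorted(role_permissions.get(role, set()) & banned):
            findings.append(f"role {role} should not reach {res}")
    for user, perms in effective_access(user_roles, role_permissions).items():
        for a, b in separate:
            if a in perms and b in perms:
                findings.append(f"user {user} holds both {a} and {b}")
    return findings


if __name__ == "__main__":
    for resource, users in sorted(who_can_access(USER_ROLES, ROLE_PERMISSIONS).items()):
        print(f"{resource}: {', '.join(users)}")
    for line in review_findings(USER_ROLES, ROLE_PERMISSIONS):
        print("FINDING:", line)
```

Running the review on the constructed data surfaces the two problems the text warns about: a front-desk role that can open medical records, and one person who can both move money and keep the books. Re-running it after every staffing or role change is how you avoid “losing track of who can access what”.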
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Once upon a time in America, you could crank-up your car to chase the chickens around your front yard and you didn’t need a driver’s license or insurance.
Once upon a time, you could buy “snake oil” in America and you didn’t need FDA approval or clinical trials.
Once upon a time, you could buy a musket and you didn’t need a permit or a background check.
In each of those cases, the rules, laws, regulations, ordinances (call them whatever you like) changed for the safety and well-being of the general public.
To buy a computer, tablet or smartphone today, you don’t even need cash. You can take your pre-approved credit card, go online, and have it at your doorstep in two days.
So the question becomes whether the rules, laws, regulations, ordinances (call them whatever you like) for the safety and well-being of the general public need to change in regard to computers. Please ask Sony, Target, Home Depot, Experian, JP Morgan Chase and the Democratic National Committee — to name just a few — whether they think it might be time for change.
So what I suggest is that it may be time for some kind of “mandatory” technology education. You can’t get a driver’s license today without taking a driver’s test. The ability to afford the latest gadget, gizmo or widget has no bearing on the owner’s ability to use or understand it. As we learn almost daily about what dangerous weapons computers can be — whether bullying in social media, or hacking sensitive data — it seems we need a more “responsible”, global technology community; which comes from education.
How can our readers further follow your work online?
There are several places. . .
https://techandparents.wordpress.com/tech/ — An online bibliography and tech resource for parents
http://budly.live — My website
http://bit.ly/TechAmok — My YouTube Channel
https://saatchiart.com/Budly — My digital images
http://bit.ly/EquivalentsByBudly — Instagram
This was very inspiring and informative. Thank you so much for the time you spent with this interview!