Speaker 0
0:10 – 0:14
Welcome to Tech Talk by CDT.
Speaker 1
0:31 – 1:24
January 28 is data privacy day, and hopefully, you all have plans to mark the day. Data privacy day is held each year to create awareness about the importance of privacy and protecting personal information, something that everyone at CDT certainly believes in. The theme for 2017 is respecting privacy, safeguarding data, and enabling trust. Joining us today to talk about data privacy day and how businesses can be good data stewards is Michael Kaiser. Michael is the executive director of the National Cybersecurity Alliance. Welcome back to Tech Talk, Michael. Well, thanks for having me in. I'm thrilled to be here. Well and I love Data Privacy Day because you get to visit us each year, and it's always great to see you. So first, tell me about your organization's role in it because it's relatively new that you all are playing such a leading role in Data Privacy Day. Yeah. So we took over Data Privacy Day in 2011, actually. I think the first one we did was really 2012 in January.
Speaker 0
1:24 – 3:04
It had been in the United States since about 2008, but the organization that had been had been doing it wasn't really, wasn't really an education awareness organization like NCSA. I mean, we've been doing National Cybersecurity Awareness Month for fourteen years, created the Stop, Think, Connect campaign. This is the kind of stuff that we just do. Right? This is our work, every day. Right in your wheelhouse. Yeah. Right in our wheelhouse. Exactly. So when we were considering, you know, taking over data privacy day, we had some things that we thought about before we agreed to do it. And one is that we wanted to make the connection between privacy and security. Obviously, we're the cybersecurity alliance. That's really important to us. But we felt back then, it's changed a bit, that that discussion wasn't really happening. It seems to be happening more now, which we're thrilled about. But we feel that there's this real connection between security and privacy. We also wanted to make sure that we could create it underneath and use a lot of our brands that we already have, like Stop Think Connect. Right? So that we could see that, that the privacy messaging and the security messaging were deeply intertwined as well. We can talk a little bit more about that in a second. But so we looked at that and the people who were passing it on said, oh, that sounds great, and so we took it over. And since then, we've, you know, we've really been evolving it. Right? We've been creating, you know, many more materials, trying to engage many more stakeholders in getting involved. We actually went through a whole message development campaign to come up with some of our core messages using research.
So we've really tried to evolve, like, the notion of data privacy day to be much broader, to have much more universal messaging that really reaches farther audiences, and to engage just, you know, as many stakeholders as possible. That's fantastic. And absolutely, the connection between security and privacy, the fact that you are really working on that is amazing.
Speaker 1
3:05 – 3:38
Because as I always tell people, you can't have privacy unless you have secure systems and you have good security practices. So they do go very hand in hand, and that's great that you're talking about that. Today, we're gonna focus on what businesses can do to mark the day. But before we get to that, you were telling me just before we started recording about, you know, this is the first year you're gonna do a kind of new concept of a summit. Why didn't you tell folks about that? I think it's taking place on January 26. So that's when are we releasing this, Tim? It's gonna be, you know, this week. So, tell us about that and how people can participate.
Speaker 0
3:38 – 4:51
Yeah. So we've always had, you know, big events for data privacy day. Right? That's part of what we do. I mean, we look at these, you know, these awareness activities, whether it's data privacy day, cybersecurity awareness month, as, you know, we do things, but we really count on other people doing lots of stuff too. I almost often measure by, like, what other people do not what we do. So we've had a lot of events. We've had some here in DC. We've had some on the West Coast, but we wanted to try something new. And because it's the Internet and it's because it's online, we and because now, you know, the world is changing so fast, the ability to broadcast yourself has become so much easier than it was in the past. We're gonna do a whole day of live events from Twitter headquarters in San Francisco, which anybody in the world can join. It's gonna be on January 26. We're gonna have a whole host of great speakers. We have some chief privacy officers from major corporations. We have some folks from NGOs. We're gonna have discussions about wearables, about identity theft, about, IoT, about all different elements of privacy and where we're headed, in this world. And, really, instead of just filling up the room with, you know, a couple of 100 of our closest friends, we're making it available to everybody on the Internet, not just as a recording, but live, and you can watch it. So you can go to our website, staysafeonline.org/dpd, and get more information. And you can also,
Speaker 1
4:52 – 5:26
you know, sign up on our Eventbrite page and, like, say which topics you're interested in. We'll ping you right before they start, and you can come watch them. That is awesome. So, Tim, for those of you listening who don't know, Tim records, edits, produces our podcast, and we just gonna make sure we get this one out before the twenty sixth so that we're perfect on that one. Alright. So let's shift to businesses. Sure. Obviously, businesses can do a lot of things to mark data privacy day and a lot of the the language you use is good data stewardship. What does that mean for a business? Yeah. Well, the at the most basic level, it means if you collect it, you gotta protect it. Right? So, you know, we think that,
Speaker 0
5:27 – 8:32
you have to have this kind of social contract with your customers. Right? When they give you information, the assumption is that they're trusting you to protect it. And we can you know, we don't have to talk necessarily about, you know, the ways businesses use personal information. That can be another discussion. We should have that one for sure. But just the fact that if you're in business these days, people are giving you credit card numbers. They're giving you home addresses. Maybe they're giving you a birth date. Maybe you have, you know, depending what kind of service you provide, you might have other family members names, right, and other things about them. They may have vast amount about of information about you. And I believe that people expect have a high level of belief that you're gonna protect that information when they give it to you. And that's sort of when we say that data privacy day is about respecting privacy and safeguarding data, we mean just that. Like, I give you the information, you respect and keep it private, and you safeguard it and protect it. So businesses have a huge responsibility here. It's very easy to collect this information about people right now. It's not as easy to protect it, so you need to be really cautious. What are some of the concrete things that you would recommend that they do or does that depend on the data they have? Well, it certainly does depend on the data. Right? And so, you know, obviously, if you're a health care provider, you're gonna be subject to different kinds of regulations or if you're a school, you're gonna have another set of regulations. So you have to know your own vertical. Right? Like, what business am I in and what are my requirements if there are any? But I also recommend, you know, one, people collect the least amount of information that they possibly need about people. It's very tempting to collect more. 
It's very tempting to say, oh, maybe down the line we could use that information for something else. But just be, you know, be very prudent in what you collect. Be extremely, thoughtful about the security of your network. I mean, this is really where, you know, where where that, trust relationship grows. Right? So we're talking about, you know, any business of any size, right, has to have some kind of security plan. We're big, believers in the NIST cybersecurity framework, which we think applies to every business, up and down the ecosystem, which are really sort of five simple steps. And it starts with, I think, the most important one, and in this case, really with speaking about personal information here is like, what is it that you have to protect? Do you know what you have? Do you know where it is? Great question. Yeah. Right? Do you know, what you're doing to protect it right now? And would you understand if something happened? Right? And then how would you recover and respond if something did? So those are the kind of the five steps of the NIST cybersecurity framework. They're really essential for every business. And you could be, you know, a pizza parlor who just has customers' names, and addresses because you're delivering things all the way up to a highly complicated health care provider or something which has, you know, massive amounts of history about people. But you just need to know those, you know, what are the crown jewels? What are the digital crown jewels? Where are they and how am I protecting them? If everybody did that, we'd be a lot better off than we are today actually, since not every business does that. So you mentioned a bit, you know, this works for businesses of all size. Are there certain things that are more challenging for, say, a smaller medium business than some of them the mega businesses? And if, you know, the bigger corporations, do do they have any responsibility
Speaker 1
8:32 – 8:38
to help out some of the smaller players in this? Or are there lessons we could learn from the bigger players' privacy practices?
Speaker 0
8:38 – 10:00
Yeah. I I think there are. And I think it's it's really interesting because, you know, the the Internet is about interdependencies. Right? It's about connected networks. But, you know, big businesses do business with small businesses all the time. Good point. Right? You know, and this includes up into the critical infrastructure, things like the light, you know, the electric grid or transportation or banking and finances. It's a the the business ecosystem is very complicated. I think larger businesses can play a role in helping smaller businesses, do better at security and privacy. One, by putting demands on them, like, if you wanna do business with us, you have to do x, y, and z. Right? Like, follow the NIST cybersecurity framework or be able to describe to us your safety and security practices. Right? Maybe even have things like cyber insurance, right, to cover any losses that may occur. And they can also teach them about the things that they've had to do to become more safe and secure. You know, not this is, this is an evolving discipline. Right? It didn't, you know, I mean, it didn't happen, and it didn't take one hundred years to get where we are. It took, like, ten. Right? And so people are still learning how to do some of these things. Even the larger enterprises are still learning. So sharing that information, maybe putting a little pressure on their vendors, to, make sure that they're following good practices, making sure that they're communicating their values around personal handled. Right?
Speaker 1
10:00 – 11:01
Making sure they're communicating if you give us information, how we're protecting it, so their vendors know how they're protecting them. So it's really a lot about communication at that level and best practice is sharing. Yeah. It seems like another, point of, I guess, influence or power here is the actual consumer working with these businesses and the influence they can have. You know, it's it's pretty easy to picture a world. I mean, you were already seeing it where companies that respect user privacy and have good practices, it's a a differentiator. It's something that's good for the market. But for a lot of consumers, you know, your initial, I guess, look into the privacy and security practices is through that little, you know, like, privacy policy that if it's an app, you're briefly prompted to do it. If it's a website or a service you're signing up for, you know, it kind of comes in, you scroll through, and you check a box. How else can, like, a a consumer influence us? And how can a consumer unpack those privacy policies? You know, is there is there more companies should be doing? I know there's a lot in that question, but Yeah. Yeah. I think, you know, at the end of the day, this is a lot about communication.
Speaker 0
11:01 – 12:28
Okay. Right? This is a lot about companies, you know, moving away from the legal, you know, gibberish that's required to clear and concise information that consumers can act on. I mean, we we've done some research with consumers. They really tell us, you know, kind of three things that they always Right? How are you using it? Are you sharing it with other people? And do I have any control over that? Right? And I don't think they're saying I need to have control. They just wanna know. Right? Like, you know, are there user controls in place that I can adjust some of this stuff? Right? You know, what is the basic use? I think it gets very confusing for people. I think even when you download an app, sometimes it'll say, oh, this app maybe needs access to your phone calls. And you're like, why would you need access to that? And you think about it a little bit. It might be, well, wait a second. Maybe they need that because if my phone rings while I'm using the app, it needs to stop the app and tell me my phone's ringing. Right? Right. That may not always be true. Yeah. Right? But I think the the the notion there being more connectivity between what you collect and what it does. Right? I mean, everybody knows, like, you need my location for maps because I can't tell me where to go from here unless you know where I am. I mean, when you start getting beyond to other layers, it gets more complicated, like and there's so much interaction between these apps apps and other parts of your device, you know, and that becomes very unclear to people. And I think I think actually people vote with their feet on this. Right? I mean, if they get a list of things that gets collected and they can't make the connection
Speaker 1
12:28 – 12:44
to why the app needs it, they probably, you know, they're gonna probably reject it. Yeah. And I also I often feel, you know, as a someone with tons of apps on my phone that even if you do read, I'm a good CDT or I do read the privacy policy or the what I'm accepting before I click most times.
Speaker 0
12:45 – 14:08
Sometimes in the moment, you know, a a prompt like this is we're using this now could be useful even though that might be difficult. So you have that one time, okay, this is when something's being used as opposed to when you're initially signing up. It's one of those, like, okay, in theory, this is either bad or this is great, you know, but in the moment, you might have it might make more sense just like your phone call. Well, you know, it it and some do. Right? And then, you know, that can become confusing too. Right? But, yes, I think, you know, in the moment. Right? Right. Like, sometimes if you've turned off location and you open your maps, it's gonna say, well, I don't know where you are. Anything. Yeah. So I can't help you here, and you have to turn it back on. But I think, I agree with you in the sense that I think the more we move towards giving granular controls to people, they're gonna be happier. And that doesn't mean right down to absolute minutiae of how things work, but, you know, working in some of those controls so that I think, you know, people wanna feel empowered that they're controlling the tech, not vice versa. And so, being able to say, you know, I'm turning off location, and I understand the implications of that for the next few hours. Right? I you know, or I'm turning off, you know, Wi Fi now as I walk into the store because it's gonna track me. Those kinds of things, you know, are really important for people to understand what's going on around them. And, you know, ultimately, they should be telling the the the Internet or the tech companies, whoever it is they're interacting, what they're comfortable with and and what their level of comfort is with what's going on. Great. So let's shift back to the what companies can do.
Speaker 1
14:09 – 14:21
One of the things I was going through your resources is building a culture of good data stewardship within an organization. How do you do that? Like, what are the elements of a culture that embraces good data stewardship?
Speaker 0
14:22 – 15:48
Yeah. Well, I think there are several things, you know, in this regard that are really critical. One is, you know, if you have to, let your employees know just from the beginning how important protecting data is to your company, whether, you know, losing it would hurt your brand, whether there's the level of trust that their the customers are putting in you by giving you their information. We talked about that a little bit. I think training people to understand how important the securing of that personal information is to the, you know, health and safety of the organization over time, to remind people that that information may not just be of their customers, they have their colleagues' information that's around them all the time. There's intellectual property, which isn't really like personal information loss, but a lot of IP that under, you know, underlies a lot of these companies and how valuable that is and creating a sense of a value system around information within the organization, whether that's through training, awareness, through you know, the same way they might, you know, have a culture of, like, you know, in a restaurant of, like, smile at every customer before you take their order. Right? Companies are really actually good at establishing cultures around the way their customers are treated, and they should do the same thing around the data that's in the organization. And that should help employees implement good privacy and security practices. Right? Because they're acting not just because the IT department told me I had to have a long password,
Speaker 1
15:49 – 15:59
but because they're connecting the password to the value of protecting that information in the organization. Yeah. And a lot of it seems like making that data helping people understand that that data is not just numbers or points. It's actually about real people. That's a big part of it. And
Speaker 0
16:01 – 17:06
that I think, when you see you think of data not just as numbers, you treat it a little bit differently. So we certainly think about that at CDT a lot. You know, how do you make data something? I mean, it's just a word that's not, you know, particularly doesn't evoke emotion necessarily and sometimes you're not gonna deal with it in a way that is disrespectful. But when you really think about what that tells, well, it's fascinating what you can get to. So Well, I think that's true, you know, and I really think I think that that's a really great point in the sense that, you know, as sort of I was saying before that this isn't just data. These are your customers. Right? How would you treat your customers? Right? How you treat your customers when they walk in the front door if they were coming to a physical location versus they're walking your front door in an online location? How do you want them to be treated? Right? How do you want their data to be treated? How do you want their experience to be at the end of the day around the stuff that you collect about them? Right? Do you want them to walk away from your business saying, wow, really? That was a really, you know, and it I feel good about Right. Like, what transpired here. Right? Or do you want them to feel, well, that was kind of creepy. Look how much they want from me before they let me do my thing. Right? So, I mean, think about it from the customer experience point of view,
Speaker 1
17:06 – 17:33
is one way to start to build that culture as well. Absolutely. Can I go back to the the customer one more time just because I think that this came up a bit there? You mentioned a little bit about customer control of the data, and I feel as though a lot of consumers feels though that control is already gone. It's already been given away. Do you think that's the case in general? I mean, obviously, there's case by case examples. But is there just so much data out there about us now that it's it's too late to put the genie back in the bottle?
Speaker 0
17:34 – 18:59
You know, I think that's an, it's hard to answer that question yes or no. You know? What? It's not that simple? No. It's not that simple. But I do believe, that in many ways, the genie is out of the bottle, but that doesn't mean that it's the end of the world. Right? Because while we may be sharing data, again, it's how that data is used, who gets to see it. I mean, if you think of privacy as, like, you know, what does that mean for you? Is it what is the definition for you? Is privacy is, you know, trying to keep keep the things about yourself that you don't want other people to know. Right? Private or secret. And that doesn't mean if I give it to someone else that I've not necessarily violated that. Right? It could be what they do with that. I mean, we all have places where we tell incredibly private things to other people like the doctor's office. Right? And, you know, there's a high expectation in that setting that that information is not going anywhere. Right? I mean, maybe it's going to the insurance company, maybe it's going a couple other places, but the expectation is that they're the setting is such and that you have to have that information in order to help me. Right? So you just you know, we we can establish these kinds of norms in certain places, but it has to be around, leg of our, you know, theme in data privacy day because when you respect people's privacy and you safeguard their data and you build a trusted platform, then people are gonna use
Speaker 1
19:00 – 19:23
it. Great. So one last question for you. But at first, I'll remind people data privacy day. It's the twenty eighth. The big celebration is the twenty sixth that you should all be checking out online and we'll make sure we post that information, with the podcast and on CDT's website. Any final advice for either businesses or consumers when it comes to the, like, the best way to mark data privacy day besides, of course, visit your events and
Speaker 0
19:23 – 21:48
participate? For businesses, I would say really simply take data privacy day as an opportunity to educate your customers. Right? Take as an opportunity to not only educate them about, you know, remind them to look at your privacy policies or to be clear about what information you collect about them or to remind them of what controls, what kinds of settings you have in your services that they may or may not be using. I mean, you can look at your own environment and see how many people have changed their settings in the last six months. Is that something you could say? Hey. You know, 50% of you haven't touched your settings in the last five months. Go take a look at them. What a great thing for a business to communicate, remind them of your commitment to your to your to their privacy and their security. That's a really important thing to do. And for the consumers, you know, we really take a very simple approach here. We'd like to say to them that personal information is like money, and and you need to value it and protect it. And you need to move through the world, understanding that your information is gonna be collected in various different times in various different ways, and you have to pay attention to that, and you have to be smart and thoughtful about who you share it with. And that doesn't only mean, like, what business I do business with. That includes what you post about yourself online, what you tweet out, what you put on Facebook, you know, what pictures you send about yourself. Pictures often have, you know, tons of information about you in them. Right? And all of us at the end of the day share this I mean, this is something that I think has really changed in our world. Right? We all know stuff about other people. Right? I mean, we don't Or can find it out really easily. We we just have friends. So let's just say the people that we're not we're not looking. Right? Yeah. People share things with us. Right?
In the digital world, a lot of that stuff stored electronically. Right? I mean, just as an individual person, your contact list. Right? Just the people that you know. Right? The pictures on your computer, the financial records that you might have of, you know, your aunt who you do her taxes, you for her. Right? Those kinds of things. We are actually all entrusted with vast amounts of personal information in ways we never were before. And we so we all share that responsibility. And that's one of the reasons when, you know, back to the very beginning, we took over data privacy days because we see like we do in cybersecurity that there is a responsibility up and down the ecosystem. Now, obviously, a company has a whole different set of responsibilities than your aunt Martha at home, but aunt Martha better be protecting your personal information too because you've given it to her and you've entrusted to her. And that's just something we all share now. That's a great point. And I'll use that opportunity to plug a little resource that CDT did. If you visit cdt.org,
Speaker 1
21:48 – 22:06
there is a cybersecurity self assessment quiz that we created that kinda walks you through a couple of quick tips in terms of how to, better secure your personal devices and all that sort of stuff. We geared it towards journalists and activists because we we could see a different threat model for them right now. But I think it applies to pretty much everyone. So definitely check that out.
Speaker 0
22:07 – 22:25
Any last thoughts for us, Michael, before we go? Although, your advice right there was a pretty good last one. Well, the only thing I'd say to everybody is, you know, if if you just do one thing on data privacy day either look you know, take your self assessment quiz that you've given and do something to strengthen your security a little bit. You know, make sure that you've talked to your kids,
Speaker 1
22:26 – 23:04
you know, or in the workplace, do something around privacy and security. Just take that moment. Just, you know, take a little time. If we did that on a regular basis, we'd actually all be a lot better off. That's great. And I hope my inbox is flooded with emails from companies that I do that I work with saying, you know, here's my here's my policies. Here's what you need to be thinking about. That's great advice to businesses. Thank you so much for joining, Michael. Well, thanks for having us in as always. That's it for this episode of Tech Talk. Be sure to check out all the great resources for businesses and consumers from the National Cybersecurity Alliance at staysafeonline.org. I'm Brian Waslowski. Thanks so much
Speaker 0
23:08 – 23:09
for listening