Season 2, Episode 2: Data Privacy discusses critical components related to data privacy. Join our host Manager, Marketing Communications Bridget Anders and three amazing speakers Director, Risk Products Alex Toews, Director of Cybersecurity Safi Raza, and Solutions Manager, Compliance Lauren Kornutick for a discussion on key issues and trends that tie privacy and resilience together in 2022, new regulations, how business continuity professionals support privacy in risk and resiliency strategy, and more. Learn more about Fusion Risk Management and see how technology can help with the basics. Discover what's possible and request a demo!
Bridget Anders (00:00):
Welcome back to Building a More Resilient World, sponsored by Fusion Risk Management. This podcast is where we discuss the basics of operational resilience, business continuity, and risk management. In support of Data Privacy Week, we will be discussing data privacy in our conversation today. My name is Bridget Anders, and we will be speaking with three amazing experts: Safi Raza, director of cybersecurity, Lauren Kornutick, compliance solutions manager, and Alex Toews, director of risk products. Thank you all for joining today. Let's get started with an easy one: why is data privacy important?
Safi Raza (00:38):
I'll take this Bridget. Hi everyone, this is Safi, and to me, privacy is a human right. It is respecting individuals, managing their reputation. It gives freedom of social and political activities. So, privacy itself is a basic human right everyone should be able to enjoy.
Alex Toews (00:58):
Just to build off of that, Safi, I mean I think that's really the core of it. Privacy is a fundamental part of who we are. It gives us the ability to protect our information and feel secure and safe. And it's also - and I think the concept has changed dramatically just with the evolution of technology and where we are in 2022. Privacy is no longer having blinds on your windows and locks on your doors. You're constantly exposed. And, you know, I think the importance of privacy is more paramount than ever. And I know we'll get into the details of that, but, as you said, privacy is a basic human right and something that we are born expecting to receive.
Lauren Kornutick (01:39):
Just tacking on to that - a lot of the modern privacy law that exists is rooted in the concept of safety because now that all of our information is available online, if it gets into the wrong hands, it could be used for nefarious purposes. A lot of people don't know this or talk about it, but the root of the European Union's General Data Protection Law, or GDPR, is based in the Holocaust and preventing people from taking information and using it for something horrible. And I guess in a more practical sense, I mean it's really empowering you to have a choice and to have control over your own data.
Bridget Anders (02:27):
Those are all really great points. What are some of the key issues or trends that tie privacy to resiliency in 2022?
Lauren Kornutick (02:36):
The biggest overlap of privacy and resiliency, in my view, is on the third party. An organization is only as strong as third party and an outsourced requirement. So, a lot of privacy overlap is going to come into play on your contractual obligations with your third party vendors if they're handling PII. And it's also going to come into play as you're building out SLAs for incident management and an incident response because in the privacy realm, you know, in addition to having regular breach response requirements, there are often notice requirements and notice obligations to let the individual know that their data has been compromised. And in some statutes in the privacy incident response world, you have to self-report to either regulators or, you know, potentially criminal authorities.
Alex Toews (03:38):
And just to build off that, not only do I completely agree, but I also think there's a lot of synonymous competencies when it comes to privacy that are paramount to protecting data and information that is managed on someone's behalf, to your point, on a third party, right? Organizations, you know, these days - given the reliance on technology, reliance on, you know, digital infrastructure - there's so much data stored at organizations that for all of your customers, your clients, those who you're serving, you have a responsibility to protect. And the consequences of not protecting the privacy of your customers and the attributes, which, again, if revealed, invaded their privacy, the consequences can be severe. And that's a part of resilience, right? Being able to operate no matter what. You know, if you are subject to some type of situation in which your customer or client data is out there for the world to see, you may have a pretty short-lived life within your marketplace, and you're going to lose your customer's trust and your ability to operate.
Safi Raza (04:47):
Agree with both statements. And what we have seen late 2020 and throughout 2021: it's no longer enough to ensure that you have your items all together, you are following the appropriate laws and regulations. But at the same time, now you have to also ensure that your third parties are following the best practices, you want to make sure that they're in compliance as well. So, completely agree with Alex and Lauren that the focus has shifted towards third party risk management because we have seen that even though, yes, you are SOC certified, yes, you are ISO, you have all the appropriate certifications - but having a third party risk advantage can cause a very severe blow to the business.
Bridget Anders (05:31):
Are there any new regulations or security add-ons to be aware of?
Lauren Kornutick (05:36):
I think that in the U.S. there's been increased attention on coming up with additional data privacy frameworks. So, California kind of led the pack, the U.S., with the CCPA and now the CPRA. And you have additional states like Virginia and Colorado coming to the table here. The big thing going on in the U.S. right now though is the FTC is working with its rules committee to enhance consumer privacy protections. And there's also some discussion about legislation, in particular, targeting tech companies that are doing targeted advertising to, perhaps, those groups that they shouldn't be advertising to like children. There's also a lot of things going on around the world. China recently passed a prescriptive data privacy law, but I'm, you know - I'll turn it over to Alex and Safi if they have anything to add.
Alex Toews (06:37):
And I was reading recently, I believe it was in one of the analyst group forums, but, you know, by 2023 they estimate that approximately 65% of the world's population will have most of its personal data covered under some type of modern privacy regulations. And, I think, you know, given the release of more prominent and more focused or targeted mandates and regulation, I don't see that trend stopping. I mean you can see there's not just federal regulation, but states are taking it into their own hands to increase the amount of scrutiny that is being placed on how organizations or how certain firms handle our data, right, to maintain our privacy because our data's everywhere. So, you know, there's a responsibility that is finally, I think, gaining enough momentum where these regulations are almost expected. And I think there's oftentimes questions that are asked of certain jurisdictions or government entities who don't have a robust data privacy standard, right? Because it's really their responsibility to protect the people that they govern. So, I think that's a pretty telling statistic in saying that 65% of the world's population will have its personal data covered, which as a consumer, as we all are, is something that certainly gives me a bit of solace.
Safi Raza (07:57):
And that is great. That is very exciting to see that organizations, governments, and already people are caring about their privacy, we have seen, given the waking up of the world. We did see that almost half of the countries in Africa actually have some - adopted some kind of regulations, some kind of privacy act to ensure their private information stays safe. I think the most famous one is from South Africa. When we're looking towards Asia, we see India, China, and Indonesia are passing their privacy act. Well, a number of countries from a developing world are right - coming right behind them. So, we definitely see a lot of countries are adopting some kind of privacy laws and regulation which is very refreshing to see.
Bridget Anders (08:42):
Given what we have discussed so far with the importance of privacy, some key issues and trends we're seeing, as well as new regulations coming up, what does this mean for Fusion and our customers?
Alex Toews (08:55):
As far as, you know, what does it mean for Fusion and our customers? I think for the most part it's one and the same as far as our data security standards as well as those which we help organizations employ and enable, right, through our software. As I look at Fusion as a suite or an enterprise tool and the applications we build to help organizations manage their risk, cyber security and data privacy and information security is fundamentally a consideration and a part of every solution area, regardless of what you're managing internally as part of your organization. Whether you are part of your third party risk team, right, using a third party risk product, or whether you're part of the operational risk group or business continuity, if you're not considering or baking into your program some perspective of how information, cyber, or data security vulnerabilities can affect your evaluation of risk, I think, you know, you're missing the mark.
Alex Toews (09:48):
And per Fusion, as we continue to approach, enhance, and create functionality that, again, isn't meant to be single point functionality but rather a focus on operational resilience, right, your ability to maintain your customer promise no matter what, you know, we give you those tools to be able to cross-pollinate information that may just sit within an IT risk group and make sure that all of your teams are leveraging those insights and that context. And I think as we think about, you know, what are the tools and solutions that customers would need to remain resilient? And then we think about all of these occurrences that are pretty systemically disruptful when it comes to information, data, and cybersecurity, that entire picture is always well understood. And that there's information, technology, risks that, you know, fundamentally become a part of every program area.
Alex Toews (10:41):
It's no longer an excuse, and you can't claim ignorance if you're not within your data privacy or IT risk team to say, well, you know, that team manages that, you know, I don't necessarily need to pay attention or consider that. You know, having that integrated approach that Fusion is built on allows you to understand that there's data privacy, information security, and cybersecurity risk in everything you do. And, so, making sure you are establishing and enabling a program built on technology, leveraging all of those cross-functional understandings is paramount, and, obviously, information and data security is top of that list.
Bridget Anders (11:16):
Yeah, absolutely. Which leads me into my next question: can you talk a little more about how privacy professionals support the broader risk in cyber strategy?
Lauren Kornutick (11:28):
I mean privacy professionals are pretty specialized just because of the, you know, nature of what they do requires them to be immersed in all of the changes and in laws and all of the specifics that lead back to program management. So, a privacy professional is going to touch your risk management and touch your resiliency strategy in some way even if they're not core to that. And what I mean by that is: your privacy professional is possibly going to have a role in your risk assessment and risk management. They'll have a role in your incident response and incident management, you know, if the relevant risk they are dealing with is related to the handling, notice, use, and collection and processing of that personal information. So, they're kind of a very close constituent and close stakeholder to those other groups where they may not necessarily be leading the charge, but they will be involved along the way to support the broader efforts.
Safi Raza (12:40):
Very well said, Lauren. I think that privacy professionals can shift their focus towards more strategic areas. Where they see more future growth, they can help revitalize customer strategies, they can create privacy-conscious applications and implement privacy programs for increasingly vigilant investors. The third party focus is, and we just talked about it, and there are more eyes on organizations who are providing services or who are offering product. It makes sense for the privacy professionals to focus more into those areas and become a part of the design phase, right? Privacy - it should not be an afterthought. Just like security, privacy should be part of any initiative from the very beginning.
Bridget Anders (13:23):
Yeah, absolutely. What about business continuity professionals? How do they support privacy in the context of risk and resiliency strategy?
Alex Toews (13:31):
That's a really good question. And I think, you know, not only do they support or play a part, I think they're absolutely paramount in managing data information in cybersecurity. With the advent of technology, right, as we move forward, you're really only as resilient as your ability to respond when things happen - because they're going to happen, right? There's too many half-locked doors and ways for bad actors to get inside your organization and attempt, at least, to access data that is private. And the clock is ticking when that door does open. And, so, you have to be able to, to the greatest degree, minimize your downtime, protect, recover, and restore any data that has been accessed. And for any business leader, the onus is on you to ensure that the business experiences as little loss as possible with minimal disruption.
Alex Toews (14:24):
And that really is reliant on your business continuity team and their ability to not only create active response strategies, to recover things generally, but to really tailor and specialize those response strategies to these types of risks because they're more pertinent than ever in 2022. And, so, you know, there's lots of, you know, different strategies that you can employ to make sure that you are resilient in this space. Especially within business continuity, you can achieve those things through running tabletop exercises and actually, you know, running scenario tests against these types of events to ensure that your response plan doesn't only just exist, but that it's tailored to respond to these types of dynamic events. Because as I said, the clock is ticking the minute that there's a disruption of this nature, and you have to able to respond not only effectively, but in a very targeted manner to stop any throws of leaked information, data as fast as possible.
Bridget Anders (15:20):
Yeah, that's a really good point, and I want to go off of what you said: that things are unfortunately going to happen, which is so true. And we have seen that: that it's not about "if" something is going to happen, it's about "when." So, with that, how is the market evolving to protect digital data, and what are some core issues for cyber threats?
Safi Raza (15:41):
We're seeing more organizations focusing on encryption, for example. And Alex just said it rightly so that, yes, it's not the matter of "if" but "when." Unfortunately, yes, things will happen. It is possible that some people lose their data, but organizations are coming to terms that, yes, they will lose their data. But what if their data is encrypted? Even if the data is stolen, it's almost impossible. Of course you need to have the right technology, right, a number of supercomputers to break a standard encryption these days. So, one of the biggest things that - or most effective things that folks are doing is they're encrypting their data to make sure that even if the data is stolen, that it's still safe. I mean it's great that someone has an encrypted file, but they have no visibility into the data itself.
Bridget Anders (16:30):
Thank you, Safi. Lauren, Alex, do you have anything to add to that?
Alex Toews (16:35):
Yeah, absolutely. I think when we look at where global interconnected economy and organizations - there's a couple, I think really key trends emerging and more so standards when it comes to protecting information and data. One thing that I see in here a lot is the bare minimum in privacy is not enough, right? There's actually a funny saying for anybody who might have friends or family in the military, but necessarily because they wouldn't call it the minimum if it weren't good enough. Which is fair enough, but they often follow that with, you know - but never ask me what the minimum is. And I think that applies to data privacy today. It's no longer good enough just to meet the standards, right? To either fall in line with a lightweight compliance mandate or regulation, you really have to step your game up when it comes to data privacy.
Alex Toews (17:23):
And I think as we were speaking earlier from a federal or localized government standpoint, we're seeing that with the introduction of this regulation, which you're saying "essentially the bare minimum is not good enough for these specific areas - this is now the expectation." And, so, I think that theme is being well heard and understood regardless of the type of organization that you are. And I think, to follow that, there's also this general theme that, you know, organizations are, you know, embracing this digital age. We're seeing the introduction of digital currencies and NFTs and AI and machine learning - these things that we used to think of as being firmly planted in some futuristic universe, right? It's now a reality. And, so, you have to step up more than ever to understand not only how you protect your data in its resting state today, but how it may be used in emerging technologies, which with those have an incredible bevy of emerging risks that we have never assessed. You have to start thinking as forward looking as possible and trying to identify and understand these new and emerging technologies that you can build a plan and a protection strategy that will prepare you for when those things arrive, if they aren't already here. So, those would probably be the two I think that resonate with me.
Lauren Kornutick (18:40):
And going back to something Safi said earlier in the conversation, I think we're going to continue to see organizations investing in teams that manage privacy by design, which basically is, conceptually, you take the bare minimum information that you need to be able to accomplish the task or process you want to accomplish. And I think the concept of privacy by design or privacy engineering - whatever term you want to use for it - is something that is going to really start to explode. Because a lot of times you will get information about customers or prospects or consumers or even if you're looking at something simple like a real estate listing, people are always asking you for your information. So, I think a lot of what you're going to see is a shift to how we manage these processes with the most limited amount of identifying information about the person who's consuming the service so that way it avoids the overall risk. So, for example, maybe you get prescriptions. The old way that people used to validate that information was to get your date of birth or your social. Now you're seeing something simple like an address verification, and that's something that's available and accessible already in the public space, so when you are communicating, you're not inadvertently giving away something of value. And I think we have to really, as a society and a global community, start thinking about our personal data as a commodity that has value to it.
Bridget Anders (20:30):
Lauren, you touched on this a bit, but how do you see these dynamics further playing out in our key industries in 2022, and how do teams need to adapt? Are there any best practices here that we need to discuss?
Lauren Kornutick (20:45):
I think from a best practice point of view, there is heightened attention to incident response and incident response sharing. There's pending legislation in the EU called the Digital Operational Resilience Act that impacts not only financial institutions, but their third party technology service providers. And one of the things that's really unique and interesting about that legislation to me is that it has this whole concept of: if there is a cyber attack on one entity, then that entity should share what happened with the whole network. And I think compliance and privacy and risk professionals have a tendency to want to keep this information very close to the vest because they view it as a personal failing. But, like Alex said before, this is going to happen. And the best way we can work to prevent this is by sharing what happened during the incident and doing that kind of collective root cause problem solving. So, it was very interesting for me to see legislation kind of tackle that. And while it's not specifically aimed at privacy, a lot of those technology service providers for the financial institutions, just by the nature of what they do, are going to hold and harbor a lot of consumer data that, you know, our privacy team and privacy professional is going to be involved in architecting.
Bridget Anders (22:19):
Absolutely. Alex, Safi, do you have anything to add to that?
Safi Raza (22:25):
What you're seeing is - across the globe is - there are a number of privacy acts that are coming up. But at the same time, we have seen that in a case of Quebec, recently passed their - are about to pass their privacy law as well, and despite the fact that Canada has its own privacy act in place. Now, what you're seeing is this is just an example of your smaller, very local states or local governments. When they're seeing that their needs are not being met by legislature, they are introducing their own acts. And I think we will see more of these going forward where these states, these local governments will pass their own privacy law to cover any gaps that may present or all federal laws.
Bridget Anders (23:12):
Yes, that's a really key point in this conversation. Thank you, Safi. Well, we have covered so much insightful information today. Could each of you share one takeaway that you want our listeners to take from this conversation today?
Lauren Kornutick (23:27):
The key takeaway for me from our discussion, and it was very thought provoking, is that how we collect, store, and use people's personal information is a challenge that as risk, compliance, privacy, and resiliency professionals are going to continue to face. It's not going to go away. You know, it's something that's going to continue to evolve, and it should definitely be a consideration as part of your broader strategy.
Alex Toews (24:00):
It's a great point, Lauren. We covered a lot today, and I think there's a lot to take away from data privacy in 2022. But, if I had to boil it down, I think one of the most, I'd say, eye catching elements of data privacy in its current state is that the expectations of you as an organization or as a firm for protecting data is no longer an expectation that requires you to do, as I said, the bare minimum. You have to be forward looking, and you have to have strategies in place that are hyper targeted towards, right, not only the data privacy, you know, exposures and vulnerabilities that exist today, but you have to think about how the technology landscape is evolving. You should always be trying to establish programs and processes and strategies for protecting information and protecting data that are not only fit for the current moment, but that are expansive enough to address emerging technology, right, as it's relation to the market, as it's more broadly adopted, and that your program is robust enough to address the speed of regulation that is being released. So, if you find yourself on the back foot responding to requirements in a regulation, you're probably further behind than you thought.
Safi Raza (25:18):
Thank you, Alex, great insight. For me, I think that privacy - just like information security, privacy should also be part of a company's culture. It starts with the leadership understanding and clearly communicating: how do they prioritize data privacy? The leadership should invest in people, train people, hire the right people - and who not only understand the privacy, but also help establish the concept within the organization. So, making privacy a part of their culture will pay dividends in the long terms, especially with the ever changing regulations and requirements.
Bridget Anders (25:56):
It's been amazing hearing from all of you today. Thank you all again for your insights, and thank you to our listeners for joining us on Building a More Resilient World.