Data Privacy Day 2019: A New Era in Privacy

Data Privacy Day 2019: A New Era in Privacy

Show Video

Good. Afternoon ladies and gentlemen, and welcome to data privacy day 2019. Please, welcome Kalinda. Rana head, of global privacy. And seeing a director, at LinkedIn. Thank. You so much and welcome everyone it's great to see such a good crowd here for data, privacy day and, we are honored here at LinkedIn to be celebrating. For the second year in a row within CSA, and hosting this wonderful event so. I hope you enjoy the speakers we have lined up I think it'll be a fantastic learning. Opportunity. For all of us and with. That I wanted to introduce. Kelvin. Our executive. Director of NCSA. Thanks. Kalinda I. Want. To thank everyone for joining us today at LinkedIn. For a data privacy day 2019. A new. Era in privacy. We've. Also liked to welcome, everyone who's with. Us be at a live stream, we really appreciate you participating with, us today as. Kalinda, said my name is Kelvin Coleman, I'm the executive. Director of the National Cyber Security Alliance in Washington, DC for. Those of you who do not know us. The. National Cyber Security Alliance is the nation's leading nonprofit in, building. Public-private. Partnerships, to promote, cyber security and privacy education. And awareness, our. Mission is to educate and empower our. Global, digital society to. Use technology, safely, and securely. We. Create and implement, broad-reaching. Education. And awareness efforts, to empower everyone with. Information, they need to protect their privacy, stay. Safe and more secure online, and encourage. A culture of, cybersecurity, I do. Want to take a moment for the folks in the room sorry for the folks in the live-streaming, those who with the NCSA. Staff who happens to be here please. Stand, for a moment and be, recognized. Danielle. Jessica, thank, you, Jennifer. Thank you good. I. Also. Want to recognize Russ, my. Friend and predecessor. Who, was, the former executive director of national service Security Alliance thank, you for being here Russ. You. Know today's event, would not be possible without the support of, our, dedicated, sponsors. We're very grateful to, Visa. And Verizon. Our contributing, sponsors, thank you so very much for all that you do for, NCSA our participating, sponsors. Yubico. Mozilla. Trend, Micro, very, happy to have you here Mitchell. From Trend Micro really, great. To have, you, become as ill and trim micro as partners. Women. In security and privacy the Identity, Theft Resource Center, and call, for action those are our nonprofit, partners who we love. Working with and finally I t SP, Magazine, great.

Partners, And looking. Forward to working with them in the future, we're honored to have such a distinguished, group of privacy. Experts, who have quite diverse backgrounds. Working, with us today lastly. I want. To extend heartfelt sincere. Thanks to LinkedIn, for, hosting in. This incredibly. Beautiful building. We, hope all of you will engage by asking, questions and taking part in the panel discussion our, handle, at stay. Safe online will, be tweeting, we. Also encourage you to tweet about the event and engage, with us on social media using hashtag. Privacy. Aware, which. I was told by Danielle our social media director that we've been with, viral, you know we're trending so that's a good thing I, thought. This group would get that but obviously. Alright. At this point we're gonna start. And I go into our next session so thank you very much for being with us today. Please. Welcome Kelvin, Coleman and panelists, for a new, era in privacy. You. Know it's really great as I said to be. Here today. Karen. And Kalinda are gonna introduce. Themselves and, talk, about their backgrounds a little bit and then we're going to get into our question and answer I really, encourage those, in the room you know if you have a question please let us know we're, gonna have microphones, set up on either side of the room. And of course we're live-streaming and, so those who are joining us by live-streaming, please, send your questions as well. Kalinda. Audience. Yes thanks so much. My name is Kalinda Rana I head up the global privacy, team here at LinkedIn and prior. To that I was. Working. At Apple on privacy issues and then prior to that Nintendo, so, privacy. Has been an area that, I've been interested in before it got popular and it's nice to see the changes, that have happened. Hi. I'm Karen Zechariah I'm the chief privacy officer at, Verizon I. Often, say I've been at Verizon forever. I've been there for 25 years and I've been in the privacy, role for about. Eight years now. You. Know I once. We were preparing for this session I was so excited because, both Karen and Kalinda have such extensive backgrounds, and a such, amount experts and to people who have, so much to offer to us today so I'm very excited thank you both for being with us and with that you. Know we know how. Recent. Changes in privacy legislation has, really impacted, not, only our country but our world, how has recent, privacy, legislation changed. To landscape, and how have, companies, responded, and Kalinda. Let's start with you yeah. I think there, has been so much change in the past five years in the area of data privacy, so when I started, in 2001. We. Didn't even have data, breach laws. And we, did have the European directive but. For a lot of US companies it didn't have much of an impact if they weren't working having, offices, in the EU so. Over, the past five years we've, seen a big shift in terms of the GDP, are coming in to affect California. Now passing, its law and. We're seeing other states choosing, just pass laws as well and then, we're seeing changes happening in Asia and, many. Other countries that, in the past had, not focused, on data privacy, so for. Our team a lot of what has changes we've had to be even more global, than we were in the past it's. Not. Simple. Enough to just focus on Europe or the u.s. you've got to be taking into account trends. That are happening in Latin America, as well as Asia and it's. Also very hard to figure out how, to apply, these laws on a global basis, so that's, one of the big changes we're seeing. I. Agree. With everything that Kalinda, said and perhaps I'll. Answer. It or look at it from a slightly different lens, you, know when you think about the privacy landscape, I think about a number, of different external, factors that are really influencing.

What's. Happening, in companies one is certainly the legislation, that you're talking about and, especially, for global companies that's very challenging. In. Addition. There, is uh, you, know I think that consumers. Or people in general have a growing, sense, of the, benefits, and the ways that companies. Are using data there's, somebody, was just talking to me about the fact that she didn't go to the Department of Motor Vehicles on, a certain day and she went the next day because she, could look at a camera and see how long the lines are and you, know there's just so many different ways that were net that data is now being used that's helping, individuals, in their day-to-day lives that I think people have a sense. Of that and then of course there's also some of the headlines, that we've seen and so. Really a combination of, all of those things I think have, very much impacted the way we do business today. Karen. Let me pick up there because. Kalinda, talked about how, you. Know she wasn't the popular kid in class. A couple years ago with privacy. I. Just, said wasn't. Popular. So. You talked about our privacy, was it popular. Well. Now it is and. So can you talk to us a little bit about the challenges, though that organizations, are facing adapting. To this new privacy, era privacy. Legislation, yeah. Sure, you know it's interesting in part, because there's so much more of a sense just. From again from people's day-to-day lives, about the impact, on privacy, that I think that, employees. Have, a more. Of an awareness than, they used to right as long as I've been in my job we've trained, all employees, about privacy, we've told all employees, that it's their responsibility to. Protect customers. Privacy but. One of the real changes, now is that people really get it in a way that they perhaps, used, to not and so whether you're talking about an entry-level employee, or, the. C-suite right people, are very very focused on privacy and although. You. Know they were I think it would agree they were focused on it or paid attention five years ago but it's just that much more so today and, you. Know in terms of the challenges. Kalinda. Talked a little bit about the challenges of operating, globally when. You have many many different laws and that's absolutely true. We. Also have, just, interpreting. Laws can be a challenge, and so. I think we're gonna see over time, as, different, companies, interpret, laws differently. We're going to see regulators. Step in and tell us their view of what the law is and. Companies. Will have to be, careful. To read those opinions and make adjustments as necessary and, then, we're all having to staff up more than we used to because there are additional. Regulatory. Requirements, that we used to not have one. Thing I was just gonna chime in on what Karen was saying is one of the big shifts we do see across companies is that data. Privacy has become something that's not just for the lawyers anymore, and I think that's something that, has really, developed over, the past five six years it's. Something, that everybody, at the company needs to be aware of and at LinkedIn, we call it a culture of privacy, because it's, something that it's, not just the lawyers responsibility.

Our, Job is to help interpret the law but, it's really the responsibility, of everybody. At the company and as a data-driven. Company. That's an important, thing for every employee to understand, and, get a sense of so a lot of the works that we do here at LinkedIn is, to help make sure that. Everyone feels a part of that culture of privacy, and that they're. Aware of the responsibilities. That we have. So. I really, have to ask you this question because it's somewhat I'm not, gonna say the easy one but when you probably think about a lot I mean what, should privacy, legislation look, like if you, could you know advise state, legislators, and the Capitol Hill. Because. As large multinational. Companies you have insights, that they don't necessarily have and based, on your experience, of implementing, and interpreting, GD P R and C, CPA what. Should legislation, look like, sure. Sure. I can, start on that you know I often think of, privacy. Legislation similar, to a maze and, you, can have a really hard maze that has only one path from, the start to the finish or. You could have a really hard maze that has several, different, ways that you can get from the start to the finish and I. Think of, privacy. Legislation and, especially federal. Privacy, legislation like. The latter like, the hard maze that has several different ways we can get to the finish line and for that reason you're not going to see, me say federal. Privacy legislation must. Have the following ten provisions, in it but what I can talk about a little bit is sort of some overarching, themes, that we think are important, so. First. You've, heard me say federal think. In the United States it's really important, that we have a consistent, regime. And so, that means one, regime, that, applies to all players in the ecosystem that's. Enforced, at the federal, level by the Federal, Trade Commission, I. Think it's important that the regime be very flexible things. Are changing so quickly that. We don't want Congress to pass a law that next. Year is out of date I, think. It's really important, that it have meaningful, protections. For consumers so. That means that, it. Needs to includes, provisions. That require companies. To be trans, parent and how they use, information, and what informations collected, it also means that we have to give consumers, meaningful. Choices and not just check, the box type choices, and. Finally. Any privacy legislation should, have some kind of safe harbor, provision, in it so, that companies. Understand. That if they take certain steps what they're doing is consistent. With the law, and. I would agree with all those that's a great outline. Of really, what federal legislation. Should look like and sadly. It's not somewhere we here. In the US have gotten to yet if you, look at US federal, laws we have, the. Children's, Online Privacy Protection, Act, we have HIPAA and. We have gramm-leach-bliley, but, we haven't, developed a comprehensive. Data privacy, law and then in addition, for, data breach laws we have forty-eight different laws so, ideally. I absolutely. Agree it'd be wonderful to see one. Law that is operated. At the federal level that is consistent. And brings, the ability for companies to plan throughout, the, US as to how they're going to comply rather than having to do a state-by-state analysis. And, I think that one of the things that the any law needs to do is is. Be, very flexible because, it's hard to take into account so, many different industries there's not just the tech industry, that this would apply to but. The healthcare industry and, potentially. You know many. Of the other areas even, auto, industry. Or every. Industry, today touches. On data so, this would have to take into account various. Different. Technologies. Industries. And to. Do that successfully, you really have to leave the flexibility. In and that's, where the difficulty is in interpretation. How, do does, each company, apply the law, and how do we think about what is transparency, what is choice and how do we get those concepts, across to, users, in a way that doesn't overwhelm their daily lives I, think that's one of the hardest challenges for, thus those, of us in the tech space who, truly want to provide transparency and. The. Ability, for users to be in control but, how do you do that a way that is effective, and efficient. For, the end-user. We. Are gonna open it up here to the audience but I I've. Often thought about this issue, like. Early. 19th cent yeah, 19th, 20th century America. With time, every local did jurisdiction, had a different, time right every state they, sort of ran their own time, in, order to make the Train literally, run on time we had to come together and sort of decide, okay here's what our timing, mechanism, is going to be is, that a decent example of where we are in terms of everybody's, gonna create these sort of privacy, regulations.

But At some point we need to bring them together so, that there are you, know consistent. So. That we all understand, it it's not a. Decent. Example of how to look at this I think. It's a really good way of looking at it yeah, I agree I think it's a great way the challenge. With it is we are now dealing with something on a global scale at, a speed, that is is extraordinary. And with. The technology, that's constantly, changing so you, know what. That example, is a perfect idea of what we need to do to come together but. In reality part, of the thing that's hard for, developing. Any sort of legislation, here is that the technology outpaces. It and so, how do you develop something with broad enough frameworks, that you can successfully, apply. Across. Technologies. As well as ten years from now I think the GDP are did a fairly good job of that by putting in concepts, like privacy by design and data, subject, rights but, we, have to be able to whatever. We develop here in the US have something that 10 years from now can still be working 20, years from now can still be working and beyond. Great. Gonna, turn over to the audience now any. Questions, you may have for. The panelists and I'm gonna ask you to maybe go, over to a mic there sorry I'm gonna make you do some exercise here yeah, yeah not. That you need it. Hi. God this is karen mehta co, and I think you touched upon the global nature but. If you look at, both. Consumers, their data and kind. Of the products. That we use they. Are even more, global like, I go to London, what if I fall sick like. How do I access my data sitting here so, is there any effort, to have. Legislation, which is not just, US. Or federal, but. More global, and, in. The absence of that how do you see all. Of this evolve. Well. It's interesting because, back. In when. I started. Getting interested in these issues back, in 1996. One of the questions, that was coming up was how. Do we develop something at an international. Level and, have, can all governments, come together and, solve. This problem or not and you know there the OECD. Has done work on this the Fair Information practice. Principles which, are the foundation, for anything, any, of us are doing when we think about a privacy, structure I'll come, from this global coming, together of thinking about these issues but as I think the Internet has commercialized, it's gotten harder, for, all regions to see the issues in the same way and to have the same stake in it and the, same concerns. And so that, that, is the ideal solution because. As we were just saying the the Train, example, is wonderful, for, when you're working across. A continent. But, what we're really thinking, about if you think the analogy is how do you get planes to, go. Across country, to country and transport, people and and follow similar, rules in terms of security checks and health checks and all the other things that come into play so it's, where we need to head but it's it's a hard place to get I, don't know what your thoughts are Karen yeah no I agree and maybe thinking. Perhaps. You'll tell me I'm taking the train or the time analogy, too far but. Right. Around, the world we have different time zones but, yet we've figured out what. They are and how to sort. Of operate, with different time zones in different parts of the world now there are some places that have I'll. Call them somewhat quirky time zone sometimes you'll find a country, right next to another country, and it'll be 15 minutes difference and, perhaps. That's I, understand. You know I'm guessing this is not my area of expertise, but I'm guessing countries, do it because they want to exert some kind of independence. And things like that from the neighbouring country, but, perhaps, what we need to try to do in the privacy, world is understand.

That Globally, we're not all gonna be on exactly, the same time we can't do that the Sun rises and sets in different places just, like there are different sensitivities. And different thoughts for how information should be used, and the types of consents, we have but at least if we can get it closer, so. That you, know we all share, some common terminology and. We all share some, common. Sense of, how. The times work or what the terms are so that we can interoperate, in. A more efficient way, thank. You absolutely. I. Go. Ahead. Hi. There so, you made a comment at the beginning about. Consumers. Becoming, more savvy about their data themselves, and more concerned about your uses thereof, and there, were subsequent commentary. And discussion, about legislation. And safe harbor and how, you protect the corporation, those, two things of course are different. How do you compare, those or offset, those when you look at your enterprise. And the. Protection, of the. What, the person wants done with their data versus. Protection. Of the corporation, relative to legal liability. Does. That make sense. Sure. Sure I'll go first I actually don't see them as as different. As perhaps. You do I think that for. Consumers. To trust, companies, and to want to use their products, and services they. Need to understand, how their information is used and believe. That they're using it in ways that's beneficial, to the consumer, so I actually think the two things go hand in hand I. Don't. Know if that answered the question. But I would, agree I think you. Know safe, harbors are typically in the law because, companies. Are complying, with other laws and likely, for most of us that would be complying, with the gdpr which, does get to a lot, of what. Both the, CCPA, and the washington, bill that's being proposed or trying to get to so i think, every. Company as you say Karen or most, of us are very aware of the fact that we. The trust, is to be earned and to be kept and in. Order to do that it's in our interest to. Make sure that we're in compliance whether, you do that through a safe harbor or through some other way we, have, a number of people who registered. On here, simply. Because you want to know a little bit more about it or then industry, and we have other folks walking around with little green things under their tag. Called media and. So if you can introduce yourself hi. Tom clearing the register so Illinois, has, a has a law, called the biometric, Protection Act and their Supreme Court just upheld that consumers, have a private, right to action and that they can bring action against the company for. A privacy, rights violation, independently. Is, that something that you. Think makes sense for a federal law why. Or why not. You. Know I think I think a private right of action gives. Consumers. An interest, in the issue I, think what I've seen to be most, effective though with the gdpr has, been the the penalty, function. That has been put in place with. The hive penalties, and, fines that the government has the right to bring into play it. Is what, is, helping. To drive a lot of the change that gdpr has brought about in terms, of greater awareness in. The corporate world so I don't. Have an opinion either way on private right of action I think the key thing is that any law that gets passed needs. To be able to have consequences. Attached to it. And. I. Also. You know I was originally talking about the maze in different ways you can get to the end zone and I also don't have a personal. View either way I. Do think that there are times where, well. If what we're trying to do is make sure we're protecting, consumers. It's, not clear, to me that private. Right of action 'he's always get there and actually help. Consumers, as opposed to more, helping the lawyers, who are bringing them but. But. You. Know it's something that we certainly would look, at, thank. You sir. Yes sir Mitchell, Kim register I was, wondering as company's building this products, how should, we approach informing.

Or Education, educating, end members, about, how. Things. Work or what controls they have at their hands, on the, one when you don't want to implant things in the middle of their core experiences, to be interfered, with but, on the other end you don't want to build Help Center articles, and settings and then just hide it and so they can find it so I was wondering what is the right balance to. Meet in this, case I think. It's a real challenge for for, any company to think through because those, of us who are creating those materials, want those materials, to be seen and used and so, we are constantly working, with. Designers. And others in the organization to, evaluate. How effective is, our messaging, how is it being seen, our. People, responding, to it and are we putting things in the right places, one. Of the approaches, that LinkedIn. Followed. Very early on was the concept of the layered privacy, policy, in the hopes that what. That would achieve is get more people engaged with, the privacy, policy and understanding. It in plain English and then, attaching a video to that as to which. You, know is something that actually in. Different cultures, when you think about us as a global company different people are able to interact, with that material in different ways so, it's, always a challenge though, I, totally. Agree with Kalinda this is one of the biggest challenges, that we face. How. To get it just, right and sort of not too big not too small you. Provide lots and lots of information and, you know nobody's, going to read it because it's just filled, but it's just too detailed so, figuring. Out how to get consumers. Really. The information, that's most important. To them is, a. Large, part of what my, team and I really struggle, with and, you. Know I often, say that one of the hardest things that we do is say something, doesn't, have to go in and notice and that's not because I'm, saying, that consumers, that we should hide something, it's, perhaps, because, it's so obvious, that we shouldn't be clogging up you. Know putting additional words and to the notice about something, that consumer, really understand, or perhaps, it's, less important, than the really, big thing that we think is most significant, to consumers, and so getting, that balance right is, really a challenge for all of us, the. Other thing I just want to add and this, goes back to my prayer comment, about a culture of privacy, is that it's also required as lawyers to, not be the only ones saying everything, so we have our team I have, a lot, of folks on my team who are non lawyers as well as we work with our communications, team and our design team because. Sometimes you have to get the lawyers out of the way because we we say a little too much that is hard, to follow so sometimes, we, work with other members of the team to try to figure out how do we say it's in a way people will engage, with and understand so I don't. Know if a person this room who would agree with you to get the lawyers out of the way I. Will. Say that working with companies I, often say, to people that these, companies are working actually, very hard to find, what I call the Goldilocks zone right not, too big not too little just right so what Karen was saying you don't put stuff in it it's kind of obvious but if you don't are you trying to hide it just, not the case and as I've dealt with these companies, I just think they've they're really, doing a great job of trying to find that Goldilocks, zone. Because, it doesn't you know there's. No benefit to them to hide anything you want to be as transparent as. Possible and with that please, sir next, question I just want to say thank you first off for hosting and sponsoring today my. Question really stems around taking, from a legal and privacy standpoint at the federal level when we look at the confidence around state, level breach notifications. Or consumer, rights we haven't seen that consistency, so. I guess my question really, is what, would you say to the audience or, folks listening on the streams like what is the call to action to help push the agenda for more of a federal expectation. For. Privacy regulation, across, the u.s.. Are. You asking, sort of how can we get Congress, to act how, can we get Congress okay. A very. Tough kind of questions okay. I'll. Tell you that since, I've been in my this job the privacy job at Verizon we have supported, federal privacy legislation and. That. Hasn't been of, all, companies sometimes I've walked out of meetings and I've had people pull me aside and saying you know what is it you guys are thinking I think, the tide has really changed, on that in the United States and I think there are a couple of things that are that.

Both Make, a lot of companies, want privacy, legislation but. Also has and more importantly members of Congress, really focused on this right now and I, think, one. Thing is the legislation, we've been talking about both GDP, are right we've had a lot of members of Congress say hey if. Europeans. Are getting these protections, or even US citizens, when they go to Europe, why, not my constituents. We, have things like the California, privacy, law that also has members of Congress thinking about it and then we have those headlines that I mentioned earlier and there really is, a. Renewed. Focus in Washington. On this issue and I, really hope that Congress. Does do something on it during this Congress. Yeah. And I would reiterate what, Karen said I think the biggest challenge, will, be the state that Congress's, in right now to be able to, consider. These sort, of bills and I think, California though, passing, this law, California. Was the first to lead the way with data breach laws and you. Know I think my. Hope is that we will get to federal legislation, before we get 48 different privacy, the, state laws quite honestly because, that is just the real challenge, for, those of us who are trying to follow, the laws, how, can you we, already have, various. Country laws which happily many, of them are converging, around the gdpr model so, you, know that will be a real challenge if, we don't get federal legislation, and instead we end up with state laws. Once. In a Supreme Court case the Supreme, Court said States are the perfect labs for democracy, right CC, EPA and other states are coming in with their. Legislation. I think it's gonna force the, federal, government's hands I think there's an enforced Capitol Hill to say hey we, really have to make, sure the trains run on time so, sorry. Hi. Tim Ralph's with the spark Institute I guess one of the problems that I'm struggling with is applying. A physical. World with physical. Boundaries to. A virtual, world and I. In this terms of privacy and I wanted to get your thoughts on how that, might get, itself resolved, if I live. In one jurisdiction and, I transact, with a vendor, in a second jurisdiction. But, then I travel, to a third jurisdiction. And I interact with that same vendor. Where. Where. It seems like there's a lot of a lot of issues in terms of. Even. If it's at the federal level or the, state levels, coming, up with what rules apply.

You. Know that's actually been a challenge, on the internet since its beginning, and when commerce, wanted to start online that. Was one of the biggest things that people threw. Up as a difficulty, and making it happen was how, could you exist. In one place buy, something, from another company, that existed, somewhere else where maybe it was manufactured, somewhere, else and how would you hold everyone, along the line accountable. And, I think that's part, of what makes Karen's and my job very interesting, right now is. Trying, to figure out how do we look across all of these different laws and figure, out what applies when I actually, found the gdpr, to be a very helpful thing for many, companies, and that it helped. To create. More consistency, across Europe, and we're, seeing Asia and Latin America following, similar models, so, in that respect, it is a little easier but that's. Part of what, you just said is part of the challenge of our day to day job. Jessica. Danielle you'll let me know if someone. Is uh okay, yeah, has a question online so thank you until. Then sir well. We've already picked on lawyers and lobbyists so I guess I'm hit already but. I'm. A benefits, lawyer I'm David Levine and a question I have is our space is a space that people don't pay any attention to it's, like twenty three trillion dollars of assets that sits there nobody, talks. About it but we face the same challenges, that you're talking about on the broad base here but, there's already a lot of laws out there we're talking about a national standard. But. A lot of your businesses each of you bleed into different areas like take Verizon verizon start, as a phone company as a media company and other types of coverage as you adapt, your areas, how do you what's. Your thoughts, on how do we in with existing laws like, in our world we've got Bramley twily we've got HIPAA ERISA, we've all these laws that are acronyms that most people here don't want to hear but. The idea is how. Would you see that we can bring things together, given. That there's already a bunch of areas with some standards. It's. A really good question it's something that I've thought a lot about. Karin, Zakaria, speaking, now if, we were starting from scratch, what. I would propose is that we have a national, law that covered all areas including what you're talking about I think, it's so important, that we figure out how to get to that finish. Right, now that it's not what I'm suggesting or what brought Verizon, suggesting, so laws like HIPAA and gramm-leach-bliley. I would, leave as is and exempt, those services. From this. New national, privacy, law that I'm talking about but, you. Know if Congress wanted to tackle that also I am not opposed, to it I just think that's a pretty big lift, practicality. Matters I understand yes I. Would. Agree with. Heather. Brush. From Reuters a question, for Karen so, back. In June motherboard pointed, out how, the. Four major US carriers were, selling location, data or, sharing, it with, these third parties that were in there where. Then sharing, it with other companies, with. Sort of lacks oversight. Just. This month they found that these practices were still continuing, at, least with a couple of the carriers I mean, what you. Know what, is the the issue why is it still sort of ongoing why has it taken so long to unwind. Some of these agreements I. Can. Only talk as, to, Verizon but, yes last, summer, there were some articles, on this issue and just, to make sure everybody, understands, it. We, have certain, services. Let's say roadside, assistance, you have somebody, who's a triple-a. Not, to pick on triple-a here but they're a company who we all know so, there's a triple-a customer, who's on the side of the road who, does not have the, Triple A app they, call in to triple-a, and as, part, of the service, the ivr says, are, you willing to have your, wireless, company, give us information so we can locate you on the side of the road if the, customer, says yes then. A. Request. Would come in to Verizon for, the location, of that customer. Same, thing basically, works for the other three major wireless carriers, so. Last. Summer there was press. Around the fact that. Services. Like what I just, used were being misused. By. Some companies, and we. Went we Verizon went and looked, at the protections, that we had put in place for these programs we. Had requirements, in our contracts, that they that information, that was shared only, be used for the specified, purpose, we, at. The time had only certain. Use, cases approved, and we. Were do we had hired a third party auditor, to make sure that the information was only being used in the way that we said it should be and because.

Of This stories. Last summer when we looked at it we decided to basically shut down we've arise and decided to basically shut. Down those programs, as is, and to, redesign it so that the only way the, equivalent, of the triple a customer's, information, would be shared with Triple A would, be if the consents, come directly to Verizon and we notified everybody, that as, of, November, the programs would be shut down so. What happened we started getting requests, for extensions, and, we turned virtually, we've arise and I want to make this very clear that's what Verizon, did we turned down virtually. All of the requests, for exceptions, with one exception, which was roadside, assistance, because, we had for roadside, assistance companies. Come to us and say we're, just not ready to do this directly with you this, is the winter months we really feel like there's a public safety issue here, we don't want to be leaving people on the side of the road so, can you please extend, us until the end of March and so, Verizon, granted an exception again, only two for roadside assistance companies. And. Everybody else we closed down and I think that's why you'd see in the motherboard the recent motherboard story and the accompanying podcast, that, they weren't able to get that information, from Verizon. I, hope that helps answer your question. Shawn. Yes. Shawn Martin itsp magazine, NCSA. And LinkedIn thanks for putting this on and hosting us today. So. We have laws and regulations, to help the. People that want to do right do, right, but. Not everybody plays by the rules. So. For, fraudsters, and cyber. Criminals, how important, are technical. Controls, to, kind of shore up the areas where things. Are left open where. Companies fail to. Actually meet the meet the laws. So. Technical. Controls are really important, I don't think it's when. You're talking about companies I'm not sure if you're talking about companies like LinkedIn, and Verizon, or you're talking about the third-party fraudsters but. Technically. It's, the companies. That don't follow the rules right okay yeah technical. Controls are really important, and it's another big change, that I think we've seen over the last five or ten years where companies. Now have chief information security officers. And we used to nod and as we, were preparing for this one of the things that Kalinda said to me is one of the things that we used to focus on was the stolen laptop and, you.

Know That was the issue ten, years ago, it's. Know it no, longer takes very much of my time and I'm assuming no longer it takes very much of your time as opposed, to the bigger, issues, and. As. I said that's why those technical, controls are so very important, I. Have. Two more questions. So. I had a question about I guess. If the if you, see the law catching. Up to or understanding, the idea of data that is, not. At the present time classified. As like identifying, information, that might be worth I, guess. Like reporting, but. If you've. Heard of some big data concepts, like hey. Anonymity T distance and things like this where. In combinations, of data. Or metadata about someone, can. Identify them, and whether. We. Will get to a point anytime soon where. Companies, will be required to disclose that it will not be allowed to collect such. Data on anonymous. Visitors. Etc. I. I. Think. Your question was are we aware, of these. New, ways of taking, aggregate, or other forms, of pseudo data. And, identifying. You think that that will be addressed, or addressable by law I, think it absolutely has to be addressed, and. You know the gdpr does, segregate. The different types and levels of data so. They do talk about pseudo. Anonymous data. We. We are all operating. In a world where we're constantly thinking about the different categories, of data we're dealing with and I think any law that were to come into play would have to think about that personally. The. Players over the last question oh thank you so hi I'm Kevin wells from groom and thank you for your time today. Kind. Of listening. At the messaging that's been gone from kind of corporate America and even looking at the comment letters they've submitted to agencies like the. Commerce. Department, there's, been a lot of focus on kind of things from GDP are controlling processing, permissible. Uses getting, consent where, there still hasn't. Been a lot of discussion. Is really an relates, last question what, is data so, what data are you covering what data is in what data is out do you have use on kind, of how that should break down I. Think. That. Is a great question because today. Data. Is, almost everything, right so how do you any, longer define, what, is personal data what is not personal, data so, you, will find that most companies today are very conscious, of the fact that all, data it, can. Typically be identifiable, and if you look, at our privacy policy or, any other company's privacy policy I think everyone, takes some acknowledgement. Of the fact that this concept, of what. Is personal, information, versus. What, is just data in general is beginning. To come closer together to just all being personal, information, so. You. Know III. Agree. With Kalinda you have to to, some extent you have to look at how. The information, is being used or who it's being shared, with to, have, a, I. Guess. A fuller. Sense, of what the protection, should be around it, but. Yeah. I mean especially. In, the hands of as, we were talking about just a minute ago sort, of criminals. Or people who want to misuse data. It. Is, you. Know getting more and more clear, that data, can be or, certain types of data can be realized. Let me put it that way I knew. You. Listen. Thank, you very much Kalinda, Caron and, and, by the way you see both Jared, and Peter listed. The, government, shutting. Down impacted, a lot and certainly, impacted those two as well but. They were originally, scheduled to be here so. The government said. Even in fact in my six-year-old daughter who, works at a dry cleaner who had to lay off for a weekend because not.

Many People were dropping off their clothes so Peter, and Jared. Impacted. By that very same thing thank. You all so very much for our participating, in this segment, we're gonna have our, next. Session, here in one, moment so thank you very much. Please. Welcome Larry Magadh CEO. Of connect safely org, and panelists, for improving. Your company's, privacy, posture. No. Well. Thank you very much, so that announcement we just heard I'm told that was, that's. Called the voice of God so it confirmed what I've always known the God as a woman so, now we know. My. Name is Laurie maggot, and I've mentioned, I'm CEO of connect safely org, which is a non-profit. Safety. Internet safety privacy and security, organization. And if. Some of you recognize my voice, I'm also the CBS, News, technology. Analyst, and if you see me panicking, towards the end of the segment of this session, it's, because I have my daily live segment on KCBS f-350, where, we're going to talk about today, data, privacy day and what, we talked about the session and maybe, I'll repeat some of your questions I don't know we'll figure that out it's, 350, but it's, a pleasure to be here before. I introduce the panelists I'm going to put in a little commercial this is data privacy day which, is actually one of two important, internet, safety. Rell. Essex whatever, you want to call related Day is coming up within eight, days of each other next, Tuesday, Tuesday February fifth in addition to I just learned being the State of the Union address, is also. Safer internet day which my organization, coordinates, for the US so. We're having our big event in Seattle which will be streamed we're having an evening event if anybody here lives in Seattle you. Can bring your family to our evening event and you can DVR, the State of the Union we will not be playing it, but. We. Certainly hope, to have people there but it's, a great pleasure to be here and I am very, excited to be moderating, this particular, panel because, I've. Given a lot of thought to what, is, a responsibility. Of different stakeholders, when it comes to protecting. Data in the previous panel we heard a lot about government clearly. Government, does have a role and I suspect it's gonna have an increasing, role in my, organization, connect safely we focused primarily on consumers, so. We talked a lot about what people can do to protect themselves to, protect their own data to, protect their security, because there is no such thing as privacy if there's no security, everything. From passwords, to being, careful what you post on Facebook etc, etc and, all, of that is important, but, I often think of when I think about both data and security or privacy and security I think, of the transportation, analogy and many, of us drive cars and when. We get behind the wheel of our car we have a fair amount of control over our fate not complete we can be t-boned and something. Bad can happen to us it's totally not our fault but, if we're sober and careful, and don't.

Text And have our seatbelts and, drive, a car with airbags, etc, we are really doing a lot to, increase. The probability that we're going to arrive safely, when. It comes to both privacy and security that's. Sometimes true sometimes, we are masters of our own domain, like what we post on Facebook and what, we choose to use for passwords. But, sometimes more like drivers, in a car we're more like passenger, than a bus and. We. Are vulnerable to what, the bus company or the bus driver. Happens. To to do as we sit idly. In the bus now in. Some ways we could have chosen I guess we could be very careful what bus we take and maybe, inspect, the tires before we get on and make sure it's a reputable bus company but, sometimes we don't even have that level of control sometimes we are literally victims, of companies who, for whom or company's, problems. Emerge from companies for whom we don't even if they have a relationship like a credit bureau that, we have a relationship, we didn't choose to and so, it's, very difficult for. Consumers to have a complete. Agency. When it comes to protecting our privacy which is why it is so, important, that folks. Like Visa and Palo Alto Networks and Verizon, and all. The other players that are, at this conference do. Everything they can so that the bus is as safe as it possibly can be, so. With, that as an introduction, for, me I'm going to turn it over I guess we'll do John because ease first on the list John. Gertz for the vice president of global policy, of Visa and followed. By Lourdes Lourdes. To. Ricci Charette, shaken, not bad the, senior privacy counsel for Palo Alto Networks Oh John. What do we start with you thanks Larry um delighted. To be here I I, am the chief privacy officer at, visa where I've been for almost. A year and a half and. My, team does the legal, aspects of privacy information governance, and, what we call privacy, operations. Before. Coming, to visa I. Was at. ADP, for, a long time we'll make a plug because ADP, is another company that's been very. Involved with NCSA, over the years in fact the. The. Current chair of the, NCSA, is an old colleague at ADP or a former. Colleague a young person. And. We at ADP I had a succession, of I am. A lawyer but I had accession a succession, of roles in both legal. And security areas. Thank. You Larry and thank you John happy data privacy day everyone. Who are here at LinkedIn and joining, us live online, I, am. So thrilled to be here to, celebrate, data privacy day with you and to help spread awareness about, this. One of the most important issues of our time data privacy, as, Larry. Mentioned I'm Lourdes Tourette Shah I'm senior, privacy, counsel at Palo Alto Networks a, cyber, security company, whose. Mission is to protect our way, of living in the digital age and I help, support that mission by weaving, privacy, into our products and daily operations, and prior. To joining my current company I worked, as outside, counsel with. Other, companies, and also as an, in-house, privacy, program, leader.

Prior, To joining Palo, Alto Networks handling. Privacy, and gdpr issues and incident response. I've. Got some questions that have been shared with the panelists but I'm gonna add a little just slightly. The, first one is what does business is what is the case for businesses for privacy. And why should companies of all sizes care. And when. We say all sizes I want to start obviously. Very large companies but also companies that are essentially zero that I haven't even started yet and so, I think this is a good place to introduce not only why it's important, for, large companies but why it's important for startups, and perhaps, even venture capitalists, who are funding startups to, be thinking about privacy, at the very very beginning before. The product came out so in other words when you build, a car you put the brakes in first. You don't wait for the first accident before you add brakes. Sure. Thanks, Larry I'll get started, then um I, think, you know it's a great segue from the last panel where we talked where at the end it was, the fact that there's. Just all. This data and it's all personal, information so, any company. All. Maybe a little bit of an overstatement but certainly, a lot of it is, any. Company, that's, starting up is going, to deal with personal information whether, it's a data-driven business, or not companies. Have employees. They. Have customers they. Have suppliers, so, they have real pure, p.i in those cases they're, getting contact, information, they get for. The employees they're processing, a ton, of very, sensitive personal. Information and, then of course as they figure out what. Their business model, is they, are looking at how they are going to collect. Data utilize. Data shared, data. Destroy. Data. And. So forth so I think, you know any company that whether it's a mature, company or. Or. An idea, has. To think about the lifecycle, of the data that it is going to ultimately handle, I. Think. There's a very strong, case, business. Case for privacy and I, say this for three reasons first. Privacy. Is, being demanded by customers, both both, in the b2b and b2c context. Secondly. Bad. Privacy, practices tarnish. You, know company's brand reputations, and we see that all over in use and in headlines, and and lastly. Privacy. Violations, are very, expensive. Know, I want to go back to the first point about customers, demanding privacy, we see that both in the b2b context.

When. Deals are, getting. Negotiated. And certain companies can't you, agree, to certain privacy, obligations. Because they haven't simply, haven't done the work of building it into, their. Their, product, or their business operations, we've, also seen, some studies, and the numbers aren't quite there yet in the b2c, context, where privacy, is is. Slowly. Becoming, a consideration, in purchasing, decisions, I frankly. I think I saw it was 35% I. I wish it were higher but. It. It. Is encouraging, and and lastly, as Larry was, suggesting. Earlier, we've, also seen. VCS. And acquiring companies, have. Or, include. Or consider privacy, during the valuation, period, or during due diligence, when they're when, they're assessing. Their target companies if, I can challenge you a little bit quickly. Then only I. Agree. With you that customers, or consumers should, be looking at privacy but. Unless it happened to be the subject of a Time magazine cover its face book is this week or unless the, company happens to have had a major data breach which has happened to number of companies how, do we know I mean when I go out and purchase a product most. Of the time I really have no idea what. Practices, the companies engage in I mean they may have they may have a privacy policy but. That doesn't really tell me a lot about their practices, I. Agree. And and I think. That's why we have, to innovate, in this area and not rely on privacy, policies, and come up with better, ways to provide, notice, in transparency, you. Know what I'm struck, by and I'm delighted that the conversation, about the business, case for privacy. Has been focusing, on the consumer, because, I think a year ago these conversations. Would have been focused when we talked about the business case for privacy, we've, been talking and sat, in so many of those conversations where. The business case for privacy, was all about compliance, and all about the four percent fines. Possible. Under gdpr and that you know that actually helped move the ball in some respects and got a lot of companies thinking about it but at, the end of the day what. Really should be driving privacy. And what this conversation is illuminating. Is, is, the clients, and the consumers. And the people whose data that we process and if the laws are doing, it right and if the companies, are doing it right it's figuring, out how, to be. Transparent. About, the collection, process collection, and use processes. About that data in a way that enables, consumers to make sure to, make choices and that gets and that's really hard it's, not as easy as writing you know a privacy, notice when you're collecting all sorts of information through. Sensors, and other IOT, devices. The consent. Model that we've grown up with this is is. Gotten. Much more complicated, but, I think it's good that we're talking about that and we're not simply talking about the. Enforcement, actions. And and. And 4% fines, or what, kind of actions we're gonna see under, you, know not. That they're not important, conversations, but what type of action we're gonna see under. The mirror under, the CCPA, in the myriad, of other laws that were now seeing. In state legislatures, or, possibly, at the federal level you know it gets even more complicated if I think about my connect at home and down my connected car there. Are so, many devices, from so many companies you, know coming from so many countries that. Are connected, to my home, router and that are or, my cars whatever, it's got in it it's got some kind of a router or modem I don't know but, the point is that that it's very difficult and many of these don't even have a user interface I mean my my, door, lock doesn't. Have a screen, or or, a pad, on it it's just this thing. That opens and closes based. On codes that are sent to it from an app that I have absolutely no idea how it works and I'm, actually fairly tech savvy and have no idea how it works and so, I think that we're at a point now where there, has to be trust and. Did. That trust because you, know we could always deal with big brands I mean we know and trust be then Palo Alto Networks with, their big companies, and very. Credible but sometimes you want to buy something from a start-up because it's got a really cool product and you want to support these two guys in a garage or wherever they deck or two gals in a basement wherever they are and so.

Again, It's very difficult, for consumers to have a sense. As to whether, they're getting the privacy they deserves I'm. Not sure that was a question or a statement but, you're more than welcome to respond to it I, certainly. Agree and it's something that we discussed, offline, or, before this panel is that you. Know when is the right time to think about privacy and, and I think we all agree that we. Do it from the very beginning if you're a data driven company then. From, the idea stage before you build, your product. You. Should be thinking about these, privacy, questions, these, features. And, and and, instead of as a thinking. Of this of broad block or a privacy, or a legal checkbox, I. Would challenge, everyone. Especially, those in the design, and engineering and product. Industries. To think about it as a challenge. To innovate, to do better in this in this area, more. Comment before my last question is I had lunch the other day in a no-name. Diner operated, by a small family, and I. Was despite. The fact the government was, closed at the time I was, actually pretty happy that there are federal inspectors, that go around looking at food so. That even this company that I had no basis to trust at least. Presuming, they were operating, within the law I had some basis to understand, that, they were using, reasonable practices, because we have national. Standards as to how food should be handled I don't, think we have national, standards as to how data should be handled so, and I know that was more or less the, last time so, the next question is with, so many changes in the privacy ecosystem, how can companies not only comply, but break through as leaders in privacy, and what, are the key factors that make them successful. Take. A stab at that, first. Of all it's maturing, your own program, I mean you're, not gonna strike out as a leader if you don't have the right program, in place and that's you, know whether you do and we we've, been talking about building privacy. Into the into the data lifecycle I'm not sure we use the term privacy by design yet, in this panel but that's what it is thinking, about what. You're doing with data from the first time you're collecting it see, how you're designing a product, to, the user, interface. So that your, your what. Data you're collecting and, how you're using it is made as transparent, as you possibly, can, notwithstanding Larry. The challenges, that you talked about about how how sensors, give you give, you notices, and and so, forth and it's gonna, have. Increased. Assessments, we call them P IAS generally. It's, how you do privacy, impact assessments, but it's actually having them mean something, and having a right process, so that you're able to demonstrate, some maturity. With. Respect to the. Evaluation. Of privacy, risks or the risk involving, personal information, as you collected store use it store it and, etcetera. And I, think you. Know I think, Kalinda, made an, excellent point before that, privacy is really cultural. And so, for a company to be a leader is you have to have that cultural, tone it's not simply, having some lawyers, thinking, about checkbox, privacy.

And Clicking, it what the, law says and doing what you have to it's building it into the design, it's, making, sure that all of your employees know. Privacy. Enough, to spot issues, to raise issues whether it's a privacy issue or, fundamentally, whether it's a security issue because, all, of these nice things that we're doing about privacy are really important, but well, at its, core one of the things that we want to make sure we're not doing is exposing, data and losing data, and. I think so, it's it's, all the employees, and it's setting the right tone for the top the leadership, has to think that privacy, is important, there's, no. There's. No substitute, for having that kind of effective. Tone. From the top in any. Organization. Whether it it's a large organization or. Start up with with, the top and the bottom may be closely related I. Agree. With everything John, just mentioned, you. Know there are certain. Can do to improve your company's privacy, posture, privacy. By design privacy. Reviews. At. The end of the day I think there are really two high. Level factors, that help determine whether or not your, your, company, is successful and, John mentioned one of them we. Both agree that culture. And leadership buy-in is important. I've seen it play out both, ways where without naming names you know company, a privacy. Team comes in and they spend most of their time instead. Of doing work. Evangelizing. And trying to convince leadership, that what, they were brought in to do is worth, funding. Or, staffing, and and and, and. Supporting. I've also, seen, it play out where on. The opposite end the privacy team comes in and in instead. Of. Having. To, direct. Their efforts towards. Convincing. Leadership. That this, program, should be done that we need to build, our GDP our compliance program, that. Initiative, was already dead there straight, from the top not just from the sea level but also from, the board, level and that, makes it, very easy to set, that tone, within the company the culture of privacy. Because. Then you get to do, the, daily, daily, gritty work of building privacy, into your company if, I may add, you know I focused, a little bit on the internal, aspects of building a privacy, program and the question was also about leadership in general so let's talk about you know the the external, aspects, to be a privacy leader, you also need I think what I referred. To before is table stakes and having that maturity of your program but, to be, a leader I you, have to be out there talking to your clients, whether, they're whether there are other companies and a b2b model, or whether, they're consumers, in a b2c, model, or both, most, likely both you need to you need to hear what they care about what, they're thinking about how, they care about what you're doing or what might might do with information.

Pertaining To them and to, regulators. And industry, groups what, are they thinking about is we, talk about the possibility, of federal legislation, how do we get involved in the last, panel really. Articulated, this at length but how do you get involved in those discussions, and I think leadership is being involved and not just waiting for things to happen I have a question for every in the room how many people here ever watch the episodes of Mad Men TV, show a minute so, I happen, to be old enough to have lived through the period or much of the period that that shows a place and I, remember watching an episode where people are having a picnic and they just threw their trash on the ground and walked away I remember. Watching episodes where people would be sitting around smoking in the office or drinking heavily in the office. I remember. Episodes where all of the executives, were men and women were only secretaries. And later, on we saw women executives, and my, point is that having, been, on this planet for now more years than I care to admit I have, seen enormous, cultural changes, right and I mean you. Name it it's misogyny, racism homophobia a lot of things that we at least to some extent have, started overcoming, so, when you guys talk about cultural shifts I think about both. How far we've come which is a good news and how, long it took which, the bad news for some major cultural, shifts and I guess what I'm asking is how do those same kinds of cultural shifts, apply, towards, privacy, security and. Just. You know good practices. When it comes to being custodians, of people's data. Getting. Blank stares I mean have you kind of touched on it I mean, you're asking if we've known yes there are those cultural, cultural. Shifts, we've certainly seen them I think gdpr, was one such shift we we. I agree with what Kalinda, said earlier I actually. Like. That gdpr, you know I think GT para is a good thing I think it's brought about a lot of changed, changes. From. Companies, because, they were, made. To pay, attention and so there. Are others there, are certain big data. Incidents, and data breaches or those, waves of data incidents. And breaches. That we've. Seen in recent years, that is. Also one of those, triggers. Of those shifts yeah, I think the blank stare was a little bit of recognition, in, fact that it's a really hard question because I'm, I've. Been old enough to to, have started practicing, law before there wasn't it you know before. There was really an internet and now we're chilling right with an Internet of Things and we're dealing with all these challenges, and as, we talk about how we confront, that as.

In. The cultural. Area, and in the legal area however we're confronting, it it's, hard, to, develop, the mechanisms. That, get us ready for the stuff that we don't know that's developing, now and we don't know what it's going to look like in five years so. How do we build programs, I think you know some of the principal based things that we've been talking about about, building privacy, by design and. And. Setting. The right culture, around data awareness, and so forth are critical, beyond, that I wish I had some more answers for you I must say though in many of the instances that I was talking about legal. Action did play a role one of the reasons why smoking, is down is because it's no longer allowed, you're, no longer allowed to smoke in most, buildings so you, can still smoke but, we, the government and its companies that made it so inconvenient, that, fewer people were doing it and one. Of the reasons why traffic deaths are down is because you worry, to wear seatbelts so there is again government, has, had a major impact on some, of these cultural shifts, you. Know I think, in in the area that we're dealing with though it's hard because I think government, lags, but regulation. Often, lags well behind technology, and so it was a long time before we realized, how, dangerous, smoke I mean after we realized how dangerous smoking, is before. We. Started seeing those kind of regulations, a long time after, we realized that you know seatbelts. Would be safe before we mandated, seatbelts, so I think that's a challenge I think it's when we have to address, but. It won't be easy from, a regulatory standpoint. So. Next question on my LIF give what, are some of the uniqu

2019-02-02 08:32

Show Video

Other news