Natalie LaPorta is the Chief Privacy Officer for Walgreens, where she focuses on various privacy matters that impact US patient and consumer data privacy, including state and federal data privacy compliance, complex contract negotiations, digital privacy, de-identification, AI, analytics, and marketing. Prior to her most recent role at Walgreens, Natalie was an Associate Attorney at Dentons US LLP, where she handled healthcare regulatory, tax-exempt bond finance, and M&A matters. She holds a bachelor’s degree in political science from Benedictine University and a law degree from The John Marshall Law School.
Here’s a glimpse of what you’ll learn:
- Natalie LaPorta’s career journey from law school to becoming the Chief Privacy Officer at Walgreens
- How Walgreens’ privacy program has adapted to meet evolving privacy laws and regulatory requirements
- The importance of cross-functional relationships in embedding privacy into business operations
- Assessing privacy risks associated with using advanced technologies
- Advice for building a privacy program
- Strategies for establishing a strong privacy culture within large organizations
- Natalie’s personal privacy tip
In this episode…
New privacy laws, requirements, and expanding health data definitions require organizations to rethink and adjust their privacy programs accordingly. For companies like Walgreens, navigating these changes entails addressing both long-standing regulations, such as HIPAA, and emerging privacy laws that govern a broader scope of data. As businesses juggle diverse regulatory requirements, shifting data definitions, and operational demands, how can they create a privacy program that is effective and adaptable?
Walgreens’ approach to privacy exemplifies how businesses can adapt to an evolving regulatory landscape. Effective privacy programs start with understanding how shifting privacy requirements impact different business functions, from marketing to IT and analytics. With privacy regulations now extending beyond HIPAA to include other forms of personal information, companies need to develop tailored privacy strategies, provide ongoing education, and build strong relationships across departments to ensure privacy measures are integrated into everyday business operations. By making privacy a proactive and collaborative effort, companies can enhance compliance and reduce risks.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Natalie LaPorta, Chief Privacy Officer at Walgreens, about the evolution of privacy programs in the healthcare and retail sectors. Natalie shares her journey of building a privacy legal function at Walgreens, the importance of building cross-functional relationships, and how tailored approaches can address privacy challenges. She also offers practical advice for creating a privacy culture and shares insights on navigating vendor relationships and using technology to support compliance efforts.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Natalie LaPorta on LinkedIn
- Walgreens
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Intro 0:01
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:22
Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:35
Hi, I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the cyber legal data breach response brigade.
Jodi Daniels 0:58
And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. It’s kind of a gray, dreary day here. It’s chilly with the rain, it is chilly, and it’s the holiday season. I’m not feeling as excited because it’s so cold.
Justin Daniels 1:43
How come you didn’t have a hot cup of coffee?
Jodi Daniels 1:45
Did but it didn’t work because it’s so darn cold. But today, we do have a really great, awesome episode. I’m so excited to welcome Natalie LaPorta, who is the Chief US Privacy Officer for Walgreens. She is focused on a wide range of privacy matters that impact US patient and consumer data privacy, including state and federal data privacy compliance, complex contract negotiations, digital privacy, de-identification, AI, analytics, and marketing, just to name a few. So Natalie, we are so excited that you are here with us today.
Natalie LaPorta 2:22
Thank you. I’m excited to be here. That’s your job.
Jodi Daniels 2:27
Yeah, you apparently need your hot cup of something, which is not —
Justin Daniels 2:30
I don’t drink coffee.
Jodi Daniels 2:32
Yes, I know.
Justin Daniels 2:33
So Natalie, can you give us a window into your career journey?
Natalie LaPorta 2:39
Sure. Yeah, you know, I had a, probably a kind of a non-traditional route. I started and graduated in law school, out of law school in 2008-2009. It was a bad job market, and I, you know, honestly, wasn’t sure I was going to do. I had been working as an intern at Walgreens, and they invited me to stand as a law clerk after I graduated from law school, and so I did that, and I was, you know, still trying to, trying to find something else, but it was tough, and I was fortunate enough that they an opportunity became available in the compliance department, and at that point it was a privacy role in the compliance department, but there was no privacy legal really focus at Walgreens, the privacy legal work was kind of done within the various commercial legal business partner practices. But I, you know, I thought, you know what, this is legal adjacent, and I’m going to learn HIPAA, and I’m, I’m, you know, I’m going to get what I can out of this role. And it was interesting, because I thought, you know, no one cares about HIPAA and privacy like I can’t, I can’t do this forever, right? I’ve got to find a way out. But I found myself really partnering with the other subject matter expert lawyers and advising them on HIPAA. And I think it kind of became their, their go to, right? Because they were being asked to advise on HIPAA, which was not their specialty, right? It’s just to kind of tack on to more general, you know, reviews of agreements. And then in 2012 I had an opportunity to leave and go into private practice at a law firm as an associate. So I worked as an associate at Dentons for several years. But during my time there, I think I was there maybe two months before I got a call from Walgreens, and so like we want to hire you to do the privacy legal work for the company. So they were a client, and I did a lot of the privacy work, and, you know, in addition to a lot of other health care work at the firm.
So I did transactional work, health care regulatory work. I actually did some tax-exempt bond finance work for health care systems as well. So I got some good experience there, but never left the privacy space. And in 2014 I got a call from the Privacy Officer at Walgreens at that time, and she said, You know, I think we finally decided, like, we need privacy lawyers, like dedicated privacy lawyers at Walgreens, and I want you to come back, and I want you to build out the function. And so it was really hard to leave the firm, because I was really fortunate to have a great firm experience. But I liked being in-house. I liked being part of the team. And so I came back and I hired two lawyers and we kind of started to build out what that’s going to look like. How are privacy lawyers going to exist at Walgreens? How are they going to collaborate with the other commercial and subject matter expert attorneys at the company? And so I did that for a number of years, and then at the beginning of this year, my boss, the chief privacy officer, decided to leave and take an external opportunity. And she said, You know, I think that you’re the right fit for the Chief Privacy Officer role. And honestly, I wasn’t sure. I hadn’t contemplated it. She was a great boss, and I enjoyed what I did, and so I just, I wasn’t sure, but, you know, I was fortunate enough to be asked to step into that role on a full-time basis, and it’s been great. I have a wonderful team. I enjoy kind of getting to do the legal parts of it and the compliance parts of it, and having that ownership and accountability for the program.
Jodi Daniels 7:02
Well, congratulations. Very exciting to have such a big opportunity and such an extended role, kind of intertwined between in house and external and kind of coming back to the in house side. Yeah, while you’ve been there, there’s been a steady growth of privacy laws and the expansion of what health data even means. So curious, if you can share, how has the privacy program adjusted to incorporate all these new definitions and requirements, right?
Natalie LaPorta 7:34
Yeah, you know, I think it’s been, I think actually, fundamentally the most important thing. And the thing that I think makes our program successful and our team feel successful, is understanding the business and really, you know, not just you know, policies and procedures are important, you know, to show that you understand the law and that you’ve got these fundamental foundational elements to comply, but really where it’s at is figuring out how to make that mean something to your team members, right? So understanding that you know the marketing team is going to be impacted differently by the privacy requirements than maybe the analytics team or the IT team, for example, right that they, they are interested in different components, and it impacts them differently and trying to come up with tailored not only just tailored training, but I think just building those relationships so that you know when you hopefully you’re going to be invited to a call, right? And there’s a new program, or there’s something new that someone wants to do, and hopefully you’re getting invited to that call, so you know what’s going on. But if you’ve really done it right, they may even anticipate what you’re going to say, right? Because you’ve been clear, and you’ve kind of given them a sense of, like, why does it matter? To me, we know what, what are the things that we care about, and why do we, why do we have to care about them? So, yeah, that makes sense.
Jodi Daniels 9:13
Yeah, it’ll just keep growing more fun. Yeah?
Natalie LaPorta 9:16
I mean, I think too, like, you know this, when we went from, you know, everyone knew, because we’re, you know, we’re a hybrid covered entity under HIPAA. So we have this portion of our business that is a pharmacy, and it’s covered by HIPAA. And then you have kind of, what we call at the front of store, right, the retail business, that’s, that’s not covered by HIPAA. And so everyone, I think, for a long time. So, okay, we know PHI, that’s the HIPAA data. We got to be really careful with that. We really can’t use it for much, right? But everything else is kind of like, oh, you know, we’re less worried about that. So it was this shift of like, okay, you know, now you have to care about everything, right? Everything is basically regulated, and so you keep. And say, well, it’s just, you know, PII now, and in fact, like, you really can’t be talking about PII. We’re talking about PI, right? We’re talking about personal information, which is more expansive than just the things that people came to just generally understand are going to have some level of protection, like name and address and email address. Now it’s this, you know, socializing, this concept of no that that advertising ID that you thought, you know, was anonymous for years and years, is not anonymous, and you have to treat it differently, right? So, you know, I think it is. It was already tough when maybe someone new and come into the company, maybe they hadn’t been, you know, at a HIPAA-regulated health care provider before, right, understanding all of the regulation that fits around how you not just how you disclose that data, but how you use it internally. But then, you know, layering on top. Well, I actually now — all of the retail data is regulated too. So, you know, basically everything you do, you have to really think about, you know, what the things we say a lot are like, name is not. Name is not name, right?
So, if the name came from the pharmacy that is regulated by HIPAA, if it came from, you know, a front of store, little T purchase that you know that is, that is not HIPAA, that is probably some state privacy law, or FTC, or something else. And so, you know, trying to get people think, you know, think about the data that they have, understand it, understand the data provenance, and then what that means for them. That has been, you know, it’s an ongoing, you know, training and retraining, and just trying to make sure that we build those strong relationships with the business, so that they want to include us, right? And so we want to be a partner, and not just someone who says yes and no and that we can, you know, they can start to understand where we’re coming from, and kind of even feel like they know we’re going to say before we say it.
Jodi Daniels 11:58
The definitions are so important. I talk to companies all the time. They still use PII, and we have the same exact conversation. And then my favorite one is, I only have name and email, or name email and phone. I don’t have any financial data, we don’t have credit card data, we’re fine. Or we don’t have any health data, we’re fine. And I say, Well, congratulations, you just have less to worry about, but email actually counts all by itself, with the definitions are incredibly important. There’s a lot of education for people who don’t do this all day long in all different parts of our organizations. And so to everyone listening, you cannot emphasize and explain definitions enough.
Natalie LaPorta 12:40
Just keep on doing it right, or even just conceptualize them, right? It’s like, I’m, I’m not going to write down a definition for you, but even just generally, right, like, just about anything relating to a person is probably going to be regulated in some way, right? So, you know, and if you think that you have deidentified it, that means something really specific, right? And you’re — in most cases, that data is going to be helpful. You’re not going to be able to label it, de-identified by yourself, so you really are going to be having to seek counsel if you think you’re going down that route as well.
Justin Daniels 13:10
So speaking of your retail business, seems one of the things that retailers of all stripes are struggling with is a lot of shrinkage. People coming in, things getting stolen of that nature, and just would love to get your take if, for example, I’m a business person. I come in, I say, hey, Natalie, I have a great idea. We should just put cameras in all of our stores that might have facial recognition, and that ought to really put a dent in shrinkage. What might that conversation look like?
Natalie LaPorta 13:37
Sure, yeah, you know, we especially, we’ve always been an innovative company, right? We want to innovate. We want to use technology, you know, in a very positive way. That said, like, there, there is a lot of technology out there and with varying degrees of risk, right? So, you know, it’s not the conversation usually starts with, like, let me, let me, kind of look under the hood, right? Like, what kind of technology do you want to use? Let’s see how we really categorize it, right? I think there’s a lot of vendors out there who will say, oh, no, no, no, this is not biometric data. No worries, right? And then we’ll look at it, and we’ll say, Well, you know, like, I think a lot of courts might, you know, disagree with you, right? Or I don’t think it’s going to be so clear. I think this is something that could give you risk from a litigation perspective, right? So, you know, it really is a matter of understanding what is the goal, right? Reducing shrink and keeping employees and customers safe is really important, but you really have to understand, well, you know, does the technology do that? Right? How? How well do we think the technology will actually solve the problem? And then, how risky is the technology? There are like so there are a lot of varying degrees, even within the same type of products and how they do things, I think that have different levels of risk, right? There are certainly different ways to capture data that are going to either have a greater or less likelihood of triggering those state biometric privacy laws. And so I think that it’s always an open conversation, of course, like, yes, we it’s important. We know, as a company, we want to keep people safe, and we want to reduce shrink, but let’s look at it. Let’s see, let’s see how it actually works, what type of safeguards we can put in place, and if it’s feasible or not.
Jodi Daniels 15:41
Did you have a follow up with like you’re about to say something,
Justin Daniels 15:43
I just had a follow up question. Like, when you are asked to look at all these different technologies that could implicate biometric data, other types of things, how far does the conversation get where some sales person or other non lawyers saying, we think this is not biometric data, before it lands on your desk to say, I looked at this and don’t quite disagree or don’t quite agree with that, you know?
Natalie LaPorta 16:07
I don’t, I don’t really think too far, you know? I think that we really, it goes back to that concept of like, making sure you have those relationships and people know what the risks are, right? It’s part of our job as privacy professionals to educate the business and know, like, what’s out there, what’s happening, you know, what is where the movement in the industry is and where the risk is, and so, you know, I think that there, you know, we may even sometimes get to that conversation right with a vendor. And, you know, because that makes everyone feel better. But, you know, sometimes we can just see from the documentation, like this is going to be a problem, but giving them an opportunity to respond will certainly always do that. But you know, I think that those conversations can be a bit tough with the vendor, but I think also, like they don’t really have a leg to stand on. It can be pretty self-evident to the business.
Jodi Daniels 17:07
And I think what you’ve been sharing is reflective. This is hard work that involves conversations. And so many times people are trying to automate as much as possible, and they might be trying to automate things in the business when it comes to these privacy risk compliance evaluations, it takes conversation, it takes time to ask questions, gather information, and I think that’s one of the pieces I hear people might forget. They’re trying to kind of get straight to the answer as quickly and as simply as possible, and answer this form that actually yeah, it takes this time, this collaboration between probably multiple stakeholders, potentially multiple rounds of conversation, to be able to get to a place, whether it’s a yay, a nay, or an in the middle.
Natalie LaPorta 18:00
Yeah, no, I think that’s absolutely right. And I think that, you know, a lot of times, or even just historically, right. I think a business owner is trying to solve a problem, and they get a vendor that says, I can, I can solve your problem. And they don’t want to have to understand, like, how the sausage is made. They want to just say, okay, great. They said they can do this. I’ve got the budget to do it. Like, can we just do the thing? And it’s, there’s more of a, you know, there’s more obligations on that business owner to not just solve the problem, but to understand how the problem is going to be solved, and to be able to help push to get the information that we need to really assess what the risk is, right? Maybe, you know, there’s been certain times where we, I’ve thought, well, I don’t, there’s no way this is going to work. And then we start kind of pulling through all the facts, and we go, wow, like, this vendor really has done something unique, or, you know, they’ve really considered all these key issues. And it’s a lot, you know, it’s, it’s not as concerning as I initially thought. So you really, you know, vendors are going to kind of dress things up to, you know, solve a business need, but really, like, have they put in the time to think about what the risk is, and if they’ve addressed that for the user, I think, is pretty, pretty critical.
Jodi Daniels 19:15
For someone maybe just starting to build a program, or maybe they have a smaller program, what would you tell them? What advice might you offer?
Natalie LaPorta 19:27
Just in general, in general? Yeah, yeah. I really think it is making sure you have those relationships you know at your executive level, that they understand, you know what you’re trying to do and why it’s important. I mean, if you don’t have the buy-in from your leadership, you know it’s not going to — that message is not going to be pushed down, you’re going to have a hard time getting people to care, right? People want to know the — understand the why, right? Like, I don’t want to just blindly do this thing you told me to. Tell me why I should care, right? And, you know, good or bad, there are a lot of examples, you know, in the news and in the media about why you should care, right? Like, whether it’s a, you know, a data breach, or it’s an, you know, FTC investigation, or it’s, you know, litigation, you know, unfortunately, a lot of privacy has been at the forefront of a lot of the media for various reasons. And I think bringing through some of those examples and telling them, you know, why they should care, and really how that, you know, helping to build that strong privacy program could really reduce risk. And I think, you know, make sure you’re telling a good story, also from a public perception perspective as well, right? You can show that you thought about it and you understood it and you really worked hard, because you’re never going to get it perfect. But if you can show that you thoughtfully came out with a plan and you execute it, and whether that you know fails or succeeds, if you at least have a good plan, right, you’re at least gonna have a good story, I think, for a regulator, and that you can be more open to working and solving problems from that jumping off point, good advice. Thank you for offering.
Justin Daniels 21:22
So kind of honing in on that a little bit more. But what is your philosophy on building a strong privacy culture within a larger organization, you know, such as a Walgreens?
Natalie LaPorta 21:32
Yeah, you know, I really think it is. You had to find a way to show value, right? Like that. You can’t get yourself in the room first, right? You have to be invited to the meetings where people are discussing what it is they want to do. And you have to want people to want you there, which means you can’t show up and not say anything. And you also, you know, can’t show up and just say yes or no. You have to be. You really have to be. We talk a lot at Walgreens, about, you know, being a part of the business and solving problems and working together. And really, it sounds so simplistic, but it really, I think is true is you have to figure out what are we trying to do? What might the privacy problem be, and what are some ways in which I think we can either execute or modify whatever it is that we’re trying to do in such a way that would reduce risk, and a lot of that too, is knowing who the other key stakeholders are, whether that be, you know, IT, or whether that be other legal counterparts, and figuring out, like, if I know that my pharmacy law counterpart is going to have an issue with something that’s happening, it doesn’t help them the team. If I just say, you know, my part’s good, right? Well, you know, I think we’re going to pull in pharmacy law, we’ll have a conversation. We’ll talk about what they need and what I need, and maybe how we come up with a solution that would work for the business, right? So I think really just figuring out how the business works all the people you need, you know, issue spotting, of course, and figuring out how you can put together some options that we think will reduce risk.
Jodi Daniels 23:27
Now we talked about the business wanting cool new technology privacy. People are also looking at a variety of different technologies with privacy enhancing technologies and or privacy emerging technologies. Are there any that you’re excited about?
Natalie LaPorta 23:45
Gosh, no, I don’t have a really good answer for that. I’d like, you know, I think that we look a lot to technology that is going to make us more efficient, right? Do we have — can we do some, you know, robotic processing, you know, can we use bots to, you know, identify certain trending or issues for us? You know, how can we streamline things? I think that’s where our focus is at. I mean, I certainly think that, especially when you’re talking AI and reduction of risk. You know, certainly, privacy enhancing technologies are a component of it. But, you know, I think more often than not, we’re focused on technology that is trying to make us more efficient, trying to identify patterns, or, you know, things that we know may be high risk or that we want to an actual set of eyes on, and kind of freeing up the time for our team to be able to kind of be hands on with the things that matter most.
Justin Daniels 24:59
Have you demoed for your team, any of the AI tools that are little more specific to legal or privacy, like Harvey or, I know there’s like in-house counsel specific AI, any experience or initial reactions to any of those?
Natalie LaPorta 25:17
They haven’t, you know, as a greater legal division. We are, you know, certainly committed to looking at tools. You know, I think we always talk about, do we have the right tools to do our job and to do it the most efficiently? So I think that’s something that’s on our road map, but we haven’t specifically looked at any of them yet.
Jodi Daniels 25:36
Knowing what you know, we always ask everyone, what is your best personal privacy tip you might share at a party?
Natalie LaPorta 25:45
Personal privacy tip, maybe, I guess, you know, we also often talk about, people love to talk about, you know, oh my gosh, I just talked about this, and now I’m seeing an ad for it. Or, you know, why? Why am I seeing this, that, or that ad? So it’s always kind of fun to talk to people about, you know, tags and pixels and how they work. And, you know, certainly the old, you know, do I, you know household ID is right? Like, be careful what you’re searching for, especially in Christmas if you know, if you’re searching for something for your husband, it’s more than likely that he’s going to he could figure it out, right? Like, I know I’ve said to my husband for like, Are you shopping for X for me? Because I didn’t look at that, and it’s my feed, and I’m guessing I’m getting it because you were looking at it. And we’ve got the same household ID tied to ourselves. So you know, those the brow you’re browsing and things probably aren’t as secretive as you think they are, and so if you’re okay with that, great, if not, right? There’s tools out there to try to help reduce some of that, right? You could do GPS, or um, DuckDuckGo, or some of those various types of tools, right, to help yourself gain some anonymity. But, um, yeah, I don’t know things like that.
Jodi Daniels 27:01
That is an excellent tip, because it is. You can give your gift, your items, away, especially if you, if you share an Amazon in the same you know, laptop and you’re buying for kids, and the kids might hop on you can’t. They might know what you’re doing, right?
Natalie LaPorta 27:18
Yes.
Justin Daniels 27:21
So when you’re not advising on privacy matters, what do you like to do for fun?
Natalie LaPorta 27:27
Oh, God, when I’m not advising on privacy matters, I’m probably either I’m probably at one of my kids sporting events. I’m coaching my daughter’s first grade basketball team, which has been a lot of fun. Both my kids are super active in sports. I’m probably on the sideline somewhere, whether it be basketball, football, baseball or some tumbling mat. That’s probably where you’ll find me.
Jodi Daniels 27:53
Yeah, Coach Justin, do you have any advice for Coach Natalie?
Justin Daniels 27:58
Dealing with kids today?
Jodi Daniels 27:59
No, basketball. You were a basketball coach for many years.
Justin Daniels 28:05
Just have a lot of patience. And you have to be tough at the beginning. You can be nicer later, but if you’re not tough at the beginning —
Natalie LaPorta 28:11
They’ll run all over you, right? The number of cartwheels that happen at a first grade girls basketball practice, you just embrace it, you know.
Jodi Daniels 28:24
Well, Natalie, we’re so glad that you joined us. If people would like to connect, where’s the best place for them to do so?
Natalie LaPorta 28:28
Um, certainly. I, you know, I’m on LinkedIn. Feel free to shoot me a message on LinkedIn. That’s probably the best way.
Jodi Daniels 28:39
Amazing. Well, Natalie, we’re really grateful that you came today to share with us a little bit about the health universe and privacy and cartwheels on the basketball court. So thank you.
Natalie LaPorta 28:48
Yeah, sure pleasure. Thank you.
Outro 28:56
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.