
Intro  0:01

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:20

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional and I provide practical privacy advice to overwhelmed companies. And I’m joined by my man, steamboat man,

Justin Daniels  0:40

Justin Daniels here, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from databases.

Jodi Daniels  0:56

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology that ecommerce media agencies and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit Red Clover Advisors. Here do we have today? Do we have today? I don’t know. steamboat man. Who do we have my new name for you? Every time you wear that steamboat shirt.

Justin Daniels  1:42

Well, I’ve got five of them. place to visit so I

Jodi Daniels  1:47

had to expand with just Colorado so isn’t only in the same place every day.

Justin Daniels  1:53

Yeah. Okay. So we’re welcomed in joined by Andy Lunsford, the CEO and Founder of BreachRx, a technology company that automates privacy incident and breach response. Prior to founding BreachRx, Andy spent 15 years working in privacy law and large-scale commercial litigation. Andy has a BA from Washington and Lee University, a JD from the University of Arkansas and an MBA from the Wharton School of the University of Pennsylvania. Wow, I have all these degrees too, I just didn’t go to Wharton.

Jodi Daniels  2:31

Ah. Andy, it’s so great to have you here today. Thanks for joining us. It’s awesome to be here. Thanks for having me. You didn’t think you were you thought you were coming on to a podcast you didn’t realize it was the Jodi Justin, silly show. So we shared a little bit about your background, you’re a privacy attorney, but you also have this this business background. Share a little bit more about who is Andy, how did you get to founding this technology company? What kind of prompted the journey here?

Anderson Lunsford  3:00

Yeah. So I started the early days, my legal career working on data breach litigation. So the early 2000s. These were the cases that went before the Federal Trade Commission, which was the first real litigation we saw in the United States around data breaches. Really got hooked on it at that point, but then kind of took a diversion towards hardcore towards commercial litigation for a while. I built a litigation consulting company with my brother and a few other partners in DC. But ultimately wanted to get back to privacy, back to cybersecurity, and felt like there’s a real opportunity to help companies manage and handle privacy incidents, cybersecurity incidents better, just seen company after company go through the crisis that has become data breach response. And so that was sort of the foundation, how can we use software to automate many parts of this process and really just make it a lot easier for companies to handle these events, because they are going to happen to everybody?

Jodi Daniels  3:57

Well, it is a really fun, fascinating journey. I always think it’s really interesting to see how people become entrepreneurs and start companies, so thank you for sharing.

Justin Daniels  4:06

Absolutely. Why don’t we get to the heart of the matter? And can you talk a little bit about what exactly in the privacy and security realm? What problems does BreachRx solve?

Anderson Lunsford  4:18

Sure. So we the big focus for us, as I kind of alluded to was helping companies be proactively prepared. So one of the main reasons people have this sort of crisis feel whenever privacy incidents and cybersecurity incidents happen is because they really don’t know what to do. And so there’s a lot of scrambling to figure it out a lot of manual review, etc. under a lot of stress, because everything has very short timelines in this space. So what we solve for is helping companies get themselves in a place where they know exactly what to do whenever these incidents happen so they can really go from Okay, we know this event has occurred. Let’s execute our plan. Let’s bring in all the players that we know are going to help us through And let’s execute that plan. One of the things I often talk about with customers is, you know, you know, these, these incidents will come up in the news, they’ll be before regulators. And so what story? Are you going to be able to tell? Are you gonna be able to say to the regulator, oh, we didn’t know it was gonna happen, we scramble to figure out what to do we kind of ran around with our hair on fire, or did you have a process in place that was very proactive, you know exactly what you were going to do, you executed that response. And then you’re taking X, Y, and Z measures to improve to make sure it doesn’t happen the next time, that’s going to look a lot better for your customers, it’s going to feel a lot better to the regulators, and really reduce the cost and risk the business faces whenever those things happen.

Jodi Daniels  5:45

So when people when you’re talking to companies, what is some of the resistance that you get in that you hear? And how can we help educate? Why because you said something so important, that is to help reduce the cost and the risk. And oftentimes, it feels like people say, well, but that won’t happen to me. And I’ll just deal with that later. And they view the risk as not a real risk, or they’re just, you know, pushing it down. So what where do you feel that resistance is and and what are some of the stories maybe that you have to help share and educate? Why no, no, no, the the risk is real, it’s here, and why the investment upfront, is really going to help be a better choice.

Anderson Lunsford  6:33

Yeah, well, I think there’s a couple of it’s great, great question. It is definitely the case you’re seeing it, I think, a change in the market in general, just because the news is this constant feed of Oh, now someone else got hit with ransomware. You know, why? And then.

Justin Daniels  6:50

So Andy, I want to add one thing, see if we had, you know, we could have done we could have just add a breakaway to the C-SPAN testimony of the CEO for Colonial Pipeline. Was he on right now?

Jodi Daniels  7:02

We can we can do that in the presentation version.

Anderson Lunsford  7:09

Yeah. So anyway, I think there is a little more recognition now, I think, than there was when I say when I first started the company in 2018, that this is something that impacts all organizations, it’s not just the big guys that are the big targets, we’re seeing all kinds of small businesses being added to so that you know that education is helpful. But I think one of the pieces that tends to have the most impact for companies is talking about how it’s not just mega breaches that are in the news that this that we’re helping you prepare for, it’s all the smaller stuff, too. So there’s all kinds of privacy incidents, like an employee loses a laptop, or there’s a misdirected email of customer information that goes to the wrong customer, or the case of a pharmacy that provided the wrong prescription information to a different patient. All those things are privacy incidents. And they all have a process that has to be followed and documented to handle that. And so it’s important that you have a good system in place to deal with that. And the less you do to prepare for that the more disruptive it is to the business, the more your employees are going to spend time dealing with that rather than the actual purpose of your business. And I think that disruption, you know, there’s a lot of different stories of just minor things that happen to companies that can disrupt them for months. And I think understanding that risk, usually is pretty impactful when I’m talking to customers.

Jodi Daniels  8:33

Thank you, thank you for sharing, I think it’s really important to help people understand why it’s why it matters, why we’re here, why we’re talking about it, why you build a company around it.

Justin Daniels  8:43

So I guess, kind of building on that point. Andy, I’d like to get your thoughts on how have customer resistance or customer concerns evolved from what you had in probably 2018 19 and 20. And now, of course, with all of ransomware being the number one topic in the news, has the conversation with your prospective customers changed and how they think about how your product can help them?

Anderson Lunsford  9:11

Yeah, I mean, I think it goes a little bit back to what we were saying is that there was some that some thought of like, these events only happen to someone when they’re unlucky. They’re, you know, this is like, unfortunately, it happens to you. So sometimes I would hear the comment, like, Oh, I hope I never have to use a product like yours. Yeah, because there’s this thought that it’s not going to happen. But I think it’s become so ubiquitous. The people see it as like, Oh, yeah, I’m, you know, I couldn’t get gas, the gas thing when the Colonial Pipeline happened, or look at all these small businesses that have gone out of business because of these events. And so there is more and more recognition that you should prepare for it like it’s going to happen to you because it will, and it’s, you know, not enough to just have a checklist in place of, Okay, I’ll call outside counsel and they’ll take care of it for me. That’s not, there’s too many pieces, moving parts that are necessary to push forward whenever these events happen that doing that is not really going to be sufficient when it comes to the end of the day.

Jodi Daniels  10:20

A lot of times people think and you’ve mentioned it a little bit already, the big breach, the big event ransomware, it’s a big thing, business email compromise, it’s a big thing. At the same time, there’s other inadvertent privacy disclosures that can happen. So how does BreachRx help address those types of inadvertent privacy disclosures?

Anderson Lunsford  10:42

Yeah, great question. So one of the kind of easy example that I give a lot of times that one of my advisors went through his company, one of the things they do is they have to scan customer checks, or as part of their regular part of their business. Unfortunately, at one point, their corporate scanner broke down. And they decided an employee took it upon themselves to download a third-party app off the App Store to start scanning customer checks. Unfortunately, this was a disclosure of personal and customer information to this third party. So how he had to handle it without our products in place is he drops everything he’s doing, he hires two law firms to do a what we call like a 50-state regulatory analysis as to what should the state regulations applies given this certain scenario. He also then spends 10 employees’ time over the course of two weeks to review hundreds of contracts to figure out what contracts apply. All for this really what would seem on the outside is kind of a minor event, an employee downloaded a third-party app and scanned some checks. It ended up costing them, you know, upwards of 50k, when it came to the legal outside counsel bills, and probably 400 hours of his employee time, just to manage that incident. With our product in place, we have automation built in so that when that event happened, he could have started executing the response, all the team members that have responsibility to work on that event would get tapped in to start working on it. And they could really go end to end with a minor event like that in less than 48 hours, rather than this huge time suck this huge kind of scare, because we have all those regulations built in all the contract obligations are built in. So they really don’t have to do any of that manual work whenever an incident happens.

Justin Daniels  12:33

So, a follow-up question. I wanted to talk a little bit Andy, and that’s near and dear to your attorney client privilege, heart as it is mine. Talk a little bit about how BreachRx can. Basil is weighing into how attorney client privilege. Indeed, talk, talk a little bit about how BreachRx the product works when it comes to preserving privilege, because these, even the inadvertent ones have an overtone of attorney client privilege that has to be considered.

Anderson Lunsford  13:07

Sure, yeah, one of the biggest things that a company needs to do whenever a breach happens is get outside counsel involved early so that they can provide that oversight that direction, to allow you to make those communications and that advice. They’re giving privileged, which I’ve spent so many years in partial litigation, the non attorney communications are always the smoking guns that come up in court. And so the earlier you can have your arms around up, the better. What BreachRx does, and that way is that we’ve built it with outside counsel in mind, so they can be on the platform with you tapped in, when these incidents happen get involved right away, which is another piece when you’re talking about short timelines. But by having outside counsel, directing ship, and in a lot, and also setting up a lot of these plans for you, it really gives you a much better position in court to say, hey, this was legal advice. It was a legal tool that executed this that helped us execute this work. It’s not something that’s used for other business purposes. And in the end, therefore, it should be protected. That makes sense. It does.

Jodi Daniels  14:17

Now, at the same time, a lot of companies think and you also mentioned this a little bit, oh, that’s after that’s for the big companies. And you know, I’m I’m smaller, I’m not an enterprise company. So no one’s ever going to find me. What does a typical customer look like today? And really, who should also be thinking about a software like this or a process a way to be able to help manage in the event that they have to deal with an incident?

Anderson Lunsford  14:47

Yeah, I mean, I think in a lot of ways, the smaller companies have, they don’t have the resources to put the bodies on it, that a big company does and so really utilizing a tool like this is a way to kind of punch above your weight a little bit and say, okay, we can actually sort through this. And, you know, maybe, you know, unfortunately, for small businesses, I don’t understand up my mind, or there’s, you know, a data breach puts a large number of them out of business for good and a lot of that is because they’re not prepared to handle it. And to be able to sort through this, they just kind of have had their head down in the sand. And when it happens, there’s a lot of outside counsel bills and a lot of litigation that they kind of set themselves up for by not being proactively prepared. So, yeah, I’d say as far as you know, our customers go anytime there’s a, you know, I think, if your other sides of an organization that you have either a GC or privacy team, yeah, absolutely going to be a great fit a great fit for us. But even if you’re smaller, and you have somebody else that has privacy among a lot of other duties, this is a great way to really give them a whole set of knowledge and actions that they can take whenever these incidents happen, that really would be more of the practice of the bigger company would have, but they can execute that much earlier, because they have the technology.

Jodi Daniels  16:14

I think a key part is also important to emphasize is it’s the technology is really there to help facilitate the knowledge and the communication across all the different stakeholders, because it’s really not just the legal teams issue. When there’s an incident, there’s a number of different people, and maybe you can speak to, you know, the types of people who might be involved in an incident and in a tool like this.

Anderson Lunsford  16:40

Yeah, yeah. Great, great question. Great point, the every incident involves much more than just the security team or the legal team. And I think that’s probably another misconception, if somebody hasn’t been through an incident before is you actually have multiple parts of the business involved. You have communications involved, compliance, the business units themselves, who often have the relationships with the specific customers, or the business partners, all of those people have roles and tasks and things they need to get done whenever these incidents happen. And so our platform allows all those people to collaborate together, communicate as necessary, stay fully up to date on what one person is doing, and another person’s doing. Without software in place, the current status quo is doing daily stand-up with all the people involved. And so there’s this kind of lag in knowledge of, Okay, what did you do yesterday, what happened? And by working together real time, you really get more and more efficient, this process. And that’s one of our major goals.

Jodi Daniels  17:37

Justin, I’m actually gonna throw a question to you kind of connected to this, because couldn’t someone say, well, but I have a great project management system, I’m just going to put all the tasks and all the people and all the information that I need to do in that project management system. What, why might that not be a good idea?

Justin Daniels  17:58

I would say it’s not a good idea, because it’s not tailored to the specifics that you need to do from a breach response. Knowing a little bit about the BreachRx product, they lay out for you all of the regulations in all 50 states. So if I’m legal counsel, and I find out from the forensic report, the types of data that has been identified, I can go and use the BreachRx platform to quickly identify which states may be triggered in terms of breach notification. And a typical project management program isn’t going to be tailored the way that the BreachRx tool is tailored to really help me be more efficient and be more responsive on critical issues like that.

Jodi Daniels  18:42

I think I would add the access level controls the concern of encryption, the concern of putting kind of going to your attorney client privilege, you’d be putting really sensitive, potentially legally damaging information in a place that is not really suited for that type of information.

Justin Daniels  19:03

Yeah, I think it’s fair to say another benefit of the BreachRx product is potentially having communications and talking about how we’re going to respond in an environment that’s not compromised by the hacker, because if they’re reading the emails, and they know what you’re gonna do, they can wreak a lot more havoc as opposed to using the BreachRx platform and tool. So that’s another area of what makes it an interesting product for this type of situation.

Anderson Lunsford  19:30

And I had a story that one of the law firms I was talking to, they were saying that they were in the middle of working through an incident and they had gone over email to schedule a stand-up call to go through whatever all their next action items are, well, the emails have been compromised. And so the ransomware owners actually showed up on their conference call and threatened them even more. And so it was obviously just, it’s just a reality email is obviously they know as a sensitive place that’s going to be one of their biggest targets. So you have another place to do this communication that’s encrypted and safe. To huge advantage whenever this reference events happen. Yep.

Jodi Daniels  20:13

Yeah, old fashioned phone is really a good place. Well, excellent. So, you know, given this world that you live in, we always ask our guests the same two questions. So what is your best personal privacy or security tip?

Anderson Lunsford  20:32

Sorry, I was thinking of the same two answers for you. One is the kind of the like, the most normal answer, the one other ones kind of a little bit more fun. First is, you probably hear this a lot. It’s having MFA engaged, or multi-factor authentication, with a password manager and authenticator whenever you can. So not every service you offer you subscribed to you has that as an option. But if it is, you absolutely should use it. And then the more fun one is, I’ve recently read that a lot of the malware out there isn’t 100%. But a lot of it has a sort of piece of it that if your computer has Russian language or Chinese language in like as a toggle English option, it won’t infect the computer because there is malware has been built in Russia and China and they don’t want their own computers. So I haven’t heard that. I don’t think that’s probably 100% and hoping I’m sure like once that gets known widely enough, that will no longer be the case. But you know, if you want to add the Russian language to your computer, it might save you some malware.

Justin Daniels  21:41

That’s an interesting one. Yeah, we haven’t heard that one before I put the Cyrillic alphabet on my computer immediately. You can go have fun with that. Well, turning to off the topic of security when you’re not building your business, what do you like to do for fun?

Anderson Lunsford  22:01

The biggest passion outside of work I have is live music. Now the pandemic Unfortunately, it was hard for me on that I couldn’t couldn’t guess the lobbyist guy did a lot of Spotify, listening and sharing playlists with friends and stuff. But I’m going to see live music is such passion for me. I just find it really restorative and just been a big part of my life.

Jodi Daniels  22:24

Well, do you do you play or sing to or just like to listen?

Anderson Lunsford  22:27

I have no musical talent. I was in seventh grade band played trombone was very short lived.

Jodi Daniels  22:35

Right? Yeah, he’s a foreigner and they need they need fancy dog in the world. The world is round. Well, Andy, thank you so much for joining. Where can people find you to learn more?

Anderson Lunsford  22:46

Yeah, our website obviously, you can reach out that way, you can reach out to me via LinkedIn or email as well. We’d love to talk to folks that want to be more proactively prepared for incidents.

Jodi Daniels  23:01

Wonderful. Well, thank you again for joining me really appreciate it. Awesome. Thanks for having me, guys.

Outro  23:10

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
