
Intro  0:01

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:20

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional, helping to provide practical privacy advice to overwhelmed companies. And I’m joined by

Justin Daniels  0:37

Jodi Daniels’ sidekick, Justin Daniels, here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:55

This episode is brought to you by Red Clover Advisors. Oh, I forgot the drumroll. There we go. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, visit And today, I’m so excited to welcome Andy Dale to the show. Andy is General Counsel and Chief Privacy Officer of Alyce, a super cool company that is redefining direct mail as the only personal gifting platform that provides a personal experience at scale. And Andy has an amazing range of experience with specialties and advertising, being a general counsel. And he’s also a Certified Information Privacy Professional. So Andy, welcome to the show.

Andy Dale  2:03  

Hey, thanks for having me.

Jodi Daniels  2:04 

We’re excited that you’re here. Justin, you’re gonna kick us off.

Justin Daniels  2:08

I thought before we get started, what did you think of your RSA experience?

Jodi Daniels  2:12 

My RSA experience was a fantabulous experience, except Andy and I used to get together in person at the IAPP conference, where there was, I lost count, however many, like 5,000, 10,000 of our closest friends. So I did kind of miss out on the 50,000 of my closest friends at RSA. That’s like a lot of Yes, and it was San Francisco, you’re happy, San Francisco is my happy place. But I do hope that we can get back to in person. And Andy, we can have our in-person get-together once again.

Andy Dale  2:41

Maybe ’22 is gonna be a big year for events, big year for gifting. So people at Alyce, my current company, are thinking a lot about what our products and services will look like in 2022, in particular, because of that, that people are gonna miss that, I think, and crave it. I

Jodi Daniels  2:59

think you’re right, you could maybe

Justin Daniels  3:00

privacy could be the gift of anonymity.

Andy Dale  3:06

There’s no such thing as anonymization. You know, like, according to the GDPR.

Justin Daniels  3:11  

Monday morning, no, GDPR. unavoidable? Yes, I know. So, Andy, why don’t we start from the top. So, you know, talk to us a little bit about how you got started and your evolution to where you are now.

Andy Dale  3:25

Yeah, thanks. You know, like a lot of people, I sort of fell into privacy through different, you know, avenues in my work. I was in a law firm and didn’t touch it, really. And then when I went to TD Ameritrade, it sort of crept in, and I sat right next to the chief privacy officer’s office. And so it came in, as it does a lot of times, in contracts. And I started to understand, you know, I guess this is pretty important. And he was the first person that I’ve ever met that had a CIPP certification. He had it on his wall. I was like, what is this? And he was like, yeah, it’s this thing, you know, it’s pretty new. I think, you know, he was certainly the first person I knew that had a certification. And at the time, the IAPP probably only had, you know, 500 or 1,000 people in it. And so just kind of, like, through him, I understood kind of what the issues were, and I saw him come up in contracts. And then I left the company. And I went to God, as you alluded to, to an ad tech company, and I moved to Boston. And as I was talking with him about it, he said, you’re going to have a ton of privacy issues at that conference. And I said, what do you mean, it’s just cookies? And he laughed, and he was like, you’ll see. And, you know, lo and behold, like, the first day I got there, I sat down with our CEO. And I was like, well, so other than the obvious things, I was the first lawyer at that company, and so other than the obvious things, what should I focus on, you know? And he was like, just privacy is going to be a huge, huge thing. And this was probably 2013, around that timeframe. So, or end of 2013, early 2014. And so, obviously, he was right. You know, it became really important. I got my certifications and started really being able to help the ad tech company. And then from there a couple other companies, but always going to companies that have data and personal data as a critical element, because I don’t like to choose stuff that’s simple or easy.

Jodi Daniels  5:21

That makes sense. It’s actually kind of a similar story. I was doing ad tech, and then there was this privacy issue and who is going to help solve privacy. And that’s how I got into it. It was 2002, it was actually 2011. When the IAB came out with their little AdChoices, I clearly remember the article was this two-paragraph article around AdChoices. And that led me down this very deep rabbit hole of researching privacy, AdChoices, IAB, and entered the industry. At the same time,

Andy Dale  5:49 

I went to a conference, Jodi, in DC. It was the Association of National Advertisers, ad law and policy. Because my main client, one of my main clients at TD Ameritrade, internal client, was our advertising and marketing team. And so I said to that chief privacy officer, like, maybe I should go to this event, and I went, and I came back and I was like, there’s this icon thing that people are putting on ads now. I think this is something we should do. And of course, what do you think happened? He was like, yes, then you should be the one that figures it out for us. Yeah, that’s how it

Jodi Daniels  6:23

works. Yeah, how it works. So

Justin Daniels  6:25 

kind of bringing it forward to the present day, can you talk a little bit about what are the biggest privacy issues you deal with on a day-to-day basis as the GC?

Andy Dale  6:33

I mean, right now, Justin, as a company, the stage we’re in, it’s international. It’s me trying to make sure that as we go global, we’re doing that, you know, with privacy in mind. Before I joined, one of the first things I did when I met, you know, the founder and CEO, and the head of product at the time, was to start, you know, just brainstorming and whiteboarding and talking about international for them, because they had a lot of questions about how to do that. And we spent the first nine months of my time at Alyce not going global, but making sure we had sort of the baseline privacy infrastructure to go into Europe. And so we spent a lot of time working on that. And we were also, you know, setting ourselves up to raise money. So then we raised money. A couple months ago, we closed a financing round. And now, you know, a lot of our customers are pushing, and we’ve just released general availability for the UK, and the rest of Europe will follow in a couple of weeks. And, you know, we have other countries on our roadmap. And so that’s what’s consuming me now, making sure we can do that in a way that feels, you know, fast enough for a tech company life, but also responsible, with the table stakes in place.

Justin Daniels  7:47

Have you found when you’re dealing with the privacy in Europe, that there’s a real difference when you deal with it in France or the UK versus Germany, for example?

Andy Dale  7:57

Yeah, I mean, this probably goes back more to my time at DataXu, when we had a wholly owned subsidiary in Germany. The way DataXu entered Europe was buying a company in Germany. And that was both culturally, cultural differences between the US company and the German subsidiary. So, and then understanding, you know, we always hear, well, so in Europe, privacy is viewed as a fundamental right, whereas in the United States, it’s sort of viewed differently. That was very clear and evident. I think you have to experience that before you really can get what that’s like. You can think about that or see it on paper, but it really is different. And then it varies, as you noted, Justin, by country. So our German colleagues had a very different viewpoint, then we had a team, a small team in France, and they had a very different viewpoint. It was, you know, generally the same. But we were also at a time when the landscape was evolving. It was pre-GDPR, moving into and past the GDPR. So while you had the directive prior to the GDPR, you had all these different countries with different laws implementing their own sort of viewpoint, and then the GDPR sort of harmonized that, but it didn’t really, still, because there’s still cultural differences. And this is what we’re struggling with, in terms of how fast we can launch in Europe with Alyce as a product. Because if we launched a gifting marketplace in the UK, there are going to be different privacy and cultural norms from a consumer in France versus someone in London or, you know, even another part of England. So we have to think through, like, what’s the actual privacy difference? And what’s the cultural difference as well?

Jodi Daniels  9:36

I’d love if you can share a little bit more about that. So as you’re developing the product, there’s a product lifecycle, right? There’s the beginning, we were thinking about it, there are a variety of different considerations. How much is it going to cost, people, legal, all kinds of things. And obviously privacy. So help us understand a little bit, how do you incorporate privacy in the product development lifecycle, whether it be a new one or sort of an existing thing, and someone wants to expand on it? What does that look like? bunch of different

Andy Dale  10:05 

sort of vectors there to that question, but I think it all starts with the culture you create when you join the company. And it helps being the general counsel as well as CPO to be able to do that. The CPO can do that too. But, you know, you kind of need your privacy champions within the organization. And they can even be consultants, like if you’re working with Red Clover or another consultant, they need to be your champions as well, internally. Your outside counsel can do that too, if you have them interacting with other members of the team. So I think setting a culture that we care deeply about data privacy, and that it’s a relevant piece of the privacy by design cycle that we’re trying to run, is important. So that means everything from talking about it a lot, having privacy 101, kind of, you know, in this day and age, rather, Zoom calls, where I walk through things and answer questions and give people a lay of the land, and spend a lot of time with our product team just talking to them about privacy so that they can understand that my role, when I’m wearing my product counsel hat, that role is a true mix of privacy and sort of go-to-market legal work. So you set the cultural foundation, and then it comes down to a little bit more, like, as you narrow, more actual practical things that are happening, like what are the privacy checkpoints in the requirements that are written up by product managers? And where are they? And what are they? And, you know, at what point are we revealing things? And then when are we doing an impact assessment? And when are we doing that along this sort of spectrum of product development? And so a lot of that is develop your champions, and then have open conversations with them about what process are you creating for product development, and where does privacy fit in? And I don’t like to be a person that says yes or no, or having like a veto, unless it’s an insane proposition. I like it to be more like checkpoints along the road, you know, so that we’re up to speed on what’s happening, so that we can say from the very beginning, well, you know, you want to use data this way and not this way.

Jodi Daniels  12:11

I think that makes sense, especially that you’re having that conversation throughout the experience. So for anyone listening who is trying to figure out how to incorporate privacy throughout whatever new products, or new services, or new ways to use data, that’s a really helpful point. It doesn’t always have to be sort of at the very beginning and only at the end, but really to be part of that conversation throughout is, sounds like, been very successful, that you’ve seen in multiple organizations. Yeah, I

Andy Dale  12:39  

mean, it’s a lot like planting seeds in a garden, you know, like telling people over time, these are the things that are important, like, what’s a controller? What’s a processor? You know, see, this is what CCPA means for the United States, there’s a looming federal privacy law, maybe, maybe not. Giving someone some, like, context around what’s happening in the world, and then doing that as well with not just your product people, but also the engineers, and let them know. There’s different ways to talk to different, you know, segments of the business. And so making sure that if you’re thoughtful, you can highlight the things about privacy that are important to those people. Like, for example, with an engineer, I’ll say things like, I’ll give them the background and I’ll start talking about things. And I’ll say, by the way, knowing at least some stuff about privacy is huge for your personal resume and your development as an engineer. Like, this is only getting more prevalent. This isn’t going to be any less prevalent. It’s good, like, cyber, privacy, any of it, anything you can learn about security and privacy. It makes you more marketable. And it’s just a feather in your cap, you know, for future jobs. And they like hearing that and surprising.

Justin Daniels  13:53 

Andy, I’m going to begin my question next with the R word, the R word. So typically when I’ve been involved with certain companies, and they have a ransomware event, one of the things it does is it lays bare every mistake you’ve made with your privacy program, like companies who can’t tell me where their data is because they never did a data inventory. And so given the business you’re involved in now is heavy in the marketing space, why do you think that companies struggle so much to make privacy a part of their culture, especially when, if you have a security incident with ransomware, any problem with your privacy program is laid bare completely to everyone in the company and your customers?

Andy Dale  14:33

I mean, honestly, it goes beyond ransomware to any security incident, really. Literally, you know, it opens up vectors you weren’t aware of and weren’t thinking about. And I think one reason, Justin, is that we have so many new laws at the moment that constantly companies are retrofitting. Like, so you’re retrofitting, you know, data subject request scripts and technologies against, you know, systems that weren’t built for that, not because it was wrong, it just was built during a different time. If you look at, you know, PCI compliance and systems that were built prior to that standard, like, of course, you have to go back and retrofit things. So they built things the way they knew how, there was basically no regulation of that prior. And then you have to build forward. I think now we’re getting to a little bit of a better place where people are, you know, potentially thinking about these things earlier on. But I don’t think we’re at the point yet, and I’d love to hear from y’all on this, if y’all think this too. Like, I don’t think we’re at the point yet where, you know, CEOs and founders of tech companies are, like, from the very beginning, unless it’s a privacy tech company, from the very beginning, making that in from Jump Street. I don’t think it’s happening yet. So you’re always doing some amount of retrofitting. And then, and I think, Justin, especially in security, I think people are still just always viewing, unless it’s like a heightened concept from the get-go, you know, like, we’re storing a bunch of really sensitive information from the get-go, a lot of people are like, build, build, build, build, build, build, build, code, code, code, code, you know, data privacy, security, like, months or years later down the road, oh, I need a CISO, I don’t have the money for that. So third-party consultant, get me where I need to go up to a point to get through diligence and raise money, okay, keep going, keep going, keep going, maybe I’ll hire a security engineer, keep going, keep going. And just, maybe I’ll have an incident, or maybe I won’t, and they are waiting. So

Jodi Daniels  16:34 

it sounds like a very familiar story and how you just described that is what I feel like Justin, you’re saying all day

Justin Daniels  16:41  

until some of the investors have their portfolio companies have a ransomware event. And then magically, they are born into how they view security. And candidly, we’ve had investors tell us, hey, when I’m making an early-stage investment, you know, privacy and security fall well outside the top 10 of the most important issues that they face. And then to your point, they don’t build it into the DNA of the product. And then later, when they try to, as you say, retrofit it, it’s typically not done well. And then if they suffer a ransomware event, they get it, or they go into due diligence on an M&A deal. But I have to tell you, even in the M&A deals, I’m still very surprised by how many companies don’t do the level of diligence on cyber and privacy that they should.

Andy Dale  17:26

I think, also, not to go too into the weeds on M&A, but one thing that’s impacted that is rep and warranty insurance. So now you’re getting backstopped for these reps and warranties that you’re making by an insurance policy. And it’s causing, in my view, the buy side of an M&A deal to make stronger reps, to have stronger requirements for reps of the target. And then the target is sort of incentivized to just agree to it, because they’re backstopped with insurance, and it’s viewed as a risk-shifting game, as opposed to a, well, my program does X, Y, Z, so I’ll rep to X, Y, Z and then I’ll go sell the company. It’s a different game now. And so I think we’ve, like, moved the ball away from things that, Justin, maybe in your calculus, they’re like, don’t create better security or privacy practice, net, to that end.

Justin Daniels  18:21

Well, I think that’s interesting, Andy, because I guess what I’m starting to see is the insurance market, when it comes to ransomware, premiums are going to skyrocket, coverage is going to go down, even one insurer, AXA, has gotten out of the ransomware business. And my expectation is what’s going on in the cyber insurance market will start to impact whether and how cybersecurity and privacy is insured under reps and warranties insurance policies, because my view as an attorney is cyber and privacy risk on an M&A deal is potentially purchase price and beyond risk

Andy Dale  18:55

for the buyer. They can be right, depending really, depending on the nature of the data that’s involved.

Justin Daniels  19:00  

Just ask Marriott.

Andy Dale  19:01 

I mean, it’s an it’s an interesting time.

Jodi Daniels  19:04  

So with that being said, what advice would you give to other general counsels, especially new ones coming into a role?

Andy Dale  19:15  

I mean, it’s such a broad question. Lots of GCs, I think, have their own kind of 30-60-90 plan that they execute when they walk into a company. I mean, I think personally, my view is that I like to walk in and assess things and not blow anything up right away. Because I just think that’s, it’s responsible, it’s reasonable, it’s rational. I’ve seen it go the other way. And I don’t personally think that goes well. So, like, listen, get to know people, try to understand the culture of the company. Those are a lot of, you know, sort of less practical things. I think on the practical side of things, you know, I sort of mentioned getting some privacy champions in the business. And that means getting deep, pretty quickly, with the product, like understanding as much as you can about what the tech actually does and how it works. Spending time with engineers, spending time in the platform, like using the platform and making sure that the tech works, or rather that you understand how it works, because I find that when I’m going to negotiate a contract, or as we discussed, reps and warranties, or anything privacy related, when I’m product counseling or anything like that, the more I can know about the tech, I’m just a way better attorney for the business.

Justin Daniels  20:36  

I find it so funny that you say that, Andy, because I’m on video number four of 27 for network architecture, because when it comes to security, and even the privacy parts, understanding how someone has set up their network when you have to talk to it, I don’t know about you, but many times I find I’m the one who is the interpreter between the IT speak and the C-suite speak. And it really becomes almost, I think, table stakes that we as lawyers will have to really become fluent with how the security stack is set up, the technology stack, because I don’t know how to understand the technology product in the contract if I can’t visualize how the network and everything is set up.

Andy Dale  21:16 

So from a cyber security standpoint, that’s dead on. Like, my opinion is that the cyber lawyers that are the best are the ones that are very technical and are, like, picking through which databases you’re using, how you’re using them, what things are happening. They’ve spent a lot of time with CSOs, they are on point. And actually, I would say it’s getting there as well for privacy. So on that same, some of the best lawyers in privacy that I have interacted with have technology backgrounds, or have just dedicated an inordinate amount of time to learning technology. Some examples: Julia Shullman, the General Counsel and Chief Privacy Officer of TripleLift, is maybe the most technologically savvy ad tech lawyer I’ve ever come across. Jurgen Van Staden is the Associate General Counsel at Verizon, he understands ad tech deeper than maybe anyone at Verizon. You know, so there’s a real benefit in investing that time and energy in the tech.

Justin Daniels  22:20  

speaking of privacy, what is the biggest privacy challenge that you are facing right now?

Andy Dale  22:26  

I think there’s two. I mentioned going global, so the gap assessment that’s required to be done for multiple countries, that’s just hard to do, whether you have a big team or a small team. And you’re talking about Europe, you’re talking about Asia, you know, in Asia, every country has its own law or regime or doesn’t. And so it creates a lot of variability there. So you gotta have really good outside counsel to help you assess the gaps that there may be and figure out how to close those gaps. So international is one. And then the other one is, I think, something everyone’s facing, which is, within the CCPA and the coming CPRA, the concept of a sale of data. To me, I’ve been relatively outspoken on this, I just think it’s ludicrous. And so the definition of sale covers, you know, walking down the street and talking about something. So, you know, to me, I don’t know how, it’s a challenge. You know, it’s a challenge I think about a lot. I think about everything we’re doing in the context of product counsel, and dealing with vendors and third parties, and how are you going to, you know, use data. Really complicated.

Jodi Daniels  23:36  

So in the notion of kind of ad tech and sale, we also have not only what’s happening in CCPA, CPRA, but we also have actual technology changes that companies like Apple and Google are putting forth. So I’d love to hear your thoughts on kind of the world of cookieless marketing. And what does that mean for a company like Alyce?

Andy Dale  23:58 

it doesn’t mean so much for Alyce. I mean, having been in an ad tech company, it was a very different, you know, it’s a different landscape moving away from cookies and towards some sort of email, hashed-email-based identifier, or whatever solution is going to land. It’s different for those companies where ad tech is table stakes. For an Alyce or my last company, SessionM, you know, it’s more about advertising for your business, and how you would utilize technology to advertise for your business. And I just think kind of the analysis is the same, which is, no one knows where we’re in. We’re in a massive kind of gray area. And we’ve been in that place for a long time. And I think we’re just going to keep living there for a while. So people are going to keep advertising, they’re going to keep using data. They’re going to keep sort of adjusting and augmenting their disclosures around their activities that they’re doing. I’m an over-disclosure type person. So my privacy policy is going to state exactly what we’re doing with data. Might not be short or clear, it might not be fun to read, but that’s my take on it, is we have no enforcement history around this stuff. So like, dirty little, you know, so like, people are gonna keep acting. And I think we’re just gonna have to kind of see what happens. say mean

Jodi Daniels  25:16  

your policy can’t be concise and cover every obligation possible

Andy Dale  25:23  

One could take the view that the regulatory framework has created an impossibility of doing what you just described.

Jodi Daniels  25:32  

I know, they say it has to be simple and concise, and yet include all these things that are long and impossible to make it short and concise.

Andy Dale  25:42  

And by the way, you know, the CCPA requires, I think you alluded to this, like, sort of clarity and speaking, you know, on a more basic human level. But yet, like, the buttons for do not sell that, like, were advanced as options were completely ridiculous, completely ridiculous. It made no sense. And you didn’t even know, like, which box was checked. And so, you know, leave it to the tech companies to figure out their own UI and UX for this stuff. But it’s not easy.

Jodi Daniels  26:11 

For sure. I actually would think it would put Alyce in an interesting position. Because if you think about people really trying to connect and create relationships with people, what you all are doing is an extension of that. It’s a way to really create a strong relationship, and furthering the whole point of marker and marketing, which is connecting with someone, building a relationship.

Andy Dale  26:31 

Yeah, I mean, I think solutions like Alyce did well last year, when companies were still trying to, and desire to, engage with customers and meet them where they are, and have relevant and relatable conversations with them. I think it’s, you know, the question about ad tech is a little different, where you’re dealing with sort of this weird cookieless identifier environment, with first-party data, where customers are opting into that communication through either a marketing channel or some other avenue where a company has, you know, gotten engagement with somebody, and then is trying to engage deeper or further or have a deeper customer conversation, you know, or do account-based marketing, where you’re trying to create conversations for larger kind of enterprise discussions. Yeah, I mean, like, these kinds of solutions are going a long way.

Jodi Daniels  27:24 

Yeah, I see a lot of companies moving to more first-party data and more direct engagements. And I think those that might have played in the ad tech space will still do it some, but they’re looking for other ways to connect. And so I think that puts companies like Alyce in a good position, obviously different type of marketing, but kind of taking from one bucket and moving it over into a different bucket.

Andy Dale  27:47

If you look at traditional account based marketing, or sort of IP address focused, you know, marketing, there’s still obviously there’s room on that spectrum, or the funnel, if you will, from the top part of the funnel for advertising all the way down to kind of more one to one engagement where, where a company like Alyce is involved.

Jodi Daniels  28:08 

Sounds great.

Justin Daniels  28:09  

So Andy, what is your best personal cyber tip?

Andy Dale  28:13 

So my best tip would be, if you’re in a young company, and you don’t have the buy-in or financial wherewithal to have a dedicated security person, make the case early and often and hard for at least an outsourced third-party security person to help assess your entire platform, your program, help you do SOC 2, if that’s what you’re wanting to do, or some other audit, and push that early. And don’t stop pushing that.

Jodi Daniels  28:45 

Okay, the advice now, when you’re not acting and serving as GC, and reading the latest privacy news, and chatting with your product friends, what do you like to do for fun?

Andy Dale  28:56  

With Alyce, we call it our five to nine, instead of your nine to five. We’re trying to focus on engagement, you know, with somebody, so that when we have a business call, we’re not talking about the weather, we’re talking about something, you know, relevant and relatable. My five to nine is my dad, you know, you can see behind me, so two young kids, focused a lot on that. In this time of COVID, been able to spend a lot of time with them, which is a silver lining of this. It’s great. And then additionally, I’m a big tennis player, playing tennis since I was six, so I play multiple times a week, and one of the nice things has been being able to continue to do that. And then I guess the last thing would be a lot of cooking and baking and learning how to do stuff like that. And the kitchen has

Jodi Daniels  29:43 

been what’s been your favorite creation that you’ve learned over the last year. I got

Andy Dale  29:47  

really good at focaccia bread, so spent a lot of time working on that recipe. And then additionally, just kind of baking with my seven-year-old, just learning new stuff and things that she’s interested in, you know, tackling recipes. And then my five-year-old drew a four-tier layer cake, all different colors, for fun as a drawing, and just said, Dad, can you make and so that was a fun challenge, never made a tiered cake before setting up this great duo by good effort.

Jodi Daniels  30:19

Good. Excellent. Well Andy, thank you so much for joining us if people want to be able to connect with you, where’s the best way to do that?

Andy Dale  30:28  

Yeah, give me on Twitter or LinkedIn. On Twitter, it’s @AndyDale23, and then LinkedIn, I’m very easily searchable.

Jodi Daniels  30:36 

Excellent. Well, thank you so very much. We really appreciate it. Thanks, guys.

Outro  30:44 

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
