
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:37  

Hello, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.


Jodi Daniels  0:55  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit Are we ready to? Oh, we’re, where did that come from?


Justin Daniels  1:44  

I just figured it out after just preparing for today’s show. I think we’ve got the clash of the privacy Titans. We have our US privacy person. And we have our expert from up north in Canada. So why don’t you, why don’t you go ahead and introduce our other privacy Titan. And then I’ll, you know, tell you guys, one minute, two minute, and I’ll be refereeing today, as opposed to being a co-host.


Jodi Daniels  2:13  

Well, let’s get started. So our guests understand all of this laughter that is happening. We have Cat Coode, who is one of Canada’s Top 20 Women in Cybersecurity in 2021. She is the founder of data and privacy consultancy Binary Tattoo. She is backed by two decades of experience in mobile development and software architecture at BlackBerry. She helps individuals and corporations better under sight. I can’t speak. Better understand cybersecurity and data privacy. I’m just so excited to get started that I can’t say all my words. Because Cat, I’m so excited to have you here on the show. We’ve been doing these really fun videos over the last several years together. And we’ve never had the opportunity to do this podcast until now. And so, welcome to our silliness.


Cat Coode  3:08  

Yay, thank you. There’s no battle here. We’re just both really passionate.


Justin Daniels  3:14  

We’re going to enter, we’re going to, we’re, we’re going to ask you, you know, how did your role evolve to today, and then I’m gonna read out, you know, the rules for today’s discussion, and then I will simply referee and let you two go.


Jodi Daniels  3:30  

Alright, Cat, tell us how you got to where you are today. Bring us from, you know, the BlackBerry devices to the modern


Cat Coode  3:38  

set privacy, my superhero origin story. So I was at BlackBerry, picture it. No, I was at BlackBerry. And I was working on handheld and mobile development when iPhone was released. iPhone is super cool and way sexier. And everybody was like, I’m not using BlackBerry anymore because iPhone is infinitely cooler. And the reason why people thought it was cooler was because it was integrating your data from one app to another to another. So you could seamlessly download some new app and it would automatically pull in your contacts or organize your calendar for you. So we had spent many, many a year at BlackBerry very intentionally creating a device that didn’t do that. Because we didn’t want your data shared. We wanted you to control your data, we wanted you to have enterprise privacy. So when you worked at a company, your company data and your personal data were separate. So this was my big aha moment when I saw everyone jumping ship from the company that was very well segregated and separated to the company where everything was mushed together, because people thought it was easier to have their data shared across a bunch of apps and services. And they did not appreciate the privacy and security concerns to have that happen. So that’s, that’s when I launched my company. So I launched my own consultancy about a decade ago, which makes me feel old, to teach and to help educate people and help people with privacy and cybersecurity.


Justin Daniels  5:04  

All right, so for our listeners, this is the way today’s episode is going to go down. I will be the one asking the questions, or bringing up our topics. And we’ll have discussions about Canadian law from our Titan from the Great North. And then we might have questions or a perspective from our Maven in the US. So are you two ready? No low blows, no colorful metaphors. Keep everything clean, and we’ll get this party started. That’s a good fun.


Jodi Daniels  5:39  

I told you I can’t do movie lines. But I’m really good at phrases in songs.


Justin Daniels  5:46  

Canadian representative, are you ready?


Cat Coode  5:48  

I’m ready.


Jodi Daniels  5:49  

Hey, I’m reading. All right. Good stories. All right.


Cat Coode  5:54  

got so worried today. That’s what we’re doing.


Justin Daniels  5:57  

Obviously, there was something, a few big news stories in the past year from Canadian regulators on data privacy with Tim Hortons and Home Depot. I’d love to learn from your perspectives. What can companies learn from these cases? And maybe it’d be helpful for one of you to give a little background.


Jodi Daniels  6:16  

That’s, I give the floor to you. Oh, Jonah, start with Tim’s, whichever one you find the most fun?


Cat Coode  6:24  

All right, so Tim Hortons is, is the Canadian Starbucks, in case someone doesn’t know. Tim Horton was originally a hockey player, as of course he was. It is a coffee chain, you literally can’t throw a quarter in Canada without hitting a Tim Hortons, or loonie, can throw a loonie, that would be a better analogy, without hitting a Tim Hortons. So Tim Hortons had an application that they were selling, or for free, sorry, to download onto your, your, your phones that would allow you to order your coffee and your doughnuts and your sandwiches. And as part of that app, it had a geolocation feature, which totally makes sense. So you can say, hey, I’m in the middle of nowhere, where’s the closest Tim’s? You open up the app, it tells you where the Tim’s is, you place your order, you drive to that Tim’s, great. Very specifically, in the privacy notification for Tim’s it said that the location would only be used while the app was in use. So presumably, that means if I’m ordering food, it’s tracking my location. Otherwise, my location should not be tracked by this app. Great. That all made sense. Some individual in Canada decided to request a copy of all their information, which is something we have a right to do here. You can contact any company in Canada and say, I would like a copy of everything that you have on me. And it took a lot of doing. But eventually they sent him a copy of this information. And included in it was his location tracking, on 24/7 all the time on his phone, including out of the country. So this was escalated, and it was said, hey, you know what, you guys, not only were you doing this when you really shouldn’t be tracking someone 24/7, but very, very specifically, you had indicated that you were not doing that. But then you were anyway. So that is the background of Tim Hortons.


Justin Daniels  8:08  

Yes. So I’m asking. I’m the referee here today. So can you give us a little background? Why in Canada, you can go to any company? It sounds like in Canada, we’ve got an overarching federal law that cuts across. Can you talk a little bit about how that situation works on Canadian law?


Cat Coode  8:29  

Yes, so we have PIPEDA, that has no, I’ve never heard it pronounced the same way twice, even by our own privacy commissioners. So you can say it however you want. But it’s the Personal Information Protection and Electronic Documents Act. So anyway, that, that act, which is nationwide, has some rules in it. So we don’t have, like GDPR has in Europe, we don’t have a right to deletion nationally yet. We’re hopefully getting that, we don’t have that yet. But we do have a right to be able to access the data that a company has. And we also have the right to amend data that somebody has about you.


Jodi Daniels  9:06  

Now, before you go, Mr. Referee, I have additional information I’d like to garner, because many of our listeners are getting used to kind of this GDPR thing and CCPA and all the other state laws that we have here in the US on individual rights. And one of the questions that we get asked all the time, and I’m kind of curious from a Canadian perspective, is what kind of data do I really share back? Do I, do I really share everything that I have? Or, you know, obviously Tim Hortons might have all my doughnuts and my bagels and my coffee orders, and maybe it probably didn’t store my whole credit card. It probably maybe stored less, or maybe didn’t even store that, and maybe my birthday, but other companies are going to have a lot more data. Can you share maybe some guidance on what you’re seeing companies do, from how much they can give and how that relates, or compares rather, to the other laws, just for some perspective? So a company is like, oh wow, I didn’t realize that about Canada. I, I already have this for GDPR, the states, where it might fit?


Cat Coode  10:12  

Yeah, that’s, it’s a great question, because it’s not very well defined, in my opinion. So hopefully, when we get a new law, which is our Bill C-27, which I’m sure will be renamed three times before it shows up. But hopefully that one will have a much better definition of what that means. So we do have the same rules, that if you’re going to take data, and you’re going to reuse it for analytics, it’s supposed to be de-identified or it’s supposed to be anonymized. So technically, you should not be able to produce a whole set of marketing data on someone and say, hey, here’s your behavioral habits. Because really, unless we, we, we can discuss this one. But unless you’ve asked someone for permission to do that, you shouldn’t really be tracking them all over the place. So really, the data you should have is whatever is associated with their account. That’s what it would be. Now I always come from the butting heads with the marketing world, because I like, I come from the transparency, like I’m all about trust. So you should give back the individual everything you have about them. If you’re hiding something, you already know you’re doing something wrong. You’re like, can we not give them that data? Then, you know, you shouldn’t have that data. So to me, you should be giving them everything that you have that’s associated with their account, whether or not that’s data that they created, or it’s data that was inferred about them based on connections or demographics. That’s also data that should come back.


Jodi Daniels  11:28  

One of the other big differences I think, is really important to highlight. We’re obviously talking about consumers here. But one of the other pieces, we have GDPR that covers employees. And in the States, we have one of five states that covers employees and b2b. What does Canada have for employees and the b2b context?


Cat Coode  11:51  

So we don’t, and so it’s, it’s interesting, because the way that that law is structured is very much about personal consumer information. And then even when they rename them, it’s going to be some kind of consumer electronic, it’s always about the end user. We don’t cover the employees in the company. It’s like when, when there’s an internal breach, I’ve had clients saying, do I have to report this? And I’m like, if it’s your employee data, it’s, it’s not part of what’s reported into our breach system. Like when you report a breach to a Privacy Commissioner, it’s for end users, it’s not for the internal people at the company. So that is something we are, we are sorely missing. One thing Ontario did introduce was the surveillance law, which is really interesting. So it’s, I think it’s a Bill C, this is where my non-lawyerness comes in. I don’t know if it’s a bill or a law. But essentially, all Ontario companies that have more than 25 employees have to document all of the ways they are surveilling their employees, and why, and what they’re doing with that information. And then they have to have that available to every employee, so they know about it.


Justin Daniels  12:51  

So I wanted to ask a follow-up, which is, I’ve been to Europe actually, when they passed, when GDPR went into effect. So when you’re in Europe, privacy is a fundamental right. In the US, it’s kind of company first, government, consumer last. Canada, from a cultural perspective, where does Canada sit when it comes to trying to balance commerce, government surveillance and privacy rights?


Cat Coode  13:19  

We are fully in the middle. We are we are a little bit of A and a little bit of B, because we are the way they are proposing our next bill, which is again, a nationwide privacy standard is very much let us continue with innovation. How can we find a way to protect users and still have innovation? Where are the ways that we can can use information and one of the things that’s been called out on that one is that the government seems to have unlimited ways to use it for research. Like it’s like, Oh, and one of the ways we could do this is if you’re a company that works for the government, you can freely give them all this data so they can analyze the necessity. Now we’re like, wait a minute, that doesn’t make sense. So So within industry, you can’t send it but government you can. So there is there’s still that element of how can we have more data and use more data and look at more data. But it is also individual first in terms of very, very clearly our principles are minimizing what you take, being clear and transparent about what you’re doing with it, only using it for the purpose for which you’ve collected it, and only retaining it for as long as needed


Jodi Daniels  14:22  

for that purpose. One of the other interesting differences is in Europe, there’s no floor and many other laws, honestly global globally, outside the US there’s no floor from a revenue or employee or record perspective, if you’re in scope. And here in the US on all kinds of laws, not just privacy, we have all kinds of floors, you have to have this many employees or this much revenue or this many records. What about in Canada? No,


Cat Coode  14:49  

we do not have that. But one thing we haven’t discussed actually, which does differ from Canada is that every province has their own health regulations, which if they are more stringent than PIPEDA, then they overrule that one. And if they’re less than PIPEDA is the standing one. I think there’s two provinces that are just covered in general. But we cover health information is any information having to do with health practitioners? That is about health. Whereas in the US, of course, like anything covered into HIPAA has to be like from a doctor or from a pharmacist, we don’t we don’t cover it that way. Like we we cover health more broadly. And our health regulations are quite stringent. So our health regulations have better definitions. As an example, if you were to create a health app in Ontario, you have to have an audit trail and a log of every individual who has access to record and what they changed in that record. So so we have much better rules around how we handle health information.


Jodi Daniels  15:51  

Well, we could probably learn a lot. Their health systems are, it’s, I can’t solve that now. It’s not even worth any, any further discussion. But you mentioned provincial laws. What about the Quebec law? That, speaking of bills versus law, no law, but working with you, I learned it was Bill 64, Law 25. Look at me. Yeah. Got my numbers right. So he’s traveled about that one.


Cat Coode  16:22  

Yeah, it’s our, it’s our Canadian GDPR. So I’m hoping the rest of the country follows suit on that one. Um, the Quebec one is going to be French now. It’s the Commission d’accès à l’information, or we call them the CAI. It’s the CAI. The CAI is the commissioner in Quebec. And they have honestly better rules for everything. They have strict rules around biometrics. So if you’re using a biometric in your company, you have to justify the whole necessity over proportionality for Quebec, you have to explain why that biometric is required. So if you’re like, hey, cool, we’re gonna change to facial recognition on our front door. Unless you have like government security behind, like, that door, you don’t need facial recognition; the risk of collecting the facial recognition far outweighs whatever you’re protecting behind the door. That’s a no. There’s stringent rules around artificial intelligence for the CAI, like you have to, you have to actually articulate in your privacy policy if somebody’s information will be used in some kind of machine learning, and what, what the algorithm, like what, what kind of thing is being used on their data. So the CAI has all of those rules already, which is really great. And then on top of that, now, when they released this Law 25, slash Bill 64, they are the first province to have the right for deletion. They have a three-year rollout plan; last year was the first year. And then they are now requiring data protection or privacy impact assessments on anything with sensitive data, that is now a requirement as opposed to a nice to have. They are requiring that you have some kind of individual that is appointed as your data privacy officer. So there’s, there’s a whole long list, and they’ve scheduled it really nicely, where they’re like, here’s the three-year deployment of how you can get on board with this, this privacy action, and they do do fines. 
So like, all hail the CAI. Because so the Ontario Privacy Commissioner, Alberta and British Columbia have been really good with health. They’ve been all over that stuff, because they run the health as well. But it’s Quebec that’s come in with the best law for individuals so far.


Justin Daniels  18:22  

Do you think that has anything to do with that’s the French province? Is there anything cultural behind that?


Cat Coode  18:27  

They think they’re their own country? We’ll go with that. I don’t know. I don’t know the commissioner well enough, but it’s that each Commissioner kind of has the ability to do what they want in their province. And that’s it’s a good question. I don’t think it has to do with them being French. It’s interesting, though, because if you have clients in Quebec, and you’re like, Oh, I’m wondering what I need for privacy, let’s say the privacy impact assessment, I remember the first time I went on there to download their template to make sure I was meeting their criteria. They only had a French version,


Jodi Daniels  19:00  

the English that Kenya and France does that all the time. Here’s our guidance. And then the rest of the world is supposed to follow it and figure out how to translate it. Yeah.


Cat Coode  19:11  

And it does apply to people in Quebec that are that are like if again, if you have an American company and you have clients in Quebec, it applies. It’s like GDPR that way if you’re serving European customers, you’re serving the Quebec why then it


Jodi Daniels  19:23  

applies. Its consumer only those still so it wouldn’t have


Cat Coode  19:27  

been a yes but they have they have a number have different laws and things in place. Like their health law is its own thing as well.


Jodi Daniels  19:37  

Understood. I just wanted to have that clarity. For companies if they were doing business, it still wouldn’t cover your employees and it still wouldn’t cover if it was a b2b context.


Cat Coode  19:45  

Not right now.


Jodi Daniels  19:47  

Okay. We’re here.


Justin Daniels  19:49  

All right, you two can go to separate corners. Well,


Jodi Daniels  19:51  

I go Are we going to this this other spray that we we were having so much fun. I guess


Justin Daniels  19:57  

before we go there, I want to, one thing for the both of you. So I’ve done work with either European companies coming to the US, or the US company going to Canada or Europe. And it sounds to me like, if I’ve got a business model that’s dependent upon this collection of data, you could be in for a very rude awakening when you have to deal with cultural differences or the different laws. I mean, it just sounds like going to Canada, I could be dealing with the national law, with, with countervailing province law and bills. And is that about sizing it


Cat Coode  20:29  

up? It’s a pain in the butt. Yeah, we’ll go there. But anyway, not having that in the US right now. Like I feel like with, with all of the new state legislations coming out, people are like, well, I don’t have clients in California, like if you it’s not going to matter, like, it’s not going to matter. Because if you have clients in the US, eventually, someone’s going to fall under one of these states. So you’re not gonna you’re not going to check in and say, Are you from Virginia? Are you not from Virginia? Does this apply? Does it not apply? Like I, to me, if gee, if you hit the GDPR gold standard, then you’ve covered pretty much everything off. It’s it’s really like Canada’s considered adequacy for GDPR data transfer at the moment, right now. So we don’t need like, like the data protection agreements in the SEC, we don’t need them if you’re moving into Canada, because the government doesn’t have the access to the data the way the US has access to data.


Justin Daniels  21:20  

All right, ladies, we’re going to move on now. Now we’re going to talk about the Atlanta based company Home Depot. So, Cat, you want to walk us through what happened with Home Depot, and then we’ll get the point perspectives of our two sisters of privacy.


Cat Coode  21:38  

So I think are we agreeing to disagree on this one, maybe. So Home Depot did that innocent lovely thing, which I hate when you push privacy on to your employees that I mean, everyone should understand privacy, but I hate when the onus is on the employee at the the customer facing end to do the work. But when people were out buying their hammers and their nails or in Canada, the shovels, it’s always shovels and snowblowers. But when when people were buying your shovels, and then the person at the checkout would say, Would you like an email copy of your receipt and people said, Sure, and they gave their email address. Turns out that email address was actually being passed to Meta. And when it was being passed to Meta, Meta was using it for its own targeted advertising on Facebook and Instagram and whatever else they’re doing in the background. So the argument that’s being made by the commissioner, and it’s in front of the Privacy Commissioner of Canada, is that the individuals who gave their email addresses did not give consent to have their email addresses used in this way. That’s the background. I agree. Because I always remember what would I want? If I said, Yes, you may have my email address to send my receipt, my assumption on that is that the email is not going anywhere else other than to send me that receipt.


Jodi Daniels  22:53  

I agree on that. I think the the question I haven’t and many others have is the what were they supposed to do? If you take any other company that’s doing the exact same thing? So you know, Sephora is doing something totally different. So if you take any, any other company, that is also, would you like your email receipt, and then they’re taking that because then the marketing team says, oh, let’s go take all the emails, and let’s upload them. And we can do targeted advertising. And in that concept, that’s where Facebook, but they’re not the only ones. There’s other companies that can do the same thing. are utilizing those emails? I completely agree it should be disclosed, it should be more transparent. The question I have, and it doesn’t feel clear, is what is that consent supposed to have looked like? Is it supposed to have been? Can I use it for marketing purposes? Can I use it and share it with a third party? Do I have to list all the third parties that is, you know, how do we learn from what they did and and blasted all over the news for? What do we what do we take from that? And what can someone do going forward? I’m very curious to see if you have any thoughts or what you’re hearing peers, and others say?


Cat Coode  24:10  

Yeah, I think like a part of this issue. And it’s like, to me, this feels like a form of data brokerage, because it is because you’re taking data and combining it with other sources of data. It’s, it’s not what people expect with their with their personal information. And we’ve gotten on this train for the last 10-15 years in the marketing, world marketing and commercial where we’re all like, hey, we have the data, we should use it. Look, we can track this person all over the place. We know that they visit these other sites, let’s let’s do this appropriately, they put this in their basket at Amazon. So next time they go to visit this other site, pop it back up again and see if they still want to buy it because it’s sitting in their basket. Like I get where the notion comes from from the advertising world. But that doesn’t mean that that data ever should have been used. And that’s where I’m always stuck on that data never should have been collected. It never should have been combined and there shouldn’t have been any way for two data sources. To say, Hey, I’ve got this and I’ve got this, let’s paint a bigger picture of this person. Like I always joke with people, it’s like your doctor, and your boss and your spouse and your kid and your best friend getting in a room together and saying, Okay, now everyone tell each other everything you know about me, like, you would never want that you would never want that to happen because you disclose different information to each of these entities. So I can’t see a world where anyone in unless unless they were really comfortable with it would want to disclose data from source to source to source to source. So ultimately, I think we have to get off the train of saying, Hey, how can I do this with consent? And say, How can I find better ways to serve my my customers in my market without using other data sources to


Jodi Daniels  25:43  

do that? Here’s where it might be slightly fun, because I still agree with everything you’ve said, where it should be in the spirit of what someone expects. And if I give you my email for my receipt, I think you’re giving me a receipt, and that, that might be it, or you’re going to send me, yes, this is an interesting battle, is the comfort level. If I gave you my email at Home Depot, use that same email to then tell you, put you on their email list and send you their weekly newsletter, so that you buy the ice melt that you needed, and it’s spring now, so here’s some flowers. That’s kind of one use in their own ecosystem, compared with sharing it to a third party. And I think most people probably wouldn’t say, sure, go share it to a third party. Because most people are like, well, who’s the third party? They’d want to have more information. But I do think some people like marketing, because they want it to be personalized. They want to know, you know what, I knew I just have a home. You know what, I don’t know what else I need, like, what else am I supposed to do in spring, summer, Home Depot, please tell me. Actually, I might want you to be able to do that. And having worked with a number of marketers, there really are good marketers who are trying to educate, and these are the tools that are available to them, and they’re using it. So there’s this balance, I think, of, I don’t know if it’s never consent, I think it’s about what does that consent need to look like? That would make a commissioner happy and be transparent and make it not be the longest list ever possible? Because then that’s not meaningful anymore?


Cat Coode  27:25  

Yeah, I think we’re, I think we’re going back to privacy by design principles, where everything is off by default, and you have the option to come in and ask for more. Like, I don’t, I, iOS updated like a month ago, and I had downloaded a new app to my phone. So I went in just to flip the switches on that one app, and then realized all of a sudden, all of the apps on my iPhone were allowing Siri. So if anyone does have an iPhone, there is a setting in there, it says, can Siri do this? Can Siri do this? Can Siri do this? So I have the actual voice assistant turned off. But Siri is still the thing in your phone that says, oh, typically when you, you take a phone call with this person, the next thing you do is use the calendar. And so Siri will, like, here’s the calendar, or you’re always in this app, this is probably the one you want to go in. Like, I have an overview of living in the States, Libby, Libby’s the library app. I like books on tape. So I funnel through all my audiobooks through, like, so it knows when I go in the car, I know that Libby is the app I probably want, because I probably want to put a book up. So that kind of thing. It’s like there are some apps where I’m like, yes, please include this, please go through the data in here and include it. And there’s other apps, like, sure, go through my Libby, that’s fine. But don’t go through my contacts, I don’t want you in my contacts, because then you’re giving that information back to Apple and doing other things with it. So the, we are really supposed to have, the privacy settings are supposed to be at their lowest possible denominator until you opt into it. Because I’m not disagreeing with you, you should be able to send an email and say, hey, we can give you more information about this, this, this and this. Hey, looks like you’re buying a new home. 
According to CASL, which is our email regulation in Canada, if you have legitimate business with someone, you can reach out and email them at least once, because they have a legitimate business with you. So if someone has come in and purchased something from your store and given you an email, that’s enough reason for you to use that email at least once, with an opt-out at the bottom to say, hey, now you’re on our newsletter, as long as they can say no, I don’t want to be. So that’s okay. But, but yeah, I hear what you’re saying. Like it’s, it’s totally legitimate to say, hey, you’ve shopped here, can we interest you in other things? But I don’t want third parties involved in that, even if, but other people might. I don’t, I don’t want third parties involved in it at all.


Jodi Daniels  29:40  

And that is what makes the world go round. Because there are different people and different things. I’m not saying that I necessarily want third parties having all my data either. But I do know people who actually really like personalized information and value value some of those ads that they have bought when they weren’t looking for XYZ. Yeah, I


Cat Coode  29:59  

appreciate that. And there was an episode of Superstore, if anyone’s watched it, where the one main character was going crazy about how everyone tracks you online. And he says to this other woman, you know, they track you everywhere, so they can figure out your preferences, so they can only advertise the things you actually want or need. And she looks back at him, and she’s like, that sounds really useful. I was like, you didn’t, really useful, and I’m with you. I’m like, I get ads, all that, I’m like, oh, that is the hoodie that’s on sale that I have been looking at. So thank you. But yeah, but it’s, it’s also like, I don’t mind if, you know, I’ve clicked on some ads. But there’s other things. It’s like, it makes me question sometimes why I’m getting marketing for other things. It’s like, what do you think I’ve been? Why am I getting that now,


Jodi Daniels  30:39  

That might be actual sale of data. But we'll save that conversation for another time.


Justin Daniels  30:46  

So the two of you realize, of course, that the more you share the information, someone has to be responsible for securing it and preventing unauthorized access to this information, which could be a separate episode. But we know that companies doing that well doesn't happen uniformly.


Jodi Daniels  31:06  

Let's switch gears, let's go back to our companies and what they should be doing. Because one of the areas I know we've talked a lot about is vendor diligence, where companies are failing, and it's really popular with, you know, we have our five laws here. And as a result, many companies are now wanting to do business only with companies that are doing their job. And it's just a good best practice to make sure that you're familiar with wherever your data is going, that you understand what they're doing with it, so you can figure out whether they are using it for other purposes. With that being said, what might you say would be three best practices that companies should be paying attention to, for vendor


Cat Coode  31:45  

due diligence?


Jodi Daniels  31:47  

Vendor due diligence, three best


Cat Coode  31:49  

diligence. So one of the things: every contract has to have three points for privacy. It has to have an incident response clause that indicates that if your vendor has a breach, they will contact you. It has to have some kind of retention statement. I'm always surprised that it's not in there, but it never is. That basically says that when you cut ties with that vendor they will delete and destroy your data, and you can even request proof of that destruction of data, but that they will not reuse it. And then the other one is some attestation to their security safeguards, because, I mean, there was a post on Reddit I captured, because it said, like, what's something that's illegal in the world but isn't illegal in your job? And, you know, people like surgeons were like, I cut bones. But then there were a bunch of people going, oh, I can access private credit card numbers, and I can access social security numbers. And they're like, yeah, as a developer, I have access to this whole database of health data. So part of the security safeguards, which Justin had alluded to, is access rights right there. We're not safeguarding, and we're accessing all this data. So you should know that your vendors are protecting the data, that everyone sitting at that vendor doesn't have access to the personal information that you're giving them. But definitely those three things. So that's one thing you should definitely be looking for.

All vendors are not alike. There's an assumption that, and I'm brand agnostic, but when it comes to especially bigger companies, you look at Microsoft Office 365: they have data loss prevention built in, they have all sorts of ways of controlling things that you send. And then you look at Google, and Google's agreement basically says, don't use us for sensitive info, we can't make any promises. So, you know, you get this thing where people are like, but everyone uses G Suite, or everyone uses this tool, so it must be good. I wouldn't rely on the "everyone uses it." Like, you really need to do a little bit of due diligence on that.

And then the third one is to have some kind of vendor checklist. My dream is that there'll be some kind of tool that everyone uses, so you could automatically pull the checklist answers, because as a SaaS or a B2B vendor, these poor vendors are filling out these vendor checklists every day, and it's a pain in the butt. And then as the company that's bringing in the third party, you have to assess 17 different people's answers. It would be really great if someone would develop a uniform vendor checklist. But that being said, I developed one, I will say, for a smart condo. And the smart condo is 17,000 different IoT devices. And I suddenly realized there was no vendor management, like there wasn't a solution that worked for them. So I had to come up with one, and then we had to determine and say, look, if it's this kind of data, you need this level of safeguards, but if it's this kind of data, that's actually behavioral data, and you need to make sure they have this level of safeguards. So in this world of IoT, where companies like condos are bringing in data sources from 20 different places into one app, into one concierge or whatever they're calling it, that is a really dangerous act, their size, and they're funneling all that data off. So yeah, so good master service agreements, or wherever you're putting that information. Do your own due diligence, don't rely on big names just because they're big names, and have some kind of vendor checklist, especially if you're dealing with very sensitive data, to make sure those vendors are actually really going to handle your data properly.


Jodi Daniels  35:21  

I think those are three very valuable best practices. Mr. Vendor, write a contract, man,


Justin Daniels  35:28  

What are you going to add to that


Jodi Daniels  35:29  

list? No, we're only going to do three best practices, I see. If you'd like to add something, you are more than welcome.


Justin Daniels  35:36  

It's just that the two of you have disagreed in such a friendly and constructive manner that that's going to hurt ratings. The two of you should be throwing bombs, eliciting colorful metaphors, and attacking and peeling away the other person's credibility on something unrelated to this, you know, the common crazy stuff we see.


Jodi Daniels  35:55  

I'm just too nice. I just, I could move to Canada. Everything's nice. Well,


Justin Daniels  36:01  

as long as it's near, bam. Great. All right. Well, I guess what I'm interested in knowing, Cat, given all of your experience in privacy, what is your best privacy or security tip? One best tip. We might be able to squeeze in one more, since we're hanging out with your sister from another mother.


Cat Coode  36:30  

I don't know why. Um, yeah, what? But the first best tip is: know your data. Like, data map, find it, know what you have. How do you know what you're protecting if you don't know what you have? That is always starting point number one: know what you have. And then, more importantly, if you don't need it, get rid of it.


Jodi Daniels  36:52  

Now, I am going to flip this to a personal standpoint, because I know that you have evaluated a number of apps and programs that your kids have used, kind of for, like, team sports or school, and as a parent you have to sort of evaluate these and you might have to use them. Are there any tips that you could offer parents who are listening on how to navigate that, or what to look for?


Cat Coode  37:17  

Yeah, that one's a really hard one. So there's two things, there's two problems here. One problem is that the schools are forcing our kids onto apps that they themselves have not done good vendor due diligence on, for sure. Like, there's a whole bunch of stuff I know my kids are on, or that I'm forced to use as a parent at the school. And I have things on my browser that tell me how many trackers are on the sites. And I'm like, why are there so many trackers on the site in which I have to put my kids' info? That doesn't even make sense. So there's that part of it, which is, please raise issues with your school boards. Like, if enough people say, hey, what is this app, and has someone checked it? Maybe they will. And then the other issue is, what do you let your kids on? I am a big proponent of getting your children off TikTok. I know they love it. But you can watch TikTok videos outside of TikTok, and it really is tracking and coordinating contacts and all sorts of information across different individuals and making a lot of inferences that are not necessarily safe. So TikTok, I'm not a fan of. But in terms of using the other apps, it's really about teaching your kids and yourself not to overshare the data on those apps. So again, privacy is not the "I have nothing to hide." Privacy is the "I'm in control of my information, and I decide who I want to share with."


Jodi Daniels  38:31  

Very good tips. Now, when you're not building privacy programs and talking all things privacy, what do you like to do for fun, right, in free time?


Cat Coode  38:42  

In my free time I like to dance. That's what I like to do.


Jodi Daniels  38:47  

Any particular type of music?


Cat Coode  38:50  

Reggaeton would be my favorite. I had a bucket list item to do a ballroom competition before the pandemic, and I have not gotten back into finding a place to do that. But that was my, now that I'm old, what should I do with my life? And I'm like, I always wanted to do that.


Jodi Daniels  39:10  

One of my favorite classes in college was ballroom dancing. And they had it Monday, Wednesday, Friday at 8am, to make sure that the kids who really wanted to do it were there. And there was a waiting list for the class. Did you pass? Yes, I passed, but it was really fun.


Cat Coode  39:30  

That’s what matters, right? It should be fun.


Jodi Daniels  39:34  

It was really fun. And I'm telling you, there was a waiting list. It was one of the most popular classes ever, and 8am is really early. There's not a lot of college kids who are like, wow, 8am Friday, let's go, or Monday.


Justin Daniels  39:45  

I took wine tasting. That was a good elective.


Cat Coode  39:47  

I also did dance as an elective. Learned something. I did modern and ballet.


Jodi Daniels  39:54  

Now, where can people connect with you to learn more and stay up to date on all things Canadian privacy, and


Cat Coode  40:01  

Canadian privacy, so actually our Canadian Privacy Commissioner is pretty good about putting out videos and things about our changes and how all of our stuff works, including breach reporting, because breach reporting is a big deal in Canada now. So if you just type in Canadian Privacy Commissioner, or the relevant province that you feel like picking, pick one out of a hat, then there's lots of good info there. You can find me at That's because I like to be difficult, or Or on LinkedIn or on Twitter, but we'll see how long that lasts with Elon Musk.


Jodi Daniels  40:40  

How would you rate our discussion here? Referee, referee.


Justin Daniels  40:43  

I think we’ll call it a draw.


Jodi Daniels  40:45  

All right. Thank you so much for sharing your wonderful insights and fun humor. We really appreciate it.


Cat Coode  40:53  

Thank you guys.


Outro  40:59  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.