Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:35  

Hi, Justin Daniels here. I am a technology attorney who is passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.


Jodi Daniels  0:55  

And this episode is brought to you by, like, the weakest drumroll ever, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit So today, we’re gonna do something a little bit different. What are we gonna do? It’s just you and me, baby. That’s it. I just care about the dog.


Justin Daniels  1:38  

Very true. What’s up, Basil?


Jodi Daniels  1:41  

Well, what we opted to do for this week is do a top five topics and lessons that we have seen in 2022 so far, in just four months of the year.


Justin Daniels  1:54  

So I’m gonna go first. Really, did anyone notice? If you can see Jodi, she has a shirt, her earrings and her lipstick all perfectly coordinated.


Jodi Daniels  2:04  

It’s a purple kinda day. It’s all about coordination, I guess. So our top lesson, I guess we’ll call them the top five lessons of 2022, is that we find companies are skipping the data inventory. And they might be going straight to the tactical: I need a privacy notice, or I need to just get a contract signed. And we really encourage a data inventory for so many different reasons. The first is that it’s the foundation of a privacy and security program. It helps you find where all of the data is, why you’re using it, which is really important to help you figure out what law you need to comply with, and if you can, or should, or can’t use the data. It helps you write the privacy notice. And it helps you figure out what data you actually have to secure. And it also helps you from an individual rights perspective. So that when Jodi comes along and says, I’d like for you to tell me what data you have, you actually know what data you have, because you’ve done a data inventory. Now, Justin, I know you have some thoughts on data classification, which would fit into our data inventory discussion.


Justin Daniels  3:17  

I do, because what I’m starting to learn is: think of the different kinds of data that you are collecting, like email with your name, or credit card information, but what about the video that might be collected, even if it’s in a public place? How do you assess how sensitive that data might be? And what I’m starting to figure out is that kind of video data, in and of itself, even if you don’t have audio, is really sensitive data. And if you do a data inventory, mapping type of exercise, you may typically uncover, “I didn’t really know we collected that.” And then we say, okay, how do we classify data? Because, Jodi, doesn’t the way that we classify data kind of set up what kind of collection parameters or use parameters we may put around it, as well as security?


Jodi Daniels  4:05  

It does. I said that in the beginning, you are totally listening, right?


Justin Daniels  4:09  

Absolutely. I was wanting us to reiterate that very important point. But I know what you’re driving at since I happen to be married to you. So thank


Jodi Daniels  4:17  

you, anytime. Glad to help. All right, Justin, what is lesson number two?


Justin Daniels  4:25  

Lesson number two? Well, you know that we can’t have a conversation without talking a little bit about web three. And so one of the things that I am seeing this year in the web three category, with all these NFTs and decentralized finance things, is it appears a lot of these companies who were very entrepreneurial want to scale so fast, they’re forgetting about what


Jodi Daniels  4:48  

privacy and security.


Justin Daniels  4:51  

Exactly. So what is very interesting to me is watching companies like Axie Infinity, who has the most popular play-to-earn combination NFT cryptocurrency game in the web three universe, was hacked this year for $625 million, a tidy sum. And when they peeled back what had happened here, even one of the representatives, one of the C-suite folks, said, “Hey, we’re going 100 miles an hour and things tend to break.” Well, in order to get people to play a game, Jodi, how much do you enjoy having to wait? Or if you have dial-up and a service is inconvenient? You have a lot of patience for that.


Jodi Daniels  5:29  

Let’s dial up, no patience.


Justin Daniels  5:32  

Exactly. So if you want to have fast transaction speeds, when you’re minting NFTs and then playing a game where you get cryptocurrency, you need fast speeds. And what people don’t realize is the Ethereum network itself is slow. So how do we make it faster? Well, we build things on top of it, since a platform, but we also centralize the validation function of, hey, is this a valid transaction? And on top of that, what happens? Well, if one person gets hacked, and they control five of the nine, or a majority of what they call nodes to validate a transaction, they have now become my common point of failure. And that’s exactly what happened in that example. And what I’m seeing repetitively, when you’re reading the news and watching companies go to market, it’s all about how fast can we get there as quickly as possible and damn the torpedoes, the security and the privacy; we need to have people using our product. And that’s what matters. And the privacy and security consequences are unexpectedly familiar.


Jodi Daniels  6:43  

So lesson number three is a little bit also in your camp, talking about contract mistakes.


Justin Daniels  6:51  

Contract mistakes. Well, one of the things that I’m seeing increasingly happen this year is, let’s say we’re Red Clover, and we’re going to buy a cloud provider. Well, maybe there is a part of that cloud provider that has hosting, but that’s provided by someone else; there may be another part of the offering that is remote access, that’s by another vendor. And so what I’m seeing is, you’re not really buying a product from one vendor anymore, you’re really buying some type of integrated offering. So when you’re doing your due diligence, back to Jodi, what kind of questions are you asking around what kind of data is getting collected? What vendors are touching what data? What sub-processors do they have? I have to sit there and whiteboard out: where is the data flowing through? Who is providing what service? Because if you don’t do that, then you may have gaps in your understanding. Because really, Jodi, when you buy something from a vendor, what’s the reality? You’re just buying the worst security from the vendor who’s least compliant.


Jodi Daniels  7:57  

Oh, that’s an interesting way to think about it. I think the other thing that people need to remember is to even consider some of the privacy and security pieces in their contracts. And to find all of the different vendors, see, if we do lesson number one, which is our data inventory, we can then identify all of the vendors. A lot of times people will go just to their IT team and say, okay, tell me all the vendors or the assets or software we have, and they’re forgetting that so-and-so in marketing or HR went and got this really cool SaaS tool, and might not have found what their terms and conditions would be, which then ties into what you were just talking about.


Justin Daniels  8:38  

Because I think it’s really interesting to have a privacy policy or a security agenda. And what you now find is pretty commonplace on middle market agreements on up, as to how all of this works. If your data has been processed by two or three different vendors, or they have custody at some point in the process, how do you know that unless you whiteboard all that out? And if I’m on the side of, hey, I’m making an offering that is an integration of four other vendors, like the payment processor, the hosting and others, well, what did I put in my contract about their obligation to cooperate with me if there’s a data breach or a problem? Because if I don’t have anything in there, and then they have some blanket legal limitation of liability for, say, $10,000 and they get breached, and it impacts my customer journey, are you going to be mad at that vendor or me, who you’re expecting to fix the


Jodi Daniels  9:27  

problem? Well, you, because I don’t even know who this other random vendor is. Just, no, you.


Justin Daniels  9:32  

Right? And if my liability is much higher to Jodi, my customer, than this vendor who had the problem, what does that mean for me?


Jodi Daniels  9:40  

Oh, there’s my little horse. I’m gonna say spaghetti toes. All right, let’s move on along. Our lesson number four is that we continue to see that cookie banners and the way cookies are used are still not right. There are many, many websites where they have zero cookie banners, or they have them set up and have treated all cookies created equal, and most likely are those who have a global presence. People in the United States and people, let’s just say in the EU, for the EU, it’s really an opt-in approach. Most companies in the United States don’t really love the complete opt-in approach here, because you’re going to have a much smaller audience; the United States is still a little bit more of an opt-out approach. So what should people be doing? They should do a cookie audit. You should have a tool to help you scan all the cookies on your website, and identify which ones are the chocolate chip. Are they snickerdoodle? Are they oatmeal raisin? Or are they the kind like Google Analytics and Facebook and a long list of others? Actually, just yesterday, I was shopping at a very popular retailer, I won’t disclose who. And there were 30 trackers on the website. And in fact, what was actually super frustrating is, to use the chat feature, which was the only way I could communicate with the company, I had to disable a cookie because my cookie blocker said it was blocked. I had to disable the cookie blocker to be able to chat with the company. And that’s kind of a poor user experience. You really want to understand all of the different cookies that you have on the site. Do that cookie audit, do that cookie scan, make sure you have the right language. One of my personal pet peeves is just: if you have “accept”, what’s the natural opposite of accept? Decline, right? Many times you’ll have a banner that says “accept”, but when people think of the word “accept” they feel like, well, no. What if I don’t accept? What if I disagree? What can I do?
And often there’s no option for them. So make sure you have a decline or reject or something else button on your cookies. So know that not all cookies are created equal. Review your cookie banners, and make sure you get your cookie banners correct.


Justin Daniels  12:04  

I’m thinking there could be a great cartoon with a chef doing the cookie audit with the cookies. On the, what is it, on the, what do we call it when you bake the cookies on the little platter? Oh,


Jodi Daniels  12:14  

you mean a cookie tray? A baking sheet? Right now you don’t know how to bake, so you wouldn’t know that. It’s all good.


Justin Daniels  12:22  

I’ve delegated that out to the CFO, who likes to bake.


Jodi Daniels  12:25  

Yes, you have. All right, what is lesson number five?


Justin Daniels  12:29  

Companies go, “The company is too small. Why do I need to care about any of the stuff that you two blather on about?”


Jodi Daniels  12:38  

Oh, fancy word. Well, I have a lot of reasons for why. One of the first is, especially in the B2B environment, you’re a customer. Many times small companies are trying to work with large companies. And large companies typically don’t say, oh, you’re a small vendor, I don’t care what you do with the data, and you don’t have to comply with laws. No, no one ever says that. The big company says, if you want to work with us, you have to do all the things that we expect of all of our vendors, which often means complying with privacy laws. I once had a small company say, I really have to review this 18-page agreement, which had a long list of privacy and security considerations. And they said, all we have is access to their core marketing systems. My answer was, well, yes, because you have access to the core marketing systems. That means you have access to personal information; you’re processing data. Access means processing. So in that situation, the company wasn’t set up to be able to work with that large company until it was able to show it had done all the right steps. So it’s a competitive edge. Imagine if you had the ability to say upfront, here’s how we work with the privacy and security obligations that companies have. And from a B2C environment, there’s lots of times where people will say, I’m kind of used to all these privacy terms and options, I want to be able to exercise them here. And most consumers are not reading privacy laws and have no clue that there’s an exception for small companies. The other example is, I went to the doctor’s office yesterday, I was complaining about their process, and Justin reminded me, well, it’s a small office. Well, guess what my thought was? Well, okay, it’s still my house data, and from a small office to a big office, they still have the same expectations. It literally wanted me to sign something. And I never got to see what it said. I was supposed to believe the person on the other side, telling me this is what I’m signing.
And I said, well, how do I know what I’m signing? There’s just this empty box. My expectations don’t change because it’s a small office, just like is true in the real world. We expect the same for all sized companies; they need to treat our data properly. I know you have thoughts on this topic.


Justin Daniels  15:04  

I would come at it from a different perspective, which is, well, of course you would. Well, I do the same thing as you did. Would it be any fun? No, it wouldn’t be any fun; it’s more fun to debate with you than to agree. If our viewers like to see us have a debate, you should let us know. We’d be happy to oblige. The perspective that I’m coming from, to use Jodi’s example about the 18-page agreement, is: if you’re not going to pay attention to privacy and security and leave it to the contract for the first time it gets considered, reviewed, looked at, what’s going to start to happen is you’re going to either have your deals delayed, or you’re going to lose them outright. So if you don’t want to pay attention to privacy and security, and then it comes across somebody on my desk, I have now in the last three or four months had several deals I’ve worked on get delayed, because once we went through the paperwork and said either you didn’t explain to us in your marketing what data you’re collecting, how you’re using it, how you’re securing it, or if you did, none of that is reflected in these documents. And to combine it with one of our other threads today: if you are sharing that data with multiple vendors, where are you talking about your legal responsibilities or their legal responsibilities in these documents? If you’re not, then you haven’t really thought out, back to Jodi’s point about the data inventory, how all of this data is flowing through all of your vendors, what their responsibilities are, and the business result that will come from that is delay, delay, or maybe you even lose a deal. So Jodi, you’re a business woman, does that sound like something you would want to do?


Jodi Daniels  16:46  

No, I don’t like losing deals. Well, to recap, our top five lessons for 2022 so far: don’t skip the data inventory.


Justin Daniels  16:57  

Pay close attention on web three on how a lot of these entrepreneurial companies are achieving mass adoption that’s coming at the expense of privacy, security, and decentralization. Number three, Jodi? No, Justin. Oh, I have to go again? You have to go again. Ah, such a pain. The next one is what mistakes are you making in your contract process because you don’t appreciate that you are either offering a service that has multiple vendors integrating into your offering, or you are buying a service from a vendor that is really an integrated offering, so that the security of the vendor who does it the worst is your biggest problem.


Jodi Daniels  17:41  

Not all cookies are created equal. Review your cookie banners. Make sure you have them set up right. Don’t forget a cookie scan, and find all the websites where you actually have cookies. And finally, no company is too small to need to consider privacy and security. In fact, it is a competitive edge and will help you earn sales. So thank you so much for listening. We invite you to subscribe to the podcast on your favorite podcast listening player, visit us at Sign up for the weekly podcast email, and be sure to visit us on LinkedIn.


Outro  18:24  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.