Why Knowing Company Data is Every General Counsel’s First Privacy Move

Intro 0:00

Welcome to the She Said Privacy/He Said Security podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels 0:21

Hi. Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hi, I am Justin Daniels, I am a shareholder in corporate M&A and tech transaction lawyer at the law firm, Baker Donaldson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:57

And this episode is brought to you by Hello. Oh, we’re going with silence. Okay? Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. You can’t laugh when you were when you missed your ding. That’s just the way it goes. And yes, everyone we do our our intro is live here. So here we go. Red Clover Advisors works with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com, so we start our I started singing, and then we got into a Beach Boys conversation. Should we have some tunes?

Justin Daniels 1:52

I think you’ve had a lot of coffee.

Jodi Daniels 1:54

I did not have a lot of coffee. I’m just happy it’s sunny out. I had a nice panel at a local IPP event. It was all fun. Okay, no beach boy singing. Well, maybe our guest, who also likes the Beach Boys, maybe she’ll sing.

Justin Daniels 2:11

I think you should sing. You have a really good voice.

Jodi Daniels 2:14

Well, that’s very kind of you, but I guess we’ll go back to privacy, maybe a little singing. So today we have Talar Herculian Coursey, who is the General Counsel and VP of HR for ComplyAuto, a SaaS company serving auto dealerships in the US. She was previously GC for VISTA Ford and a file clerk associate and partner at the National Labor and Employment Law Firm Fisher Phillips. We are so glad that you were here with our silliness today.

Talar Herculian Coursey 2:42

Well, thank you for having me. Do you still want me to talk about who I am? That was really funny, that look that you guys did with one another.

Jodi Daniels 2:52

I do. I do want to talk about who you are, but without you, and he didn’t quite get the look

Justin Daniels 3:00

see til our I’d sometimes do things on purpose not to get the look because she doesn’t think that her demeanor doesn’t tell the whole story, which it does, which is probably more than our users, our listeners want to hear. So setting that aside so Talar tell us a little bit about how your career journey evolved to where you are today.

Talar Herculian Coursey 3:21

Okay, so I know you wanted the short version, but I’m going to give you my version. It all started in fifth grade in Saudi Arabia. I wanted to be a movie star after being Mark Antony and Julius Caesar, my dad said, No, so I became a lawyer. And my dad said, Look, you get to act and you get a steady paycheck too. Isn’t that funny? But it did start when I was 18. I was a file clerk at Fisher and Phillips. It’s a national labor and employment law firm. Started when I started. I still have the coffee mug where they only had five offices, and now it’s like, I don’t know, 2030, maybe more. They’ve got, like, 1000s of lawyers. So that is the reason that I became a lawyer, came back as an associate, made partner, and then I’m going to take you way back, because I was talking to a therapist, and she says, don’t you fight for a living. I said, I’m a litigator. So I guess you could say that she goes, You don’t strike me as a confrontational person. I said, I’m not. And then had my light bulb moment that maybe litigation was not the right thing for me. And got recruited to go work in house for VISTA Ford in Southern California, working remotely from Salt Lake City for almost 12 years. And then got recruited to my current role at ComplyAuto continuing to work with car dealerships. So I’ve been working with car dealerships since I was 18 years old, and I am not 18 anymore. I just turned 51 actually,

Jodi Daniels 4:54

I love that you were remote working before that was really. A thing and super common. So I can imagine you have all kinds of interesting stories to share about that, but we’re going to talk about auto dealerships. And I know a little bit about auto dealerships, having worked at Cox automotive for a really long time. That’s actually how I got my start in privacy. I did the privacy pro Yes, I built the privacy program at Cox automotive moons ago. And I think many people do not always appreciate the volume of personal information that car dealerships have. And I thought maybe we could kind of set the stage and help many people here listening are probably drivers in the US, and maybe help them understand a little bit what is the kind of data that car dealerships collect, and maybe share some of the examples they might not be thinking about. Yeah.

Talar Herculian Coursey 5:50

I mean, they collect so many different kinds of information, and like the financial data, you know, because of the financing that they do, I think what would be more surprising to listeners is they’re actually regulated, like they’re a bank. You know, auto dealerships are, like, one of the most highly regulated businesses in the country, because they’ve got everything from, you know, the financial information to OSHA and hazardous waste that they need to worry about. So they’re very regulated, and they’ve got, like, extensive, you know, financial information, information they’re getting from putting, pulling, you know, credit and also the the information now that’s available through connected vehicles, online browsing history. I mean, it goes on and on. I don’t I don’t think people realize how much information they collect, but I will say, having worked with dealerships in this privacy space for almost three years now, at ComplyAuto, our dealerships are so vigilant, and they do really good job of cracking down and making sure you know they’re doing everything humanly possible within their control in order to secure the data. And I should I get to the next question that you you may or may not be asking me about, like, they don’t have control over it’s, it’s third parties, you know, and I’m sure you you realize that in your line of work, it’s not necessarily unique to car dealerships, but that is their greatest area of risk, because no matter how good they’re doing and clamping down and being compliant, if something goes astray with, you know, one of their third party vendors. They don’t really have much control over that.

Jodi Daniels 7:48

How do they manage the data that they do have control so, for example, when I walk in and I have to give a driver’s license so that if I, you know, drive the car away, they know who I am. What do they do with things like that, or inbound leads that I might have? And there’s certainly a plethora of third party companies that they’re working with. There’s also a lot of sales people, front desk people, that actually have that information. And then there’s probably, because you start talking about the connected car piece, we’ve had different discussions about that on the show because it we have manufacturers, and you brought up the dealership part, so that might be sort of an interesting part too, to talk a little bit about as well. Well,

Talar Herculian Coursey 8:36

I mean, you raise a really good point when it comes to, like, the sales people and the employees. How does everybody like to communicate today? It’s via text message. It’s mobile. It’s like, you know, instant communication is what they want. And a lot of sales people are communicating with customers, you know, via via text message and messenger and dealerships need to be aware of this. You can’t ignore it, no matter what your policies say. You know what. You know you’re not supposed to be using your cell phone and you’re not supposed to be text messaging. The reality is they’re going to anyway, and so address it head on. We, we have a product, it’s called ComplyCrypt, that our customers use, and so it allows for their employees to be able to communicate both with the customers as well as finance when they’re, you know, gathering missing information or whatever it is that they need, so that it’s through an encrypted channel, so that it’s safe. So in terms of, you know, what are they doing with the data? I mean, each dealership is going to have their own policies, and they are need to comply with the safe GLBA safeguards rule, making sure that they’re protecting all of that information, but like on our end, when it comes to the software that we’re providing, it’s making sure that we are facilitating secure and safe channels for comm. Indication and making sure that you know data points are protected at the dealership, so that you know we can avoid a ransomware attack or another security incident.

Jodi Daniels 10:15

That makes sense. Thankfully, we haven’t bought any cars in a little while.

Justin Daniels 10:20

When we do, it’s so entertaining.

Jodi Daniels 10:22

That’s a whole game.

Talar Herculian Coursey 10:25

I know. You know thing or two about car dealers. What kind of vehicle are you in the market for? Might be able to get you into a nice Ford. What do you think Bronco

Jodi Daniels 10:36

Broncos are popular amongst the teen girl market? Actually, one of our daughters friends got one of those really, wow, yeah, they’re really popular in that universe. We are. We are not yet we still have a driver who’s learning how to drive. So we’re just gonna focus on, you know, two hands on the wheel and staying straight.

Talar Herculian Coursey 10:58

Jodi, are you talking about Justin? He’s still learning how to drive.

Jodi Daniels 11:00

Oh yeah, yeah, that is true. We did have a conversation actually, about okay, driving.

Justin Daniels 11:06

Apparently, I did not. I drove too close to the right side of the road. I have

Jodi Daniels 11:12

a knack to be able to tell when people are going to the right. It’s kind of like how I have another strange knack for looking at floors when they’re dipping it’s another weird thing that I have a capability of. Long time ago, when I rent an apartment or a condo, or I’d go with friends, I could always tell when the floor was sloping or looking at houses, when we would go house looking, I could always tell when the floor was dipping. It’s sort of similar, like cars going to the right floors dipping. I don’t know, strange.

Talar Herculian Coursey 11:41

I have never heard of that skill. That’s pretty special. I thought you’re gonna say you also have a knack about, like, making everything about privacy,

Jodi Daniels 11:49

you know, not, not always, but, but we, we can figure out how to connect that, because now we are shifting, like, to the right or shift someone say shift to the left and put privacy first, and you’re changing that’s how I’m changing gears. We’re changing gears. Oh, very good. Okay, that’s your cue. Mr. Justin

Justin Daniels 12:15

so So Talar talk to us a little bit about as we talked about this shift around digital buying, online financing, and then to me, the biggest one is the connected car, because I will not connect my car into or my phone into any rental car that I purchase because of my the data and the privacy. So maybe you can give our audience a window into this shift in these areas.

Talar Herculian Coursey 12:39

Yeah, well, it’s, it’s just, you know, increasing basically the surface area for potential incident. But, I mean, you raise a really good point. I don’t think people realize that when they’re connecting their phone to a vehicle, the amount of information that’s going to be shared with that vehicle, and, you know, possibly the dealership that they purchased or released the vehicle from, but also the manufacturer, potentially. So you should definitely think twice when it comes to a rental vehicle. That’s a really good point not to connect it, but even with your own vehicle, and I forget where it was, and I suspect we’re going to be seeing more and more of this. I think it was a state out east where they’re now requiring the dealerships to to erase all of that data when they get the trade in vehicle from the customer, to ensure that you know that that data isn’t going off to someone else.

Jodi Daniels 13:47

How are dealerships so with that type of requirement, in your opinion, I don’t know if you’ve worked with dealerships or how verse Do you think they are in actually executing on that requirement?

Talar Herculian Coursey 13:59

Well, I mean this specific one. It’s fairly new, and so I don’t really have experience to say whether they are they aren’t, but I will say, you know, I did work at a dealership. I was at Vista Ford for 12 years, and I, even though I was working remotely, I would go out once a month and, you know, walk around the dealership, get to see people and whatever, and like everything. Everything is digital and online now. So like the technicians, you know, you think of a auto mechanic, and you’re, you know, you’re thinking of him with like a wrench and all those other tools he’s using or she’s using, and they still have that, but so much of what they do is digital, and they, I mean, I think that they are really good about vigorous training for these technicians to ensure that they are keeping up with the latest and how to, you know. Both keep the vehicle physically safe as well as the data that is in the vehicle and keeping that safe. So like I said, I don’t necessarily have personal experience with this specific new law that’s gone into effect, but I will say that the amount of training that I’m aware of is pretty vigorous, and I expect that all the technicians are going to be trained to be able to do this.

Jodi Daniels 15:26

I would love to hear more about the type of training on the privacy and the data part, because I think a lot of people listening might not have thought I need when they bring their car. Gosh, that technician should also have privacy training, or maybe they have, I’m sure, actually, all of our listeners have thought of that, but the broader audience maybe hadn’t, where it would be interesting to know what does that training look like. Because I think if I broaden this beyond dealerships, there’s a lot of a lot of listeners who have companies where they have a corporate office, and then they’re going to have people in a field. And so for me, this is really similar where, how do you get someone who’s in the field working on whatever that item is, and they have access to data, how do, how do they get trained? So can you share a little bit about, maybe, how are dealerships thinking about training people who have had to already learn a new technical skill from going like super all physical to digital, but, but in this lens, the the focus would be, how are they learning the how to keep the data safe?

Talar Herculian Coursey 16:37

Yeah, that’s a good question. And I mean, training is so important, right? Because it doesn’t matter how much we know as leaders at a company, if, if the information isn’t conveyed and properly taught to our employees who are out on the front line, then you know all that education doesn’t do us any good, right? So we have to be able to convey that to them. One of the components of the software we provide to dealerships includes training, and we get compliments all the time about the quality of our training. And there’s a few reasons for that and and I think one of the main most of us who are creating that content, we’ve worked at car dealerships, so these people, the technician, the sales person, the F and I person, when they’re watching our training, we’re speaking their language. It makes sense to them. We’re not talking about, you know, a remote workforce. When I’m providing training to a car dealership, they’d be like, you know, how does that apply to me, so we customize our training so that it’s very specific and applicable to the employees of the dealership and it makes sense to them. It’s accessible because, you know, we do it online. We use a lot of gamification. Our content instructor, facilitator, she’s actually formerly a grade school teacher, and so she uses a lot of that, you know, instruction in making the information bite size and digestible by the people who are watching it. But the other really important thing you know, as it relates to cyber security is fishing simulations. I’m going to go back for a second, if we have time, because I want to tell you about my disciplinary history. I’ve been written up two times in my life. The first time I was 16 years old, I was a hostess at Claim Jumper restaurants, and I was written up because my smile was not genuine enough. The second time I was written up, I wrote myself up because I failed a fishing test when I was at Vista Ford and I didn’t write anybody else up, but I literally did discipline myself. It is now in my record that has been I think, the most impactful training as it relates to cyber security for our employees, because the the phishing simulations that we use, they’re they’re real life, you know, potential third party vendors that employees at a dealership would interact with, and so we are keeping them vigilant of, you know, the potential risks that are out there. I was trying to remember, I know there’s statistics everywhere, and I might be making it up, but it’s like at least three quarters of the incidents are because of employees, and I’m not talking about just about car dealer dealerships, but in general, in terms of potential cyber incidents. So I think that that is, you know, one of the most effective kinds of training that there is. And I don’t know. We had a chance to talk about this, but it’s like in the auto industry, when you’re talking about a security incident, the one of the largest happened just last year, and it was a major software provider and a major software provider to the automotive industry. I think probably more than half of the dealerships in the country were using it, and because of the ransomware attack on this third party provider dealerships had didn’t have access to any of their online financing and tools that they needed for, I think, up to two weeks they were using like, pen and paper to sell cars and to service them, I mean, and the impact on the industry, I think, is close to a billion in terms of lost revenue as a result of this. So this goes to my point earlier, about like the biggest risk is third parties. So because of the incident on this third party that, you know, they didn’t have access to them, but what ended up happening afterwards, and it’s horrible, because the you know, hackers are so opportunistic after this incident occurred, there were, there were directed efforts and attacks by malicious actors posing to be it or technicians of this third party service provider to the to the dealership employees trying to, you know, get them to give access to sensitive information So they were trying to take advantage of, you know, this horrible incident that had happened anyway. All that to say is I think phishing simulations are one of the most effective training tools as it come. As it relates to cyber security.

Jodi Daniels 21:58

I like how you made the Tweak to send emails that people in a dealership would really receive. I think that’s a really important takeaway for anyone listening, is to think about, how can you customize your phishing campaigns to send some that your business and your employees might expect to receive?

Talar Herculian Coursey 22:15

Yeah, I think the only complaints we’ve gotten about our phishing simulations is that they’re too real, like that, that they’re too real, that, you know, it works. People are, people are paying attention.

Jodi Daniels 22:30

Yeah, no, that’s, that’s a really good one. Yes, that’s

Justin Daniels 22:36

interesting, because now I think with artificial intelligence, phishing campaigns can be more targeted and better than ever. Like, how many phishing emails are you going to see anymore that aren’t well done? But having said all that, can you suggest for us what your best privacy or security tip to someone going to a dealership. Someone going to a dealership, yeah? Like, if I’m going to buy a car, what should I think of like, make sure

Talar Herculian Coursey 23:11

that they’re using encrypted messaging. It’s funny you mentioned this, and this was not prepared at all, but I recently had this experience where I was doing a lease buyout on the Bronco, and this dealership is not one of our current customers, and I will not name and shame, because that’s not how we play. They they were missing a document after I had left the dealership, and he called me and said, Can you just take a picture and send it over? I said, What encrypted messaging tool would you like me to use? And it was just silence. I was like, I have one. It’s called ComplyCrypt. I’ll send it to you encrypted, because there you know, the that the sales people, the service writers, the finance managers, I mean that they all have good intent, but they also have an interest in expediting the transaction, whatever that transaction might be, and what’s the most convenient thing to do is to text message. And that’s fine. And like I said earlier, be aware that people are using this, but there’s safe ways of using it. And so to to your point and to your question, Justin, What? What? One of the first things that I asked when I go, do you use ComplyCrypt and one dealership where I did lease my Lexus from, they said, why? Yes, we do. And I was like, very good. They’re obviously one of our customers, but this other dealership wasn’t. And so yeah, don’t be texting private information over to your sales people without encryption.

Jodi Daniels 24:58

Yeah. When you are not asking dealerships about ComplyCrypt and managing privacy and security. What do you like to do? For fun?

Talar Herculian Coursey 25:16

For fun, I I am a yogi, so I have a regular yoga practice. I actually got my yoga teacher training certification so that one day I can teach yoga. I published a couple of children’s books, as well as a couple of anthologies with women lawyers. So I like reading and writing is fun to me. What else I like? The pool I like playing chess with my son.

Talar Herculian Coursey 25:44

And I think that’s it really. Is this a really

Jodi Daniels 25:49

balanced, eclectic group of fun activities? Yeah, well, thank you. We are so glad that you joined us here. If people would like to connect with you, where should they go?

Talar Herculian 26:00

I am on LinkedIn pretty much every day. 24/7, not literally, but you know what I mean. And I think my handle there is TalarEsq is where you can find me, and that’s the best, place to reach me,

Jodi Daniels 26:22

amazing. Well, thank you so very much. We really appreciate it.

Talar Herculian Coursey 26:26

Thank you.

Intro 26:31

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn See you next time.