
Intro 0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women-owned privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:37  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:54  

And this episode is brought to you by Red Clover Advisors. You’re very giddy today.

Justin Daniels  1:03  

So well.

Jodi Daniels  1:04  

We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields including technology, SaaS, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Are you ready for today’s episode?

Justin Daniels  1:33  

I think so. Are you ready for today’s episode?

Jodi Daniels  1:37  

I’m really excited to bring a friend to both of us, Bill Tolson. Bill is the VP of Compliance and eDiscovery at Archive360. Bill brings more than 25 years in archiving, information governance, compliance, and eDiscovery. Bill has worked in a range of high-tech organizations, from consulting firms and startups to multinationals. Bill has authored four ebooks, 1660-plus articles and hundreds of blogs. And now you’re joining our fun podcast; you’re gonna have to have “podcast” at the end of that intro going forward. Welcome, Bill, to the show.

Bill Tolson  2:20  

Well, thank you, and thanks for inviting me, and I’m really looking forward to this.

Jodi Daniels  2:23  

Absolutely. So, Bill, we always like to kind of understand you. In the intro, we gave a little bit of the career arc and some of the areas that you’ve worked in and the kinds of companies, so help us understand that a little bit more and how it evolved to what you’re doing now.

Bill Tolson  2:41  

Yeah, it’s been a long road. I’ve been around a long time. I’ve actually been in the high-tech industry pretty much consistently since I graduated from high school, and I won’t say when that was. But in the information governance, eDiscovery, archiving kind of realm, I’ve been in it for, like you said, about 25 years. I originally got involved in information management and archiving for regulatory compliance and eDiscovery back in 2001, when I was working at StorageTek here in Boulder, Colorado. In fact, I wrote the original business plan for their first email archiving solution. And that’s when I really got focused on compliance, regulatory compliance and eDiscovery, but also the need to archive data for those reasons. And since then, I’ve been involved in some form of archiving or eDiscovery ever since. I’ve been at Hitachi Data Systems, and actually spent several years at a consultancy, basically running the eDiscovery and regulatory compliance practices at the consultancy. And so I’ve kind of seen it from both sides, both from a vendor point of view as well as from a client consultant, helping them look at these things. And then additionally, I was at a company called Recommind several years ago, one of the pioneers in eDiscovery software, really utilizing this idea of machine learning and AI for discovery. We called it back then predictive coding; now I think a lot of the terminology for predictive coding has really changed to technology-assisted review, computer-assisted review, those kinds of things. But I’ve been at Archive360 for going on six years now.
And we basically, years ago, introduced a cloud archive and information management platform that really was focused on addressing eDiscovery as well as regulatory compliance, and what to do with all that information, how to hold it, how to secure it, those kinds of things. So it’s been really interesting. And I’m actually glad that I’ve been able to kind of stay with the same focus for this number of years.

Jodi Daniels  5:26  

I know we’re gonna dive in on that intersection of eDiscovery, and data retention, and privacy and security, and maybe a little Colorado chat as well. You’re in our favorite place. Good. Remember, it’s a privacy podcast, not a Colorado podcast.

Justin Daniels  5:45  

Breaking up, I can’t hear what you’re saying. Well, Bill, just having come off a webinar that we participated in together, maybe we’ll cover some familiar ground, so why don’t we start with how privacy and cyber is evolving now that we have so much work that’s being done on the cloud?

Bill Tolson  6:08  

Yeah, that’s been interesting. And I’ve been involved with the cloud for, boy, probably 10 years now. But one of the things I’ve noticed just lately, and when I say lately, I mean over the last three, four years: prior to three or four years ago, it was really tough to get organizations, companies, especially larger ones, to really adopt the cloud completely. They would talk about, yeah, we’re looking to eventually move our data centers up into the cloud, or looking for cost savings and things like this. But three, four years ago, they were still hesitant to move sensitive data up into the cloud. And that has really changed. I mean, everybody’s been talking about digital transformation and so forth. But with the additional security capabilities that the big public cloud providers have now, like Microsoft Azure, AWS, Google, those folks, I mean, they employ thousands and thousands of security people, as well as privacy people and regulatory people, all kinds of things. So the attitude from, say, CISOs, chief information security officers, has gone from holding back sensitive data to now looking to move everything up there, including, by the way, healthcare providers. They were the most reticent; they didn’t want to put PHI up there. But now it’s full court press: we need to get up there to save money and so forth. So some of the things we’ve seen over those last three or four years: they’ve basically taken on the stance that yes, we’re going to move to the cloud, but now they’re looking at how can we upgrade security. I mean, they want to encrypt their data, which is common sense, and I’m glad they want to do that. That’s one of my faults with other things that we can talk about if we get the time.
But they’re asking about very particular things. I want to encrypt my data; I don’t want the cloud provider to do it. For example, I want to have my own encryption keys, instead of the cloud provider using their encryption keys to encrypt my data. So they want to manage their own encryption keys. So that, for example, and this sounds really paranoid, but it’s true: a couple years ago, we had large companies looking at our cloud offering. But they were saying, we don’t want to put our sensitive data up there and have you encrypt it and hold the crypto keys, because what if the US intelligence agencies serve the cloud provider with a secrecy warrant? We don’t want them decrypting our data and then giving the data over, and then being told they can’t even tell us that they did it. I’m sure that didn’t happen very often. I don’t know, Justin, if you have different stats on that, but they were paranoid about that. And they’ve really gone to this point of: I want complete control of the security of my data while in a third-party cloud. So that’s been one of the biggest things, and then things associated with that, encryption key storage, but also this idea that there’s enterprise or infrastructure security, but there’s also individual data security. And really, nowadays, with the sophistication of the kinds of attacks we’re seeing, you really need to have both. It used to be that companies would think of data security as perimeter security: I’m not gonna let anybody in that shouldn’t be there.
Well, with phishing and smishing and all these other kinds of things, people can jump that pretty quickly, and then they’re in. What other capabilities do we have around protecting individual sensitive files?

Jodi Daniels  10:31  

It seems like you have a question. No, you go first. Oh, that’s so nice. It happens. You mentioned some of the different tools that you’re starting to see companies want to add on top. Can you share a little bit more about maybe some of the common ones that you’re seeing? And if a company is interested, maybe they’ve moved everything to the cloud, but they haven’t done all of those extra layers, what might be some of the ones that they’d want to start with?

Bill Tolson  11:02  

Well, in my mind, and I ask people that I talk to, and I’ve talked to many state legislators who are doing privacy bills and stuff: what are those absolute must-haves for protecting data? In my mind, privacy and security are very closely tied together; you really can’t have privacy unless that data is secure, and so forth. But they’re looking at what are those features, functionality, for example, in a cloud that we can turn on and really forget, not have a full-time management staff trying to manage it? Because that’s one of the advantages of, for example, SaaS platforms in the cloud: it’s a set-it-and-forget-it type of thing; the SaaS provider manages most of that. Now, looking back at what I just said about CISOs wanting more control over security, there’s a not-so-happy medium between those things. But I think one of the first things I hear professionals bring up, especially coming from CISOs and so forth, is what data do we need to protect, and how are we going to protect it? And usually the first step is, does that mean we need to encrypt it? Now, I’m a big proponent of encryption; it’s technology that’s been around forever. Nowadays, especially in the cloud, where you get the economies of scale with the availability of CPU up in the cloud, it’s not like you need to buy 100x servers to do the encryption and decryption; that can be done on the fly within the cloud. So there’s really no reason not to be encrypting at least sensitive data as you move it around and move it up into the cloud. That’s one of the biggest ones. And then the other one is, most CISOs
and most C-level that I run into don’t understand what data they have. Many of them are still focused on, well, gee, I need to manage the records, and all the other crap we let the employees take care of. Well, that 95% of that corporate information that the employees are supposed to be managing: number one, they’re not. And number two, it’s chock full of all kinds of sensitive material, PII and bank account numbers and driver’s license numbers and all kinds of things that the management doesn’t understand. And with the new laws that are coming up, companies have to be able to understand what’s in that content, and they have to manage it and secure all of it, not just the records.

Jodi Daniels  14:13  

Absolutely. And as the privacy person here, I always emphasize data inventories to help make sure we can understand the kind of data we have, so we understand how we’re using it and where else it’s going, which is really important to help comply with the privacy laws. You also need to know where all that data is, or you can’t protect it, or know what vendor it’s at. Make sure that you have the right vendor; all kinds of employees are picking their favorite vendor out there that may or may not be doing what we want.

Bill Tolson  14:44  

Well, yeah, and that’s where you get into the idea, and it crosses over with discovery as well. You need to be creating and keeping up-to-date data maps. You need to know where all the information is, whether it’s a record or not. Where is it? In discovery, you will have to go find all relevant information; it doesn’t matter if it’s a record or not. That’s why data maps are great. But even here, with looking at security, if you don’t know where the data is, how are you going to secure it beyond just the perimeter security? I did work years ago as a consultant with a large electricity distribution company. And first off, I started doing an inventory of all of their servers and storage and all kinds of stuff. And I asked them, give me a list of how many servers you have, where they’re at, what they’re doing, all these kinds of things. And they came back and said, well, we think we have about 900. And this was a power distribution thing, under homeland security protection, all kinds of neat stuff. And after about six months, we found that they had over 5000 servers, with all kinds of very sensitive stuff on them that they didn’t even know they had. So if they were having issues with power distribution, I understand why.

Jodi Daniels  16:17  

You’re giggling over here. Go ahead, Giggle Monster.

Justin Daniels  16:21  

I guess the question I had when we talk about the data map is, let’s assume you have a ransomware event. They encrypt your network. Well, if you don’t have a data map, how do you even know where the data is during the event? Because it’s all encrypted. And I’ve had multiple events where the client has screamed up and down, there’s no PII. And of course, you do the forensics and you find it on somebody’s laptop or in four other places: “well, we don’t put data there.”

Jodi Daniels  16:50  

Yeah, but it’s there. Oh, yeah. As Bill said, your employees put it there.

Justin Daniels  16:55  

Especially with the remote workforce. When you work from home, and you were having crazy slow times on the VPN, people were like, I’ll just download it to my C drive, and when I’m done, offload it back to the corporate network. Well, now the copy of that data is sitting on their personal computer.

Bill Tolson  17:10  

Yeah, well, I’ve seen reputable market stats from the big market research firms that estimate that anywhere from 75 to 80% of all corporate data is stored on workstations and laptops that the company centrally cannot access; it doesn’t know it’s there, can’t index it or anything else. So all that data sitting on my laptop, that’s a lot more than any data that I’ve created or put up within a central repository that the company manages. And that’s just high-tech corporate culture. For years, and still, most companies look at that and say, well, that’s the employees’; I only care about the records. But that’s where a lot of the IP is, the corporate know-how, the sensitive data and all that kind of stuff. So I think we’re reaching a point where culture has to change over the next several years, where all data is managed, not just the stuff that flows through centralized systems.

Justin Daniels  18:21  

Well, I think one question I wanted to discuss with Bill is, I’m thinking maybe today we can put the Badger hat on, Jodi, since the Wisconsin legislature, I think, at least their House of Representatives, passed their privacy bill yesterday, and I guess it heads to the Senate. So with that in mind, I wanted to ask the question of how the proliferation of state privacy laws is impacting what your business does, Bill.

Bill Tolson  18:52  

Well, for the longest time, and currently, I think, and Jodi, tell me if I’m wrong, but we have three real privacy laws, Colorado.

Jodi Daniels  19:03  

That’s right, those that are passed, not quite effective until 2023. And we’re gonna have a big celebration, Bill.

Justin Daniels  19:09  

What state is included in this three?

Jodi Daniels  19:13  

Privacy podcast, not a Colorado podcast?

Justin Daniels  19:17  

Yes. But the two have just intersected; Colorado has passed a privacy law. And there you go.

Bill Tolson  19:24  

I’m scheduled to do a podcast with Colorado State Senator Paul Lundeen here in the very near future; he’s one of the two co-authors of the Colorado bill. But I have been interviewing others: Kevin Thomas from New York, Senator Marsden from Virginia, Steve Elkins from Minnesota. And one of the things, I don’t know if you saw this, Jodi, yesterday: David Stauss, well known, this guy runs privacy stuff, he’s a lawyer at Husch Blackwell, I think. And he tracks all this stuff. He was on a webcast yesterday, and he was saying that just this year, in 2022, there were 26, 27, 23 or 27 states that introduced new privacy bills. And obviously not all of them are gonna pass, maybe not half of them, but eventually, over the next couple of years, we’re looking at a lot of states, probably more than 25, 25, 30, 35, that are gonna have their own privacy bills, or privacy laws. And in interviewing these state senators, they all kind of admit, and rightfully so, that yeah, we look at Washington State’s bill that still hasn’t passed, and we’ve looked at other bills, and we take bits and pieces, and we look at California’s and kind of stay away from that, because they consider it a little bridge too far type of thing. But eventually they’ll get there. But the problem that’s going to be is that all of these state laws are going to differ slightly. Yeah, they all kind of have the same rights, but their definitions are different of what a data controller is versus the processor, versus this versus that. Their exclusions are different: who they’re excluding within the state, what businesses, those kinds of things, and all of these differences really add up.
So what we’re looking at, starting now and going years down the line, is companies are going to have to be able to manage many, many, many different laws that differ slightly based on the geography of the PII they’re collecting, and why they’re collecting it, those kinds of things. And that’s not even taking into consideration all of the foreign data privacy laws. So I think companies are going to need to much more granularly manage all of their data, and really manage it against all of these slightly differing privacy laws. And that’s going to really require some real investment, but also dedication, CPU, all kinds of things. And I asked the state legislators, I said, you do see what this is going to do? Because none of them really think that the federal government is going to come up with a superseding federal law that takes them off the hook, at least not in the next couple of years. That’s what they all think, and I sort of agree. So what companies are looking at is they’re going to be looking for solutions that can handle that kind of legal granularity so that they’re not inadvertently violating all of these privacy laws. And by the way, one of my pet peeves with all of these laws is they all use almost exactly the same descriptions of what the expectation is, and the one that really bugs me is they all say you must use a reasonably secure capability of securing data, I forget what it said, but they all use almost exactly the same sentence, and it’s so wishy-washy that it’s almost unbelievable. I mean, you tell me, Justin, could a first-year lawyer beat this whole idea? Not that I’m saying you’re a first-year lawyer by any means, but could an attorney beat this?
Can an attorney beat this idea of what was reasonable? That’s open to interpretation. But they’re all saying must take reasonable practices to secure the data. So what I’ve been asking them is, why don’t you say that you must use, nowadays, zero trust, or you must encrypt all data while in transit and while at rest? And they all kind of sit back and say, well, no one told us to put that in the bill.

Justin Daniels  24:25  

Well, I think, Bill, now part of the challenge you have with reasonable security: if you and I were having a conversation in 2019 or 2020, multifactor authentication was a nice-to-have. In 2022, on every deal I work on, it’s table stakes; it’s in the contract. You’re gonna have to really persuade me, which is highly unlikely, that it’s coming out. And so the threats are evolving. Now, as you know, I do a lot of work in blockchain and web3, and there’s all kinds of exploits around getting around the code for smart contracts and securing all of that. And so with the threat that evolves, it’s really kind of hard to write a law that gets down to that level of granularity, because over time it will change, just like we have the Securities Act of 1933 and securities fraud. Well, that has really evolved, because now you can have securities fraud online; you could have it with an NFT or some type of digital asset, because now that could be construed as a security. Yeah, that’s part of the challenge you have with security, because the threat and the technology evolve so quickly. The way lawmakers get around that is they use, to your point, the wishy-washy language of reasonable. I do it in contracts all the time, because there are certain things where it’s hard to have a five-year contract and have that level of specificity. So what do people do? It’s reasonable.

Bill Tolson  25:53  

Yeah, I can see that point of view. I just would like to see minimum procedures spelled out, maybe, but I do take what you’re saying. It does make sense.

Jodi Daniels  26:09  

What are you seeing companies do in practice today to get ready, like we said, for the three new laws that are coming, and whichever ones this year will pass and join the privacy alphabet soup?

Bill Tolson  26:24  

You know, it’s funny, well, it’s not funny. We deal with every size of company and in every industry. And we’ve sold solutions into the big Wall Street banks, into the big government agencies and those kinds of things. And they’re very aware of security. And I’m talking about non-governmental agencies, like the banks, like energy companies, things like that. So far, I have not seen any of them ask about anything having to do with privacy law. I mean, it’s disappointing. And it’s a little surprising, because it’s not like it’s a stealth topic. It’s out there, and there’s a lot of talk about it. But, for example, one of the things that I’ve told these companies to at least watch out for is this whole idea of data subject access requests, DSARs, and what that is going to mean to a company having to respond to lots of data subject access requests. Both IDC and Gartner have stated almost exactly the same numbers: currently, or back last year, the average number of data subject access requests that the average company was receiving was 142 per month, at a cost of $200,000 per month, just to service those. And that was really based on two laws, GDPR and CCPA. What happens if you have 30 different privacy laws out there, or 40 or 50, and people are hitting corporate websites, filling out these forms saying what data do you have on me, gee, that’s wrong, that’s wrong, I want you to delete it all? Being able to respond to that without having managed all of your data, it’s going to be in the millions upon millions of dollars per year just to respond, just being able to react to these privacy rights requests.
And to me, the ROI of setting yourself up to manage the data and be able to query it and be able to respond to these kinds of actions is really an ROI kind of calculation as to what’s the cost of being able to do that versus what you’re going to pay if you can’t do it, not even taking into consideration the fines of not being able to respond to it, but just the corporate cost of trying to keep up with all of those things. I think it’s going to be massive.

Jodi Daniels  29:20  

I would agree. And I would add to that, I think, for some companies, if they have not addressed it and they don’t have a solid process, what else can happen is: many companies have created some type of process, here’s the form, here’s an email. And then people can still go through other channels. If I’m talking to customer support and I’m not happy, I might make a request that way. If I know someone on a sales team and I’m not happy, I might go through that way. If there’s no training, which actually California requires training, but if companies really haven’t solidified the process and trained, ongoing, all those channels, not only are there fines and obviously just the cost to manage it, but there’s the potential loss of business that will happen as well, if mishandled.

Bill Tolson  30:07  

Yeah. And getting back to your original question, I am very surprised that with these established companies with large or massive IT organizations, with gigantic regulatory and legal departments, the subject of how am I going to use your system to help me comply with privacy regulations has not come up. And now that you brought that question up, to me, that’s pretty surprising. And I think that, like you say, it’s a matter of education. It’s a matter of them not being shown, told, educated on what the costs are going to be if they’re not aware of these things. Because, and this is probably a better idea, the Colorado bill, again, the Colorado bill has a $20,000 fine, versus California’s is 250, 200, 220, 500 to 7500, something like that. I think one of them just came out with 15 grand. But 20 grand, and that’s per kind of subject. Versus, well, gee, I get a breach, and I’m going to pay out $20,000. Now, it could be $20,000 times 100,000. So the downside with all of these, and tying it back to cybersecurity, is massive, if you get breached. I think, tell me if I’m wrong, Jodi, I think I’m right, but with the CCPA originally there was this idea of presumed damages. And I don’t know if it actually... I know I read a bunch about it. But the idea was, well, if you get breached and the PII was actually accessed, you don’t know if it was actually copied, you don’t know if it’s used, if it’s causing damage to the end user, but the attorney general would basically sue you anyway, under this idea of presumed damages. And I think one or two other state bills I’ve seen are including that now too, which, along with private right of action and things like that,
I mean, we’re looking at a war zone for companies around all of these privacy bills.

Jodi Daniels  32:41  

I think we know our next webinar topic: more education on this. There we go. Well said.

Justin Daniels  32:51  

Bill, what is your best privacy or security tip you would like to share with our audience?

Bill Tolson  32:56  

Well, you already mentioned it. And I will heartily agree, but it’s always: turn on multi-factor authentication. And if the system, the application, doesn’t offer it, walk away.

Jodi Daniels  33:09  

I think that’s the minimum. Well, it’s a very popular one. We ask the same question to every guest, and that is the leader, for sure. So when you’re not doing webinars and podcasts and educating and advising clients in the world of privacy and security, what do you like to do for fun?

Bill Tolson  33:34  

Well, as we’ve stated several times, I live in Colorado, and I’m approximately 40 miles from Rocky Mountain National Park. So it’s a quick drive. So we spend a lot of time up in the park but also around it, hiking in the spring, summer, fall, and then during the winter, when it’s not one degree outside, we’ll go out there and go snowshoeing and things like that. So that’s a lot of fun. I also like to cook, but I make things like different kinds of bison jerky and things like that; I don’t cook meals or anything like that. But I make healthy snacks and things like that. But being close to Rocky Mountain National Park and the various state parks, like 10 miles from me, it makes it really easy to stay active.

Jodi Daniels  34:31  

That sounds lovely. I really enjoy snowshoeing; I picked it up a few years ago. Well, if people would like to connect with you or learn more about Archive360, where should they go?

Bill Tolson  34:41  

Well, they can go to our website at www.archive360.com, or they can email me at bill.tolson@archive360.com. Otherwise, I’m also on LinkedIn and all these other places, pretty easy to find. But I look forward to people connecting and carrying on the conversation.

Jodi Daniels  35:08  

Absolutely. Well thank you so much for sharing all of your insights into the world of privacy and cloud and security. We appreciate it.

Justin Daniels  35:18  

Thank you, Bill. Great to have you.

Bill Tolson  35:20  

You know, it’s been a lot of fun. Really enjoyed it. Awesome.

Outro 35:29  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.