
Host (00:01):

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional, helping to provide practical privacy advice to overwhelmed companies.

Host (00:19):

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges throughout the life cycle of their business. I do that through identifying the problem and helping them come up with implementable, practical solutions. I am a cybersecurity subject matter expert and business attorney.

Host (00:40):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, visit RedCloverAdvisors.com. And today we have a very special guest. You’re supposed to introduce who we have. Oh, I’m doing, yeah. I changed it up on you. You threw me a curve ball. I want to see if you’re paying attention. Okay.

Host (01:33):

I usually get scrutinized for that at home. All right. We have an old, long-time friend here today. It’s Mike Grindell, the executive vice president of operations and security officer at 22 Squared. He’s a senior executive with experience in leading change and driving business results. His purpose is to work with and impact individuals and communities deeply so that they can find meaning and purpose and be inspired to be their best selves for years to come.

Host (02:15):

Mike, welcome to the show. I’m so excited to have you here today.

Mike Grindell (02:19):

Glad to be part of it and looking forward to it.

Host (02:22):

I think what’s so interesting is your career journey and I’d love if you can share how you got started and really how privacy and security joined you in your career and how it came into your umbrella.

Mike Grindell (02:37):

You know, it’s interesting. I get asked often, how did, you know, a senior HR guy from the Coca-Cola Company become, you know, a security and privacy expert at an advertising agency? You know, I started out my career in retail. I worked for Federated Department Stores. I had a little left-hand turn and worked at City Court Mortgage for a couple of years in sales, not my thing. Then I worked at the Coca-Cola Company for 16 years. I got my MBA. Went to business school while I was there. And I got to my late forties. And I just knew in my gut that you could work for a company that was building a good business. And it was also doing good things for their employees and building a good culture. And I was very lucky to find 22 Squared, you know, a mid-sized advertising agency based in Atlanta and Tampa, and got going with 22 Squared. And I learned that my thing, if someone says, you know, what is your thing? My thing is strategic implementation. So I take difficult, challenging business challenges, organize the right people, organize the work, and we’ll deliver on time, probably under budget. And most importantly, people will feel great about what we’re doing.

Mike Grindell (03:59):

So as I got into advertising, you know, in the early days, say five to 10 years ago, you know, we started seeing clients and, I’m going to say this in air quotes, which I know you can’t see on a podcast, but client security addendums. And in the early days, they may have been a page or two, but then they started being, you know, 100 items or many, many pages or many, many rounds. And there wasn’t anyone at the agency owning those, so to speak. So I started getting involved in those more and more. And then I started learning that there had to be a framework we could operate against to kind of be prepared for these security addendums. So I’m going to say six or seven years ago, we did our first SOC 2 Type 2 attestation, learned all about the trust services principles and the AICPA and all of that world.

Mike Grindell (04:58):

And we got to where we had a good routine and cadence around that, but then we realized that that clearly wasn’t enough. So now we’re, you know, we’ve written an incident response plan two and a half years ago. I got my CIPM designation two and a half years ago. We’re in the throes of data mapping for CCPA. We’re trying to decide whether we should do pen testing this year or put in a SIEM platform. So that’s kind of all evolved. It’s the industry, clients and my role at the agency have all come together.

Host (05:43):

So Mike, it sounds like from what you’re saying, during the course of your work, you identified an area that you thought was important that the business wasn’t fully appreciating. That sounds strangely familiar to someone else’s career.

Mike Grindell (06:14):

You know, I don’t know that it was that the business wasn’t fully appreciating it. It was a growing recognition that we had to mature our security posture in order to be able to compete for the kind of clients we want to work with. You know, fast forward to today, you know, there’s now a parent company over 22 Squared called Guided by Good. And there’s two divisions, 22 Squared and Trade School. Trade School is a content production agency and has clients like The Home Depot and FedEx and SharkNinja. 22 Squared, you know, 98-year-old creative, digital, analytics, advertising agency: Publix, Baskin Robbins, Southeast Toyota, Truist Bank. Well, you can imagine the security and privacy requirements of those entities. In fact, last year, for one of our banking clients, during COVID, during the pandemic, we completed a two-day security audit remotely, which was a lot of work, but it’s table stakes now. And so you’re exactly right. What we saw was we needed to have this capability, and I had the energy and interest to learn how to be capable in the area.

Host (07:40):

It’s funny that you say that, Michael, because I think maybe you’re not giving you and your organization enough credit, because I’ve handled multiple ransomware events for healthcare organizations. And one said, well, wait, we’re SOC 2 compliant. And then I’m thinking, if you’re SOC 2 compliant, why didn’t you have multifactor authentication for your remote workforce, where the whole incident originated? But yet in that regulated industry, ransomware and the costs from breaches is the highest. So if you’re telling us that you were able to persuade your organization to do this without having to have some type of ransomware event, then it seems to me that your organization is on the forefront of doing the right thing before they learn the hard concepts.

Mike Grindell (08:31):

Yeah. I agree with that. Our CEO sits on an advertising association round table. And what he always brings back from those sessions is that we are further along than many, and certainly as an independent advertising agency. Now, I’m also aware that just when you think you’re making progress, you know, you’ve got to mature your security posture, you know, double. And you know, this year I’m working with some outside advice to determine what is the next security framework we need to, I always struggle with the right word, adhere to, align to, and we’re doing an evaluation whether that should be ISO 27002. I’m just going to use a bunch of lingo here. And I think where we’re going to land is that ISO 27002 plus SOC 2 Type 2 will be right for us. And you know, we’re going to do a matrix against our clients’ requirements and a matrix against, you know, our business, and do a gap analysis and then figure out what we need to do to close that. But that’s a lot of work. It’s a lot of work. Yeah.

Host (09:43):

It is a lot of work. And I want to echo what Justin shared. I was going to say something fairly similar and actually ask, because there are so many advertising agencies that don’t recognize and appreciate the need and the value for a security program. And then, you know, soon we’re going to flip and talk about the privacy side, the use and collection side, not only the security piece. Can you share maybe just some of the, kind of the themes, maybe when you went through the SOC 2, or now that you’re evaluating maybe what is next? What are some areas that maybe an agency who hasn’t done all of these things today could take away and say, gosh, I really should focus on, pick your number, two, three of what they should start in on.

Mike Grindell (10:25):

Yeah. And I, you know, this is probably going to sound terribly basic, but I think at the core, what our clients want to know from us is that the right people have access to the right things, and only the right people to the right things. So what I would tell any agency is, at basic, you need to have a very good provisioning program, including your third-party tools. You need to be able to say to yourself and to your clients that these people have access to these things, these people do not have access to these things, and that you’re managing that. And that you’re enforcing that through a quarterly password reset program, multifactor authentication, to your comment earlier, VPN, and all the other things that ensure that Jodi, Mike and Justin are the right people and that others are not the right people. You know, of course all the other things, good firewall, good incident response plan, you know, all those other things. But if I was going to tell an agency, if there’s only one thing you do, have Active Directory, a really disciplined provisioning plan, and a secure way to know that only the right people have access to the right things.

Host (11:42):

So, Mike, I want to ask you one other question, because this really relates to a lot of the value proposition of Red Clover. And it’s this: talk to us a little bit about how all of this work that’s done in security comes up in the sales process for your company, because you’re doing this so that your customers have trust, to all the things that you said, but too many times, maybe customers aren’t asking the questions. So talk a little bit about how this may come up in the sales cycle for your company’s services.

Mike Grindell (12:16):

Yeah. Great question. In the last two years, I can’t think of a new business pitch where at some point privacy and security didn’t come up, and certainly once we get down to the scope of work, there hasn’t been a new client that didn’t ask us to agree to a framework. You know, a large delivery client we onboarded last year, Express, they said, you will adhere to ISO 27002. And you know, for me, I want to be in front of that.

Host (12:52):

So in essence, without all the hard work that you’ve done, you could get pretty far down the sales path with a customer. And then you get to the MSA, which, you know, you’re on the 20-yard line in the red zone. And you see that. And if you don’t have that or something pretty close to it in place, that deal goes sideways for probably minimum 90 to 120 days, or you may even lose the deal.

Mike Grindell (13:14):

Exactly right. And then you’re playing catch-up and spending more money than you would’ve if you would’ve just played good offense. So I absolutely view this world as a strategic business objective.

Host (13:28):

So to that comment and to kind of connect these, you know, I’m seeing a lot of companies in all different industries promote what their privacy and security practices are at the very early beginning of a sales cycle. Can you share, how does that play out in the type of work that you all do?

Mike Grindell (13:48):

You know, certainly, you know, we have a large healthcare client in Florida. We have a couple of banking clients, and certainly to even get into those pitches, you have to talk about your privacy and security credentials right up front. You know, it doesn’t come up front in all of them, but certainly in those more regulated industries. So, you know, we proudly talk about being SOC 2 Type 2, you know, compliant. And I hope in a year to be able to say that we are ISO 27002, I don’t know the right word, compliant with, adhere to it, aligned to it. And those things are good markers showing that we’re maturing as a company. And that’s really how I talk to them.

Host (14:38):

I’m sorry. I didn’t mean to interrupt you. I was just gonna say, I think I see a lot of companies say we adopt or adhere to XYZ standard. That is what I see a lot of companies say, kind of confusing: adopt, align, pick your flavor.

Host (14:53):

Just say we’re ISO or NIST compliant. Yeah, indeed.

Host (14:59):

With all of that being said, what do you think is the biggest challenge you’re facing today to help manage these privacy and security obligations?

Mike Grindell (15:12):

You know, we’re a 450-person organization with a six-person IT team. For me, it is bandwidth, resources and sequencing. So I would love to tackle ISO 27002 or putting in a SIEM platform and pen testing this year. But in what order do I do those, and what new roles do I need to add? And what obligations will that commit me to? I mean, it’s one thing to put in a SIEM and pen testing, but what will those programs reveal? And then, you know, the classic, now you know what you didn’t know, and what will it take for us to solve those things? We will now find out. So for me, it’s resources, new roles and sequencing.

Host (16:06):

So Michael, another thing related to your comment about bandwidth, sequencing and resources is, you know, just listening to you talk, obviously you have to consider CCPA. Virginia just passed a privacy law. You could be implicated under New York for some of your clients. You’re a vendor under the Department of Financial Services under a separate New York cybersecurity law or to this

Host (16:37):

So my question is in this ever-changing cybersecurity and privacy landscape, how do you stay current on these laws and their implications for your, for your company?

Mike Grindell (16:47):

Great question. We’re very fortunate. We have a chief legal officer that works for us here at Guided by Good. And she actually just hired a privacy specialist. So Debra just joined us. And like, she just did a deck for us last week on the new proposed privacy law from Florida, which I was not all that close to. So again, this is a resources issue, to your question. If you want to stay current and maintain eyes on it, you’ve got to have somebody doing that. I mean, I could spend all my time keeping up with all that. And candidly, I don’t want to. I’d like to have somebody who’s telling us, you know, here’s the new coming legislation and here’s what you need to be prepared for. Now, using CCPA as an example, you know, that is one place where we’re not as far along as we want to be.

Mike Grindell (17:42):

We’re completing data mapping now to determine, you know, what data we’re collecting, what we do with it once we’ve collected it, what our disposal cycle is, so that we can make sure that we’re compliant with CCPA, and then the right language with our clients. You know, fortunately for us, we only collect information as a requirement for our clients. We’re not just out collecting information; we’re only collecting information for their media campaigns. So, you know, ideally we’ll be able to craft the right language with them that they’re responsible for CCPA compliance. We’ll do our part, but they’re responsible.

Host (18:25):

Absolutely. I mean, in that scenario, you’re a service provider, presuming you only use the information on their behalf, and you also need to be able to, so for any agency listening who might not be as familiar with those obligations, I’m just sharing that part of the other responsibility is, if Jodi’s a client of Truist and makes XYZ request, there’s a potential relationship that you might have with Truist, depending on what type of activity you did; you might need to be able to support them. So knowing where all that data is is going to help you be able to manage your obligations in that scenario. Yes. I wanted to switch gears for a moment. So we were talking about security and those standards and the privacy laws and how we’re keeping up with them. Actually, the day of our recording is a big switch in the advertising industry, with Apple releasing iOS 14.5. And that, you know, now you have not only laws, but you have technology coming into play, trying to decide how everyone should be playing together, or not playing together, in the sandbox. I was hoping that you can talk about what that means to your clients. How do you educate clients? And kind of just your view, I’d love to hear, what is Mike’s view on this new phase that we’re entering?

Mike Grindell (19:47):

Yes. Oh, the cookieless world.

Host (19:51):

That’s where else, I mean, now personally, as you know, I like cookies now. They’re gluten-free chocolate chip for when we get to meet again, but right now we can just talk about cookieless marketing.

Mike Grindell (20:02):

So we have two groups that focus on media. We have our media team that, you know, it’s media planning, media buying, and then we have a large group called digital investment, which is the whole MarTech stack, ad tech stack. You know, we’re collecting anonymized data and all that world, and all the technology and privacy that goes with that. So that team has been working on this change for months, many, many months. They’re closer to it than I am, but it is clearly a big shift in the advertising space. I don’t think anyone’s fearful of it. I think there’s other ways that technology enables advertisers to present relevant information to consumers when they want it. And we’ll figure out how that works outside of the cookie world. But I don’t think we’re going to find ourselves in a place where Jodi isn’t able to find the thing she wants on the web and get served the information that is helpful to you. But, you know, the technology mafia is going to do whatever they want to do. And that’s how I refer to them; that is quite a crew.

Host (21:17):

Awesome. You got some thoughts? No, I don’t think he’s going to name names.

Host (21:22):

The mafia crew are,

Mike Grindell (21:26):

To me, it’s just the biggest players, you know, it’s Apple, Google, Slack, you know, Microsoft. You know, they’re making the rules and we’re all just trying to keep up with it.

Host (21:42):

What about global privacy control? Has that been kind of, you know, we’re talking about individual rights; each company needs to be able to honor them. Now you have this concept of the technology maybe being able to do that, which again would change the business process, the internal process, everything about it. Has that been something that’s been discussed, or is it a little bit too early on to really decide what’s happening?

Mike Grindell (22:09):

One, I think a little bit too early, and two, our scope. While we’re proud to be a mid-sized private advertising agency, we currently do not have any global business. So we were largely able to dodge GDPR, though we did have to sign Google’s addendum and Pinterest’s, you know, please sign this or we’ll cut off services; again, very mafia-type tactics. But we would like to have a global client. We would relish the opportunity to do that. So I think for us, Jodi, it’s still a little bit of wait and see.

Host (22:51):

All right, well, I guess one other thought I had was, how do you approach managing privacy compliance? It sounds like it might be a collaborative effort between you and the chief legal officer, because not only do you have the legal part, but now you have to operationalize the compliance. So how does that work from your perspective?

Mike Grindell (23:14):

So we created a compliance team, I want to say two and a half, four years ago. The members of the compliance team were myself, the CFO, chief legal officer, and now this privacy specialist and a contract manager. And so we have a cadence with that team, and we bring forward anything that comes up in privacy, anything that comes up from security. We agree to priorities. We agree to programs like, you know, this effort that we’re engaged in for CCPA and data mapping. That’s a lot of work, and we’re working with a third party to help us through that. And you know, that compliance team and that compliance cadence has been very, very helpful to us.

Host (23:56):

That’s interesting. You note that the CFO is part of the team. What was the reason for selecting that particular individual? The C-suite?

Mike Grindell (24:06):

It’s interesting. Guided by Good is a creative agency and family of agencies, but it’s also a very operationally disciplined company. So the CFO is a direct report to the CEO. So she actually chairs the compliance team.

Host (24:24):

Got it. Excellent. Excuse me, while we have coffeeholic over here; he’s just so choked up about all of this compliance and all of these discussion points. I’m curious, one of the other areas that I talk about a lot is using language to be able to connect. You had mentioned, right, really using it as a strategic business advantage, and that plays in two different places: that plays in you and your customers, so your sales cycle, but then also on behalf of your customers. Are you seeing kind of an uptick from the connection in your sales cycle, or also, you know, on behalf of how your customers are handling it? Because obviously they’re coming to you saying, I need you to answer these 20-page DPAs or addendums. And in the process, they might be really incorporating privacy into their business as well.

Mike Grindell (25:28):

You know, it’s interesting. Our clients want us to be serving the most relevant information to consumers based on who they are. So in some respect, they want us to get closer and closer to data. And on the same hand, it is very important to our clients, it’s very important to us, that we’re handling data very appropriately, that we are very cognizant of privacy laws, that we are very respectful of privacy, and we have the right security infrastructure around that. So it’s not a tension. It’s an “and”: how do we deliver relevant, exciting, impactful advertising information to consumers that’s relevant to who they are, and in a way that respects their privacy, respects our clients’ privacy requirements? So it’s an “and.” How do we do both?

Host (26:30):

I really love how you mentioned that, because I actually think that, and how you recognize your clients want to get closer, which gets you closer to more data. And I think that will prove even more so in a cookieless world, because there’s going to be such an increased reliance on first-party data, which means now you actually have, before we might’ve had cookies, and while that’s considered digital data, it was different than my name and my email. And there’s going to be such a push for having more first-party data that I think all the efforts that you’ve been doing on privacy and security, and really having a strong program to protect that, will really prove beneficial for you, and is something that all organizations really need to be mindful of.

Mike Grindell (27:13):

Yeah. You know, listen, it’s been a crazy 18 months in any category you want to call it, pandemic, politics, you know, however you want to put it. I still think, we still think, our clients still think, and I think most people think, if you show basic respect to people, and privacy is a basic respect. I mean, I love it how the European Union considers privacy a basic human right, that people want to be doing business with companies that have a good moral compass, that have a good purpose, and respect them. And one way you can show respect is to handle privacy correctly.

Host (27:54):

Absolutely. Thank you so much for sharing.

Host (27:57):

So yeah, I just struggle to see how we get there without some laws and regulations that have teeth, because, as you pointed out with the social or the technology mafia, their business is predicated on all of this data, because as we now live in the 21st century, that data is the number one asset that a company has. And so I agree with your comments wholeheartedly. It’s just, again, I want to give accolades to your organization, because when I get involved, their incident response policy was called Justin, ’cause we saw them on a webinar, and it’s a real mess. And I just don’t know how we get companies to appreciate that privacy is a competitive advantage with their customers when there’s so many incentives aligned to gobble up and vacuum up as much data as we can to market with people. And yeah,

Mike Grindell (28:55):

I agree completely. I mean, we took creating our incident response plan very, very seriously. I mean, there’s a section there for, you know, who do you call, who are the authorities? And we took the time to make an appointment with the regional FBI gentleman that’s responsible for cybersecurity. We went out there by Mercer University, went through that 18-checkpoint security check, and we met with him, and we have his cell phone number and how to reach him. I don’t want to try to figure that out when I’m in the middle of a crisis. And so I agree with you, it takes work, but it gives me comfort that we have that plan in place.

Host (29:38):

As well as it should. So with all of this that you’ve learned in the business world, what is the best personal privacy tip? And then I’m also going to ask, and you shared a little bit about some of the basics that a company could do, I’d love if you could share another one. So kind of, what is a best personal privacy tip, and then maybe one more to-do for someone who’s not as far along as you are.

Mike Grindell (30:04):

So my best privacy tip, and again, it may sound basic. As I tell people, when your company sends you that forced password reset, whether it’s quarterly or semi-annually, that’s the same time you should update your passwords on your credit cards and your bank. And I tell people, if it’s important to your company to maintain good provisioning and who has access, why wouldn’t you be doing that on the things that are most important to you: your banking, your credit cards and your retirement account? And the other thing I tell people is, you know, if you’re not rebooting your laptop and your device, people often forget their iPhone or their iPad, at least once per week, you’re missing all the patches and the updates. So my advice is pretty basic, ’cause I think those patching cadences and those reboots and those password updates are very, very important.

Mike Grindell (30:57):

So to your second question, Jodi, I would say probably the second thing from a security posture is, what is your patch cadence? You know, I follow Krebs on Security, his site online, and every time he communicates the Microsoft Patch Tuesday information, I’m copying that over to the IT team and saying, when are we patching? You know, we use Sophos and other tools to ensure that we’re pushing out updates, but, you know, here’s a good place where the technology mafia gets you tangled up. You know, the new Apple operating system made one of our security applications out of date. In other words, that application wasn’t up to date with the Apple operating system. So older laptops running on the older version forced us to refresh laptops faster than we wanted to, but I had to; otherwise I was going to have machines that weren’t appropriately getting patched and updated. So I would say the second thing for any basic security program is a good patching cadence.

Host (32:11):

Excellent tips. And thank you for sharing. ’Cause you know,

Mike Grindell (32:15):

Impedes good password hygiene because privacy and re and having to redo your password is

Host (32:21):

What, it’s inconvenient.

Mike Grindell (32:24):

It is. But I say to people, you wouldn’t put a big yellow sticky on your front door with your alarm code. So, you know, if your bank account and your retirement account are important to you, and you’re counting on that for your quality of life, why wouldn’t you just do a basic password reset at least a couple of times a year?

Host (32:48):

And I’ve thought about that. And it’s the same conversation when you say to a friend who you care about, you know, you should think about exercising more and eating better, and if they don’t do it, and then they have to suffer some terrible health, which in the cybersecurity industry is, of course, double-extortion ransomware. And then they are reborn into thinking about these things differently, which gets to a whole different discussion about how to incentivize employees and people to do the right thing. But I agree with you, it’s just asking people to be proactive. It’s just a tough thing. People don’t like

Mike Grindell (33:23):

It is time-consuming, but I say, really, like, how many bank accounts and credit cards do you have? I have four or five. So it’s going to be 20 minutes of password changes.

Host (33:34):

Right? No, absolutely. Excellent tips. So when you’re not telling employees to change their passwords or patching or figuring out if you should be doing ISO or NIST, what do you like to do for fun?

Mike Grindell (33:50):

So, long bike rides on the weekend. I have become a road cyclist over the last couple of years. Morning walks and workouts with Debbie, a single malt scotch, and my beloved Kansas Jayhawks basketball team.

Host (34:07):

You got him at the bike and the outside. Yes. You had me at bike. Very happy. Well, listen, Mike, how can people find you if they’d like to learn more about you or 22 Squared? Where should they go?

Mike Grindell (34:22):

LinkedIn is a great place to find me. All I ask is that people actually put something in why they want to connect with me and not just a standard LinkedIn. My Twitter handle is @Mgrindell, and I’m on the employee directory at 22 Squared.

Host (34:41):

Well, wonderful. Well, again, thank you so much for joining us. You shared, and hopefully inspired, a lot of organizations who might’ve had privacy and security on the back burner to realize that actually those can really impede the organization from a security standpoint and a sales perspective. So thank you so much for sharing all your great wisdom.

Mike Grindell (35:01):

Yeah, it was great to connect with you too. Have a great day.

Privacy doesn’t have to be complicated.