
Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional, providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:37

Oh, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.


Jodi Daniels  0:55

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit I got three, three that without the case of the giggles, I’m so excited.


Justin Daniels  1:34

I missed the giggles, that was fun. Well, we have a great guest on the show today. It’s Daniel Solove, who is the John Marshall Harlan Research Professor of Law at George Washington University Law School. He is the president and CEO of TeachPrivacy, a company that provides computer-based privacy and security training to hundreds of organizations around the world. He is the author of 10-plus books, including his most recent, Breached: Why Data Security Law Fails and How to Improve It. Hello, Daniel, welcome to the show.


Daniel Solove  2:10

Alright, thanks so much for having me.


Jodi Daniels  2:12

We’re really excited to have you here today. And I remember hearing and meeting with you and teach privacy when I was early on in my career in privacy. I’d love if you can share a little bit of detail on your career arc. And also what helps you to launch TeachPrivacy.


Daniel Solove  2:30

Absolutely. So I began becoming interested in privacy and researching about privacy in the late 90s. I took a course in law school on internet law, one of the early courses on it. The internet was just starting to blossom in its commercial existence. And I was fascinated by it. I thought there were a lot of really interesting issues. And one of the most unexplored issues was privacy. So I started researching and writing in that area. I began teaching in 2000 and had a privacy course at that time. There was hardly anything out there. Hardly any schools had courses there, I could count the number of Chief Privacy Officers on one hand, the IAPP wasn’t around. You know, HIPAA was just coming into being, so much hadn’t really happened yet. But it was really fascinating. And the questions about, you know, what would the law become? How would things develop? How will things develop? Were just an endless source of things to think about and write about. So I really became deeply involved in the field. At that time, I thought, originally, I would just do cyber law broadly. But as I got more into privacy, I realized that, wow, this is a bigger world than I thought. So it’s kind of like going down a rabbit hole, and then suddenly realizing, oh, my gosh, I’m in Wonderland now. There’s so much here. So ultimately, each time I finished a paper, there were two or three other ideas I had for others. So I got deeply into privacy. And then about 12 years ago, I had been doing some consulting for a number of companies and lawyers. 
And I increasingly thought that, you know, there were greater needs in this area for something a little bit more systematic than the consulting work, which was haphazard, you know, and I founded TeachPrivacy, which is a company that provides computer-based privacy and security training to organizations, because one thing I learned talking to a lot of privacy officers was that training was a key function in their job. But it was often something that was not really done particularly well at their organizations. A lot had, you know, canned training that would be rather dull and lifeless, or written by folks that really didn’t know the field, by external vendors that just weren’t really experts in the field. And also, it was created by folks that weren’t teachers, which is something the weird thing about kind of the elearning industry is that they’ve dispensed with, I think, two of the most important things when it comes to education. I come from a background in higher education. And so, you know, the key things are one, you know the subject matter if you’re teaching, and two, you spend some time thinking about what’s effective teaching, you actually teach, and you have experience teaching. And one thing I saw in a lot of the elearning materials that I encountered was that they were not created by people who had any teaching experience at all, or thought at all about pedagogy and what makes people remember something and how to make something engaging. And they also were created by people who really didn’t know the subject. So I thought, you know, this is where I can make a contribution and create a useful company, to provide training in areas where I understood the law and understood what was required, and also where I could use what I’ve learned teaching, and put it into practice in braiding my material. So that’s what I’ve been doing for the last 12 years. And I still am teaching as well and writing, I’m still a professor, so I now do both.


Jodi Daniels  6:58

Excellent. Thank you so much for sharing, I always learn little tidbits and just find people’s careers super fascinating.


Justin Daniels  7:05

So what do you think are the business goals that all the training that you have developed, promote?


Daniel Solove  7:11

Well, I would say that, you know, at the minimum, it’s to comply with law. So at the very minimum, there are certain privacy laws that require companies to do training. And so it’s to comply with those laws, that’s the minimum. The next level up is to mitigate risks. So you know, the more companies know about certain topics, such as how to handle various types of data, how to do basic end user data security, all these help reduce risk that something could go wrong. So that’s kind of the next level up. But ultimately, I would say, you know, the real, the best goal would be more than those two things, it would be to, in fact, help create a culture where people really understand privacy. And an organization really cares about protecting personal data. And they really take it seriously, they go above and beyond to learn about things that they don’t know, beyond just the minimum they need to know. But they really want to excel in privacy, they want to be proud of how they are handling privacy and how much people know about what they’re supposed to do. And so that’s, I guess, the ultimate goal would be to have that kind of a robust program where, you know, people aren’t just doing what they have to do because the law tells them to do it, where people are doing more than just enough to worry about risks to the company, but are doing something more broadly about thinking about privacy as something that is an ethical responsibility to protect their customers and clients and even their own data, their own employee data.


Jodi Daniels  9:08

Can you share some examples of where you think companies are doing a good job as you talked about that training program, where it’s above just maybe the check the box? They did it one time a year, but they’re doing something a little bit more comprehensive?


Daniel Solove  9:23

Yeah. So you know, a number of companies will put out not just the annual, you know, 20 But we’ll have other things to reinforce knowledge, you know, quarterly refresh on a particular topic, you know, quick micro learning of five minutes or less. You’ll have, you know, other supporting materials, handouts, newsletters, cartoons, things just to get people thinking about it, so that they don’t just think about it one day out of the year. They’re periodically reminded of some key things they should be thinking about. It’s also good to have information available so that if someone has a question or needs to learn about something, they can quickly learn about it. And so it’s great when, you know, some companies have this information available to people so that they can educate themselves. And I think if it’s done well, I think the training need not be a chore and need not be painful. You know, a lot of the programs I saw are horrifically boring and really long and really dry. And so no one would subject themselves to that torture unless they’re forced to do it. I’d like to change training. And I think the best organizations make training engaging and fun and something that people say they want to do, not just have to do.


Jodi Daniels  10:58

So you’re laughing. The giggles,


Justin Daniels  11:00

I know, because our next question is, as you talked about, horrifically boring. So what methods do you use? Or do you see that make such training interesting, and ultimately more impactful to the people that are taking it?


Daniel Solove  11:15

A bunch of things. I mean, first of all, I think it’s important to be brief. You know, a lot of training needlessly throws information at people that they really don’t need to know. And that’s distracting. And it just loads people up with a lot of useless stuff. I think, you know, cut to the chase, and really cover what’s important. Don’t waste people’s time. Also, I think, thinking about how to make it engaging, being concrete, using engaging imagery so that when people are looking at something, it comes alive, and it’s memorable, and it’s fun to look at. I think that training should really be fun to look at, and engaging that way. I’ve seen so many other programs that barely use images, or they’ll just kind of use very bland stock imagery that really is cold, or doesn’t really stick in anyone’s mind, just forgettable images that you’d kind of see in an ad or something like that. So I believe in using something more creative and fun and lively, and images that would stick in people’s mind. And to use a lot of them, I believe it’s very important to be very visual. And also, I think that it’s important to be passionate about privacy, to really care. Because you know, as an instructor, if I am not conveying a genuine passion for what I’m talking about, it’s hard to imagine how someone taking the training is going to really be passionate either. My job is to try to show just how important this is, how interesting it is, to really draw in my audience. And I think that’s really important. And I see so many trainings are done by these narrators who might be slick in how they sound. But they’re kind of robotic and lifeless, and they don’t really seem to be into it. And I think that’s really important: people need to feel like they’re being taught by a human being, and that they’re really being spoken to as a human being. They’re not just kind of someone reading some script at them, but they really need to be taught. 
So that’s really what I try to do. I really try to focus on, with everything I create, how am I going to make this interesting? How am I going to make the audience engaged? How am I going to get them to really care? And how am I going to be respectful of their time? So that, you know, I can keep them interested. Because ultimately, I really enjoy every program I create, I take a lot of time and care in picking the images so that I’m happy with what I put out. If I’m not excited about it, if I’m not interested in it, how can I expect my audience to be? So I really want to make sure that, you know, I’m going to create something that people are going to love. And that will stick with people, that people will remember. If someone really cares and puts time and effort in and really tries to speak directly to you, I think that really makes a big difference in the audience’s reaction to it.


Jodi Daniels  14:44

I think that could apply to all kinds of presentations. If people made presentations slightly more interesting, I think everyone would listen. What are your thoughts when it comes to almost role-based training, and how does the marketing team need the same training that the finance team does and the product team, right? So different parts of an organization. Everyone might need the base level, but different parts of an organization might need something a little bit extra special. Can you share a little bit about your experience and how companies are approaching those needs?


Daniel Solove  15:17

Yeah, I mean, privacy is particularly tricky that way. With data security, the same things apply to everybody, right, you know, don’t click on suspicious links, you know, be careful about, you know, a variety of different things. But it’s not really role specific. Privacy is very complicated, because we’re in a sea of privacy laws. And all these laws are different. And the laws apply to different things. So marketing has its set of privacy laws, there are privacy laws for dealing with different kinds of data, depending on where a company does business, laws that are different from state to state and country to country, laws that apply to children’s data, which are different than laws that apply to health data and laws that apply to financial data. And so depending on one’s role at a company, and what particular things a company is doing, and what types of data a company is gathering, that’s going to require different sets of training, because the laws first of all have different terms for the data. And this adds to the complexity, as laws refer to, sometimes they’ll call it personal data, sometimes they’ll call it personal information. Sometimes they’ll call it personally identifiable information, HIPAA calls it protected health information, PHI. And then different other laws call it different things, you know, FERPA, the law that regulates education records, calls it an education record. So really just understanding some of the basic terms and the basic requirements, which vary from law to law, does require some differentiation for the roles. That said, there is something in common with a lot of privacy laws, there’s sort of a basic set of things that are important to know for privacy, there are common points in some of the privacy definitions, there’s also common ground in why privacy matters, why it’s important, why you should protect it. 
And there’s also some common ground in some of the basic privacy principles like data minimization, and, you know, confidentiality and other things. So I think that core could be taught in the kind of central course that everybody gets. But then if you’re dealing with different departments that are dealing with different issues and types of data, you’re going to need different training. So HR, which might be dealing with people’s health information, will be dealing with HIPAA, and they need to be trained on that. But the rest of the organization won’t really need that training. But there might be a department that is dealing with marketing, and so they’ll need to know things for marketing, such as, you know, the laws that regulate sending out unsolicited commercial email. In Canada, that’s the law CASL; in the US, that’s the law CAN-SPAM. Also, you would need laws dealing with, are you telemarketing? Are you texting? You know, there are laws to regulate those activities. So it does become complex, because privacy law is this complex group of different laws.


Jodi Daniels  18:45

Do you find, as just a follow-up to that, that companies are organizing by the content? So, or by each of the different laws? Are they smooth? I mean, I appreciate the idea that you just talked about, right, with different principles. But sometimes when you have to get into the nuance of here’s the tax law versus here’s the email law, versus, oh, we also have students, so let’s pretend we’re a student situation, right? And I might have FERPA to deal with. Are you finding that companies are segmenting by the different laws? Are they trying to group it together? And maybe just share what you find to be effective.


Daniel Solove  19:19

I think both. It depends on two things, you know, the employee’s role, and then also what particular laws are governing and what the requirements of those laws are for different kinds of employees. Because for some employees who have just a limited amount of contact with data, they really don’t need to know that much more than just the basic privacy principles. Yeah, keep it confidential. And here’s basically, you know, some of the basic data hygiene, you know, don’t look at data you shouldn’t look at, data minimization and so on. And they probably don’t need much more than that. The ones who are more involved in handling the data are going to need a little bit more information. So, for those folks, they will need something a little bit deeper than just the basics. And so that would depend on the particular laws that are regulating them. In certain cases, you know, what they would need to know wouldn’t be very detailed. But in other cases, they might need to know a fair bit depending on the role. If they’re, you know, handling a data subject access request, they’re going to need to know a lot more than if they’re just, you know, on the phone with a customer. And if they’re on the phone with a customer, they just need to know what they can and can’t do when they’re calling out, for example, or if they are responsible for sending out mass emails, or handling a newsletter for a company that’s marketing, they will need to know a little bit about what they can and can’t do. But it also depends on how a company structures that, you know, what guidance does it give those employees? How much autonomy do the employees have to do that? So if any employee can just say, hey, I’m gonna create a newsletter, and they can create it and send it out, they’re going to need to know a little bit. 
If, on the other hand, you know, you can’t send anything out without some higher level approval or guidance, then the higher level would need to know that, but that employee would just be following orders, I think, and needs to know a little bit. But a lot of times, what you have in companies, the larger ones, is they’re large and complex organizations, and you’ve got a lot of different departments, and they’re all doing different things. They all have their own data collection and data use. And it’s not fully centralized, a lot of folks are doing different things. And a lot of times people are doing things, and they have no idea that there are these privacy laws or privacy issues involved. And so one goal of training is to teach them and inform them: not so fast, be careful, because you might think, oh, I’m just sending out an email, I’m just going to create a newsletter, I’m just going to make a phone call, you know, or I’m just going to, you know, take this data and do something with it. And they don’t realize that these things have implications and consequences, can trigger laws, can violate laws. And so I think it’s important that they understand that these things are complex. And then anytime anything involves personal data, they really need to understand enough and ask, because I think a lot of what the training is about is getting people to understand that there are times when you need to ask before you just do something, because so many problems happen because someone just does something without really thinking about and understanding what the implications are for privacy. And if they just brought on someone from the privacy team early and asked them some questions, these problems can be averted. 
So a lot of the training is to tell them and teach them that these things are complicated, and they don’t have to become experts in privacy law, but they should go and ask the experts in privacy law at a company so that they can avoid these problems.


Jodi Daniels  23:46

I’m telling you, I like that idea of bringing the team in early to ask the privacy and security folks.


Justin Daniels  23:51

I just laugh because I presented earlier this week at a conference. And that was the idea in technology: how can you do anything these days without a cross-functional team of business people, security, privacy? You just can’t, but it just continues to happen. And I love to hear what you say, I just wish it were more of the reality. And it’s not.


Jodi Daniels  24:13

Well we just need more training.


Justin Daniels  24:14

More training? Absolutely. Well, there’s a reason why Daniel’s written over 10 books. Yes.


Jodi Daniels  24:21

Lots of education.


Justin Daniels  24:22

Yes, lots of education. Well, I guess we like to ask everybody who comes on our show this question. So from all of your experience and writing of books and teaching of classes, what is your best privacy tip?


Daniel Solove  24:36

Well, um, I have kind of a weird view on privacy for, like, the individual. Like, what can you do? Because oftentimes, what can you do to protect your security? What can you do to protect your privacy? Because I think a lot of times everyone wants to end on a positive note, and I’ll see these tips in articles. And I generally say, actually, you can do a couple small things, but at the end of the day, you know, most of this is out of your control. So there’s a little bit of an illusion that people somehow could really seize their privacy and really do it themselves, and really that they could somehow manage their security and keep themselves safe. And I just think that people need to realize to some extent that no, you’re never going to be safe. And you can do a couple of things to make it a little better. But you’re not going to be safe. And there’s nothing you can do. And it’s important to realize this kind of rather pessimistic message, because too often people then say, oh, something happened to me, it’s my fault. You know, let’s just blame people because they didn’t do enough. And then we should really look at the fact that it’s companies that are doing this, and organizations and government. And this is something that has to be solved with law and policy, if we really want to solve it. Because it’s great if people do a couple of things here and there. But ultimately, that’s not going to solve the problem. Now, the biggest piece of advice I have is for companies to really do privacy well. My tip is that you need to understand what privacy is. And far too often I’ve seen attempts at privacy by design and attempts to design a privacy program without understanding what privacy is. And if you don’t understand what privacy is, it’s hard to imagine how you can protect it. And so time and again, you know, folks will say, you know, engineers will say, oh, well, I’m protecting privacy. Yeah, I’m baking privacy into the thing. We’re doing privacy. Absolutely. 
We love privacy. And then you ask, what’s privacy? And they’re like, well, we have some access controls, and we encrypt the data. That’s not privacy, privacy is so much more than that. And that’s, I think, part of the problem, is that what goes on and what’s being held out as protecting privacy is really just protecting a couple minor things. A lot of times, there’s even confusion, and it’s really just protecting data security, but not really doing privacy at all. Privacy is really complex. I wrote a book talking about what privacy is, what privacy means. That’s called Understanding Privacy. In the book, I argue that privacy is not just one thing, it’s actually many related things, it’s a web of different things, and identified 16 different kinds of things that privacy entails, that privacy involves. And if you ignore some of those, you’re really missing key dimensions of privacy. So I think it’s really important to get everything, because if you’re missing stuff, you’re not really adequately protecting the information. So I think it’s really important to spend time thinking about what privacy is, to really have a definition and understanding of it. And then you can actually protect it and measure whether or not you’re really doing a good job at protecting it, whether you’re really being comprehensive, because otherwise, you know, it’s just doing a couple things and calling it a day. But you’re not really, you know, protecting privacy, protecting a couple isolated things here and there without any kind of larger vision or goal. And I think that’s a problem. And that’s why you do have a lot of problems, or a lot of times people say, oh, we do privacy by design? Well, not really, it’s only as good as what you’re baking in. You say you’re baking in privacy, well, you know, what you’re baking is only as good as what you’re baking in. 
So, you know, I guess another way to say it: if you’re making a dish or a recipe, and you’re leaving out 90% of the ingredients, what do you make? So that’s really important.


Jodi Daniels  29:08

I agree, I really liked how you have emphasized the overarching philosophy of what privacy is, and that it’s not what a lot of companies think it is, just here’s the checklist and here’s all the things that we’re going to do with it. Now, when you’re not teaching, writing, creating courses on privacy and security, what do you like to do for fun?


Daniel Solove  29:29

Well, I’m playing tennis, traveling, which sadly, I have not been doing much of the last few years. But finally, we’re going on a family vacation very soon to Italy. So really excited about that. And really excited to kind of be getting back out into the world a little bit. So hopefully, you know, things are good and that can happen. So that’s definitely something I enjoy. Reading, I love reading literature, especially classical works. I have long taught a course in law and literature, actually. So it’s something that I really enjoy. And it’s nice to read something, not just a bunch of law and policy books. So that’s a lot of fun, too.


Justin Daniels  30:24

Oh, I see, to be, or not to be.


Jodi Daniels  30:28

Well, Daniel, where can people learn more and connect with you and TeachPrivacy? Where should we send them?


Daniel Solove  30:35

Um, well, I think, That’s my site for my company. I also have a blog on it. So if you just look at the top menu, click blog, I have a lot of things on the blog about things I’m creating. I also write about my scholarship, I write about the posts, cartoons that I create. So it’s a great place, if you want to keep up, you go there. There’s also my newsletter, I have a newsletter. I send it out once a week, and it has information about the things I’m doing, because I hold a number of events in this area. Some are pretty large, they get about 700 to 2000 people. I hold those events twice a year, one in the spring and one in the fall. And I also, you know, create a lot of different things, from cartoons to whiteboards, which are one-page summaries of laws, to my training courses. And so all that is in the newsletter if you’re interested and want to keep up.


Jodi Daniels  31:43

Well, thank you so much. We really enjoyed the episode today and hope that companies reach out and take a look at your cartoons and whiteboards, which are really quite awesome. So I highly encourage everyone to go and check them out. Thank you so much for joining us today.


Daniel Solove  31:58

Thanks so much for having me.


Outro  32:03

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.