By Jason Hoenich on Nov 15, 2018
Privacy expert and Habitu8 advisory board member Debra Farber has dialed in from a conference in Belgium to talk all things privacy with Habitu8 founders Chad Loder and Jason Hoenich. Like all good webinars, this one kicks off with a conversation about food, and if you thought Belgium was all about waffles, you’re wrong—it’s about chicken, gravy, and potatoes.
Next up, the guys share some details about the shiny new LogMeIn case study, which shows how LogMeIn completely changed its game by trading out bad content for Habitu8’s behavior-changing content. Remember: Gamification, leaderboards, and all the other gimmicks just don’t match up to having the right awareness training content.
Jason did an “interesting stuff” feature in the last webinar, and he’s decided it’s a pretty valuable addition, so here are some interesting things worth knowing:
- Bruce Hallas: Jason didn’t know cybersecurity expert Bruce Hallas had a podcast, but he does, and Jason highly recommends listening to Re-thinking the Human Factor.
- Dementia prevention: This one is personal for Jason, because his family is dealing with dementia right now. He found a mushroom called lion’s mane (you can find it at Whole Foods, people) that has been proven to reduce dementia symptoms as a neuro generator.
And here are three from Debra:
- Digital ethics comic: At a conference, Debra got a copy of The Cartoon Introduction to Digital Ethics and highly recommends it.
- Read this: Strategic Privacy by Design by R. Jason Gronk.
- GDPR updates: More than 70,000 data protection officers (DPOs) are probably going to be hired as a result of the 2018 General Data Protection Regulation.
Privacy: Why Do We Care?
It all started with HIPAA, which has a fairly technical security rule and a privacy rule that was focused on training and writing policies down—and this got bolted onto privacy training efforts across the board, Debra explains.
Whereas HIPAA deals with protected health information (PHI), GDPR and the new California Consumer Privacy Act focus on personally identifiable information (PII) and protect anything that is linked to or linkable to an identity. So privacy training now has to take personal data into consideration.
Interestingly, Chad points out, GDPR doesn’t introduce the right to privacy, because that’s inherent in the European Union Charter of Fundamental Rights—GDPR just says, “Here’s what we do about that privacy.”
Privacy vs. Security: Part I
Security deals with how you deploy controls to protect your enterprise from identified risks—you know what your boundaries are and can fairly easily roll out patches or fixes. Privacy, on the other hand, is more complicated because it involves business processes and internal risks. Chad notes that security is usually relegated to a specific department, whereas privacy has to be a company-wide focus for anyone who deals with data.
Privacy is all about responsible governance with personal data, Debra says, and it just makes sense to think about privacy in this way.
Privacy Where You Work
The team starts to discuss how the size of your company will determine how privacy is organized at your company, but it starts with really embracing and leveraging the internal privacy expert. Debra says working with the privacy expert (and respecting him or her) to architect the right policies is crucial. And the really important thing, Chad notes, is that most employees at an organization can’t really differentiate who does what; they just know it happens. So creating an integrated, digestible security and privacy training program and policy is priceless.
Also, it’s important to make sure your DPO doesn’t have a conflict of interest, and you should think of him or her as an ombudsman or internal audit officer. So, you probably don’t want your CTO or chief privacy officer or CISO to be a DPO. And by probably, Debra means most definitely. As Chad says, when you’re a DPO, you’re basically the rep of the data subjects and you’re helping keep the company accountable.
Regulatory and Compliance Requirements
According to Debra, pretty much every privacy law originates from Fair Information Practice Principles (FIPPs), which encompass the principles of notice, security, choice, transparency, and accountability. But the way these principles are deployed is going to vary by enterprise, and the laws are constantly changing.
And the basis of creating a compliant culture is to take all the laws and the technical regulations and make them digestible for all employees, no matter where they are in the business—basically, make it employee friendly.
Privacy vs. Security: Part II
Chad puts it this way: Security can be boiled down to checklists and making sure you’re following processes, but privacy is taught most effectively through scenarios. Unfortunately, most people get their training the moment they start at a company and are given zero context about their day-to-day activities and how the information is applicable to their actual job. The training is usually compliance-driven, and many times the policies are thrown together without a second thought, opening companies up to liability issues.
Privacy 101: Stuff That Works
Debra says there are three basic points to focus on with privacy, including data minimization, anonymization, and limiting access.
- Data minimization: The more personal data you collect, the greater the risk of a breach. Chad notes that there’s inevitable tension between big-data scientists and the privacy team, because for the data team, everything needs to be kept forever. Never fear, Debra says that these teams can work together to architect a powerful privacy plan. There are tradeoffs (Chad goes into a discussion about ZIP codes), and Debra says the focus should be to collect as little information as possible to achieve your business goals (e.g., we want to send you a free pizza for your birthday, and we don’t need the year or even the day you were born to do that—we just need the month).
- Anonymization: Anonymization is great tool for sharing info with third parties who need to know insights but not specifics. The term, Debra says, is used differently in the EU versus the U.S., where it’s not even included in any legislation, and it’s most commonly used in regards to HIPAA. In fact, Chad cites a study that, in most parts of the U.S., you can find out who an individual is based on their gender, ZIP code, and birth date. Basically, it’s not a perfect or even accurate science, but it’s a good control to use.
- Limiting access: Time is running out, so Chad zips through this topic by saying this means that if you don’t need access to it, you’re not going to get it!
As an organization matures, role-based training becomes more and more critical for departments, including HR and marketing, which are pretty murky. These departments often don’t have a good handle on what they can and can’t do based on GDPR and the California Consumer Privacy Act. Also, Debra says, the product team and engineers need to have some solid training so they have a relevant understanding of how privacy affects what they do.
Jason throws what the best training looks like in this nutshell: Tell people what they need to do. Don’t give them the entire background and history. Just let them know what to do and how to do it. Chad adds that, with in-depth training, let employees pull the relevant training that applies to them, and don’t force everyone into the same training modules.
Q&A on Privacy
What are the typical career paths for privacy professionals?
Public policy, privacy engineering, legal, privacy research ... basically the sky’s the limit on potential careers within the privacy sector, says Debra.
Are there any policies or laws that prevent security awareness professionals from outing repeat offenders publicly?
It’s important to have something in your sanctions policy regarding how you intend to handle someone who continues to respond in a phishing simulation. But if you have training and people are continuing to respond to phishing scams, you’ve got to follow through with something. It’s not enough to send employees a nastygram just to tick the box saying you trained them. In fact, what Debra has seen work is tying incentives to performance.
Remember, Chad says, employees don’t fail training. The training fails the employees. So it’s important to have policies in place so you don’t “surprise” employees with sanctions that they didn’t know were coming. Jason says you’ve got to engage with repeat responders and understand the learning curve to best change the behaviors of those repeat offenders.
Watch the webinar here. Don't forget to download the notes from the webinar!