On July 31 Jason Likins, Ripcord’s VP of Products, joined Heather Stratford, founder and CEO of Stronger Tech, to discuss how to Navigate Data Privacy Regulations with Digitization.
Stratford, a cybersecurity specialist who speaks regularly on the topic, presented information to dispel myths about the General Data Protection Regulation (GDPR), and answered questions about the California Consumer Privacy Act (CCPA) that will go into effect in 2020.
Likins then shared insights on personally identifiable information (PII), and how to leverage technologies to comply with these new data-based regulations.
Moderator Nicci Boots: Hi there, everybody. We are just now getting started with the broadcast of our webinar to navigate data privacy regulations with digitization. We have our speakers here. And we see that people are still signing on. So we’ll just give it about a minute and then we’ll get started. And also, we absolutely encourage everyone to ask questions. We will more than likely be reserving time at the end of the presentation to address those questions. But if you have something that you wanna know an answer to right this minute, that’s fine. Go ahead and ask the question and I’ll direct that to either Jason or Heather. But yeah, I’ll just give it a few more seconds here. Looks like we’re getting some attendees signed on. All right. All right. Well, to get the webinar going today, I’d first like to introduce our wonderful speakers, Heather Stratford and Jason Likins. Now Heather is the founder and CEO of Stronger International. That is a cyber security consulting and training firm based in Spokane, Washington. She’s also an established speaker. She travels the globe, sharing her insights on cyber security and data privacy. She was also recently named as a 2019 Tory Burch Fellow. Now Jason is the VP of Products at Ripcord. Ripcord’s the world’s first business to offer robotic digitization. He also spent a good chunk of his career at Open Text, a company that develops and sells enterprise information management software. So both of our speakers today are very well versed on the topic of data management and the tools and technologies necessary to follow new data privacy laws. With that, Heather, would you like to get us started?
Heather Stratford: Sounds great. Thank you for the introduction. This is such a hot topic. And everybody is asking questions. Does it apply to me? Is it relevant? Where is it going? There are a lot of unanswered questions. I’m hoping to cover a lot of ground, and Jason has great expertise as well. We can answer questions towards the end. If you want to type them in, we can see them as well. I’m gonna do a little bit of overview as we start. Hopefully everybody can see my screen here. Okay, hold on a second. Hopefully everybody can see my screen and we can talk about privacy and GDPR. She just did an introduction. I was named as a 2019 Tory Burch Fellow. Also last year I was given the Women in Business Leadership Award from Whitworth University. Where I normally like to start is to talk about the trends in cyber security. And I think everybody knows this, but sometimes it’s nice to look at the actual numbers. When I started using this slide three or four years ago, it was different. The numbers were a lot lower. But since 2013, 14 trillion records have been stolen or breached. That means that every second, 72 records are being breached. Like I said, three to four years ago, that number was about 50 to 55 records per second. So we’re actually going in the wrong direction. We’re actually moving away from, you know, not being as secure. And so when you put this out there, you think about, okay, we’re going in the wrong direction, we’re having more and more breaches, how is this relevant to my organization or my business? Notable breaches. And these are just a handful. I mean, we’ve got the Marriott breach, which has been in the news quite a bit recently because of the fine. eBay, Equifax, Target, these are all names that we know as consumers. I have a red card for Target, right? I have stayed at a Marriott before. Many people have these, and these names in the businesses that they use regularly. I like to point out that Aadhaar is on here.
And I often ask people for a raise of hands, if I could see you through the computer, how many of you could tell me what Aadhaar is? Probably not many of you. And that is because in the US, it wasn’t as largely publicized. But it was a breach of one billion records. And what is that? It is the equivalent that India has for their social security system. And what’s significant about this is, this notable breach has biometrics involved with it. Biometrics are eye, thumbprint, things that are not changeable, not just a social security number or credit card number that can be eliminated. So as we look at it, the notable breaches are getting more frequent and they are getting larger. What happens to your data after a breach? Many people ask me, “Well, who cares, right? What happens to it?” Well, what’s significant is, let’s say you were in the Marriott breach. I know I probably was. Your information is there. The question is, are you using the same type of personal information everywhere? So one of the things I like to talk to people about is, you know, is that information the same? So is the password and username that you used for Marriott the same that you use another place? Now let’s take this to a business level. Is the business login and credentials that you are using specifically for certain SaaS services, certain things that you do in the business, are they the same? So if it’s breached, do they now have a master credential that can get into other places? So the question is about your hygiene when it comes to password management and if that information is out there, how valuable is it because what else can it lead you to? So let’s look at some of the regulations. We know about GDPR, or the General Data Protection Regulation that was out of the EU. I like to go backward and look at what’s happening. We have areas that have heavy regulation right now, areas that have very limited regulation. And privacy is one of those areas that everybody’s talking about.
For example, this is labeled as CCPA. So in the United States, California has come out with their own law because the federal government has not come out with a federal regulation for the whole country. If we go down to Brazil or Argentina, Brazil has the LGPD. It is their answer to the GDPR. Lots of acronyms, right? If you go over to Asia, you have South Korea and Japan, you have powerhouses of technology that are looking at and passing stiff regulations specifically about data and the privacy behind that. What I’d like people to realize is, when they talk about, “Oh well, the GDPR, it doesn’t affect me,” it might not. But it is the largest regulation affecting the most number of people. And so that makes it a precedent and lots of other places around the world are following suit with something very similar or taking bits and pieces of the GDPR. So we’re gonna talk a little bit more specifically about the GDPR itself, but then also the CCPA, because in January 1st of 2020, the CCPA will go into effect. So how does that affect us as organizations, business owners within the United States? I think this is an interesting slide as well because it helps show where data is not being protected. You can see that there’s a big shift towards regulation of some sort. What will be helpful for global companies that have work and employees and products in lots of different locations, it would be helpful to have it all similar, right? It would be helpful to have a regulation where you’re being compliant in the United States but hey, would really like to go to Argentina. How come they can’t be close to the same regulation? Well, they’re not. But that is part of doing international business, knowing the similarities but also the differences of going into that new market. So how does this really affect people through the industry, the company, and also the individual? On an industry level, it is making all industries look at what information that they are holding specifically.
I often consult with organizations and they say, “Well, how do we become GDPR-ready?” And my first question to them is often, “Well, do you have business in the EU? Do you have employees in one of those 27 countries?” There are seven different questions that can be asked. Do you hold data specifically on individuals that live in any of those countries? If that’s the case, then yes, it does apply to you. And the question is, is the data that you’re holding, is that data important? Does it help run your business? Is it critical to your infrastructure? Is that important for running your individual business? But if it’s not critical and you’re just holding it because maybe someday you’ll use it, or maybe someday somebody will want to pay you for extra information you have, then you need to think twice about holding that information. So we’ve got industry, the company level, and from an individual level, we’re all starting to think a little bit more about why people are holding our data, what they have on us. What is the GDPR? Why do we care about the GDPR? I like to step backwards and just say a little history about how the GDPR came about. Many of us know about the history of World War II. World War II, there were great atrocities that were committed. And Germany was part of that scenario. And I don’t wanna go deep into that, but we know that there was tracking done to certain individual groups. There were bans. There were people labeled. And they were tracked by this personal data. After World War II, Germany was very careful and said, “We are never going to let this happen again. This was an atrocity that we are not going to repeat.” And so as Germany split and we had East Germany and West Germany, West Germany made sure they had laws protecting people’s privacy and data. When the Berlin Wall fell and East Germany and West Germany combined back together, West Germany very clearly said, “You must adopt our privacy laws.” And so East Germany adopted them.
So now we have a whole Germany that has strong privacy protection for its residents and constituents. Who is the largest one country with the most number of people in the EU? Germany. So when the EU was formed Germany said, “We’re the biggest and you’re going to adopt our laws, because it’s privacy and we believe strongly in it.” So that’s how it got brought into the EU. Now in 1995, it was shown to be, in 1995 it was shown as a key component of the base GDPR. And as technology evolved, it took 20 years to get the new rendition. Six years to put into place and now, May 25th of last year, 2018, it was put into place. But if you know where it came from, you understand why in the EU they look at it’s your information and we wanna make sure that it’s not just given freely to everybody and everybody can have it. And if you wanna have it back, then you’re able to take that information back safely. Let’s look at some of the fines that are involved with the GDPR. There are two tiers of fines, 10 million Euros or an annual global turnover of 2%, whichever is greater, or up to 20 million Euros or 4% of annual global turnover, whichever is greater. And these are big numbers, right? You look at it and you say, “Wow, that’s a lot of money. But is it really gonna happen to me?” And that’s the question everybody asks me. “Heather, is it really gonna happen to me? Do I really need to pay?” And I’ll say, “Well, people say that about taxes, too. If you fudge on your taxes, someday it might catch up to you. And if it catches up to you, you better have documentation in place, you better have those receipts, and you better be able to explain why you put a certain number and why you paid a certain way.” Now, every year, are you going to be questioned on what you turn in for taxes? Probably not. But if you’re a repeat offender or something big happens and you’re audited, absolutely. So it’s the same thing. There’s low risk areas or there’s high risk areas.
If you’re a high risk company or organization, you better have your documentation in place. If it doesn’t happen this year, maybe it’ll happen next year. What you don’t know is when you’ll be breached. And that’s when everything starts to be triggered. So the triggering point is literally out of your control. Now, you can protect against it. And you can be 100% sure you won’t be breached. If you do no Internet work, have no servers, have no technology in your business, I can guarantee you 100%. But if you have technology, if you use the Internet, if you have computers in your business, then I cannot guarantee 100% that you might not have a breach. So how big is your exposure? The latest fines in the GDPR, Google, $57 million. Now to me, I look at that and say, “Wow, that’s a lot of money! $57 million.” For Google, I mean, that’s a drop in the bucket, right? That’s a very small amount. But it’s very, it shows the trend. It shows, hey we’re looking, we’re listening. Now this was just from one country. So remember, the GDPR gives fines based on the country it’s coming out of. So Spain can give a fine, Germany can give a fine, Ireland can give a fine, right? It can be, it can grow as well. Now we look at Marriott. Marriott, $123 million. Okay, I’m, like, “You’re right, that’s big.” And the latest one recently came out, British Airways. $230 million. All right, so some people are saying, “Well, those are big numbers.” Yes. And what people don’t realize is, there’s a backlog. So as soon as the GDPR went into effect, they started having people put in, saying, “This person, this organization.” And their backlog is about six months. So we will start to see through the fall and through next year a lot more fines come out as those individual breaches or major violations of the regulation as they are reviewed, they will then have a determination and it will come out. So we’re hitting the tip of the iceberg. We don’t know. But 230 million, yeah, you’re starting to take notice.
And I know British Airways is pushing back a little bit on that. But what you don’t wanna be is the poster child for fines coming out. So what is the CCPA? The CCPA is the California Consumer Protection Act. So it is different than the GDPR. It covers people within the, let me go back to this, within the California space. There are some very different stipulations. One is, the CCPA is not for smaller companies. So if you don’t have a lot of data or your revenues are only in the, you know, a million or two, you do not have to be compliant with the CCPA. So there’s very strict guidelines there. The GDPR, on the other hand, is for any size business. If they’re holding data, it’s for everybody. So that’s a big difference. Another difference is the CCPA is a state, not a federal regulation. It also has a component in it that allows for people, individuals, myself, yourself, your loved ones, if there was a breach, that we could sue. The GDPR doesn’t have that. And the CCPA allows for us to say, “Hey, you had my Marriott information,” and it will allow for large class action suits. I have no idea where that’s gonna go. I have lawyer friends who are, I mean, it’s a hot topic right now. Our society’s very litigious. Everybody has their own opinion on that. What we do wanna do is step back and realize California is stepping up and they are trying to regulate something that has not been regulated on a national level. Now, HIPAA, PCI, HIPAA for medical records, PCI for credit cards, these are national, these are things that everybody has to deal with. But there is no national standard yet. For example NIST, which everybody says, “Well, I’m NIST-compliant.” Well, that’s great. That was out of the Commerce Department. And it really doesn’t go far enough. So that’s what the CCPA is. So what’s happening in the federal space? Right now, there is kind of a tug-of-war, and we have it at different points in the US history, about who controls the right to set the law.
Who says, “Okay, federal government, step up and put something in place”? Or, “California, good for you. You’re protecting your citizens and it’s a state’s right.” So if we look at this, we are completely split on who really has the ability and who should set these standards. Right now, and I checked this just this week, there are 260 individual state resolutions specifically for cyber security and privacy going through state legislations. It is encompassing 45 different states, some of them heavier than others. California very heavy, New York very heavy. Some states have said, “We want cyber security education all the way down to kindergarten.” And they’re legislating it for their state. There are three states right now that have passed that. So right now there’s a lot of fighting back and forth, just saying, “Federal government, do we have to pass everything individually?” Some states say, “We want that right.” I believe within the next three to four years, we will have more of a consistent plan moving forward. But right now, it’s a mess because every state is stepping up and doing something different. So is your organization going to be affected? That’s the big concern. I have several large organizations where the CISO or the Chief Information Security Officer talks to me privately and says, “We have a low threshold for the risk. But we know we have to be GDPR-certified. It’s coming. We’re gonna tag our information. We’re gonna figure out what we have. We’re gonna label it. We’re gonna work with companies like Ripcord to be able to figure out how to get rid of some, digitalize others, so that when there’s a more federal regulation in place, we’re ready to go.” Is your organization going to be affected? I’m saying, hands down everybody on this call, the answer’s probably yes. The question is, how fast can you get there and who do you need to bring in to help you?
What organizations, consultants, different people can help you move to be in compliance? There’s two sides to being compliant. One is, you actually have a 72-hour incident response plan. Do you actually have these things in place? The other side of it is, do you have the 22 different documents that the GDPR requires? If you don’t, talk to somebody, right? Talk to somebody like me or some other consultant that could help you figure out where you’re at and how to move forward. The question is, just don’t stand still. Because if you were given a fine, what the fine is based on is how much you were trying to be compliant. Were you putting in effort? Were you trying? Did you put things in place? Did you have a strategy? So get something in place. Thank you for listening to my part of this. I’m gonna turn this back over to Jason, who is an expert in this area as well. And then we can answer more questions at the end. Thank you very much.
Jason Likins: Great, thanks, Heather. That was a great introduction and background. Give me a second and I will bring up my part here. Can you all see my screen, or Heather? Okay. Heather introduced a lot of the background of GDPR and regulations. My part of the goal here will be to understand some of the principles of PII, personal identifiable information, which is kind of a basis of a lot of the regulations, and show you how to use some of the content management features and functionality that are available in the market today so you can leverage those technologies as a way to be compliant with those regulations. So what is PII? It’s an individual’s information which, when disclosed, could result in harm to that person whose privacy has been breached. So there’s a lot of things out there that come right to mind, name, social security number, date, place of birth, Heather mentioned also these days a lot of the biometric information. This is all kind of data that rises to the top, but there’s also a concept of linked personal information, where you can get not necessarily the person’s name, but you get enough other pieces of information about them where you can connect the dots and you can figure out who that person is. So there’s been research that has shown that having three key pieces of information, person’s Zip code, their date of birth and their sex, male or female, they can successfully identify 87% of individuals. I have that information, I can basically cross-reference it and something like a phone book and get that person’s name. So the linked information is considered as personal identified information even though it may not directly have the person’s name, social security number, et cetera, in it. More and more, there is also spatial. We all have cell phones. We should all assume that the applications that we download on our cell phones and use, when I get that free little app, there’s a price to pay for that. 
And that price is, I’m giving up some information about myself. In this case, a lot of times if you’re using maps, you can identify who a person is by just getting four points where they’re on in their daily routes. You can uniquely identify 95% of people. So this starts to get a little bit crazy when you start thinking about how much personal information is out there. In our case, we’re talking about documents for the most part. So a lot of this information is in documents, in files, and a lot of it’s in databases and line of business applications. So those include things like tax forms, academic records, all your bank information, your healthcare information, all the information your HR department has about you, as well as web form and things that you may connect to and fill out. I got an email the other day, I was staying at the Crowne Plaza Hotel and they said, “Hey, we’d like for you to go through this survey about your stay and how you liked your stay.” And towards the end of it they asked, “Hey, are you male or female and what basically age are you?” All of a sudden, all of their questions that were generic at first, like how comfortable was your bed, how clean was your room and these types of things, as soon as they asked this information, even though they didn’t directly ask me my name, basically started to become personal information. And the information they gathered through that web form would start falling under PII and then the regulations associated with it. So as consumers we kinda like these protections. It’s always nice to have someone looking out for our back. I want my data protected. I don’t want someone to use it maliciously or sell it. But as corporations, this can be a burden. But more and more the top industries, the top corporations, are treating this as a potential for competitive advantage. They are embracing the regulation and coming to market with this concept of data ethics.
“I’m gonna collect your data, but I’m gonna ethically manage it and I’m gonna use that as a competitive advantage for my competitors, versus my competitors.” Heather mentioned and had a nice list of recent activity in breaches of companies. I don’t know if you’re paying attention to the news, but on Monday, What’s In Your Wallet, I think that’s a familiar catch phrase if you watch TV for Capital One. And the joke was, well, on Monday they got breached, over a hundred million records. And so what’s in your wallet? The answer was, Tuesday morning, about 3.2 billion less than yesterday. It’s not just the fines. If it was just the fines, a lot of companies would probably say, like Google, other than the data ethics and wanting to be a leader in the space, they’d probably say, like, “You know what? The risk and effort to put all this data governance in place isn’t really worth it. I’ll just pay the fines when I get hit.” But it’s much more than those fines. So the article went on to say that the reputational damage, you know, what your customers think of you. Are they gonna buy your service afterwards? There’s a potential for political and regulatory actions and penalties, sanctions, that can really disrupt your business. The breach was, in this case for Capital One, was linked back to some of their service providers. And that service provider was Amazon. It was a person that worked for Amazon. So now Amazon is caught up in this, even though Amazon wasn’t the company that had the breach. Fines, 230 million. Start getting someone’s attention. Hey, when my stock price drops off a cliff like this, when one of these breaches happens, and I’m losing billions of dollars and my shareholders, this is really why you wanna put these regulations in place or pay attention to them and do your best to satisfy ’em. So what are some of the principles of the regulatory compliance around the different ones?
There’s a whole bunch of different ones out there, but it kind of boils down to personal identified information. And there’s some tenets of that, some principles of it. If I’m collecting information, it needs to be lawful and purposeful. Heather again mentioned, like, you can’t just collect data for the purpose of collecting it and one day later, maybe I wanna use it for something else or sell it out on the marketplace. It has to be a legitimate purpose to collect it and there has to be a specific purpose. Furthermore, I have to limit the scope of data that I collect and how long I can store it and keep it for that purpose. If it’s to get information about me and my stay, and once I get it and I bring that into a report, that report is now done. The purpose of the information collected was for that report. All of the other information that was kinda unique about my specific answers should be flushed and deleted as soon as possible. We are all data subjects. In this PII world, we’re the data subjects. And we have the right to request from a company, “Hey, what information do you have about me? I wanna see it. What are you using it for?” And I have the right to challenge it if I think it’s incorrect. So I need to have some sort of discovery capability. Imagine if you’re Apple or AT&T and you got hundreds of millions of customers and they start all asking, “Hey, what information do you have about me? I wanna see it, wanna challenge it. I don’t like what I see there. I wanna be forgotten. I want you to delete it all.” This is another data subject’s right that’s a tenet to a lot of these regulations. Notification when there’s a data breach. There’s a, depending on the severity of the data breached, it’s up to 72 hours where you have to notify all of your data subjects, all your customers, that, “Hey, we were breached. Your data was part of that. Here’s what we’re doing about it. Here’s your options.” And you have to disclose that within 72 hours.
There’s also these more overarching concepts of privacy by design. If you’re building a new application, a new tool, bringing something to market, it needs to consider privacy from the get-go and you need to design that into your application from the start. Furthermore you need to do impact assessments. Basically say, “If we do get breached, what is our response time? How are we gonna respond?” It’s kind of like a fire drill, right? I hope the fire never happens, but I wanna be prepared if it does and I’m gonna have a fire drill to make sure everyone gets out of the building, we know where to meet, and we know what steps we’re gonna take. And I wanna see what the impact of that is gonna be. So I wanna kinda do a dry run through one of these breaches. If you’re a certain size organization, there’s a new role that you’ll hear in organizations, Data Protection Officer. If you’re, again, a certain size dealing in certain industries, you have to have one of these persons on your staff or something like this that’s specifically looking out for the content that you’re storing, PII, and how you’re managing it within your organization. They also want you to do third-party training to your employees about phishing and again some of these impact assessments of, be aware of these strange emails asking for passwords or if someone’s trying to breach your organization, they’ll usually go in through one of your employees, try to get information about your maybe credentials to log in from that employee and then go use those to hack your system. Another kind of, on a wrap-up, third-party processing. So a lot of us use services these days and outsource some of our company job functions. That does not obfuscate or push off the responsibility of your company’s requirements to meet the regulatory requirements to that third party. You can’t say, “Oh, I knew nothing about that. I had the third party do it. They got breached.
“It’s their problem, it’s their liability.” The liability comes back to you. You cannot pass that off to a third party. This is all big, scary stuff. What do I do about it? The concept, again back to the goals here, is the regulatory requirements related to PII, which is basically data, there’s a lot of technologies out in the market today, whether it’s capture technology, content management, enterprise content management, document management, et cetera, well, these solutions are out there today. Most large organizations have ’em. And these products, these content management products, have a lot of functionality that allows you to meet those regulatory requirements. The best way to manage your data is by managing the metadata about your content. So you don’t wanna, the volume, the velocity, the variance of all your content is so large, it’s almost overwhelming to manage it directly. So what you want to manage is the content’s metadata, or more specifically, manage the content by understanding its metadata. And there’s a lot of tools out there today in the market, capture technology, OCR recognition technology, where you can classify and categorize different pieces of content using machine learning technology, and you can enrich that information and put these tags to it so that you could leverage that metadata and automate ways that you treat that data based on the regulatory requirements. So what does that data look like? Again we’re primarily dealing with content and data. Content is your emails, your PDF file, your Office, Google docs, comes in a lot of different forms and fashion, including paper. Heather kinda mentioned, like, “Hey, the only way to really guarantee you don’t get breached is you’re not connected to the Internet. You don’t have applications that you run your business on.” Well, everyone has those. Plus a lot of organizations also have paper. So don’t forget about your paper. It has a lot of personal information on it.
That physical stuff can get breached as well.
Heather: Um-hm, yeah.
Jason: That content is what’s referred to as a lot of times you’ll hear terms in the market, this is unstructured content, semi-structured content of these files. And then I have structured content in the database. The technologies, again, that can help you with regulatory requirements, it’s document, records, enterprise content management, document management, records management, enterprise content management. These are the technologies that are out there today that you wanna leverage with your unstructured content to be compliant. On the database side, it’s more structured. It’s rows and columns already in the database. And there’s technology out there for enterprise metadata management. So they take the same approach, where you’re not trying to manage all the data. It’s too overwhelming. I wanna manage the data’s metadata. For these purposes, we’re mostly gonna again focus in on content. How do I get this voluminous amount of content categorized and tagged and how do I know what it is so I can therefore do something with it? The first step in being compliant is knowing what content you have, where it’s at, and what type it is so that you can determine how it applies to the regulation. For us, you bring all this content into a pipeline, a content pipeline, where it captures and analyzes the content using machine learning algorithms, again to look for patterns. And the patterns basically say, “Hey, I’ve seen this before. This is a W-2 tax form. That’s personal information.” So I wanna categorize it, it’s personal information, and classify it as a W-2 tax form. So I wanna do this across a wide range of content that comes in, bring it through this pipeline so I can get a very structured set of metadata about my content and I can keep that content in basically what we call a catalog.
So I’ve cataloged now all my content, I’ve tagged it, I’ve organized it, I’ve put it in a structured way so that now I can bring that content with this structure into my content management repository into my line of business application. I now have the piece of content with all the metadata tagging and I can, within the application, set up rules and trigger that, when I see this type of content, now that I know what it is, I can treat it in a specific way. I can automate my compliance activities without having a person looking at the data and saying, “Hey, this is a W-2 form. It needs to be treated this way. Let me apply these access controls to it. Let me apply this certain retention policy to it.” When it comes through this pipeline and you get this metadata, and you leverage the metadata in your line of business application, you can automate a lot of your compliance activities. This is the goal. So what does this pipeline look like? How am I enriching the data? Again I’m classifying it. I might classify it based on a vertical industry or a regulatory compliance. You know, maybe this is oil and gas content and it’s a well log. Is it categorized doc type, or it’s PII information and it comes from the healthcare industry as a categorization. Again I’m putting all that information I collect into a catalog as metadata. Then I’m gonna leverage that catalog later. But I can further go, and the technologies have caught up now with AI and machine learning that I can also apply rank, relevance and relationships. So I can rank this piece of content when I know what type of content it is, I know what type of information is in that piece of content, and I can score how severe or the risk is in the case of PII. Is it just a phone number? It has a low risk. Or is it a person’s social security number or medical records that’s a high risk? I can also provide some relevance to that document, which is basically, how confident am I that I correctly scored it to begin with?
And I can use these score systems later for things like exception handling. This has a high risk classification but a low risk relevance. Maybe I wanna throw it into an exception queue and let someone look at it and confirm that it’s really a healthcare record that’s of high importance. And I wanna again make sure I treat it that way. And we’ve talked about connect the dots that are linked to PII. So we wanna see those relationships within content as well. One individual piece or record by itself may not be relevant. But if it’s related to and linked to or combined with two other pieces of information and content, it now becomes an exposure. So what are those links and relationships? Again and here’s an example of what that might look like specifically for a piece of content that came in and got originally classified at a high level as PII, and then its document type was this low risk online member form, or is it a high risk something that came from my doctor’s office? Again, for those compliance officers, it allows them to do a query in your repository and say, “I wanna see all of my personal health information with a high risk that would determine that it’s,” excuse me, “a severe catastrophic adverse effect if this information got into the wrong hands. Someone could potentially change my dosage if they were very malicious. And if that dosage got changed in my database of the doctor and the person we’re prescribing to, they could overprescribe the customer, mix medications that would cause this person a severe catastrophic effect.” So these scores in ranks and relevance allows you to have a very good handle on your content so you could then apply automation, rules and triggers within your regulatory initiatives within your line of business applications. So earlier we talked about some of the PII regulations and themes and principles. Those are on the left.
And on the right are some of the features and functionalities that are common in most content management applications. So privacy by design. I have to limit the scope and purpose and access that someone has to this content. If I’m classifying it through the pipeline, I can automate an access control list. I can automate who has access to this document by groups or individuals based on the classification. I can set up this rule in my content management system and it becomes an automated compliance initiative. Further, I have to limit the scope of storage. How long do I keep this information around? Content management systems have retention policies. If it’s this type of classification, keep it for 30 days and then delete it, keep it for seven years, then delete it, whatever those retention policies are. But you’re gonna leverage something that’s already there to help you with your compliance on limiting your scope of storage. “Hey, I’m a data subject. I wanna see, Target, what information you have about me. And once I see it, I want you to go in and delete it all.” So the ability to search and discover so I can look up in these content management systems by a customer ID, by a person’s name, I can see all the content related with them, I can export it and share it and I can delete it from the system if requested to. Notification of data breaches, activities, your activity logging, and red flag metrics, like normally there’s a flow. Hey, if all of a sudden that flow, there’s a spike, where there’s hundreds of thousands of downloads where normal data is a thousand downloads, that all gets in the audit log. I can automatically get notified as an administrator or Data Protection Officer and I can see those breaches or get aware of ’em sooner than later so I can meet my requirements to do the notification within 72 hours of a breach. Encryption at rest and in transit, as I’m developing something, I’m dealing with customers’ data, it better be encrypted.
I think Heather had that on her slide as well. It’s like there’s trillions of things that got broken into. But I think it was like 4% were, you know, not encrypted. So most of it was not encrypted that got accessed. If it was encrypted, that was only 4% of those 14 trillion that got access to because it was encrypted. So make sure your stuff’s encrypted. In summary, the technologies are out there today and content management solutions. Most people have kind of invested in those already, and they can be leveraged with new technologies of machine learning and AI within those capture pipelines to look for those patterns, to auto-classify, and auto-provide rank and relevance and use that metadata, passing it on to your content management, your line of business application, and where you can then align your regulations to have automated responses based on that metadata that came through the pipeline. So that’s our presentation for today. And hope you enjoyed it. At this point, I think we cross back over, let’s see here.
Nicci: The one question we have for Heather now, if CCPA is only California, then is the regulation regarding where the data is physically kept or where the person is from? And that’s from David Chase.
Heather: Where the person is from. So even though it’s California, it’s gonna reach everybody in the country because unless you are a mom-and-pop store right on the corner of, you know, Iowa, California is one of our largest states. So it’s about their residence. Think of it from the point of view of, it’s really who owns personal data? Let’s say I lived in California. It’s protecting me and the companies I am doing business with no matter where they live or where they do their business. It’s where I live. And I live, say, in California.
Nicci: That’s definitely a great question, David. And I want you to know, if anyone has any further questions beyond this, you can always reach us at firstname.lastname@example.org. And then Heather, did you have an email that you wanna share if anybody has any specific questions?
Heather: Yeah. I don’t normally give it out, but, you know, when I do big presentations. But email@example.com, T-E-C-H. Reach out to me directly, LinkedIn me. You’ve got questions, I’d love to help you, like to be a resource. If we don’t do the services, then I can direct you to people who do.
Nicci: Great, excellent. Well, I’d really like to thank our speakers again. This was excellent information. I learned so much today. I’m so grateful for this. But yeah, just make sure and let us know if you have questions, everybody, and have a great rest of your day.
Jason: Thank you.
Heather: Sounds great. Thanks.