Published: May 16, 2023
By TalPoint Marketing articles
On April 5, 2023, TalPoint hosted a webinar on Privacy in 2023: News, Trends and Best Practices. The conversation was led by Jordan MacAvoy, Founder and CEO of TalPoint, with esteemed privacy expert Dr. Maxine Henry as the speaker. Below is the full transcription of the conversation; a recording of the webinar is also available.
Jordan MacAvoy: Thank you everybody for joining us today to talk about privacy in 2023. Today we’re going to be covering news, trends, and best practices when it comes to managing your program. Before we go ahead and get started, I’m gonna go ahead and introduce both myself and our fabulous speaker today, Dr. Maxine Henry. First, I’m Jordan MacAvoy, founder and CEO of TalPoint. For those of you who aren’t familiar with us or what we do, we’re an information security focused marketplace that connects businesses to subject matter experts like Maxine in the areas of security, risk, privacy and compliance. And today, I’m joined by Dr. Maxine Henry. Dr. Henry is a privacy expert with deep knowledge and experience across many areas of security and compliance. She’s worked with well known publicly traded companies and private enterprises, and she’s helped advise governing bodies on how they can craft privacy policy. And she has broad knowledge of a variety of different frameworks; you can see the long list below her picture on the screen. And we’re excited to have her here today to help us demystify what’s going on in privacy. And without further ado, let’s get into the agenda. So today, we’re going to be covering the state of privacy: what’s going on at the state level, at the federal level, things going on globally that you may or may not be aware of. We’re gonna get into emerging topics and trends and things that are going on that you should be aware of, because they’ll impact how your company is managing your own privacy program. And then we’re gonna get into some details around how you can navigate all these challenges, but also, you know, focus in on creating a program that’s scalable and enduring. And so with that being said, Dr. Maxine, thank you for joining us. And we’re excited to be talking to you today.
Maxine Henry: Hello, everyone, and welcome to the privacy outlook for 2023. Hopefully I can share some good information with you. So just a couple of things: some current privacy laws, and some features of the laws that have taken effect recently. So just the current state of privacy in the US for 2023. Right now, there are five states that have privacy laws on the books, which are California, Virginia, Colorado, Connecticut, and Utah. A couple of these laws actually go into effect July 1, that would be Colorado and Connecticut, and then Utah will go into effect December 31. Now, one other thing about the current state of privacy in the US: there are currently 19 states that have active legislation in process, meaning they’ve either introduced bills, some of the bills have passed, they may be working them, but there are 19 states that are currently working on privacy laws. And then I think there are 22 states that have done absolutely nothing. And we don’t see any action or any new laws or any type of bills or legislation being introduced in those states. And you can take a look at the map there.
Jordan MacAvoy: Maxine, just a quick question. For the 22 states, is the prevailing thinking there that those states are waiting for something to happen at the federal level?
Maxine Henry: Good question. I believe that is what they’re waiting on. However, we do know that there is a privacy bill that has been introduced. And I do believe those states are waiting for that legislation to pass.
Jordan MacAvoy: Awesome. And just so all our attendees know, if you do have questions as we’re going along, feel free to pop them into the Q&A section. We’re going to have some time at the end to get into questions. So, jumping back into the presentation.
Maxine Henry: So current privacy laws have some common features. They apply to controllers, and they also must meet a certain threshold for revenue and volume requirements. Consumer rights are like the biggest thing that you should know about these particular privacy laws. That means that consumers now have some rights to opt out of being targeted for any type of advertising. They have a right to request their information, have their information deleted, actually make sure that it’s accurate, or request a copy of the information from the company. So that’s one big thing. And then it also sets restrictions around what can be collected and how it can be processed in terms of sensitive information. And then any contracts that you have with third parties: language has to be in those contracts related to data privacy and the collection of PII information. Also, the five states, all of them have exclusions for any law that’s already on the books that protects PII information; that would be HIPAA and GLBA. Next slide. So California, the great state that I live in, passed CCPA several years ago. And now the CPRA changes actually go into effect, which actually amended some of the provisions of CCPA. And the first, most important one for any business that has employees is human resource data. And business-to-business contact data is now in scope in California. Also, one of the other things that is kind of critical is that contractual agreements have to have language specifying the data that you’re collecting, who it’s shared with, and how that information is handled as well. And then the other thing is contractors are also now in scope in California. Unfortunately, a lot of people here work on a 1099. So that actually brought those individuals in line with CPRA as well. And a couple other things about California: there are data minimization standards that have been put in place also, as part of CPRA.
That means the collection and sharing of information has to be protected. And you can only use it for the process that you’re actually collecting it for, meaning once you collect the data, you can’t expand your scope without providing a consent notice to the individual. Next slide. On the privacy front, the American Data Privacy and Protection Act is still in Congress; it’s being debated. I think the last update that I got on it was late December. It has moved a couple of times, the language has been changed, but we still haven’t seen much traction on that and don’t have an idea of when we can expect to see a final bill for approval. Also expect to see more aggressive enforcement by the FTC around children’s privacy. This is one of the big areas that a lot of activity and enforcement action for the FTC has been focused on lately, because a lot of children’s data has been breached, because they are on a lot of these social media applications. So that is one area where I would say you want to keep your eye on. And then also, in the area of AI, a lot of companies are using AI in their processing. And note that data could be breached, and a lot of it will have PII information in it. So that’s another area where I expect to see some enforcement laws and some changes. And then unfair data practices, meaning how you’re collecting the data, what you’re doing with it, how you’re storing it. And then the SEC has also proposed cyber disclosure rules, and we expect to see those take effect sometime this year. And there are two sets of cybersecurity rules that are proposed as part of that: one is notice, and the second is rulemaking. And then just so you know, a couple of these companies that are listed on this particular slide have actually been fined by the FTC, because they either breached data privacy regulations or because there was some unauthorized exposure of privacy information.
So there were fines levied against some of these companies, and some of them were pretty hefty.
Jordan MacAvoy: Maxine, just a quick question on the fines. Any sense as to the size of fines that companies are facing these days?
Maxine Henry: Ah, several million. There have just been several of these particular companies where the fines were a couple of hundred million, 25 million; I think one company had a $245 million fine. So they’ve been pretty hefty. And I think it really just depends on a couple of things: one, the type of data that’s been exposed, how it was exposed, and the volume of records you have. So of course, the more voluminous the exposure, the larger the fine. Awesome. So on a global front, data privacy laws have constantly been evolving. And Europe has been really, really, really busy. They’ve pushed through three major data privacy acts in the last couple of years. And one of them does take effect this year. And then also, they have proposed a new law. So the European Data Privacy Act, which actually goes into force in June, is really around setting up governance for how data is to be used; it creates a framework for trust and privacy for sharing data back and forth. And then the Digital Services Act, the DSA, goes into force in January of 2024. It’s regarding electronic transmission of data, and it actually updates the EU 2000 Electronic Commerce Directive. So if you’re familiar with that, this one actually replaces that; it goes into force in January of 2024. And then the Artificial Intelligence Act, the AI Act, was a proposed law that’s supposed to focus on common regulatory requirements for artificial intelligence. So there’s been some work on that. I don’t believe it has passed as of last week, but it is a proposed law. And then in the US, the Digital Markets Act, the DMA, went into effect in February of 2023.
It basically looked at online transactions, online commerce, information that is passed across, I would say, advertising companies regarding illegal content, transparency of any type of activity or data that you’re transmitting as far as advertising, and then also making sure that there is some transparency and no distance.
Jordan MacAvoy: Awesome. And it looks like we had a comment in there from one of our attendees, who mentioned that besides the fines, they’re also forced to stop the infringing practices.
Maxine Henry: Yes. So our next privacy news is around third party cookies. Let’s say goodbye to those cookies, bye bye. They are going away. Actually, a couple of companies, Safari and Firefox, have already phased them out. So what are cookies? They track your movement, they target you, they measure your activity so that advertisers can use that data to serve you up, of course, products and services. And Google is actually phasing theirs out for Chrome at the end of this year. And so basically, cookies will be functionless, and we won’t use them. And then why this happens, and what does this mean to you as a consumer? Basically, prior to the data privacy laws coming into effect, you had little to no control over the information that’s collected and shared and used to analyze your buying and, I guess, your internet usage. Now, with the data privacy laws coming into effect, especially California, it gives you control to opt out, to tell the companies you do not want them to track your movement or the sites that you’re looking at. So it puts the power back in the hands of the consumer, who will basically have the ability to block and delete tracking activity. And then privacy news: complaints and litigation. So last year, we kind of had a record number of new complaints, especially in California, related to data breaches and unauthorized access to privacy information. And these three areas were primarily, I guess you could say, two of these areas were primarily California related and then one actually extended outside of California to Illinois. Website tracking was one of the major ones, where of course you visit a site, it captures your personal information, it’s collected and it’s stored. And then they use that information to do whatever they want to do with it, whether to analyze it or to sell it to someone else.
And then as a result, there was a violation of what they consider anti-wiretapping law, and companies like Zillow, Lowe’s, I believe Expedia and AutoZone, just to name a few, were some of the ones who actually had complaints filed against them because of this. And then on the next front was the Telephone Consumer Protection Act, TCPA. This is where you get these robocalls or automated calls sent to your phone. One of the problems with this is that sometimes they’re able to capture any texts or any information on your contacts. And as a result, violations of the TCPA also have been more aggressively enforced. And then BIPA, the Biometric Information Privacy Act: the first lawsuit concerning this one came out of Illinois, and I believe it was Rogers versus BNSF Railroad, where they were collecting fingerprints of individuals. And they had done it over like a six-year period, and I believe there were over 46,000 instances where this occurred. And they did it without the individuals’ consent. And they kept that information in a database, and somehow or another, it got exposed. And then, just below, you’ll see some other companies that were hit with fines that were involved in violations or related to data breaches as well. Next slide.
Maxine Henry: All right. So major, major privacy trends for 2023. Of course, the elimination of cookies. The US-EU Privacy Framework is still kind of in development, and that basically takes over the Safe Harbor agreement that we had with the EU some time ago. I know there’s still some work on it, and hopefully we’ll get it nailed down so that there’s a solid process and a framework for EU-US data transmission. One thing I will share with you is the EU did a study, and they found that, where the EU had initially thought that US companies’ cybersecurity was not as solid or strong as the EU’s, they have now determined that companies here in the US have a strong cybersecurity foundation for their organizations as well. And then another trend is protecting children’s data. I can’t say much more about that. I know there’s a lot of, I guess, scuttlebutt in the privacy world about how to protect children’s data, what data companies should be allowed to have, how to have the FTC and some of the other privacy laws start to enforce against companies that violate the utilization and collection of children’s data, especially when that data is caught up in a privacy breach, or it’s just an unauthorized disclosure. Cross-border data transfers, of course, that goes back to the EU. And then vendor due diligence is also starting to take a little bit more of a prominent phase, because of the fact that so many companies do business with second, third and fourth parties, and we’re sharing data across to those companies all the time. A lot of that data is PII data, and a lot of those companies have been breached. And as a result of it, it’s raising the question: who’s the data processor, who’s the data controller, who’s responsible for securing that data?
So just keep in mind that you should be doing some due diligence with your vendors to make sure that their systems are as secure as yours. And then additional privacy trends; I’ll just make a note of two that I think are most important. One is the NIS Directive, NIS 2, which is actually going to be like the cybersecurity framework for Europe. So keep that in mind. If you’re doing business in Europe, you will want to take a look at that particular directive and figure out how to align with the requirements of it, because it is going to be something that the EU is going to start pushing forward with all of the companies that do business there. And then the other thing would be data localization, because a lot of companies have financial information. One of the things that has happened, especially in some of the Asia Pacific companies, is they have data localization requirements, meaning that if data was created there, it has to stay there. So just be aware of that. And then increased, should I say, requirements around company health data. And this really looks at extending your reach for how data is used in your organization, not just on your laptops and your computers. But also, a lot of people are using their phone to take meetings and to send notes. So if PII information is also involved in that process, and you’re storing it on your phone, be aware that there will be some more requirements probably coming.
Jordan MacAvoy: Maxine, just real quick. We have an attendee who just popped in another quick comment around the California Age Appropriate Design Code Act. If you could just provide a quick commentary on that for our attendees: is this one of the next big trends in privacy?
Maxine Henry: I believe so. Because, like I said, a lot of the breaches that have happened of late have also involved children’s data. And part of what I think is going to happen is that there is already COPPA, but I believe that is going to be modified or updated, or there may be an additional law that will come down the pipeline real soon, because we know a lot of children are online. They’re on Facebook, they’re on Instagram, probably not so much Facebook, but they’re on TikTok, they’re on Instagram. So they, you know, they’re sharing information and sharing some of their personal information, and as well, they’re setting up their accounts. So these sites have been breached, and their data has been captured. So one of the things that I think is going to happen is that the legislation is going to start looking at, you know, how do we protect that data? What information should you be capturing as well?
Jordan MacAvoy: Interesting, we have a TikTok question as well; we’ll save that one for the end. But it wouldn’t be a privacy webinar without one.
Maxine Henry: Exactly. So if your company is involved in collection of any type of personal information, this is probably your current landscape. You know, as I look across the states, five years ago, when GDPR came on board, you knew that if you were collecting credit card data, you had to be compliant with PCI. You also knew that you had to be responsible for any type of Sarbanes-Oxley requirements, the SSAEs, which at the time I believe was 16, and now it’s 18. And then GLBA. So given the fact that we’ve thrown five other states in there, that makes your privacy requirements much broader, and they have to be a lot more stringent. So here’s where TalPoint can really help you with mapping the requirements that you have with the different types of privacy requirements that your organization will need to be responsible for, and help you set up a real practicing program to address all of the requirements for privacy across your organization. Next slide.
Jordan MacAvoy: Awesome. And interestingly enough, I haven’t seen the updates that are on this; I don’t know if you have any thoughts on that, Maxine. There was a number published by Gartner in 2022 saying roughly 10% of the world’s population is covered by a privacy law today. But they forecasted that by the end of either 2023 or 2024, it was going to be up to 65%.
Maxine Henry: And it is, because everything we do, if you think about it, everything: if you go on a site and you sign up for, let’s say, you know, just to get an email notification from a company, or if you purchase something, you’re giving them your personal information. So yeah, I believe that to be true.
Jordan MacAvoy: Really interesting. Yeah.
Maxine Henry: So let’s take a look at how your organization has to overcome some of the pain points for privacy. And I call this my 555 plan, or my 555 outlook, on how your organization should take a look at privacy, some of the issues that you as an organization will run into. And I kind of grouped these into three major categories and five items each, and I’m just gonna touch on a couple. The first one, in terms of organization, is understanding your data sources and your use, meaning your justification. For us, that is critical, especially if you’re doing business with California or the EU. That is one of the major things they look at: why are you collecting and using this information, and do you have a justifiable business reason? And then the next thing is, can you respond to a data subject access request, meaning I’m a consumer, I want to know what data you have about me, if it’s accurate, if I can ask you to delete it. That particular thing is one of the key driving forces for GDPR, and also for California; you also have to be responsible to make sure your organization has a way to respond to customer requests as well. Under privacy and security, looking at your technology and your assets. That means understanding what systems you have, where that data lives in those systems, and what processes are associated with that technology and your assets. And then putting in place some type of data minimization, whether you use anonymization or data masking, to protect the information that you’re collecting and processing and sharing. And then look at the volume of data that you have and think about what happens to my organization and my customers if I have data loss or data quality issues.
Under data governance, you want to take a look at your data privacy lifecycle end to end. That means from the beginning and creation, whether you’re capturing this information off a website, whether your customers or your employees are providing that information to you, all the way until the end of that lifecycle, when that data is destroyed. You’ve got to classify that information, make sure you understand who has access to that data, have a retention policy in place for all your data types, make sure there’s a written, detailed, documented destruction policy, and conduct data assessments periodically. Now, here’s another area where TalPoint can really help you, because they have a process and a plan that can take you through putting together an entire data privacy program, and how to manage the retention and destruction and make sure that it’s defensible and documented. Next slide.
Jordan MacAvoy: Maxine, just a quick one, kind of trying to keep it a little bit more conversational. But we are getting a bunch of questions, which is awesome; we have a super engaged audience. One of the questions, which is specifically on this topic that you just mentioned, is, you know, if you’re a smaller company and you don’t have a large enough team to help with privacy, you know, obviously TalPoint can help, but where do folks get started? Do you have any thoughts on that?
Maxine Henry: Well, I think the first thing you have to do is take a look at the data that you’re collecting. Do you meet the threshold for each of the locations that you’re doing business in? If you’re not doing business in Virginia, then you don’t worry about Virginia. But if you’re here in California, and you meet the revenue and the volume threshold, then you know you’re in scope for CCPA. If you’re not doing business in Europe, as it relates to GDPR, then you know you’re not in scope for that. But what I would do is probably contact TalPoint and ask them if they can do an assessment of your organization; that would at least give you some idea of where you might have gaps. And then you can work with them, like on a project basis, to really kind of figure out what you need to shore up in your organization. I know a lot of companies are small, and a lot of companies may not necessarily be in scope for CCPA or CPRA or GDPR. So you have to first take a look at what you have in terms of your data sources, the systems that you have the data on, and then determine exactly where your gaps are. So I would start there, and probably reach out to contact Jordan and have him work with you to do an assessment first, and once you have that assessment, you could work on your gaps. You could work on them independently of TalPoint, but my recommendation would be to work with TalPoint to have them help you remediate those gaps and get your compliance program in shape.
Jordan MacAvoy: Jumping back into the presentation. Next slide. There you go.
Maxine Henry: So how do we future proof our privacy program? So I have just kind of put this into five buckets. Now, when you look at privacy, depending on the size of your organization, if you have a small organization and you have more of a domestic footprint, there are about 45 things that you need to do. But if you’re a large organization and you have a global footprint, that list can go up to like maybe 110. So just be aware. Here’s where TalPoint can really help you identify what those data points are that you need to comply with, and how your organization needs to structure your privacy program for longevity, because we do expect more states to come online, and they all have similar features and similar elements to them. So you want to build a privacy program for the long haul. You don’t want to just do a one-off; you want to build a privacy program so that as these additional states come online, your privacy program can handle it and you can be compliant with them. You may have to make additional changes to contract language or update your policies, but that’s the minimum scope that you will have to do. So the first is identify your data, and I think I’ve talked about that; assess your data. And then, sorry about that. That’s okay. And then take a look at how you secure and protect your data. Put together a vendor management program, and then scope your organization for continuous improvement and continuous monitoring.
Maxine Henry: And I’m gonna get into how you take a look at this at a high level. The first thing you want to do is develop a data inventory of all your assets. And it needs to be comprehensive; that means not just your on-prem but your cloud applications, any applications that you’re using as integration points between you and your third party vendors. And then discover all the data and the data sources that you have. Classify that information, tag it, label it, so that way you know this is PII, this is confidential, I need to make sure I protect this, this needs to be behind a firewall, etc. So you want to look at your devices, your applications, your cloud services, your on-prem, your third party vendors, and then take a look at your email, check your applications and integrations and any information that you receive; those data types will help you identify your PII data. Now, once you do conduct your discovery, the next thing to do is to assess your organization to see where you are in terms of established privacy standards. And you can use a cybersecurity framework for this; I recommend one that has the privacy elements in it. TalPoint can help you pick the right one. And use that to set up your controls and to assess your organization against all of the elements that you have for your devices and your data types and data sources. And then once you have that inventory, you can assess your organization. It’s always best at least to have an independent assessment done the first time, because that way, they will get to the nitty gritty of where your gaps are and help you form a proper remediation plan that can be done in a reasonable amount of time. So TalPoint can actually reach out to you and help you with this process. But this is going down the path of building your privacy roadmap or your privacy plan.
Maxine Henry: Then the next step would be the securing and protection of your information. And that’s establishing your data privacy, protection and security measures. And here is where I think you need to focus on privacy by design and the seven principles associated with it. That’s the information management system, the risks, controlling your risks, looking at the laws that are applicable to you, meaning what privacy laws do I have to adhere to, establishing a management process and a plan, and then protecting your systems, and then access control, incident response, business continuity and disaster recovery. I put those in the last bucket because when you look at the privacy principles, that is one of the key areas that is impacted when there’s a breach. So here, you want to understand what your privacy requirements are in relation to the types of data that you have in systems. And then you want to make sure you apply the necessary controls to protect those systems and to protect the data. And then you want to use the privacy by design principle. And that starts from the beginning, from when that data is first created, all the way until that data is destroyed.
Maxine Henry: Now, your vendor management aspect really is very critical. And like I said earlier, one of the key areas that you’ve seen with data breaches is that information was shared, or it led to a breach over there with unauthorized access, and somehow it will involve your vendor. When you share information with another party, that vendor should be responsible for the data just like you are. So you want to look at your applications, you want to look at any APIs that you have, how you are putting PII on any type of exchange like SharePoint, or if you’re giving vendors access via OneDrive or EDI. Make sure you have ironclad agreements with those vendors and that you do your due diligence. That means from the onboarding of that vendor, your procurement process, your contracts, you make sure the language is in that contract to protect you and your customers when you share their information. And then access: how you grant them access should be documented. It also should be noted in the contract how data is going to flow. And you need to assess those vendors annually to make sure that they are living up to their contractual agreements and their SLA. God forbid one of your vendors has a breach, and then you’re drawn into the process because you don’t have the right contractual agreements, and you haven’t done an assessment on the vendor at all, and you’ve been doing business with them for a while. So take a look at your applications, make sure all of that information is specified in your contract, and then monitor the vendor; make sure that if any kind of risk comes up or any kind of breach comes up with that vendor, it’s noted. This is why you want to assess your vendors on an annual basis on some level, and make sure that there is a breach management and reporting process established between the two of you.
So set up onboarding and an ongoing process to assess your vendors, and make sure that your vendors are adhering to their contractual agreements just as you are with them.
Jordan MacAvoy: Maxine, just a quick question. How often do you recommend, once you’ve done that initial assessment and onboarding, that folks do regular assessments with their vendors?
Maxine Henry: I would suggest annually. Some companies that you do business with will have SOC 2 reports, and they’ll send you that report annually, or they’ll send you the every-three-year report. But as a result of it, I would also, if for no other reason than to protect myself and to provide a defensible position if I’m ever breached or put in a situation where a violation complaint has been brought against the organization, have an annual assessment of my vendors.
Maxine Henry: So then continuous monitoring and improvement. So here is one of the main things that you as an organization can control. You may not be able to control someone breaching your organization. But if you put the right protocols and security controls in place, you should be able to bring those to a minimum. First you want to assess all the information, you want to validate that information. And then that is part of the reason why you want to have an independent assessment, and TalPoint can conduct one of those for you. They can take a look at the way your data is structured, how your data is structured, where it’s located, tell you, oh, your application here has a weakness, or you don’t have the right security controls on this particular application. So your data is subject to data leakage or data loss. And then make sure that once you have that assessment done, you go back and take a look at how you need to remediate any of the gaps that are found. Look at the cost of making sure that those remediation items have been completed; it may be costly, but the fines will be more costly. And then protect your information. Take a look at how you need to structure your applications, your security controls, your configuration management, your change management; all these things go into your protection response process. Protection activities will take a look at which policies and procedures you have in place, and then also make sure those things are mapped to some cybersecurity protection controls. So that in the long run, if you are breached, you can have some defensible documentation to show to the authorities: hey, we did everything we could, but we got hacked and we got breached anyway. And they will take that into consideration. Doing nothing is kind of like not the best approach. And then how do you respond?
Well, once you have all this information, you have your assessment done, you have your controls mapped, you look at your data, what is your response if in fact you are breached? How fast do you get your red team together, and they actually do the necessary investigation to find out how that breach or unauthorized disclosure of data occurred? So it’s important that you have that documented, it’s important that you have a plan documented, and not just a policy, but an actual plan. And you should test it periodically to make sure it actually works. And also part of that, which is not mentioned here, but training is also very, very critical. And then take a look at privacy and security, the framework that you need, that you select. I can say I would suggest picking the most comprehensive one, and try my best to become compliant with that one. Your security controls and objectives will be your guiding force for what you need to do, and how you need to do it. Make sure your policies are updated and your procedures are linked to your policies. Define and have a vulnerability management plan. And then manage your vendors. I can’t say that enough.
Jordan MacAvoy: We have a great comment here: prioritize vendors based on data shared, if you have a lot of vendors.
Maxine Henry: That is correct, prioritize vendors based off of the data that you share with them. That is one of the things that we know. Here are the vendors, here’s the data, here are your data types, but you won’t know that unless you classify your data.
Jordan MacAvoy: And I think that the takeaway on this slide, and Maxine, I believe this is our last slide until we get into some Q&A, is no matter where you are, there’s always room to go up, right?
Maxine Henry: That’s correct. There’s always room for improvement. And one of the things that TalPoint can do is they can help you not only build your data privacy program, they can also help you set up a roadmap for maturity and to build metrics for privacy so that you can manage and govern how your organization is doing in relation to privacy. It doesn’t do you any good, you know, to set up all this stuff and not look at it from a metric standpoint, and look at it from your performance. Awesome.
Jordan MacAvoy: So just to remind everybody, if you do have questions, and we’ve got a number of them in here, and we’ll get into them in a second, feel free to pop them into the Q&A section. Before we do that, a very quick plug for TalPoint. We’re the host of the webinar; as you may or may not know, TalPoint is a security marketplace. We connect businesses like yourselves who are in attendance today with subject matter experts in the areas of security, risk, privacy and compliance. We do this in a super agile way. It allows you to move really fast and efficiently; we can typically save you money while also helping you to fill critical skills gaps. And then we do it in a really simple way: you get access to experts. Maxine is part of our network, but folks like Maxine who have deep subject matter expertise, and we become a conduit to connect with those hundreds of experts who are on our platform today. And then on the other side of that, you know, part of our job is working with our experts to make sure they’re happy and engaged and can do the great work that they’ve built their careers around. And so you’ll be connected with people who are not just really skilled, tenured, you know, experts in these areas, but also, you know, who really love what they’re doing. They’re passionate about what they’re doing. And they work with us because we help them focus more on the things that they love to do. So that’s the quick plug for TalPoint. We can get into some Q&A now. Here’s how you get in touch with us if you are interested.
Jordan MacAvoy: But Maxine, why don’t I jump in here and I can start to bring up some questions. First question is about AI. And we were chatting a little bit about this yesterday. The question is, what do you think about AI and chatbots, and, you know, all the changes in AI affecting the privacy industry? And I’ll kind of piggyback on that: the thing that we were talking about yesterday was just putting data into large language models, and how companies should even think about how their data is getting into these things. What are your thoughts there?
Maxine Henry: Well, AI is very interesting, because AI brings about, of course, you know, large language models that basically capture all this data, it does some type of analytics on that information, and sometimes information is leaked. The data can be memorized, and a lot of times it includes private information, causing privacy concerns. And one of the things that, you know, you can do, of course, is use differential privacy, which actually helps you analyze the data set and remove or mask some of the private information. I think there’s a lot to be done in the privacy space around AI. And I know it’s getting a lot of traction. So I would be cautious: if you’re using it, take a look at the information that’s contained in your dataset and try to proactively mitigate the risk of any type of exposure or data leaks.
Jordan MacAvoy: Yeah, I think it was Walmart, I don’t know if you saw this, but I did. They kind of jumped out and said, hey, nobody at Walmart is allowed to use this. And then they retracted that in the next statement. And so, you know, I think a lot of companies are very concerned about what employees are going to be putting into those models.
Maxine Henry: Yeah, I think so too, which is why, like I said, one of the most, I guess I’m not gonna say easiest, but one of the most common ways is to use some differential privacy tools to help me describe and identify the patterns in the data set that would include PII, and then maybe withhold the information about individuals within the data set using the DP. And it may not limit, should I say, the possibility that data could be leaked, especially if you’re using that data set numerous times, but at least it can give you a starting point, should I say.
Jordan MacAvoy: AI is gonna be a topic we’re talking about for a very long time as it relates to privacy. I mentioned TikTok earlier. One of the questions that we got was about the, I’m sure everybody’s aware of this, the TikTok CEO just was in front of Congress, I think two weeks ago. And the question is, with the heat that TikTok is taking, and just talking about federal privacy, is that kind of moment in time helping to escalate the conversation around getting a federal privacy law in place faster?
Maxine Henry: You know, I would love to say yes, but I know how our government moves a little slow. I think the fact that our president stated that TikTok should not be used on any government computer within any government agency is a starting point. But will that jumpstart or will that fast-track a federal privacy law? I don’t think so. What I am waiting to see is if there’s actually a ban on TikTok, and I don’t believe there will be. I could be wrong, but I just think that there’s a lot to do in that space in terms of looking at companies and applications like TikTok and determining where the boundary is between one’s privacy versus having the freedom of speech. So there’s a lot more to take in and to look at in that area. But I don’t think it’s gonna jumpstart, or should I say push, the Privacy Act any faster.
Jordan MacAvoy: Interesting. Kind of piggybacking on that, another question was just about all the new regulations, and how companies should be managing all these different regulations coming down the pike?
Maxine Henry: Well, so one of the biggest things that I would think you as an organization would want to do is first take a look, like I said, at the data that you collect, determine the states, and if there are any global implications for the work that you’re doing, because that immediately narrows the field, and then pull TalPoint in, have them do an assessment to help you really understand exactly what you’re working with, what laws you have to comply with, and within those laws, what are the clauses and the requirements that your organization has to be compliant with, and help them really develop a plan to manage all the different types of privacy laws and map that across the organization. And I would probably choose, like I said, the most stringent, most comprehensive privacy or cybersecurity framework, and that’s where I’d start.
Jordan MacAvoy: Interesting. I think we have time for one more question. And this goes back to the assessment portion. You know, I think you said before you start doing anything, you have to do that assessment to understand what your gaps are and what needs to be remediated. But how often should folks look to engage kind of an external third party to come in and do an independent assessment of their organization?
Maxine Henry: Well, I would definitely do one annually. If you’re managing an enormous amount of data, and you have a lot of applications, and you have a lot of PII data, an annual assessment is normal. And an annual assessment by a third party is even more so. That is one of the things that any authority, if you’re breached or you have a violation, is going to ask the first time: when was the last time you assessed your applications or systems, your processes, your procedures, your access controls? That’s one of the very first things they’re probably going to ask you for: let me see your assessment report, let me see your gaps, let me see your remediation process. So I would think you want to kind of make sure that you do this annually, and get an independent one. If your organization’s not, let’s say, in a position to do an annual assessment, because you have resource constraints, or you may not have the resources that have the skill set to do an assessment, hire TalPoint, and they can pull in the necessary people to do an assessment for your organization and give you that information, so you have it documented in the right format that is suitable and defensible.
Jordan MacAvoy: Awesome. We got one last comment, and I’ll throw this in at the end. But this shows the pace at which things are moving. So I guess Iowa signed their privacy law into practice last week. And so yeah, so things are just moving super fast here. And Maxine, I would anticipate that you don’t expect this to slow down at all. If anything, it’s going to be speeding up.
Maxine Henry: Yes, and Iowa did sign a privacy law. I don’t have the actual date on which it’s going to go into effect, but I believe it’ll be 2024. I do believe it will have a lot of the same features as some of the existing privacy laws. And I expect more laws to come down the pike before the end of the year, at least one or two more.
Jordan MacAvoy: Super interesting time for privacy. Maxine, thank you so much for joining us today. To the folks who are on, we appreciate you attending. If we can do anything to help here at TalPoint, our contact information is on the screen. And we hope to see you next time when we run our next webinar. Thanks everybody, and have a good rest of your day.