Talking data privacy with the Data Diva

They call her the “Data Diva.” Debbie Reynolds, Founder, CEO and Chief Data Privacy Officer at Debbie Reynolds Consulting, is a thought leader in data privacy and cyber data breach response. We spoke with Reynolds about her work and her recommendations for keeping an organization’s data safe.

What areas do you concentrate on?

Reynolds: I’m a technologist who works at the intersection of law and technology. I work with organizations on digital transformation and helping them set up plans for data privacy programs. I work a lot with emerging technology companies – those that are bringing more technology-forward applications to the market, like virtual reality, augmented reality, mixed reality. I work with anything that you can think of that collects data on individuals.

My specialty is international data transfer. So a U.S. client might approach me because they want to sell a product in Sweden. I figure out the data privacy implications of that across the board.

Data privacy differs with jurisdiction?

Reynolds: There are tons of regulations about data privacy in different locations. I think the thing that corporations are surprised about is that the data regulations that they may be subject to in their location are different, based on the people they have data on.

Let’s say, you have a business in Indiana. You would need a license to do business in Indiana. But then let’s say it’s an internet business where you’re selling data or selling products to other countries or other locations. You may be subject to laws in those other locations, just by virtue of the fact that you have data of individuals in those locations, and they may have different rights based on where they’re located.

That can get complex.

Reynolds: Different states have varying data breach notification laws; they have different requirements, different definitions of what personal data is, and different interpretations on what level of data breach requires reporting.

The Federal Trade Commission (FTC) also has rules about data security. Typically, when someone thinks of a data breach, they think someone broke into the organization and stole something. But the FTC may consider it a breach of security if you transfer a person’s data to a third party without the person knowing.

In regard to securing data, what are the most important things organizations can do?

Reynolds: With outside risks, you don’t want to be the low-hanging fruit. In other words, you don’t want your organization to be the one a cybercriminal targets because your security isn’t up to par. So organizations need to do the simple, unsexy things like making sure that the servers you use are patched. Make sure the devices that are used within organizations are patched.

We all get those pesky notifications on our computers about updating your system, right? A lot of people ignore those or they don’t restart their computer. But those notifications are really important because they’re saying, ‘We know of a threat that’s out there, and if you do this upgrade or update, we’ll help to protect you.’ A lot of companies don’t keep up with those security patches.

A lot of security threats come from within.

Reynolds: Yes, you have to educate your workforce. A lot has to do with password sharing. Let’s say your company uses accounting software. You may not have enough licenses for everybody so you share the same password. If a disgruntled employee leaves the company and you don’t change the password to that software, they still have access to that data.

And it’s not always a disgruntled employee who poses a threat. Phishing is a huge threat. Employees can get an email where, if they click the link, they’ve let a cybercriminal into your infrastructure. [Phishing attacks hit their highest number ever in Q3 2021.]

Shadow IT is also a threat.

Reynolds: Very much so. Let’s say your organization shares documents in and out of the organization using Dropbox. But someone doesn’t like Dropbox and decides to use Google Docs. They start an account and put work information in that account. If that person leaves the organization, there are now data spaces that the organization doesn’t know about.

It’s really important that employees use apps that are blessed by the organization. It’s not about stifling individuality. The company has a responsibility to protect data and shadow IT makes it more vulnerable.

New forms of tech can pose risks as well.

Reynolds: I work a lot with IoT device makers. These devices are all collecting data about you. So you definitely want to be able to lock down those devices and know what they’re doing. I’m hoping to see more legislation around security in the IoT space. Companies are trying to push out these innovations as fast as possible, because they know the law lags and they can collect a lot of data in the meantime. If we don’t catch up with regulations in terms of tech, we’re not going to be years behind—we’re going to be light years behind.

Ms. Reynolds has been named to the Global Top 20 CyberRisk Communicators by The European Risk Policy Institute, 2020, and recognized as one of the stellar women who know Cyber by Cybersecurity Ventures in 2021.