When Is Data an Asset and When Is It a Liability?


Data is the lifeblood of an organization, but only when you need it. When you collect too much, you put both your organization and the individuals that data belongs to at risk. For a long time, the wisdom has been to collect as much data as possible. So how can CISOs embrace data minimization that doesn’t clash with the needs of the business?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining me is my guest, Mario Trujillo, staff attorney, Electronic Frontier Foundation.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Material Security

Material Security is purpose-built to stop attacks and reduce risk across Microsoft 365 and Google Workspace with unified cloud email security, data loss prevention, and posture management. Learn more at material.security.

Full Transcript

[David Spark] Data is a key asset for any organization. But with increased prevalence of data leaks and compliance requirements, when does it cross over into being a liability?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode as my cohost, you always adore having him on. We get lots and lots of email saying how much we love Geoff Belknap. It’s Geoff Belknap, the CISO of LinkedIn.

[Geoff Belknap] Hey, everybody. And keep sending those two emails that we sent to David, saying we love me. I read every single one of them.

[David Spark] Well, those two emails, what they do is we just have an auto sender send it to us every couple of days to remind us. But, yeah, they say the same thing each time. But…

[Crosstalk 00:00:52]

[Geoff Belknap] And I need that validation.

[David Spark] We are validating you right now.

[Geoff Belknap] I appreciate you all.

[David Spark] Our sponsor for today’s episode is Material Security. Yes, secure your productivity suite with Material Security. And I’m going to explain how you can do just that a little bit later in the show. Today’s topic, Geoff… I’m very excited about today’s topic because of also who our guest is as well, because we don’t get a lot of lawyers normally on our show, but we do for a specific reason on this episode.

Let’s first talk about the topic. We’re seeing increased risks when it comes to organizations holding data. It’s not just from cyber attacks either. An increasingly complex patchwork of laws and regulations put additional risks of fines and other penalties on otherwise data hungry organizations. So, what framework should organizations use to determine when holding data has an actual to the business and when it becomes a risky liability?

And I think this is really interesting because it also has a lot to do with privacy concerns, and it’s a customer service issue here. And also a legal issue around privacy as well. So, do you think…? I mean, like spoiled milk, does data go bad?

[Geoff Belknap] I don’t know if data goes bad, but certainly the cost of holding data or the risk of holding data, just as you pointed out, increases over time. And when you’re faced with a very difficult challenge of protecting an enterprise or a business that uses data in any way, having more of it is riskier.

And it is not an easy thing to do have the conversation about when you should get rid of it or whether you should collect it at all, so I’m really happy our guest is here to kind of help us think through this very challenging thing that almost all CISOs, security and privacy professionals face.

[David Spark] Yeah, and it is a tough conversation to have with the business because the traditional response is, A, “We need it. It’s core to our business. We need it to market.” Sometimes it is technically the business, too, for that matter. So, there’s a lot of thorny issues to go through. And, yes, thrilled to have this person here with us from the Electronic Frontier Foundation, also known as the EFF.

It is one of their fantastic staff attorneys, Mario Trujillo. Mario, thank you so much for joining us.

[Mario Trujillo] Yeah, it’s good to be here. Thanks a lot.

Whose issue is this?

3:23.136

[David Spark] Aldo Febro, who is the CISO and privacy officer at Continuant, said, “A CISO needs to share three aspects of data collection to business units – financial impact, modern business strategy, and administrative burden.” Kind of nicely isolated there. Aldo goes on to say, “While information is an asset, properly managing assets is not cheap.

Modern businesses are also considering ‘asset-light’ as a strategy to be more agile and competitive. On the externalities, growing numbers of legal and regulatory compliance will for sure add administrative burden.” That is a really nice isolation of the problem right there.

Vaughan Shanks of Cydarm Technologies said, “Data management is determined by a combination of societal values, laws and regulations, organizational values, brand strategy, and organizational risk appetite. Assuming we don’t want to break the law or mislead stakeholders, we then need to decide where we want to be on the brand trust spectrum between data exploitation and respect for privacy, and what risks we are willing to accept in the event of a breach.” These are two really fabulous isolations of the complexity of the problems here.

Is there anything they missed in terms of…I mean in terms of sort of the simple part of this problem here, Geoff?

[Geoff Belknap] Oh, I think simplifying this problem is nearly impossible, but I think Vaughan and Aldo really did a great job here. You know, the more sensitive that I have, the harder my job is. The more I have to protect. And you always want to be having that continual conversation with the business that is collecting this data ostensibly for a strategic business purpose to help them understand that the more we collect, the higher total cost of the program, the higher the total potential downside risk is.

And it makes sure that the upside value and certainly the value that we’re creating for our customers, and our members, and the people that we are producing a product for is relative to the cost of having this data. That it makes sense. And in many cases, it does make sense to do that, but I think where we get into trouble is we just forget, and we kind of Hoover up everything that could be collected and just keep it forever.

And I think we now at this phase of maturity in the data space and certainly the data security space…we’ve learned keeping everything forever is not really reasonable, and there’s just not as much business value for that as people might have thought originally.

[David Spark] I think you bring up a really good point of just making sure the business is literally weighing the risk of, A, collecting the data, and, B, holding onto the data. Yes, they are making the risk decisions. But understanding those two very critical aspects every time they choose to collect it, that that is factored into the decision.

All right, Mario, what are the sort of variables you’re seeing when you’re working with organizations about these issues? Is there sort of an aspect of this that we’re not seeing here? That it’s like, “Hey, this is a risky area, too, and a legal minefield.”

[Mario Trujillo] From the security perspective, I think everyone is coming to the table from a cost benefit analysis or a risk based analysis, and that’s a good thing. And so there are all these different factors that you can kind of use as levers to pull on and off to enhance privacy. And so I see them as maybe in five large buckets, and I think the two quotes that you read from are pretty good.

But I see the first big bucket as a lawyer. I see the legal costs, and so that’s the legal costs of if something happens, if you have a data breach, if you’ve misused the data, how much is it going to be defend a lawsuit, how much is it going to be if you lose that lawsuit, how much is it going to be if you settle.

I think the second big bucket that I look at and that I’ve advised companies on before I was at EFF, when I was a privacy attorney for larger companies, I looked at the reputational damage, and that’s something that’s hard to quantify, but it is there.

If you have a data breach, are your customers going to come back? If you’re a business to business company, are the businesses going to sign up for your service? I think less another bucket that I look at is talent and employee retention. This one I don’t think is as big as the first two, legal costs and reputational damage.

But if you’re a company that is privacy focused, you can attract higher talent. You can attract security and privacy professionals who have those values, and you can lose those professionals if you’re not living up to that standard. And so I think that’s a factor. That’s not a large factor. And then the last thing is administrative costs of storing the data.

That can be just manpower. That can be money you have to pump in to create all these policies. But it can also be these tangential things that you don’t really think about.

And so I think about Google storing location data. They just came out with a blog post in December saying that they’re going to change the way they store location data, and that’s particularly because they were subject to thousands and thousands of what…these things called geofence warrants. And so when a company like Google stores data that it can access, other people are going to go hunting for this data – in this case law enforcement.

And so that creates this additional administrative burden that Google has to respond to these 5,000 search warrants. And so there’s a lot of these hidden costs that only show up once you’ve already stored the data, and you found out all these new uses from other people.

[David Spark] Your data could be of interest to others. And, yeah, that’s interesting. It’s not maybe a legal issue, although it is definitely some privacy concerns. But if someone wants access to it and it is someone with a warrant, and you’ve got it, you better produce it. And that’s going to only introduce cost, nothing else.

[Mario Trujillo] Correct, yeah. You have lawyers who are responding to that, but also it creates these secondary reputational damages as well. And so that creates another cost. The legal issues and the reputational issues, they’re almost always intertwined.

Does anyone understand what’s going on?

9:55.698

[David Spark] Duane Gran of Converge Technology Solutions said, “In sectors where they process high volumes of sensitive data, I’ve had some success promoting privacy impact assessments. Get line of business management to buy into reducing the exposure early. It helps when your colleagues already the data as having an element of liability.

If they don’t, you need to educate them on this dichotomy.” Aldo, again, Febro of Continuant said, “For business unit involvement CISOs should engage them in privacy impact analysis exercises.” So, similar to what Duane said. “Get them to be creative, to achieve the same business objectives with a more limited data set.” These are good, creative suggestions.

And Shantanu Bhattacharya of Siometrix, “Data captured can be categorized into four categories, essential for providing services, essential for compliance, desirable to derive interesting insights and others. First two categories need to be captured more often than not. The third category should be captured based on cost benefit analysis, and last category should not be captured.” So, I’m going to start with you, Geoff, again here.

You’re kind of nodding your head about like what should and shouldn’t be done here by Shantanu’s advice. But also, the advice from both Aldo and Duane about privacy impact analysis exercises for the business to understand I think are also very interesting. What’s your take?

[Geoff Belknap] I think these are all really great points. Before we get started though, I want to point out, this is not necessarily all on the CISO. Most organizations, if they are professional businesses, and they’re building those businesses strategically based on data that they are collecting from others, they almost always have a privacy function.

So, the CISO is going to be a partner to potentially the chief privacy officer or chief data officer. And this is something you should do together. I wouldn’t recommend a CISO do this completely by themselves. Always reach out to your best friend, the GC or the chief privacy officer. Or if you have a privacy council, do it together.

It’s going to be a great exercise. The other thing I want to point out is that the answer is most people don’t understand what’s going on.

Businesses are not individuals, but individuals make up the business. And all those individuals want to do the right thing for the people they’ve collected this data from or wherever they’ve gotten this data from. And if you can have this broad conversation about the categories of data, and what it matters, and how the impact of collecting that data is either from a security or privacy perspective, or even better, both, the more informed those people are, and, honestly, the better choices that they make on the long run.

I think it’s really great to think about the categories of data here, but I think the reality is most businesses are not going to collect data that they won’t use for a strategic business purpose.

Because the reality is, just like Mario talked about, it costs money to collect that data. Very few people are in business to collect data that they are never going to monetize, that they’re going to use for a strategic purpose, that might impact somebody’s privacy in a negative way. At least not intentionally.

So, I think it’s a little hard to make that determination. But at the end of the day, it’s really good, I think, to frame it this way, to get people thinking about how they should be making decisions when they make a product change or they implement a new feature, and it’s going to create a new pool of data that people like security leaders have to protect, and people like privacy leaders have to make sure you’re making good decisions about.

[David Spark] Excellent advice. All right. Have you done this privacy impact analysis or know anyone who has, Mario?

[Mario Trujillo] There are about a dozen state privacy laws that have come into effect in the last couple years. One of the sort of baseline privacy protections that are in almost all of those laws are privacy and practice assessments. And so I’m not sure if this was a thing that companies were doing beforehand.

But in the coming years as these privacy laws start taking effect… They’ve taken effect in places like Virginia, and Colorado, and California. Those privacy impact assessments are going to be required, and they’re going to be required to be turned over to the government when the government asks for them.

And so this is sort of a baseline privacy protection. You know, it’s actually finding out what’s in front of you. That’s a good start. That’s not the end of it though. You find out what’s in front of you, and then you create policies around these best privacy practices. But this privacy impact assessment is sort of the ground floor to do any other privacy work.

[David Spark] Now, I don’t know if this is your responsibility, or maybe you’ve heard stories, but have you seen an organization make an impressive sort of privacy leap to deal with it for their own security, marketing competitiveness evenness, even, and also to deal with all these new regulations that are coming?

Have you seen sort of any sort of impressive leap that a company has made?

[Mario Trujillo] Usually you see that leap after sort of a regulatory investigation, which is unfortunate.

[David Spark] Well, yeah. Usually it requires a push. It does, it goes, “Hey, guys, let’s shift all our business efforts to worrying about privacy concerns.” That usually doesn’t happen just on its own, does it?

[Mario Trujillo] I think it can happen with the help of lawyers and privacy professionals, at like creating a new privacy policy is a good first step to undertaking this analysis because the lawyers, the people who are writing that policy, have to understand what the company is holding, what they’re doing with it.

And so that can be sort of a good sort of yearly touchstone to do that.

[David Spark] Have you seen something that maybe is a common sort of behavior with a company, they’re like, “Oh, if you’re doing this, you’re going to get dinged,” kind of a thing? That everyone should look into this now. Is there a common behavior you’ve seen that sort of raises red flags?

[Mario Trujillo] I’ve seen a lot of litigation in the last couple years about data sharing with Facebook and Google in particular, like the storing of cookies that in a regular business might be sort of benign maybe, but it’s a particular company that holds sensitive data, or it holds data where you can infer a lot of sensitive behavior from that.

[David Spark] Is this something akin to Cambridge Analytica type stuff behavior?

[Mario Trujillo] No. So, let’s assume that you’re an online business that acts as a platform to medical therapy, and you’re sort of the go between, between the therapist and the consumer who wants the therapist. Let’s say you have cookies and pixels on your website that helps you with ad targeting. And so all you’re giving is sort of like a hashed email address, and so that seems a little benign.

But, yeah, you attach that to the sensitivity of the company, and you’re actually revealing that this particular user is looking for therapy, which is very sensitive. And so we’ve seen a lot of lawsuits around that kind of data sharing between Meta and other companies used for ad targeting and ad attribution.

So, that’s an easy example. There is a 20-year-old privacy law that protects the privacy of video data. And so any company that has videos that’s sort of sharing data with Meta and Google have been sued because they’re actually revealing the videos that people are watching, and that’s one of the few areas that’s protected by current existing privacy laws.

Sponsor – Material Security

17:54.224

[David Spark] Before I go on any further, I do want to mention our absolutely awesome sponsor, and that would be Material Security. Remember, I told you at the top of the show, secure your productivity suite with Material Security? Well, guess what? Microsoft 365 and Google Workspace aren’t just applications.

They may have been at one time, but now they’re critical infrastructure. These environments are home to all your people, your content, and your communications. So, securing these today requires a heavy set of disjointed tasks that leave blind spots and coverage gaps. Here’s what you need – Material Security.

It’s the only solution that is purpose built to address risk across this whole environment with the focus and depth required to make a difference.

So, Material provides a unified suite of cloud email security, user behavior analytics, and data loss prevention purpose built for both Microsoft 365 and Google Workspace. Material integrates in minutes via Microsoft 365 and Google Workspace APIs with zero downtime. Customers get a single tenant isolated instance and complete control over the underlying infrastructure.

Material works with organizations of all shapes and sizes. That means your size. If you’re using Microsoft 365 or Google Workspace, that’s you, and it’s your shape and your size. So, learn more about their advanced security for your cloud productivity suite at their site. It’s just material.security.

Go there, check it out.

What should we be measuring?

19:36.823

[David Spark] Rob Oden of Roblox said, “What is the reason you need to collect this data? Too often, we collect data because we can, and we might have a specific purpose rather than because of an identified need that can’t be met in other ways. This is similar to when cyber programs first integrated SIEM tooling, and we grabbed any data we could because we might have a need later.

It wasn’t until vendors like Splunk started charging per gigabyte that we began to purpose driven collection requirements.” And Yasir Ali of PolymerHQ DLP said, “Minimizing data collection up front can be a hard sale, yes. Understanding uses of data is usually a day two exercise that generally requires storing the user info somewhere as an interim step.” So, you brought up some very interesting issues in our last segment, saying that you may be holding the data right, and you’re not passing on information, but it can be inferred, hence the concerns there…the privacy concerns here.

In these cases here, we’re just sort of just talking about minimal data collection. Are you running into just sort of excessive collection? Like, “What the heck were you doing thinking to collect that in the first place? I mean this is nothing but trouble?” Mario?

[Mario Trujillo] You can look at data as an address, or an IP address, or a phone number, but… And so it seems benign in that way. But as I was mentioning in the earlier segment, it’s not only health data that’s sensitive. It’s what you can infer from the data. So, any bit of data can be sensitive if it’s used a particular way.

You’re not always seeing data being collected that shouldn’t be collected that on its face is extremely sensitive. It’s just these secondary uses of data that can always… It can be used for sensitive purposes, and it’s actually the purpose based sort of uses that causes the most problems.

[David Spark] This actually gets to a response… And we’ve all heard this before, where people don’t seem to be concerned with their privacy because they say something, “Well, I’ve got nothing to hide.” But what you’ve described here is it’s not about hiding something. It’s about what access people can have to you and your information.

Yes, Mario?

[Mario Trujillo] I think that is a common criticism of least restrictive privacy laws is that, “I don’t have anything to hide.” I think that misses a broader point, that privacy should be viewed as more of a human right. And so it’s a good for its own sake, but it’s also sort of a right that is a protection.

It’s a gateway protection for a lot of other rights like the protection of expression. So, if you want to be able to speak freely, you need to be able to access information without feeling like you’re being watched. And so it’s a gateway to freedom of expression. It’s a gateway to just information security, that your data doesn’t get breached.

It’s not only privacy for its own sake, it’s also privacy for expression, for security.

[David Spark] Geoff, I want to just isolate this one comment Yasir said at the very beginning – minimizing data collection up front can be a hard sale, but it’s not so much the minimizing. I think it’s also, A, having that conversation, but, B, what we’ve been talking about with Mario here is understanding the connectivityness of this data.

Like can we think this far down the road of how this is getting connected and used?

[Geoff Belknap] I think the best thing you can do as a security leader here is introduce that context – that you as a… Well, if we assume everybody who is building products that collect data are well meaning and well intentioned, they are focused on the solution that they are trying to bring to market that’s going to add value for you or for their customers.

And it is a… I think Yasir puts it perfectly. It is a day two exercise sometimes to think about what does this really mean in the aggregate, what insights could be derived from this, and what is happening unintentionally that I am facilitating here. And I find the best way to frame that conversation is something Mario sort of alluded to earlier, which is what’s really important to a business is a brand.

A lot of members and customers really want today a relationship with your brand. They want to be with you for the long haul. It’s not transactional, necessarily, like it used to be. And if you’re going to maintain that positive brand relationship with your customers, you have to kind of take this stuff seriously.

Your customers will absolutely leave you if you have a breach in a way that exposes them personally, that impacts their privacy or their right to privacy personally.

You don’t have to bring necessarily politics into it, but you just think as human how you would feel if these associations got made. If you said like, “Hey, we know this guy is shopping for these kinds of products and also looking for mental health solutions.” That’s not something that you want exposed.

Look, your email gets exposed, that’s not great. But these details about your life get inadvertently exposed connected to it, that is now a serious problem that you have building that trust back with your customers. And so I think when you frame it that way and you help people see it, you can really accelerate that day two conversation.

[David Spark] That’s a really, really good point. And I hear this brought all the time. Because when people think about it, you try to… Because we’re dealing with privacy… Try to make this personal. How would you like this to happen to you, your mother, your sister, your dad? And literally paint the picture.

Then they’re like, “Oh, this is more serious than, ‘We have a column of this information.’” Because when you start saying that, that doesn’t make any sense to anyone.

[Mario Trujillo] I think Yasir, he brings up a good point – this is currently a day two exercise. I think the punchline for me is that I’m going to be advocating for stronger data privacy laws, and I think one of the things stronger data privacy laws can do is it can make it more of a day one problem just because that changes the financial incentives for the business.

[David Spark] And we have seen a history of regulation doing this. Geoff?

[Geoff Belknap] I just want to underscore the best companies in the business are doing exactly what Mario is talking about here. We call it in the business privacy by design. And that certainly sounds very cool, but all it means in simple terms is you’re moving that day two conversation to day zero.

Moving it before day one. You’re building that conversation into the design and implementation of that product before it ever comes to market. I think what I have seen personally in that case is you have much better privacy outcomes in those situations.

Can anything be done?

26:32.011

[David Spark] Paul Culligan of Data Defense Solutions said, “Strong privacy laws,” that’s what we’re talking about here, “will help by defining what types of personal data can be maintained and for how long, and also define the controls that must be in place. Having specific laws to point to makes those decisions easy for security teams on what can be maintained, getting the budget required to secure the data, and implementing internal controls around who can access the data.

Without restrictions, most organizations keep more data with the thinking that there may be a chance to monetize this in the future, and that’s not usually a battle that security teams will win internally.” Neal O’Farrell of Brainisphere said, “How about weaving data ethics into privacy conversations, and how viewing the data from an ethical perspective – like recognizing the real humans the data might represent – might encourage employees to be more careful and less greedy.

If you can’t protect it, don’t collect it.” That’s an interesting last line there. The idea of if we’re all the sudden sharing this with Facebook, and we can’t kind of control what Facebook does, this changes the dynamic, doesn’t it, Geoff?

[Geoff Belknap] I think it does. Although I think a better example would be there are too many companies out there that are trying to monetize scraping or collecting information from other websites, and a lot of times what you’ll see is since these are very small, sometimes fly by night outfits, or because they’re making their money sort of remonetizing data other people have published, they don’t always think about security.

And a lot of times, that stuff will just get left on the open internet, and people’s data will get exposed. I really think in these kind of situations… And you know what? I’m casting these companies in a bad light.

There is some people that do this for good. But you really have to consider if you have no ability to protect data that you collect, if you have no ability to think through the repercussions of the data that you’re collecting, if you have no forethought behind just raw monetization of that data, I think you have zero business collecting that data.

And I think people like Mario and the work that they’re doing to enhance our privacy laws in this country and others, that really…the teeth in that are made for people like that – that are just not thinking about anything other than monetization of that data.

[Mario Trujillo] I like Neal’s framing of it – weaving data ethics into the privacy conversation. As internal security professionals or privacy professionals inside companies, if you can advocate for that inside your company, I think you should do it. I think the general public probably shouldn’t rely on that though.

I think that’s why organizations like EFF and then states across the country are advocating for these privacy laws that kind of put those data ethics into a firm legal model. So, that actually puts a number on the value of privacy. And the EFF sees privacy as a human right, and so you can’t actually put a value on it.

But companies need to see the value in why they’re going to be protecting this data. And if you tie that to a law that has real repercussions if you violate that law, I think that’s how you turn these data ethics into something that really has teeth.

Closing

30:08.857

[David Spark] All right. Well, that brings us to the very end of today’s conversation. Before we get to the very close, I’m going to start with you, Mario. A lot of really, really insightful quotes here on this one, but I want you to isolate one that you think sort of typifies our discussion today or you felt hit a really good topic that you we should all be aware of.

Your favorite quote is?

[Mario Trujillo] I like the quote from Neal O’Farrell. That’s the quote that to me, as a privacy lawyer inside of EFF…that’s how I come to privacy. I do think that that needs to be paired with actual privacy laws, but I like the spirit of that. And if you have that spirit within technology companies, that’s the employee I want inside of the technology company.

[David Spark] Very good. Great job, Neal. And, Geoff, your favorite quote and why?

[Geoff Belknap] I agree. I think Neal’s quote is great. But not to steal Mario’s thunder, I’m going to go back to Yasir, who talked about minimizing data collection up front. Can be a hard sale, but helping people understand the impact of that data and helping make it not a day two exercise but maybe a day zero exercise, moving it to the beginning, that really helps people understand and really helps us ship much more private, much more secure products.

[David Spark] I like your line – privacy by design. Look at this… Have the discussion at the beginning rather than at the end, and having to deal with lawyers, and fees, and all that kind of stuff, which is, no offense to you, Mario, not a lot of fun.


[Mario Trujillo] I don’t charge fees anymore. That’s one of the reasons I came to EFF.

[David Spark] Working at EFF is a different story. By the way…

[Geoff Belknap] The answer is if you don’t do privacy by design, you’re going to end up paying some lawyer way too much money at some point.

[David Spark] Exactly. By the way, for those of you out there that are not clear on EFF and their mission, obviously going to the Electronic Frontier Foundation, eff.org, to see more about what they’re doing. But we have been a huge, huge fan of the EFF for a long time. And we’ve actually…years ago, I made some fun man on the street videos for them.

And so we are just sort of… We’re very supportive and actually have had lots of friends who have worked at the EFF as well and are still there for that matter. So, my two cents for the EFF. And I do want to thank our absolute awesome sponsor, and that would be Material Security. Secure your productivity suite.

I’m talking about Microsoft 365 and Google Workspace with Material Security. It’s easy to find. Just go to material.security, and you’ll find it. Geoff, thank you, as always, for being awesome on the microphone. And, Mario, I think it would be better if you tell us what people need to know about the EFF and make a plea, because they always take wonderful donations.

I do know that, right?

[Mario Trujillo] Yeah, so the EFF recently came out with a paper called “Privacy First, A Better Way to Address Online Harms,” and I think we… Over the last year, we’ve seen a lot of internet proposals. Some of them good, most of them bad. We wrote this white paper mostly to try to reorient law makers onto what one of the big solutions could be on the internet for a lot of the harms that people are seeing online.

And we think that rather than taking a censorship first approach, which we’ve seen in a lot of proposals, that lawmakers take a privacy first approach and pass strong, comprehensive privacy legislation that has a private right of action that allows consumers to sue when they’ve been harmed – I think that’ll go a long way to address a lot of the problems that people have been pointing to in the last year.

[David Spark] Excellent point. Well, thank you very much, Mario. Thank you, too, Geoff, as well. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please, write a review. Leave a comment on LinkedIn or on our site, ciso-dev.davidspark.dcgws.com, where you’ll also plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.