Cybercrime is no chilled glass of Sauvignon blanc
on a hot summer’s day.

Wine About Cybercrime is a cybersecurity podcast where we invite cyber experts to take a break, enjoy some wine, and discuss the latest challenges and pain points in the field.

Episode #1: Data Privacy Hangover

On the premiere episode of Wine About Cybercrime, our host Cheickna Mané sits down with Bill Rankin, Cybersecurity Compliance Manager, to complain about data privacy regulations during data breaches. Through lots of laughs and a few glasses of Cheickna’s chosen J.L. Quinson Côtes de Provence Rosé, Bill fills Cheickna in on all the headaches that give him a data privacy hangover.  

Watch along with a glass of rosé and let us know if you too have a data privacy hangover! 


Bill: Don’t mind me.

Cheickna: [laughing]

Cheickna: Don’t finish it all before me!

[ theme music ]

Cheickna: Welcome to Wine About Cybercrime, where we pair wine and the latest cybercrime. I’m your host. My name is Cheickna Mané, Service Desk Analyst on the SOC team at ECS and certified sommelier. With my colleague, Bill Rankin, Project Manager, Governance, Risk, and Compliance.

Bill: Well, thanks Cheickna for having me. I’m here to whine about data breaches.

[ buzzer ]

Bill: No, I’m not. I’m here to whine about privacy regulations and data breaches.

[ buzzer ]

Bill: No, I’m not. Today, I’m here to whine about data privacy regulations and data breaches.

[ chime ]

Cheickna: Today we’re pairing data privacy with this French rosé, which is J.L. Quinson et Fils, from the southern part of France. This rosé is amazing. It has a lengthy touch of strawberry on the nose. French oak barrel, twelve months, and it has a mild touch of spice and Herbes de Provence. And what I like about it is it has a little bit of dryness and a strawberry touch. If you want to try.

Cheickna: I think it’s time.

Bill: You’ve been talking about it. I think it’s time to try. Here, cheers.

[ glasses clink ]

Bill: Oh, wow. That is fantastic.

Cheickna: And a good rosé will give you a little bit of a spice finish, though not too overpowering, with a soft finish. So, it’s not as fruity, it’s not as dry.

Bill: I wish I had this great of a welcoming any place I went to. So, thank you so much.

Bill: Well, before we get into what I guess I’m here to talk about, I am going to try this cheese here real quick.

[ chewing ]

Bill: Do you see that?

[ laughing ]

Bill: Well, I hope in editing that they let that period sit for a while and don’t fast forward through it, because that is genuine. That is fantastic. Wow.

[ video game sound effect and glasses clink ]

Cheickna: This is an interesting topic. You know, I grew up in France, and the United States is a big country. But is the data privacy in the United States, is it really different than the one in Europe where I grew up?

Bill: Yeah, that’s a really great question. It is significantly different from where you grew up over in Europe. You know, countries like France and other members of the European Union, they fall under the jurisdiction of the GDPR, or General Data Privacy Regulation. Here in the US, we have no such regulation, and that’s really what I’m here to whine about. Every state has their own data breach notification. And as a company, each company has to understand what data breach notification is applicable to them. They have to understand the nuances of each of these breach notification regulations. They all have little differences about the amount of data, whether or not the data is encrypted, whether or not it’s encrypted but the key is still safe in the event that you have to alert somebody. You know, and as a consumer, I’ve received notifications from companies that they may or may not have had a data breach. And at this day and age, though, I’m confused as to whether my information may or may not have been involved in a data breach.

Cheickna: But you know what I don’t understand is like, first they want your money, they want you to buy something. They want you to use the service where you have to spend money. But I don’t get it, is when there is a data breach, everything they want to do is cover their own back. I don’t want to use the other word, but they want to cover themselves first by sending a letter to us to say you might, you might not be.

Bill: Exactly, yeah. And how do you not know? And regretfully, there’s really nothing that we have. There’s no mechanism that we have to hold that company accountable for telling me explicitly whether or not my personal information and or my financial information was ever part of a data breach. There are states that are leading the way, like California. Virginia just had a privacy regulation passed. But once again, if we continue on the way that we’re continuing on as a nation, companies are going to have to contend with 50 other—instead of 50 data breach notification laws, on top of that they’re going to have 50 consumer privacy laws. And then on top of that, whatever else they have to do: the sectoral laws that we have here, like PCI, like HIPAA. It really just kind of leaves a bad taste in your mouth, you know, completely different than this rosé, which leaves a great taste in your mouth. Oh, and you don’t have any. Sorry.

Cheickna: [laughing]

[ video game sound effect and glasses clink ]

Cheickna: I live in Virginia here. Let’s say I travel frequently to go to California. I buy some stuff in California, I come back to Virginia. Are those regulations applied to me or no?

Bill: Well, so, it depends.

Cheickna: As a consumer.

Bill: Yeah, as a consumer. So you, as the individual, no, you don’t fall under California’s Consumer Privacy Act.

Cheickna: My information can be spread all over California?

Bill: Well, but the company you interacted with, they may fall under CCPA. So what that means is that company may be obligated to follow CCPA guidelines. California Consumer Privacy Act guidelines. And that means that they may have to have a good privacy program, which means you inherit, for lack of a better term, some of the protections that are afforded other California residents because they are under CCPA. But what you don’t have, is you don’t have the right to perform certain actions under the CCPA, because the CCPA does not cover individuals who are transient within California, so they’re just visiting. They’re there on vacation. They’re passing through as it were. There’s a couple of different things that you could look at. And one of which is—to me, the most important one is that lack of standardization across all 50 states and having that federal omnibus privacy regulation that’s written in a way that takes, I think, lessons from what GDPR, Brazil, all these other countries throughout the world, what they’ve done and how they’ve really put privacy and consumer privacy first in a regulation and learn the things that were great about them and things that weren’t great about them. And let’s take those lessons learned and apply it to a federal regulation here. Let’s come with good guidance for companies. Let’s come with a good explanation. So me as a consumer, I can start feeling more comfortable, and I can start getting more relevant notifications, because we have a great regulation and because these companies have guidance on how to implement that regulation. And so that leads me to another point. Cybersecurity and privacy, are they two different things? And they are, they are based on completely different principles but yet, they intersect with each other. There’s a saying that says: You can have good cybersecurity without good privacy, but you can’t have good privacy without good cybersecurity.

Cheickna: This is why companies need to have a partner that has a very strong SOC team around. Just to analyze the root causes of a breach. Where the data breach happened, how did it happen? When and how and how can we solve that problem now?

Bill: What type of information was in the data breach?

Cheickna: And how to stop that data breach.

Bill: So, working with a company like that, the company where I had my data breach may have been able to send me an email and say, “Hey, we suffered a data breach, but your information was not a part of it.” Or they could’ve said, “Hey, we suffered a data breach, and your information was a part of it, and here’s what information was in there: it was your name and your mailing address.” Well, you know what? Maybe I don’t expect identity theft protection because my name and mailing address were taken out. Now, if they said portions of your credit card, social security number, things like that. Then, yes, I would definitely, hopefully expect identity theft protection as a minimum of recompense for having my data breached like that. But that’s just where we’re not at here in the US. We’re sort of still just laissez-faire about it all, and we let people, companies do what they want with our information. As a US citizen, that really really grinds my gears. Now, with the meat board or the meats here that you have…

Cheickna: Charcuterie.

Bill: So, say that word for me one more time.

Cheickna: Okay, as a French person, I’m going to bring my French accent. Okay, [speaks French], okay. Call it—charcuterie.

Bill: Charcuterie.

Cheickna: Close enough.

Bill: Okay.

Cheickna: So, like in the south. But close enough.

Bill: Yeah, yeah. It’s got a little ‘y’all’ in there, right?

[ laughing ]

[ video game sound effect and glasses clink ]

Bill: So Cheickna, as an analyst on the SOC, how do you feel about, how does this make you feel knowing that you are at the forefront, the first line of defense for companies who trust you to perform this service for them and you need to provide them with this type of information?

Cheickna: You know, that’s another interesting question right there. What I like about being on the SOC team is not only do we work for our company, but we also have customers that we look after 365 days and 24 hours. And when there is an alert, we jump on it right away. We have a team of talented people that look at the ins and outs of the root causes. And then from there, we come to a conclusion on it. And not only do we come to a conclusion, we come to a conclusion with a better solution to avoid the repetition of the same scenario, a data breach.

Bill: And if I were to, say, use you as a consumer, as a client, partner with you, we’ll say, I could have a reasonable expectation that you guys would be able to provide me with a good understanding of everything that occurred, right? A good problem analysis like you said, and what happened, how it happened, what was done to me as your partner, and that’s, from a privacy perspective, that’s invaluable. These privacy regulations, when they talk about cybersecurity, they talk about ‘adequate’ cybersecurity protection, and it’s almost impossible to define adequate. I can tell you what an inadequate cyber security program is. An inadequate cybersecurity program is a cybersecurity program in which data was breached from your organization because you weren’t adequate at that point in time, right? So defining adequate is difficult. But working with a service like yours, it sounds like that at least helps to lay the foundation for an adequate cybersecurity program, because I could trust that—one, there’s a 365, 24 by 7 monitoring, and I know that I’m going to be made aware of and have all the information I need in the event of a data breach.

[ video game sound effect and glasses clink ]

Cheickna: Today, we learned a lot about data privacy, and about rosé. I will tell you there are a lot of different types of rosé. You have different types of rosé within France, in Italy, in America, in Spain, all over. There are different types of rosés, different types of grapes that are involved in those rosés.

Bill: And that’s a great comparison, because as a consumer, what we’ve been whining about is: I have different types of privacy, data breach notifications, and consumer privacy acts that I have to understand, and it depends on what state I’m in. But you know what? I’d rather have a lot of different rosés than a lot of different privacy regulations.

[ glasses clink ]

Cheickna: There we go.

Cheickna: If you want to meet the challenge

Bill: and make a difference,

Cheickna: please visit ECStech.com.

[ theme music ]

[ glasses clink ]
