FILED Season 2 finale: The best moments from our second season
It’s the finale of FILED Season 2, so Anthony and Kris take a walk down memory lane, reviewing their favorite clips and discussing themes and events from a busy year in privacy, cybersecurity, governance and records (and AI).
They also discuss:
- The OAIC’s landmark case against Medibank in relation to its 2022 breach, and how the regulator is using this case as a wake-up call to other companies, especially in relation to over-retention of data
- The introduction of the first tranche of changes to the Australian Privacy Act, and how the changes may impact Australian companies
- How we've largely left the concept of "data boundaries" behind, and how security approaches should adjust
- Why cybersecurity needs to be discussed more often, and the need for organizations to identify their "crown jewels"
- How security must involve all teams, and be preventative in focus
Resources
- 📨 FILED Newsletter: The data privacy regulation floodgates have opened. Time to catch up.
- 📏 Benchmark: How much PII does the average organization store?
Transcript
Anthony: Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint, and with me today is my co-host Kris Brown, RecordPoint's VP of Product Management. We're here again, at the end of another year, and another season of FILED is being wrapped up.
This is episode 15, season 2, and we've had a lot of fun. And just like last year, we're going to spend today talking through some of the highlights and seeing how some of the themes have been consistent throughout the year. In this discussion, we'll take turns to point out some of the key clips and some of the key experiences both Kris and I had as we went through the year.
How are you going, Kris?
Kris: I'm excellent, Anthony. It's been a big year. I can't believe we're all the way at the end of the year again, but really looking forward to rolling through this season.
Anthony: Yeah. And it's been a real year of solidification of change on so many fronts. You know, this year has seen, I think I was looking at the data and I know I'm weird like this, there were 62 global elections this year.
It's actually a high point in the history of the world for a single year with global elections. And we're seeing further, even unexpected, elections in France and other places. So, it's really been a year of solidification of change. I think we're all experiencing that. You know, as we start to look at the key topics for us, some massive headlines have really encapsulated that change.
And if we go all the way back, very early in the year, that kind of January time frame, we have to look at that first big announcement. And for me, that was really the Medibank hack we saw here in Australia. We saw the Office of the Australian Information Commissioner note that around 9 million Australians' data was exposed in that process.
It was one of those bizarre things where the company didn't even have 9 million customers, but there were 9 million pieces of data out there. Mind blowing. The commissioner again has been very clear about this. Medibank just had too much information. They actually didn't have 9.7 million customers. It's a much smaller set of active customers they actually had, but they had 9.7 million Australians' pieces of data. So, I think, you know, number one, there's a concern at risk.
Kris: Yeah, correct. And I think Carly made it very, very clear in the ABC interview and I've read and looked at many of the other pieces of press that she's done and even just things that the OAIC has put out.
They're really looking for that egregious, persistent violation of people's privacy. Yeah, that's right. The whole situation was a reminder that the company just literally held onto too much information. Certainly, we've seen that many do.
Anthony: Yeah, it's a real vivid example of what can happen, as played in that clip, when you're just not focusing on removing data.
It's such a basic thing for an organization to do, but clearly, when you forget about it, it has a big impact, and you have an obligation to do it. And I think that obligation ties in very nicely to the next clip and one of my next highlights, where that focus is really needed. And in fact, we need legislative ways to approach that focus of thinking about data governance and having those removal processes.
Kris: Yeah, throughout the year here in Australia, we were all waiting for the government to introduce legislation to amend the Privacy Act. A reminder, about two years ago, Attorney General Mark Dreyfus put forward in a report that the law should be reformed, and they came forward with over a hundred recommendations.
Now, we know that the government agreed to these, some of them in principle, some of them directly, and then the first tranche of changes was announced in September of this year, and as we record today, the bill just passed both Houses of Parliament. Before we jump into a clip from that episode, I want to hear from another episode with Civic Data Director Chris Brinkworth, where he discusses how people should be preparing for that reform.
Chris Brinkworth: So, I think there's just understanding at the moment, what technology you're using, why you're using it, why you're sending data there. And are you being very clear about disclosing it? And also, if you're keeping a copy of that yourself, as you rightly know, why, why are you collecting this? Why are you storing it?
How are you going to use it? Is there a real benefit to it? And don't get me wrong. One thing I do always say to my clients and prospects is, if you're going to send all of this data to a company you've never heard of from 15 years ago, but some bad actors actually bought that domain name and now they've reverse engineered it and are collecting that data.
If you're sending all of that information, why not keep a copy yourself? Because if you keep a copy of that yourself and you have consent to use it, you've been disclosing exactly how you're going to use it. You can do so much of that from a machine learning perspective, modeling perspective, product design perspective.
So, if you start to understand what you're giving away that creates a risk, you can also start to understand how you could build value if you think privacy first, privacy by design, protecting that data, what it's used for. So, that's what I'd say is: understand what you've got, where the risks are, how that applies to your existing privacy principles based on the future, but also what is the opportunity?
Anthony: Great advice there from Chris. As that legislation goes through and becomes an act, there is so much that we can learn from in that clip. And so much of that episode really got into the nitty gritty of how to handle the changes that you're seeing not just in Australia, but globally. Just that thinking alone is a great frame of reference, and it's really worth paying attention to.
Kris: Yeah, and certainly once that tranche one dropped, you know, we rallied the troops here at FILED. We brought back Chris Brinkworth and also introduced ElevenM's principal Cassie Findlay. So, here's a clip of Cassie giving an overview of the announced changes, and then we'll hear from Chris on how companies are reacting.
Cassie Findlay: There are some really important items in the agenda that Dreyfus introduced. So, for example, the tort for serious invasions of privacy, which brings in the possibility for individuals to seek redress for harms as a result of really serious intentional or reckless breaches of their privacy or misuse of their information.
And that's both intruding upon their seclusion physically into their space, or indeed the sort of more online versions of that around cyberstalking. And it extends to individuals and companies misusing information in a way that is reckless and brings harms. That's something that's been on the cards for a long time, so I don't think it was a big shock to anyone that that one came through.
The Children's Online Privacy Code, as well, is a welcome announcement. This is something we've seen other jurisdictions around the world putting in place: some requirements, in addition to the baseline requirements of the Privacy Act, but requirements that will address certain ways of designing, for example, educational technologies that kids are being presented in schools, and put a bit more of the onus onto the developers and the providers of those technologies rather than the poor schools and parents who are trying to navigate this stuff and work out, is my children's data safe being ingested into this tool, being used by this tool?
That code is going to be a bit of a way off, but it's a very welcome introduction. Interestingly, one of the only reforms that is actually going to be reflected in organizations' privacy programs in a sort of very specific way is the requirement to be transparent about automated decision making. For that one, the requirement will be that, if you are using automated decision making, you describe how you do so in your privacy policy.
And of course, that one's in response, in part, to things like the Robodebt case. And again, that trust concept, that the first step to being upfront with consumers and users of your services is to make sure they understand what you're doing with their data.
Chris Brinkworth: This combination of automated decision-making tool infringements has actually, from what I'm seeing, put a lot of people on edge going, right, we do need to get on top of this.
And I think just that alone will help to clean up a bunch of stuff that's been happening, and that will prepare people for the other stuff anyway.
Kris: So, we're a few months out from this episode now and the announcement itself, but I think that summary and the reaction is still very valid. You know, what have you been seeing out there, Anthony?
Anthony: Ah, yeah, look, for those that have been paying attention, not only have we seen the legislation roll through both houses of parliament, we've now seen people talking about Tranche 2. We don't know where that is. There's an election coming here in Australia next year. I'm not sure why Australia wasn't part of those 62 elections I already talked about at the beginning of this episode, but we're certainly going to see.
Do you have a sense of it, most likely, Kris? You know, what are your predictions?
Kris: Yeah, look, I was actually just this week at the International Association of Privacy Professionals conference in Melbourne, the Privacy Commissioner Carly Kind was on stage for a keynote and certainly at this stage, it's unknown.
I think, as you say, there's an election coming. I think the industry would have loved for her to step up and say, here is an exact timeframe for these things. But certainly she was a bit circumspect, with the election coming and, obviously, the legislation itself still very, very much in the getting done point and becoming that act.
We're not quite sure yet, but there is certainly hope that we're going to see this sooner rather than later.
Anthony: For the listeners out there, the legislation, Tranche 1, only just was approved today as we record the episode, so it is really the evolving landscape and going back to those clips we just played with Cassie, there is so much relevance there about those changes that really lined up.
Very few amendments from the announcement to what was approved by both Houses of Parliament, literally this morning. So, it is somewhat hot off the press as we do this recap of the year. As we kind of switch gears a little bit though, we've been quite Australian-centric with the new legislation coming down.
It's quite an exciting time, but there's been so much going on in the world. And I really want to unpack what we've been seeing, not just in the privacy part of the three legs of the stool, as we like to describe it here on FILED, but also in the cybersecurity elements of that. So, as we look further afield, we had a great conversation with SolCyber CEO Scott McCrady, who joined us in June, really focusing in on those midsize companies and how they're solving their security problems when they don't have these large teams to deal with them, when there are these patterns of trying to engage with what is an ongoing 24/7 risk.
Without the investments that make that way. It was a really great discussion. And I really think this clip stands on its own.
Scott McCrady: Everyone wants to implement AI to have their own personal chatbot, like, well, where's the data boundary? Because the data is everywhere, right? So, to your point, it's becoming real, real for people as they try to figure out how to get leverage that they don't have, grasp with their data and where it is and what's being done with it.
Where we sort of view this is we've left the perimeter sort of behind and we went to identity. We'll talk about privacy in here in a second. So, when we built SolCyber, we said, we're going to build all of our detections around identity going out versus perimeter coming in. So, the reason for that is starting to go to where you are, which is how do we get better grasp of where the problem really sits?
And the problem, generally speaking, is with the human, then the tech, then the perimeter, right?
Kris: Yeah, it's fascinating. And Scott was talking in June, think of the amount of evolution that's gone on since then. When we're speaking of cyber security, it's evolution. We're looking at the other guests that we had this year as well.
We had Rivial Data Security CEO Randy Lindberg. He joined us way back in April and talked about, among other things, how the cybersecurity arms race has accelerated. And yeah, thanks to, I think, the topic du jour, AI.
Randy Lindberg: As far as externalities go, when you ask the question, my mind jumps to artificial intelligence because it's being used on both sides, right?
The bad guys and the good guys, and now the arms race has kind of escalated and sped up in certain cases because, you know, we've got externalities. One thing that jumps to mind is phishing, just kind of your standard email phishing attack, right? That risk has changed significantly. So, if you did a risk assessment a year ago or two years ago, shoot, even a year ago, actually, you know, six, 12 months ago, it needs to be updated because phishing attacks are better.
You can dig into the statistics, but when you look at phishing attacks, it used to be that the vast majority of them were written by somebody who had English as a second language, and it looked like it was just poorly written. Now, the attackers can go out there regardless of what language they speak. With the right prompts, they have ChatGPT or something like that, some kind of large language model,
Writing an email for them that's, you know, in our case, in perfect English. Grammar's correct, spelling is correct. It looks like a legitimate email. And so, one of the means that users had of just noticing, you know, just detecting phishing attacks is kind of gone now when you have artificial intelligence available to the attackers as well.
So that kind of externality, those things are coming in the security side, of course, we have artificial intelligence now to defend against that. So, again, that arms race.
Anthony: There's so much conversation going on about AI and the linkage to cybersecurity and the approaches, up to needing to be holistic about how you think about things and what a company focuses on, because you can't have AI, which is really the absolute meat that makes things work for organizations, is what we're seeing, as a thing.
But you need to do that building on strong foundations. And that was a really clear message from Clayton Utz Cyber Principal Brenton Steenkamp, who joined us in August. They have an amazing set of capabilities, and how they're approaching the market to think about these things. Well, let's let the clip speak for itself.
Brenton Steenkamp: I'm not saying that we have to talk cyber at every meeting, but the point being is that if organizations aren't appreciating this on a more frequent scale, and not in talk, not only at the governance level, but at an operational level, at an acting level, then we are not going to move into a position of true resilience, of truly understanding what our risks are, if we know what our data holdings hold and if we know what our, let's call it the crown jewels are, embedded in a certain area, and we've done the necessary to mitigate the risk from external and internal threats.
It changes the behavior that follows when an organization is faced with a potential ransomware event, or for that matter, a serious data breach or leakage event. It changes the response process. It changes the remediation process. And it changes the potential outfall from a reputational and litigation aspect as well.
And that brings in a holistic approach around how we as an organization, as individuals, but also as a state, react to these events.
Kris: Yeah, I was lucky enough to catch up with Brenton at the same conference that we were talking about a moment ago, and I'm still hearing more and more of these same stories and the importance of embedding these niche issues into the entirety of the organization.
Another guest, Uplevel founder Raashee Gupta Erry, discussed with us the need for a holistic approach, though, in this case, she focused on the need to get privacy away from the lawyers. So, let's listen in.
Raashee Gupta Erry: A lot of the strategies I think the companies can adopt are very fundamental and also, they are cross cutting.
They are not just legal practices, but they are more practices that are strategic, that are rooted in data, and data touches all functions in an organization. So, a big one is data minimization. So, that's becoming a big theme here in terms of this whole premise of only collect the data that you want, or you absolutely need.
I think gone are the days when you can collect anything and everything and say, okay, we're going to keep it, or we may use it at one point or the other, and nobody's going to question it. So, that doesn't exist anymore. Data minimization is a big thing, and that applies to various components of an organization, whether you're in product, whether you're in IT, whether you are in marketing, whether you are in sales, or obviously legal looks at it from a perspective of regulations, right? So, that's a big thing. And that comes alongside with it looking at a lot of the guidance that some of the regulators are putting out. They are not necessarily regulation or a letter of law, but they are more like guidance and practices that signal some of the things that they are looking at, and it gives you a soft sort of nudge in terms of what businesses should be doing or should not be doing, or where they may be focusing their attention in future. Third thing is really understand where your business is in the present time. So, doing it more in the form of gap assessments, like what are some of the current issues that you're facing?
In terms of compliance that your company may be facing right now, if there are gaps, then really understand that. And that gives way to an assessment for risk tolerance. So, let's say you have numerous gaps, but then some are probably easy to close, and some are longer on a longer horizon. So, having an understanding of how much risk a company is willing to take and how much is at stake or not at stake is very important.
Kris: And then we had a third guest, Votiro VP of Product Management Eric Avigdor. He had the same feedback. He said that all the disparate teams were dealing with the issues in their own patch: security for the security team or SOC, compliance for the lawyers. Let's hear it in his own words, how he explains what's going on.
Eric Avigdor: One of the biggest trends I've seen in maybe the past 12 months is that if in the past security was a security team's issue, that was with the CISO, with the security team, with the SOC, they deal with it, done. Compliance and privacy were a thing for the compliance team. Using the words of a good friend who is a CISO, the compliance team is mainly, they're mainly lawyers.
They know what we can do and can't do. They just don't know how to do it. What's happening in the past 12 months is that compliance teams are starting to realize that the problem set is so big that they cannot resolve it on their own. And that problem is starting to now overlap with IT problems, which is why your chief data officers, your compliance officers are now going to IT saying, I have this set of problems, how can you help me?
So, we're starting to see a situation where first, IT is now piled with a new set of problems, but that problem could potentially overlap with some similar problems that exist within their space, their cybersecurity space. So, we talked earlier about the intersection of malware and ransomware on the front end, exfiltrating data, then on the back end, hey, we have sensitive data, how do we protect it from being exfiltrated as well?
So having that discussion between these two organizations is fascinating and being able to facilitate it is convincing us that there's a new world that we need to adjust to, and that new world must include preventative elements. Otherwise, the task is just way too big. Teams would need to double or triple in size to be able to tackle the new data protection problem.
Anthony: Amazing to see how in sync all these guests are. It's a common thing we've seen throughout the year. The technology can solve these things, the standards and the drivers are there. It's just bringing this together and allowing executives and boards to pay attention to it. So far, all of this has been pretty big picture.
And as we start to draw to a close on how we've rounded the year out, I wanted to surface some of the best advice we've had from guests this year. I know, Kris, you have some really interesting takes from what you've seen. But for me, when we spoke to DataCo co-founder Danny Tyrell in September, he was really uncompromising when he said, just stop sending raw data everywhere.
And that's such a theme for me for this year. There is so much raw data everywhere and people are really dealing with it. But let's play that clip.
Danny Tyrell: Just stop sending raw data or storing raw data everywhere. It sounds like a really boring thing to say. And I know you guys probably have a lot of thoughts on this in terms of what you do inside of organizations, but there's just no excuse for it anymore. There are so many different approaches, and I do want to get to the point of talking about the right use case and getting through. But just know that there's no excuse for some of these large-scale data breaches, because you just sent the data to the wrong place, or I've just been storing things for so long. It's just like, get the fundamentals right, because it doesn't matter how much we want to try to think about a greater future and what we can all do together and the best uses of data, if people don't do the right things in terms of the fundamentals, we're just going to keep seeing these breaches, and we're going to keep getting more legislation, and we're going to lose the trust of the individual consumers, kind of to your point before, Anthony, and that's really what's going to harm us all.
So, it's kind of like, think big and talk about what you can do, but you have to do the basics right.
Kris: And another quick tip from RecordPoint's very own Dr. Miles Ashcroft. Not only is he fantastic at tipping fantasy football, but he's also able to help us identify the difference between risk and compliance.
And at least in his opinion, so, which from my side, I tend to agree with, well, usually anyway.
Dr Miles Ashcroft: The way I tend to think about risk and compliance is almost as a continuum and there is an intersection between them, and they sort of overlap. But one is not the same as the other. And I think it's often a mistake that practitioners make and also companies make when they start to think about compliance as their means of ensuring that their business is, for want of a better word, safe or risk free, you can tick all the compliance standards that you like.
So, compliance for me is more around adherence to standards, adherence to regulatory requirements, adherence to particular internal policies that you may have. But it sits within this much broader, I suppose, superset of risk, and risk is really taking a different approach, whereas compliance is more bottom up, like I've got a set of things that I need to comply with, and they're at a quite micro level.
Risk is more at the macro level, where you're sort of looking at the business holistically and going, well, what are the threats to my business? What are the risks to my business in a broad sense? And then, how do I address those? So, ideally, they should sort of meet in the middle.
Anthony: And just for a side note, particularly for Miles, who I know loves this podcast, I did beat Miles in the fantasy football in the week just gone.
So, big win to me, but I'm sure he'll get me back in the final coming up soon. We're nearly done, Kris, but one of my favorite episodes, where we really delved into detail, was with Wanne Pemmelaar, who runs filerskeepers. I managed to run into Wanne at a whole bunch of conferences this year, certainly put a little bit of nectar and cucks away at different times debating these issues, but he did a really awesome podcast with us, and a really interesting take on the value of deleting data.
And how it actually makes you a trustworthy company. Let's listen in.
Wanne Pemmelaar: I believe that data deletion, or records deletion, destruction, is the ultimate sign of trust. It's basically when you tell your stakeholders, your customers, employees, we will let go of your data because we feel that your privacy, security and wellbeing is more important than our short-term economic gain.
Yeah. So, the fact that you can actually say, I dare to delete. Yeah. We even have a t-shirt: I dare to delete data. We hand them out during conferences, but that is a real sign of that trust. And we have done a bit of a survey with another company, and it actually showed that if you are actively deleting data and you're transparent about it, because you do need to brag about it,
you can increase consumer trust by 50%. So, the fact that you can say, yeah, I got hacked, but I didn't have your data anymore, so there was nothing to share, is something that people really, really appreciate. It's very scary because it's against human nature. By origin hunter-gatherers, we need to gather the items to survive. Yeah. And the same goes for information.
Kris: And just one more from me, a final thought from our first guest of the season, all the way back to Dr. Darra Hofman, taking it right back to the start. We've talked about a lot of the high-level stuff this year, AI, privacy law, security, but let's not forget what underpins success in these areas and ensuring that you've got all of your data well managed.
And as you know, who's really good at that? Records managers. That's who. Darra had a great analogy for the field. Let's take one more listen before we say goodbye.
Dr Darra Hofman: One of the fundamental challenges, to my mind, because records are different from data governance. Like, kind of the functions, the things we're getting, are different, are similar, but like that records understanding is missing. And I think until we have it, we're not going to be able to do the things we actually need and want to do in terms of protecting privacy and transparency in the way we've always expected them to be protected. And so how we make that jump, that shift, because we see all this, like, information governance, and these are all really important areas within the field, but they all are united by that sort of fundamental records understanding that we all have, you know, in the profession. And so how we do that branding, I think, is one of the most critical pieces of what we do, because one of the things that you see now, of course, is pieces of what we do being broken off into all these new sexy competencies that don't have that understanding of those fundamentals that we have, and you see it getting done wrong because it's not under that broader kind of vision, if that makes sense. My husband's a plumber, and where we've arrived at is that we're kind of like sewage. Everyone just knows it's expected to work.
No one wants to talk about it until the pipe breaks and there's crap spilling everywhere. And that's where we are right now. But no one wants to call the plumbers. Because it's not, you know, sexy. They're like, oh, why don't we bring in a drone to fix it?
Anthony: Thanks for this Kris. It's been a real tour. I love doing this with you again for season two.
It's been amazing to sit here and really take these opportunities to speak with absolute experts in their field every month. We've had an amazing set of guests, and I thank them again for making the time and coming and having a conversation with you, but I also want to thank you, Kris, for co-hosting with me.
It's been quite a rush, and I'm really looking forward to Season 3.
Kris: Absolutely, Anthony. I think it's been great. I'm looking forward to next year already. We've started the planning, so to everybody a happy holidays and looking forward to next year.
Anthony: We hope you, listener, who are in fact the most important element of our podcast.
We do this for all of you that are out there listening. Please give us feedback. We're going to be back in your feeds next year. We have a whole bunch of really exciting guests. I think season 3 is going to even top season 2. I thank you all for listening. Have a wonderful holiday period. I'm Anthony Woodward, and look for us out on social media, searching for RecordPoint.
Kris: And I'm Kris Brown, and we'll see you next year on FILED.