Description:
In this episode, Cherie Givens discusses her new role as Chief Privacy Officer of North Carolina and the data privacy initiatives currently being rolled out statewide. She also discusses:
- North Carolina's compliance with HIPAA and FERPA regulations,
- how data privacy should be treated separately from data security,
- implementing training initiatives to support the state's data privacy goals.
Speakers
Cherie Givens
Chief Privacy Officer
N.C. Department of Information Technology
As chief privacy officer for the N.C. Department of Information Technology, Cherie Givens is responsible for a strategic and comprehensive statewide privacy program that defines, develops, maintains and implements policies and processes that enable consistent and effective information privacy practices.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. My name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive360. Joining me today is Cherie Givens, chief privacy officer for the State of North Carolina. Cherie is a certified information privacy professional and an attorney with more than 20 years of experience. Welcome, Cherie, and thanks again for joining me today to discuss this really interesting topic that I've been following for, gee, a year, year and a half now in my podcast around privacy, data privacy, and data security, information governance, all of those kinds of things. They all sort of tie together. But again, welcome, Cherie.
Cherie Givens:
Thank you, Bill. I'm happy to be here.
Bill Tolson:
All right, let's get right into it. In going through your press and stuff like that, I saw that I believe you're the first chief privacy officer for the State of North Carolina. Can you tell us what were the driving factors for the state to create your position?
Cherie Givens:
Sure. I'm thrilled to be the first chief privacy officer for the state. And the way that this came about is that there is a provision that the secretary of DIT is also the chief information officer. So he's both the secretary and he's the chief information officer. And within his powers, he has the responsibility for privacy for all of the state's information technology systems and associated data. He also has the ability to hire within that realm to add to his management staff in order to fulfill those duties. So the hiring of my position was part of that.
Cherie Givens:
He came from Washington State where they also had a chief privacy officer. In Washington State, that role was put in through statute. And so he had the chance to work there and get a better understanding of all of that, although he already obviously had an understanding of privacy. But he was able to see the impact that having a chief privacy officer can make. So I was thrilled that the position was created in North Carolina.
Cherie Givens:
At the time that I took it, I think I was the 13th or the 14th chief privacy officer. And now I believe there are 23. So it's still relatively new. And it really was due to him knowing how important that is and separating it out from security that I think it was created.
Bill Tolson:
Yeah. Now, that's a great foresight on his part, especially with all of the movements and stuff going on around the states and at the federal level with privacy. I think states are going to be well served by having somebody like yourself helping out. In Colorado, I don't ... Actually, I think I looked. I don't think Colorado had one. But in my past podcast I've talked to several state senators around who were authors of privacy bills and how they went about it and everything, and really, really interesting recordings.
Bill Tolson:
But following up on that, now that you're relatively new, but the position is new for the state, what in your mind and what in your boss's mind, what is the state chief privacy officer going to do? What are you going to be responsible for? What's your main focus?
Cherie Givens:
Wow. Well, that's interesting. So when I was looking at the position, I looked at what the job description was to determine if it was going to be right for me. And it really mirrored a lot of what I had done at the federal level. So it mirrors a lot of the same responsibilities that you would have as a chief privacy officer for a federal agency. And so I do a number of different things. Really, I think I find this particularly interesting because it seems to vary depending on the state, what you would necessarily do or be involved in, I guess because it's so new.
Cherie Givens:
So some of the things that I do include, so far, I've adopted the Fair Information Practice Principles for our agency. I've created the Office of Privacy and Data Protection website that offers guidance to the agencies and to others. I've created privacy points of contact in executive branch agencies. So this was to grow and mature our privacy awareness and also privacy in the different agencies. I've also established monthly privacy meetings to share privacy best practices and mature the program I've embedded.
Cherie Givens:
So I've looked at it not just based on what I was required to do, based on the job description. But also where I've seen privacy needs to be involved. So one key area for me was to embed privacy into contracts, into data-sharing agreements, into the procurement-review process. We've also launched a privacy training pilot. So training and privacy was also one of the aspects. And then further along on that is that we'll be building on that and creating role-based training.
Cherie Givens:
We do specialty training. So for HIPAA, FERPA, things like that. I also offer a number of different services to the state agencies. Since in my role, what I'm doing is providing guidance for the program overall at the state level, I provide guidance and consultation. So I'll meet with people from different agencies to discuss privacy issues and help to work forward to a path of, how can we solve this? What's the best way that we can go about it? I do procurement-related reviews. I do privacy incident response and breach support.
Cherie Givens:
I also help agencies with, I guess I would call it, federal alignment support. So some of our agencies get federal funds and are responsible for things like HIPAA compliance, FERPA compliance, and things of that nature. And so what I do is work with them on how they can comply with these rules and with the requirements. And then also, what are the best ways that we can implement them?
Cherie Givens:
Then, I'm also going to be rolling out data breach exercise support. So part of what I did at the federal level before I came to the state was do data breach exercises that focused on PII. And we're actually going to be doing some of those in October with our cybersecurity symposium. But I do those sorts of things to really help agencies to prep and figure out where their weak spots are. And then we also have a Privacy Threshold Analysis. So a PTA or sometimes you might have a PIA. And this is an assessment that we go through and look at.
Cherie Givens:
And I've worked with our security folks to roll out one that's a combined one for our state. So instead of having to do a separate security review, which is what had happened before, now that I'm introducing privacy into the mix, we've created one combined one that's based off of the format from Homeland Security. And it looks at privacy risks. It asks questions about the Fair Information Practice Principles. So what is the data that we need? Can we minimize the data that we are asking for? How can we mitigate risk? What are those risks? Those sorts of things.
Cherie Givens:
I also work with them on maturing their own privacy stance. So some of our agencies have privacy points of contact, but then for DHHS, we have a privacy officer there. So depending on their level of development and where they're looking to go, we do that. Then, in 2023, we're planning on rolling out an assessment to align with the cybersecurity framework to look at it, looking at the NIST privacy framework. And looking at how agencies can assess how they are progressing with privacy in that respect. And I think-
Bill Tolson:
Wow.
Cherie Givens:
Yeah, there's still so many things. I'm trying to think. I mean, I've been here going on nine months now, and that's a lot. But I think I've covered most of what ... I mean, I'm definitely covering all the things that were in my job description. But then other things that I think need to happen.
Bill Tolson:
You've obviously already accomplished a great deal and have a lot on your plate. One thing that just occurred to me, and I know we haven't talked about it before, but would you or your office act as a consultant to North Carolina businesses around data privacy, helping them? Or not necessarily doing stuff for them, but kind of acting as a sounding board for, "This is the kind of stuff that's been going on. Look out for these kinds of extortionware types of things"? Or is that something that would be taken care of by somebody else in the state?
Cherie Givens:
Yeah. Well, we have an Enterprise Security & Risk Management office, and they handle a lot of that sort of stuff. We have a joint task force as well that keeps up with that sort of information. But I would assume that most businesses would have their own privacy officer or they might reach out to their own legal counsel on those sorts of things. But we do have some of that information on our website that gives guidance to businesses. Particularly, we have something on here for small businesses, things that might be of use to them. And I think it's in business resources.
Bill Tolson:
I know-
Cherie Givens:
Yeah, so we have general guidance in there to help them. But right now, my role does not expand to that level. But I have done outreach by attending some of the meetings and talking about ... A lot of the businesses wanted to know, what should they expect now that there is a privacy office? And how is it going to be different to deal with the state, moving forward?
Cherie Givens:
And I do see that as my role to really reach out to those businesses and let them know, "Hey, my role is not to make it more difficult for you to contract with the state. It's to make sure these things are in place." And I do see that as part of what I do or would do is to try to make it as easy to navigate as possible to not have any surprises for businesses when they are interacting with the state.
Bill Tolson:
Sure. Yeah, no, I know, I know. And that's a question that even our customers are going to ask a lot. Businesses, large businesses, small businesses, where can they get guidance or best practices, those kinds of things around data privacy and/or security? And I know-
Cherie Givens:
Well-
Bill Tolson:
... in present ... Go ahead.
Cherie Givens:
There are a lot of really great resources. On our webpage we've added FTC's guidance on cybersecurity for small businesses, which I think is incredibly handy. And then also the Centers for Medicare & Medicaid Services guidance for complying with HIPAA. So there really are lots of good places that you can reach out to, to get that kind of understanding.
Cherie Givens:
And we already have a lot of that built in because the federal ... They've been doing this for, what? 22 years now. So a lot of that's built out. And we can look and use some of their guidance with that. And I find that particularly helpful. So I try to point small businesses to those areas that could help them.
Bill Tolson:
Yeah, that's great. And President Biden's executive order last year, he did set up basically an information clearinghouse with a large industry group that, basically, the job of this group is to work with the Federal Government as well as industry. So they can share things like, "Well, this new ransomware attack is starting to happen. These are the things we've done to combat it."
Bill Tolson:
Basically, having that clearinghouse of information I thought was really needed. And I'm glad they did that. The whole cyber attack environment is growing and changing so rapidly. And it really does affect data privacy. I mean, you can't have effective data privacy without data security; effective data security's an obvious prerequisite. Well, and I know that you said in the earlier part of this, you do work with or work for the main chief security guy for the state, right?
Cherie Givens:
Right, and I should mention that they also do outreach though to businesses. So that is happening. It's just not on a public-facing website, like some of the guidance that we have here that I mentioned earlier. Yeah. So-
Bill Tolson:
Right. Right. Okay.
Cherie Givens:
Yeah. So we are doing that, but, on the privacy side, at least, it isn't specific businesses. For me, I'm providing them more generalized guidance.
Bill Tolson:
Yeah, I would imagine as being a privacy professional like you are, and having the experience that you've had, you probably have ideas of what is needed to better secure data so that you can better make it privacy. And like I said, the Federal Government is now finally starting to lead in this stuff like telling all government agency departments, you must have multi-factor authentication, zero trust, PII encryption, all of those kinds of things.
Bill Tolson:
And those are all long needed. In fact, that's one of my problems, one of my issues with the state privacy laws that have come out, including my state, Colorado. I have some questions later on that. But the whole idea of reasonable security. What the heck is reasonable security? I mean, I've had attorneys basically tell me, any first-year attorney can make an effective argument about, "Gee, what we have is reasonable. Prove it's not," type thing.
Cherie Givens:
I would tend to disagree with that, but I guess that's a ... Speaking as both attorney and a privacy professional, I think there are clear standards that we can point to and you couldn't just come up with any argument to make it reasonable. [inaudible 00:13:54].
Bill Tolson:
Well, I'm glad you said that. I think that's fantastic. And yeah, I've done podcasts with lots of attorneys, like I say, state senators, and pundits, and all kinds of things, about that particular thing, that particular idea of reasonable security. In one podcast I published, I think two weeks ago with a gentleman named Chris Cronin. He actually was a coauthor of the Sedona Conference paper from last year on defining what is legal reasonable security.
Bill Tolson:
And I didn't even know that thing existed, and he educated me on it greatly. He was one of the coauthors. And it really comes down to this ... And you know the Sedona Conference. It's basically a legal think tank of very well-respected legal thinkers. But they basically narrow down the idea of reasonable security to what equals an algorithm. They have basically a mathematical formula that says, this is reasonable security. And I thought that was really interesting.
Bill Tolson:
But even more interesting, just in the last two weeks, there was a case settled against Wawa Incorporated. I guess this is a convenience store chain on the East Coast. I've never heard of it. But I guess they're pretty darn big. And six states brought a suit against them because they had suffered a very large breach. And the states came back and said, "You didn't provide reasonable security." And obviously the company was fighting back and everything.
Bill Tolson:
They actually came back with a decision from the six states that says ... And Wawa accepted it. But basically it laid out a list of things that equals reasonable security. There was seven or eight bullet points. It says, "For these states and for Wawa and other companies dealing with PII, this is what you must do." And they included like PII encryption, some other things. In fact, I'm writing a blog right now around the whole idea of, did this case decision basically just actually define what reasonable security is? Well, we'll see, but it's a really interesting case.
Bill Tolson:
I apologize going off tangent on that. But that's the subject that really has been of interest to me for quite a while. And like I say, I've talked to the various state senators about them use ... They all use exactly the same terminology. I mean, almost word for word. And you mentioned Washington State. Turns out that Washington State was one, besides California, but Washington State was one of the first states that tried to pass state-level privacy laws.
Bill Tolson:
And they still haven't passed it. But for some reason, many of the states, and even the states with bills that haven't made it in, copied the Washington State law very closely. And Washington State used that as well. I've read the Washington State Bill, several bills that haven't made it into law yet, but they were really interesting. They were ahead of their time. I think they diverge from the California way of wanting to do everything. But that's another discussion.
Bill Tolson:
So question for you on cloud adoption. Many organizations, many states, many governments around the world have ... And President Biden's executive order basically said to the government agencies, "You must move to the cloud in this period of time, period. No exemptions, no nothing." Where is the State of North Carolina in moving to the cloud and what are your thoughts on that for the states and how it may affect data privacy and stuff like that?
Cherie Givens:
Well, yeah. So we do have things in the cloud. We are in the process of moving more fully in that direction. For me, from a privacy standpoint, I'm concerned with ... I mean, we talk about a cloud, like cloud is ... And I think for people who maybe aren't familiar, it sounds like this amazing thing that covers everything. But to me from a privacy perspective, it really comes down to what is in the contract? How are you going to protect the data? Where is my data going to live?
Cherie Givens:
Is it going to reside within the continental United States? What is the level of protection on the data? What other tenants are in there? Those sorts of things concern me and would be of concern for me. Also, I'd want to know what's the availability of the data? Is this the system that's gone down before? I'm trying to think of the ... I mean, there's just so many different things that I would be concerned about.
Cherie Givens:
I look at it, I guess. And maybe it's because my legal background, but I always am really deep into the contract and what does it say and what exactly will I get? And when will we be notified if there is some sort of an incident or a breach? And what will we be able to do and find out? What sort of auditing is going on? How do we make sure that depending on the level of the sensitivity of our data, what is the background on everybody who could possibly have access to it?
Cherie Givens:
There's a lot that I would want to know and be comfortable with before doing that. And I think that I often hear a cloud talked about like it's this magical thing and everything will be solved. And yet, we see oftentimes when people put things in the cloud, if they don't have it configured correctly, it's no good. So that would be my concern. I would want to have all of that, look at it closely, make sure it is meeting what we need at the time.
Cherie Givens:
Yeah, I think there's real benefits to the cloud. It can decrease the footprint that we actually have to have. It can help us to be more resilient and flexible in all of these things. But equally, if we have contracted in for something that isn't what we need, it could be worse. So I think that I understand the position of why we would want to move to the cloud. But I think that it has to be thoughtful. I think that for each agency they have to look at where they are, who they're going to be contracting with for the cloud services.
Cherie Givens:
What's in that contract? Is the right level of security in place? Have we classified our data correctly? And is it going to be at a level in the cloud that meets with our needs? You make sure that we're not sharing it with tenants where it might be more likely to be attacked or there might be problems. Those sorts of things would be of interest to me from a privacy standpoint.
Bill Tolson:
Yeah, those are great insights. I mean, you hit all of them right there, probably more than I would've thought of. But some of the things that we're seeing now with cloud is, who owns the platform? Is it some third party or is it one of the Big Three? Microsoft, Google, AWS, whatever. And it all comes in your contract. You're absolutely spot on there. Do they do annual security assessments? By who? Is it from an outside source that's reputable? And now we're seeing with some of the emerging privacy laws, customers are starting to ask for Privacy Impact Assessments.
Cherie Givens:
And I think that's the right choice, yeah.
Bill Tolson:
Yeah, and is the sensitive data being encrypted? Where are the encryption keys being kept? Hopefully, not in the same cloud.
Cherie Givens:
That's right.
Bill Tolson:
Most people don't even think of that. But who holds the encryption keys? Is it held by, for example, the state or is it held by the cloud provider? And who has access to those encryption keys? And then the other thing that we've seen, and you mentioned this. I think you touched on it, is, you want to keep the encryption key separate, potentially on-prem or away from the third-party cloud.
Bill Tolson:
Because we've seen, especially European businesses who are looking at the cloud. They're saying, "Well, based on US law with the Cloud Act, and FISA, and all these other things, we want to be able to encrypt our data that goes into the cloud. But keep the encryption keys. So that the intelligence agencies can't go into the third-party cloud, say, 'Give me all of North Carolina's data,' or, 'Give me all of Archive360's data.'" I could give it to them, but it's all encrypted. So they'd have to come to actually decrypt it.
Bill Tolson:
And that's the Europeans based on some of the things that have happened over many years. Microsoft actually fighting in Ireland over this question about who owns the data on US servers in foreign countries. It's really opened up a bucket of worms. And like I say, the list of things that you just listed off are right on. So people are very, very ... Well, let's put it this way, they're not leery about the cloud anymore. But they have very specific wants.
Bill Tolson:
And we found, by the way, that five years ago, for example, healthcare organizations would never put patient information in the cloud because it was deemed too sensitive. Now they've kind of gone the other way. But again, it depends on that provider and how effective they are in protecting the data. I mean, do you have, within the cloud role-based access controls, like you mentioned, can you do field-level encryption? All kinds of neat stuff like that.
Bill Tolson:
But the cloud is a hot topic. It has been for quite a while. The Federal Government is going full blast into it. But obviously, with the feds, the Big Four providers have very specific separate federal clouds.
Cherie Givens:
Right, yeah. When I worked in the federal area, that was when the cloud was first being talked about there. And I can remember going through all these sorts of questions and having to really have it explained to me because I just didn't understand. And then when I realized it really is all about contracting, that it's just down to what you've actually contracted for. I guess that's how I see it. And so I always view it based on, what exactly am I getting and what do I need? And what happens in the event of a breach, or an emergency, or any other sort of thing that I need? And although it's not always practical, my favorite thing is to always be able to inspect what I want, right?
Bill Tolson:
Yeah.
Cherie Givens:
To me, that's always the thing, like auditing and accountability. As the person who's put the data there, I want to be able to go in and check this out whenever I need to. And make sure it's working as it should.
Bill Tolson:
Well, you mentioned putting data into a cloud where the data is not physically separated. But also potentially not even programmatically separated. So you want to look at separate tenancies within a cloud. How are those kept apart programmatically? Who has access? All that kind of stuff. So you're obviously finely tuned, at least on the questions around it. Part of our business involves cloud. I won't get into that. But we're constantly working with both small and very large companies that have very sensitive data.
Bill Tolson:
And there are very specific things, like you just mentioned, in the contract. But also, technologically, what can be done to ensure that even if there is a breach, you're not going to be missing data? It's not going to be extorted. It's not going to be encrypted and then moved. Two years ago, I think ... Our company's a member of Cybersecurity Tech Report, which is an international organizational company that worked with the United Nations and [inaudible 00:25:03] around data security.
Bill Tolson:
And I actually wrote a blog for them basically saying, "Well, with this new form of ransomware, what if, instead of just encrypting their data, they actually stole the data and then threatened to release it on the internet?" But even if they went further and said, "I'm going to resell on the internet and then I'm going to contact the GDPR authorities and tell them you just lost all the data onto the internet, you're looking at a 20 million euro fine." And literally, two months later, that happens.
Cherie Givens:
Oh my gosh. Yeah.
Bill Tolson:
Yeah. So it's become a thing. The newer versions of extortionware is, besides just encrypting your data and extorting you for it, they're stealing all of your data and threatening to release it. In fact, I think it was on the Continental Pipeline where it involved PII from individuals that were buying gas and stuff. The crooks went to the individual PII data owners and extorted them as well. Yeah, it's getting nuts. It's getting very scary.
Cherie Givens:
How could you trust crooks to tell you? "Oh, if you pay us, we'll give you this data and then everything will be fine." They're crooks to begin with. They were [inaudible 00:26:17].
Bill Tolson:
Well, yeah, they already have your data. So they could extort you every month if they want to.
Cherie Givens:
Yeah, but what would be the impetus to not do that? They are already extorters. Yeah, I totally think that. And [inaudible 00:26:30].
Bill Tolson:
I have noticed that in a lot of the research and what the big data and market research firms are doing is that companies are less inclined to pay fines now. Not by much, but it has reduced a little bit. But the other side of that is cybersecurity insurance premiums are skyrocketing, which that's not a surprise.
Cherie Givens:
Well, so North Carolina doesn't pay ransomware now. They passed a law to stop that, right?
Bill Tolson:
Yeah, that's good. I mean, if they know you're not going to pay, then why would they take the time and everything to attack you if you're not going to give them money?
Cherie Givens:
Yeah, we'll see how that plays out. But yeah, that's my position now. I was asked a lot of questions about that from people in industry. I think it makes sense to me and it makes sense why we have to move that way. But I also understand that if you are a small company, or a school, or something like that, or a hospital, and you need that information right away, then I can see the other side too. But I can see why it's a no-win situation. Because once you pay, then you're just into a cycle of being extorted.
Bill Tolson:
Exactly, because it gets around on the dark web that you paid, even if it's not on the front page of the Wall Street Journal. But following on the topic we were on before I diverted into all this other stuff. So in your chief privacy position, will your ... And you might have touched on this and I might not have recognized it. But will your main focus be on consumer privacy, citizen privacy, or just internal state government privacy between the agencies? Or a mix of all three or a couple of them?
Cherie Givens:
So I guess I'm a little unsure about the difference between citizen and consumer privacy. I mean, I'm concerned about the data that we're taking in. So if we're applying the Fair Information Practice Principles, we're giving people notice of what we're going to do with their data. We're only using their data for the purpose that we said we were going to use it for. We're not keeping it for longer than we need to. We're essentially treating people fairly in the way that they expect to be treated.
Cherie Givens:
And when I talk about it internal to the state, I say, "What if this was your grandmother and the state was getting information from your grandmother? She's going there to apply for a driver's license. And she thinks that she's given the state her information to get her driver's license. Is she going to expect it to show up somewhere else or for the state to then use that information in a different way?" And the answer is, no. And so-
Bill Tolson:
Or sell it.
Cherie Givens:
Yeah, so this is how I approach it is, would I expect this to happen to me? Or if you are one of the people who ... And it's upsetting to me the thought that there are still people who think, "Oh. Well, there is no privacy so I'm not going to worry about it." If you're like that, then still think of it for others. So I mean, I guess the line between consumers and public, or was it the consumers in the public? To me, they're the same on citizen data.
Cherie Givens:
And I don't like to say citizen, because I feel like all North Carolinians deserve the same rights and protections for us. So if we've given our word and said, "This is how we're going to use the data and it shouldn't matter if you were a citizen or if you're a resident. Within the bounds of our state, this is how we're going to handle data fairly."
Bill Tolson:
Sure. No, that's fantastic. And you mentioned something in there about how long you're going to keep it, only for as long as the original purpose. I don't know if you've had a chance to read some of the five state privacy laws. But that's a common factor across them is, now if they're collecting data from a consumer for whatever reason, maybe they want to download an ebook or something like that, to capture the data, they have to state what they're going to use the data for. And once that data's been used for that original purpose, all of the laws basically say that data has to be deleted.
Cherie Givens:
Yeah. So we have-
Bill Tolson:
I mean, you can't just keep it and use it whenever you want for anything.
Cherie Givens:
Yeah. At the state, we have data retention policies ... I mean, well, data retention schedules. And we follow those policies. So we're keeping it based on what the state has determined is the required amount of time. But what I'm doing is helping our agencies to think about this on a regular basis. Because I think part of the problem is it isn't that people don't want to do that. It's that data winds up here, there, and wherever. And the retention schedule doesn't necessarily follow it. And if privacy awareness isn't there, you may not realize it.
Cherie Givens:
So what we're doing is just really highlighting that, and reminding, and thinking about that. Because I think that everyone that I've encountered in the state so far has wanted to do the right thing. And been excited to be a part of this. And I think it is just a matter of keeping privacy there at the forefront. Implementing privacy by design. So to think about it right at the beginning and make sure you have mechanisms in place so that how you wanted to handle it responsibly, that, that mindset and those requirements around that data follow the data where it's going throughout its life cycle.
Bill Tolson:
That's really a great way to look at it. And you mentioned you want to treat PII as if it was your grandmother's. How would you want it to be used or not misused? In fact, Senator Kevin Thomas, state senator in New York, every year, he's been putting in new privacy bills for the state. Consumer privacy bills that haven't passed yet. But in a couple of his, he's included a provision around the data collector and/or processor must utilize and hold the data as if they were a data fiduciary.
Bill Tolson:
Strictly for the benefit of the PII data subject, not for the betterment or what's good for the company. So yeah, obviously that has been a major sticking point for him and every time he just bought a law together. I haven't seen any other state do that, but states now are starting to write in the duty of loyalty or the duty of loyalty and care, which is a version of data fiduciary. And it's a sticking point, but-
Cherie Givens:
Yeah. Well, I guess to me I see that as the fair information. That's the fair information practice that is the foundation for the Privacy Act of 1974 and for most privacy laws that we see. And to me that makes perfect sense. If you're treating the data fairly, then that's really what you need to be doing. I mean, I wonder if part of it's not the language, I guess is what I'm saying, is that it might be the way that, that's characterized might be causing the trouble there.
Cherie Givens:
Because I feel like, who can argue with treating it fairly? I feel like you're in a position where, how could you justify not treating the data fairly and not treating the people who say that you take it in? How can you really justify not doing what you said you were going to do?
Bill Tolson:
That's a great point. I hadn't thought of it that way. But yeah. Well, following up on that, North Carolina hasn't yet passed a consumer data privacy law yet. And I know they've had bills and stuff. As part of your job, do you see yourself maybe potentially working with the state legislature to help them craft privacy bills?
Cherie Givens:
I would love to do that. I actually have been asked about doing that. And I look forward to that opportunity. I would be happy to do that. It will obviously be what the legislators feel is right for our state. But I definitely think that my years of working in federal agencies and following privacy closely, I have a good understanding of what most people would be expecting to have in there.
Cherie Givens:
I also have seen, following the laws that have passed and those that haven't, I know some of the sticking points. And I think, for our state, we aren't California. So we'll need a different mix than that for it to work here, I would think.
Bill Tolson:
Okay.
Cherie Givens:
Yeah, I'll be mindful of that as I try to provide support for that to move forward. But I would love to see us have a privacy law. I was really hopeful that we were going to have a federal one, even though I know most people were sort of nay-saying the likelihood of it. But there was a while my hopes were really up. And I understand California's issue with it, but I would have loved to have seen that. Because I think that the complex patchwork that we're going to have of similar but not the same laws is going to make it more difficult on businesses.
Bill Tolson:
That's a really interesting subject. And I've written on that ... I've actually done a couple podcasts that the law you're ... or the bill that you're talking about is the American Data Privacy Protection Act, the ADPPA. I actually sat in on several of the House Energy and Commerce Committee meetings on it. And it really passed out of the committee in a very bipartisan batch. I think there's two votes against it, 50-something for it. So everybody thought that was really great work.
Bill Tolson:
I read the bill and a couple of things jumped out at me. But first, you mentioned the State of California. One of the big problems with the federal bill is the idea of preemption, meaning ... And this is what every company, every organization wants, is they don't want to follow 51 individual privacy laws. Because they all differ slightly in definitions and things like that. They want one. So the idea on the ADPPA was, if this passes and becomes law, then it supersedes all state laws and companies-
Cherie Givens:
Well, they had some carve-outs then. Yeah.
Bill Tolson:
Oh yeah. Oh yeah, yeah.
Cherie Givens:
Well-
Bill Tolson:
And there's the thing, they're asking for more carve-outs. That's what Speaker Pelosi has basically said, is the preemption issue is an issue. And they're still negotiating with it as to whether they can do some more carve-outs for California. The California CCPA and CPRA do have some very particular capabilities that they don't want to lose.
Bill Tolson:
Basically, what they want is they want state privacy laws that are tougher to be able to stand alone on those specific provisions, correct?
Cherie Givens:
Mm-hmm.
Bill Tolson:
Yeah, it's going to be interesting.
Cherie Givens:
I just thought it would've been easier overall for businesses, particularly those operating in more than one state, that if we had passed the federal privacy law, that would've given a foundation. And I felt like for some states, that would've alleviated the need to have to create their own.
Bill Tolson:
Right. Oh, [inaudible 00:36:56].
Cherie Givens:
We already had some of those that were working pretty well. Then you don't necessarily need to either start from scratch or even make it tougher. There's at least the chance that the federal law would've been enough and you could see how that worked for a while. And then see if it needed tweaking. Whereas without it, we are in a position now where some states have them, some states don't. And for us, we are hopeful of moving forward with the privacy law because there are gaps we need to fill.
Bill Tolson:
Yeah. Actually, just this week, I published a podcast with the Uniform Law Commission, which is really an interesting organization. But they have a model data privacy law that they wanted the states to adopt in whole. And none of the states have adopted-
Cherie Givens:
I remember seeing that one. Yeah.
Bill Tolson:
Yeah, no, it's really interesting. I've read it. It's less constrictive on business, but still it has some very good provisions in it. I did an interview with one of the authors of that model privacy law, Professor Jane Bambauer. We just published it this week. It's on the website and it's on iTunes and everything. And she had some really interesting ... Very smart, but very funny lady too. We had a good time. But she had some really interesting takes on the state laws and the federal laws. And how the Uniform Law Commission's model law would've worked.
Bill Tolson:
Also, I had a podcast that I think we published two weeks ago, three weeks ago, with the US Chamber of Commerce, who obviously works on The Hill with the various committees and stuff to create these laws. And they had some really interesting ... What was his name? Jordan Crenshaw. He's an attorney, one of the lead guys on that whole thing. Really interesting guy. Really interesting talk with him. But that whole idea ...
Bill Tolson:
And by the way, the other ... And I know we're running out of time here, but I want to get a couple of things in here that really I think are interesting. Part of the ADPPA and also part of some of the other states, the individual privacy laws, is the idea of private right of action, which basically means that in many of the state bills and some of the state actual laws, it's the state attorney general who enforces it. And who can bring suits, and fines, and all that kind of stuff.
Bill Tolson:
But with the private right of action, it means that under certain circumstances, the individual data subjects, the individual citizens, can sue the company for a breach. So you could have 10,000 people trying to sue you if you suffered a breach. And I've talked to many state senators and representatives who've authored bills. And they've all said, "Yes, we had that in there, but we had it negotiated out. Because it was a major, major sticking point for certain factions." I-
Cherie Givens:
That's what I've heard as well. And that's what I would imagine would be an issue for North Carolina as well.
Bill Tolson:
Yeah, California has it. The federal bill so far has it. Actually, I've been following the ... Canada has a very interesting privacy bill in their parliament right now. It's C-27. But they also include private right of action. Like you say, that's one of those things that they're just going to fight over like crazy. So-
Cherie Givens:
Well, I mean, speaking just for myself, I think that if there is a reasonable amount of time to fix it and you've chosen not to fix it, there should be a private right of action. I feel like there's a window of time when, once you've been apprised that something is not right and that you need to address it, if you continue to not address it, then there should be some action that someone can take. You shouldn't have to wait forever.
Bill Tolson:
Oh yeah. Oh yeah. And depending-
Cherie Givens:
I think there's nothing wrong with having some period of time where the company has to make the adjustment. And then if they don't ... I'm not saying that, that would pass here. I'm just saying, speaking as a private person, I personally feel like, yes, at some point we have to say, "Okay, this is ridiculous. And you don't plan on doing what you're supposed to do. So there has to be a consequence to that."
Bill Tolson:
Well, interestingly, in the committee hearings for the ADPPA, it was the preemption provision that caused all the furor. And the private right of action really wasn't, which really surprised me. You would've thought at the federal level, those various ... Of course, the Senate hasn't done anything yet. Still has to make it to the House floor. It's actually on the House floor right now. But Speaker Pelosi is basically saying, "We need to work on the preemption clause first."
Cherie Givens:
Yeah. Well, that made me think we ... Yeah, that little chance of ...
Bill Tolson:
I talk to lots of businesses around the nation on a regular basis, around the world. And they've all said, "The US has to have a federal privacy law like the GDPR, like Canada, like China, like Brazil, like everybody." And it's been a major issue for companies. Companies just want a law to be able to follow. They need to know what the liabilities and risks are and everything else.
Bill Tolson:
But I think it's a great sign that all of this stuff is now happening, especially at the state level in the United States. But that federal bill is much needed obviously. Two weeks ago, I thought there was a very good chance it was going to get out and become law by the end of the year. Now, not so much unless they bend on the preemption issue. But I still think there's a chance. So we're looking forward to that.
Bill Tolson:
But Cherie, I think that we're running out of time here. So I think that will wrap up this edition of the Information Management 360 Podcast. I really want to thank you for this fantastic discussion. Really, really love the points you made. Wrote them all down and I'm going to do some more work on them. But really fantastic. I wish you well in your lots and lots of endeavors. You have a lot of stuff going on. It's amazing. So I'll follow you.
Bill Tolson:
But if any of the listeners of the podcast have questions on this topic or would like to talk directly to subject matter experts, you can send an email mentioning this podcast to info, I-N-F-O, @Archive360.com, or directly to me. My email address is Bill.Tolson, T-O-L-S-O-N, @Archive360.com. And I'll get right back to you as soon as possible.
Bill Tolson:
Also, check back on the Archive360 website, or you can also go to iTunes and Spotify, wherever you're listening, downloading this. For new podcasts with leading industry experts, like Cherie, on a regular basis, I have several podcasts. Actually, I think I have 30-plus now. But I have five or six talking directly to state legislators. Very interesting discussions with them.
Bill Tolson:
Actually, I have a podcast scheduled now, or I'm in the process of scheduling, with the chief privacy officer for the Province of Ontario, Canada. So that's going to be really interesting. I had a discussion with him the other day. So Cherie, I'll follow you with a CPO from Ontario, Canada. But I really want to thank you. It's been fantastic and I think this turned out excellent. I think people are really going to love it.
Cherie Givens:
Well, thank you so much for having me. I really enjoyed discussing privacy with you. And I will definitely be tuning in to future podcasts.
Bill Tolson:
Thank you very much.