Description:
In our latest episode, Bill Tolson and special guest Jim Banach, Architect, Security and Compliance, Microsoft 365 Center of Excellence, discuss the impact of privacy regulations on business. During this podcast, Bill and Jim discuss current, new and changing data privacy laws and environments and how companies can comply with these new policies.
Speakers
Jim Banach
Compliance Architect
M365 Center of Excellence
Jim is a Compliance Architect in the M365 Center of Excellence supporting Microsoft Partner enablement and readiness around the Microsoft 365 Compliance Portfolio. Jim has been focused on the Microsoft portfolio for the entirety of his 16+ year career, first as a Microsoft partner directly enabling customers' Modern Productivity and Unified Communications platforms, and now as part of Microsoft, working directly with the teams building the capabilities that enable those solutions for customers.
Jim helps customers and partners transform their businesses using the Microsoft 365 cloud following the guidance and frameworks that allow them the ability to use the platform in a secure and compliant way.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to The Information Management 360 Podcast. This week's episode is titled, The Impact of Privacy Regulations on Business. My name is Bill Tolson, and I'm the vice president of compliance and e-discovery at Archive360. Joining me today is Jim Banach. Jim is a compliance architect in the M365 Center of Excellence, supporting Microsoft partner enablement and readiness around the Microsoft 365 compliance portfolio. Jim has been focused on the Microsoft portfolio for the entirety of his 16-year career, both as a Microsoft partner directly enabling customers' Microsoft cloud solutions, and now as part of Microsoft, working directly with the teams building the capabilities that enable those solutions for customers.
Bill Tolson:
Jim helps customers and partners transform their businesses using Microsoft 365 cloud following the guidance and framework that allow them the ability to use the platform in a secure and compliant way. Greetings Jim, and I really appreciate you taking the time today to speak with us about data privacy and security, really looking forward to the discussion.
Jim Banach:
Sure thing Bill, the pleasure is all mine, and thank you for having me on here.
Bill Tolson:
Great. Okay, well, let me open it up here. I'll give a little opening of what we're going to be talking about today, and then we'll get into the discussion. So with the continuing rise in both internal and external cyber theft and ransomware, and with corporate misuse of personally identifiable information, federal and state governments have begun to enact privacy and security laws to force companies to better manage and protect the PII, personally identifiable information, of individual citizens. The EU's GDPR and California's CCPA and CPRA were the first of a new breed of privacy laws that focused on giving individuals greater control of their personal data, its accuracy, and how it's used and sold, as well as requiring minimum levels of data security.
Bill Tolson:
But as more states and individual countries create their own differing privacy laws, the overriding question from companies has quickly become, what will be the impact on those businesses trying to comply with the numerous current, new and changing data privacy laws and environments? In reality, companies will be forced to implement new processes and procedures, audit employees' adherence to the new policies, purchase new technologies to make sure they're handling and managing data at the most appropriate level, and constantly train their employees on the changing policies and technologies.
Bill Tolson:
The driving factor for this new privacy and security environment is that all industries experienced a dramatic increase in cyber attacks, ransomware attacks, and the ever evolving variants of extortionware, which specifically target employee and client personally identifiable information. In fact, the average cost of a ransomware breach in 2021 was $4.62 million per breach, with 44% of ransomware attacks specifically targeting client and employee PII. Additionally, with privacy regulation fines reaching $20,000 per incident, and that's from the Colorado Privacy Act, the total cost to an organization can reach tens or hundreds of millions of dollars per attack. And with the move to hybrid and remote work, overall corporate data security has inadvertently been reduced because of how quickly companies had to react to that new thing of everybody moving home for a period of time.
Bill Tolson:
As I mentioned, foreign governments, the US government and individual states have begun to introduce, and in some cases pass into law, data privacy and security bills. Now, probably most of the listeners have heard about, again the GDPR and the CCPA, but we have a new California Privacy Act, we have a Virginia Privacy Act, many other states have been putting bills forward, including Connecticut, Massachusetts, New York, Minnesota, Utah, Washington State was one of the first. They actually haven't gotten the bill through yet, but they were the poster child for these things. And then countries like Brazil, China, and Canada, and so forth.
Bill Tolson:
In fact, our federal government, the US Federal Government, had several privacy bills introduced in 2021, two of them very close to what we're talking about here today. One by Senator Gillibrand of New York, and one from Senator Jerry Moran from Kansas, are both good to look at. Jim, on all of that, and I know there was a lot there, do you have any thoughts on how these new privacy and security regulations will affect or are affecting businesses, end users, IT departments and so forth? Have you got any feedback from your Microsoft clients on what these new regulations are doing to them or for them?
Jim Banach:
That's a great question, and that's a conversation we're having a lot with our customers and our partners. But I think the overwhelming theme is, as we hear about these new regulations, privacy is no longer just IT's responsibility. You can't just go in and turn a few knobs and dials and say, I'm compliant, I'm passing all the regulations. It really becomes an enterprise-wide effort. We need to educate our employees, whether they're in the back office or on the front lines, on what it means to respect the privacy, but also respect the data that's being processed by their customers. It's touching all aspects.
Jim Banach:
So you can have an organization that needs PCI compliance, and they have it. Marketing agencies have privacy requirements, and then obviously when we start talking about regulated industries such as financial and healthcare, they have some of the strictest regulations, and they're the ones that are being updated most frequently. But when we look at that, as I said, having users at the center of this is so important, that user education. But we often find that they're overwhelmed by the guidance they receive from organizations on what to do with personally identifiable information. And they don't understand why they're getting notified and told, "Hey, you were trying to share this piece of information, or maybe you shouldn't be storing it there."
Jim Banach:
Users are given guidance on how to classify documents, what can be stored where, who they can share it with, and it's all coming from different departments. You have IT just wanting to prevent data from leaking out. You have compliance groups, you have privacy offices saying, let's not keep this information, this certain information or record needs to be stored for this length of time, and sometimes those are conflicting. And then all this time, as you mentioned, the move to remote work, this great resignation we're living in right now, IT teams are understaffed compared to the amount of alerts that need to be acted on. So all that's created this sometimes perfect storm of moments where, when we're dealing with more and more data than ever before, the chance of having an incident is that much higher, and why we need to use the tools and technology and be hypervigilant from education on up.
Bill Tolson:
That's a great point. And I run across sort of the same thing on the litigation side, e-discovery. Employees can inadvertently make mistakes with data. A lot of times they're not doing it on purpose, but if they make a mistake and end up exposing customers' PII or responding to a phishing attack or whatever, those kinds of things, that still can put a company in deep water. It doesn't matter what your intent behind it was; it was, did you leak data or not? Was the breach successful or not? That's one of the things, and I think Jim, we've mentioned this in some talks, companies over the last 20, 30, 40 years, basically the focus on records has been, I need to capture those 5% of the enterprise's records for regulatory compliance and all the other stuff. Hey, employees take care of that, the vast majority is on their laptops or workstations, we don't care about that stuff.
Bill Tolson:
We've got to worry about those 5% of company documents that are responsive to regulatory retention requirements. Nowadays, I think we're getting to the point where if a company doesn't know what it has, it can't be compliant anymore. It's not just those records, but it's all of the data. Because that data can include PII that leaks out, could put you into trouble and all kinds of stuff. The question that I think we can eventually get to is how does a company manage all of the data within their enterprise, not just those 5% of records. Meaning all of that data sitting on laptops, and workstations, and file servers and so forth. Because now with the new regulations, those are all being affected by security and privacy requirements.
Jim Banach:
I think you're right there Bill, and the cloud has just made this infinitely more pervasive. Because you're not an IT administrator staring at a rack of storage anymore, and a user never thought of that. But gone are the days of quotas on mailboxes, quotas on my home drive, and we've trained people, and the consumer market actually brought this upon us, that many of us have become digital pack rats. Search has become so easy that it says, oh, let me just keep it, I may need it. I don't have to worry about where it is, and I think we've all been on that. If you see those pictures and images of people with thousands and thousands and thousands of unread emails. Go back five, 10 years ago, I mean a thousand unread emails, the next thing you know they're getting that note that says, hey, your mailbox is full, you need to delete some information.
Jim Banach:
The prevalence of being able to easily store information, and then what you said, where it can be stored can be anywhere. You still have your traditional on-premises data locations, maybe your ERP platform or your other key line of business may have not shifted to the cloud, but you're in the process of moving that there. So whether you're in one of the public hyperscale clouds out there or third-party solutions. And then there are the third-party solutions that you as an organization have management and control over, and inevitably you're going to have that shadow IT environment out there as well. Where people may be storing things because it's more convenient, because maybe your organization's policies haven't kept up with allowing people to use the cloud or breaking down those barriers for that easy collaboration.
Jim Banach:
And I think that's why it's so important that as an industry, we've really seen people going toward and adopting that Zero Trust methodology. That's really at the baseline of all of this. Identity, we're talking, that's always that control plane where everything pivots around, and it's what a user is doing. And are they doing it from secure places, with a known location, with known devices, and then we're going to allow them access. So that's that first step of we know where they're coming from. And then we can say, all right, now, at least I know where the data is, then as you said, what do I do with it? How long do I need to keep it? And depending on the regulations in the industry, some say you may need to keep this forever. Others are like, we only need to keep the relevant information, and that's changed so much because it's so much easier to store things now.
Bill Tolson:
Yeah. One thing that occurs to me every time I talk about this subject is, do you know where all your data is within the enterprise? Not just what IT has access to, but where all the data is. Because if you get a data subject access request saying, what kind of information do you have on me? You have to be able to report in full. And then if they come back and say, I want you to delete it. If you don't know where all their information is and you end up not deleting some of their stuff, because it was sitting in unknown repositories or on laptops that the IT department doesn't have the ability to index or look at, then you're in violation. The one thing you learn in e-discovery in lawsuits is you always have to assume that the other guy has that smoking gun email.
Bill Tolson:
So don't say it doesn't exist, because they will have it. That's always the mistake. So in this new environment of privacy and data subject rights, you have to know where everything is to be able to be compliant with the law. And then as you were saying, you know where everything is, and then what do you have? I used to work for a great CEO years ago, he would say, gee, it costs anywhere from 200 to 500 times more to find the information that you're looking for when you need it than to store it for 20 years. So storing it is one thing, but also being able to find it when you need it is something else. And that plays into the whole privacy setting, right to be forgotten and that kind of stuff.
Jim Banach:
I think that searching for it, that's really what the cloud has allowed us to do so much better. It's what the machine learning capabilities have allowed us to do so much better. But now that people are used to being able to easily search for it, there's an expectation that you can very quickly come upon this. And I think that's what a lot of these privacy regulations have shown is, like you said, it doesn't matter if you missed it or not. I mean, there are differing levels of fines depending on whether it's an inadvertent or a purposeful leak of private information. But either way governments are saying, hey, people are entrusting you with their personal information, you need to do everything in your power to know where it is. You don't just get an E for effort anymore.
Bill Tolson:
Yeah. If the company suffers a breach and that information is exposed, the data subjects, the end users, now have rights to go after you in one way or another, and they should. Because like you say, they're entrusting you with personal information that, if used incorrectly or illegally, can cost the end user large amounts of money and lost hours and all kinds of stuff. So the days of taking data security, especially around PII, lackadaisically are gone, because it could put a small to medium size company out of business overnight. What is it, that GDPR fines can reach 20 million euros, right?
Jim Banach:
Exactly. And I think as I was reading up on some of the other regulations as we were preparing for this, if you look at something like Brazil's new privacy regulation, a lot of these groups, they'll tier or differentiate and say, hey, the really large corporations that have the means to do this, we hold to a higher standard. But Brazil said, "I don't really care about your company size. You can be a five person organization or a 5,000, you are just as much responsible." And I think it's only a matter of time before we see more states or more countries take that hard edge where, as you said, if a privacy issue happens to a small business, it could put them under almost instantly. And I think it's on all of us as part of the broader industry to say, how can we help enable these groups to do it effectively, knowing that they don't have the budgets of Fortune 500 companies to do so?
Bill Tolson:
Absolutely, right on point. And the other thing that most people don't think about is, what do these new requirements do to a company's cyber liability insurance rates? If you're not making the best attempt to secure data, I've been told by insurance brokers, your rates are going to be way higher. And if you suffer a breach, they're going to be even higher after that. So taking it seriously affects the bottom line, because besides the bad press and a hit to the shareholder equity and all these other kinds of things, and fines that can follow a privacy issue, it really is becoming all inclusive.
Bill Tolson:
In fact, we talked about many of the states, you mentioned the foreign countries, China has a pretty strict new privacy law. India is working on one that is very, very inclusive of all kinds of stuff. But I noticed Jim, just on December 10th, the Federal Trade Commission filed an advance notice of proposed rulemaking with The Office of Management and Budget, to basically start creating and putting into the Federal Register privacy laws at the federal level. Because Congress has not gotten to the point of actually issuing anything or passing a law.
Bill Tolson:
So the FTC is now saying, well, gee, we're going to start writing laws into the Federal Register without Congress. The FTC law, basically the filing, says the FTC's intent is seeking to curb lax security practices, limit privacy abuses, and ensure that decision-making does not result in unlawful discrimination. But it'll be interesting to see what kind of rules the FTC comes up with, and if they're not shot down in court somewhere. But at least they're trying to do something, which, I'm disappointed in the federal government not being on top of this, to tell you the truth.
Jim Banach:
Yeah. And I think sometimes it helps to think of that, of a group like the FTC saying, hey, to do business with the federal government, you need to abide by these standards. So many companies here in the US do business with the federal government in some way or another that it ups the game. You used to see this, and you still see it, in military contracts all the time.
Jim Banach:
And what drove the creation of so many of the government and sovereign clouds that are out there is, sometimes it may not be the law of the land, but just to do business with other companies you have to comply with this. And I'm hoping maybe that's what drives it, is some of these bigger firms, and organizations, and entities start setting standards that say, look, to work with us you need to comply with this. Here at Microsoft we have our privacy and standards of compliance, and it says, if you want to be a partner of Microsoft, you must agree to do A, B and C. And if you don't, sorry. But so many groups do business with Microsoft that it forces the hand of a lot of corporations.
Bill Tolson:
That's like the HIPAA regulations for business associates. Not even the data controllers, but the business associates, they're just as liable, and they have to sign up for this stuff to be considered in the in-crowd. And with HIPAA, I mean, you could be looking at gigantic fines as well. It's one of those things. I've been following the state privacy regulations all around the country. Last week or the week before I did a podcast with Minnesota State Representative Steve Elkins, a very nice podcast. He was one of the co-authors of the Minnesota Privacy Act, which did not pass this year. So he is going to do it again next year with changes and stuff.
Bill Tolson:
But one of the things I asked him, and I've looked at all of the state bills, and except for the California one, all the rest of them read very similarly to each other. And they're relatively nebulous when it comes to things. One of the things I asked him is, in the Minnesota law that didn't pass, I said, you had written in there that a data controller shall establish, implement, and maintain reasonable administrative, technical and physical data security practices. And I said, well, what is that? And most lawyers that I know, they've all said, well, any first year lawyer can be successful arguing against that, what does reasonable mean? So I asked the representative, I said, why the fluffy, wishy-washy language? And he said, in reality, all of the states, and probably half the states are working on these things right now, they all pick data or content from other states' practices.
Bill Tolson:
So many states have gone to the Washington State Privacy Act and taken language out of that. And they say, well, this is good enough, put it in here. There's not a lot of thought put behind it technically; most of the state representatives or state senators are not IT folks. Now, Representative Elkins actually did have 25 years in the IT industry before he became a representative. But he said, yeah, that's a mistake, and the states among themselves have talked about becoming more prescriptive. And I said, what I would like to see is maybe a requirement that all PII is encrypted while at rest and while in transit. That's not next generation technology, it's been around forever. So why not stipulate in your bills that PII must be encrypted?
Bill Tolson:
And he said, actually, that's a great idea. And he said, we've actually talked about that, and we'll probably include that in the next bill. So if he gets it in his bill and it passes, then other states will copy it and so forth. But I was wondering Jim, what you thought about that? Have you had a chance to read any of the bills, and any thoughts on any of them?
Jim Banach:
It's funny that you brought it up like that, because I think it's a struggle of, if I'm a business and saying, all right, what do I need to comply with? Like you said, what is reasonable for one group that's spending millions of dollars in my privacy office alone, some other group may say, hey, I put a warning up on my website. How do we give that right guidance in there? And I think having the nebulous language in the laws, it can be a double-edged sword. It lets the evolution of technology dictate the pace of what we're reasonably able to do. If you think conversely about something like the Digital Millennium Copyright Act, the DMCA, it places such strict requirements on what could and could not be done that you just saw it challenged in court time and time again, as technology had advanced past what the law was written for.
Jim Banach:
So I think some of these laws are trying to be a little bit technology agnostic or future-proof in there, so they're not saying, thou must follow these three steps in the NIST regulation to be compliant, but saying, hey, do what you feel is reasonable. It's the same thing as the legal language, the commercially reasonable efforts. If consumers are going to keep demanding, that is the bottom line is, we as consumers are being smarter and smarter about what is tracking our personal data and how we're able to control it.
Jim Banach:
I think we've got operating systems and platforms that say, every time I open a new app, I opt in to it tracking my information or not. So we're hyper aware of that. It's almost like we're letting the consumers push the industries, and groups such as Microsoft and others are stepping up and saying, all right, how do we fill the gap with technology so that businesses can do this at scale with these immense amounts of data and signals that are being collected out there, and do it in a way that we feel is comprehensive and meets the needs of these organizations?
Jim Banach:
So like what we said in the beginning, if that lawsuit does happen, they can say we tried our best and that there isn't a phantom email or mysterious email that wasn't showing up in first discovery that's the smoking gun. So I think the onus is on everyone, from the people that are making technology to the people that are processing the data, to us as consumers, holding everybody to as high a standard as we reasonably can.
Bill Tolson:
Yeah, that's a great point. And like you said, most of us do business in a free market. And if you are sloppy with customer data, then eventually they will stop doing business with you and go elsewhere. It's in your own self-interest to potentially spend the extra dollars and the extra time to become more secure, because people nowadays, especially again, with all the ransomware and extortionware and stuff like that, are becoming much more aware that their data can be a problem for them if misused. Of course, I'm in the business, but I know people who aren't, and that's something in their thought process. Gee, has this company had an issue in the past, and why would I do business with them? Why would I give them my business? Of course that's a longer-term thing, the free market reacting.
Jim Banach:
It is. But I think at the same point, information dissemination is so much more important. Let's think back a few years ago when Petya and NotPetya happened as ransomware, it didn't make the national news. Go to this summer, you have things such as the Colonial Pipeline, everybody knew, everybody knows what ransomware is now. And they know that the first thing out of the mouth is, not that these organizations' systems are locked, it is extortionware. They're taking the personal data and threatening to sell it on the dark web or other places.
Jim Banach:
And I think when I talk to customers about our compliance solutions, the first thing I tell them is, how much is your customers' trust worth to you? How important is protecting the IP that differentiates you from your competitors to you? That's a lot of what we're talking to people about, not only privacy, but also insider risk and information governance: you're running on trust. Microsoft has a slogan, Microsoft runs on trust, because if our customers lose faith in us and our ability to properly protect their data, that's a big problem for us. We want to be as transparent and trustworthy with what we're doing with the data at every possible moment and move.
Bill Tolson:
Yeah. Well, Jim, you had mentioned several minutes ago, Zero Trust. Can you talk about the new privacy and security technologies companies are looking at to address the new environment of data privacy and security?
Jim Banach:
In its essence, Zero Trust is how in the industry we think about access now, and getting access to our data, and continual attestation of what's going on. So no longer is it enough for organizations to say, I've got the best firewalls in the world, everything inside my corporate perimeter is secure. Even before this new way of working that we're living in, that was starting to break down. The cloud started breaking it down. We're accessing information from our laptops, wherever, so we need to pivot how we were looking at things. And at Microsoft, the way we think about this is talking about the identity first and what's happening on it, and then making sure I'm accessing it with a secure device, whether that's my mobile device or my computer, and that I can attest that it is compliant with my organization's standards.
Jim Banach:
And you couple that with things such as multifactor authentication. If I can put a plug in here: if you're not using multifactor authentication, whether on your personal information or your corporate information, wherever you can, go start doing it. There are a number of applications out there; Microsoft has our authenticator application that lets you not only manage sign-ins for your corporate information, but you can do this for anything else that you access. I know I had an email from Social Security this weekend. It said, "Hey, to access this, you need multifactor authentication to get at it." So even my vacation clubs that I look at have multifactor authentication.
Jim Banach:
So everybody knows that identity breaches and harvesting passwords are still the number one way many attackers can easily get into organizations. It's not through sophisticated code executions or flaws. If we look at the current vulnerabilities that are out there with Log4j, that's a very real issue, and it's one that's going to keep a lot of security professionals very busy, but those are determined people. A lot of, I would say, would-be hackers or others, they're going to say, look, path of least resistance.
Jim Banach:
If I can send a well crafted email and get someone to click on a link that then captures their password, great, I'm going to do it. There's a whole industry out there where you can buy phishing kits on the black market, and that's really scary. It's ransomware for hire. How do we prevent that? Multifactor authentication is the first big step of that. Then it is having those modern devices. Where can I reduce on-premises infrastructure? How much can I use the cloud and the scale of the cloud? I mean, Microsoft handles trillions of authentications on a regular basis. Nobody's getting more authentications out there than, say, Microsoft and a few of the other hyperscale cloud providers, so we've seen it. And then how do I bring that all together? How do I say, "Hey, this looks risky, Bill, you signed in from Colorado at lunchtime and then two hours later you're signing in from Germany."
Jim Banach:
You probably didn't travel there unless you broke the speed of light, so we can identify those. Even the best funded security departments in the world probably don't have the telemetry and scale to capture that information. So that's the first thing I would hear with a lot of customers, and thankfully they've come around, is they'd say, hey, I can do security better than Microsoft, I can do it better than Amazon, better than Google, because Microsoft had that one thing that made the news.
Jim Banach:
But when you look at it in aggregate and what they're doing, I think the power of the cloud and the power of these signals and the machine learning that can be put behind it, it sets the table stakes that much higher. So that now you, as a security group, you're spending more time hunting for a specific threat than just looking at the logs to say what is happening. And that goes for everything from that sign-in all the way to what sensitive information is in my environment. Where do I have HIPAA related information? Where do I have things that have to comply with SOX? Where are the credit card numbers stored? The cloud provides the ability to search for that at a scale and level that didn't exist before, or that only the largest of the largest companies were able to handle.
Bill Tolson:
Yeah. With the move to the cloud, then you have the ability to dynamically upscale storage, upscale your CPU usage for short periods of time, if need be. I mentioned PII should be encrypted. Do you have systems now that will recognize PII and say, well, gee, I need to encrypt that? I could do field level encryption. I could do anonymization or pseudonymization. And that all happens potentially in the background, and you're using encryption technology for that. And then you get into encryption key management. A lot of the issues companies have is a SaaS provider is encrypting data up on their third-party cloud, and the encryption keys are kept up there as well, so the cyber crooks can go up in there and potentially find and use the encryption keys. Sometimes the encryption keys are used on multiple customers, those kinds of things.
Bill Tolson:
So Microsoft has for cloud, encryption key management, they have Key Vault, which is a very secure area within the cloud that protects those keys. And then you can even go the next step and say, well, gee, I want those encryption keys stored on-prem, I don't want them kept in the cloud. The big FinServes, the big banks, Wall Street banks, that's one of their requirements is, encryption keys cannot be stored in the cloud period, in some cases. So that extra ability to maybe encrypt the data on-prem and move it up to the cloud and keep those encryption keys on-prem is yet another security potential that CSOs are starting to ask for.
Jim Banach:
Right. And I think that all comes back to organizations' digital maturity, and their level of trust. And I think that's where the cloud is such a great democratizer there. So if you are a small business, you would know nothing about key storage and field level encryption, but you do know I'm storing stuff with customer information. Out of the box, let's have some rules that detect the most common things that are out there. I need to comply with HIPAA, all right, what are the sensitive information types that are out there? I as a small business, I'm probably keeping the majority of my data in something like Office 365 or a SaaS solution that may partner with it. I'm not building a line of business apps in Azure, or in AWS, or Google where I can take it to the next level.
Jim Banach:
But the great part about it is even Microsoft, our SaaS solutions a lot of times, are being built on those core building block fundamentals of Azure. So you mentioned Azure Key Vault, what we're doing, what we brought together, when we had bring your own key, host your own key. Those same solutions are enabled by Azure Key Vault. So you can get that level of capability in a SaaS cloud, same way as you can in a pure cloud that you're building your line of business PaaS application in. I think it's that level of sophistication. We meet customers and it's important on meeting customers where they are in that digital journey, and providing them.
Jim Banach:
The other thing, you mentioned having that data encrypted and where it's stored. And it's really interesting when you look at some of these new encryption messages, maybe homomorphic encryption that's out there saying, all right, how do I make sure that the data is there and it's encrypted only I can decrypt it, but I have the services that can reason over it. And I think that's really important because I think the thing that can prevent people from using the power of the cloud sometimes is just that is that. I'm the only one that wants to control my keys, control my information, but the minute you do that, now you say, all right, well now I can't take advantage of the machine learning in the cloud to identify all the sensitive information, because I've encrypted it before it's got to the cloud. So how do you balance that? And I think there's some really interesting stuff coming along in the industry that hopefully lock that and make it a little bit more democratized. But at the same time, making sure organizations have 100% say in what's happening with their data.
Bill Tolson:
Yeah, no. You mentioned homomorphic encryption and that's really been of interest to me. We adopted it for our security gateway, that is an on-prem solution that works with the cloud and our cloud information management archiving application. Utilizing homomorphic encryption basically enables you to keep the data encrypted while in transit and while at rest, but also while in use, so the data never has to be decrypted. I won't get into the technical details of homomorphic encryption, but it is that next step. And the cloud enables it because you do have that extra CPU available if you need it. And that's one of the things that I've asked the various state representatives and senators is, when can we move to that, this technology does exist. You don't have to specify a specific vendor, it exists across the industry, so why not?
Bill Tolson:
Encryption again, it's one of those technologies that is really available that every business should be using now. There's no reason to put PII in danger of being stolen or breached if the technology exists. And that's what I want the state representatives to look at too. But that encryption in combination with role-based access controls, the system is smart enough to know, well, Bill signed in, he's in a Zero Trust architected system now, I want to get into a SharePoint and look at some stuff, or I want to get into Salesforce and look at some stuff. And the system based on roles within, for example, Microsoft Active Directory knows which type of information I should have access to and will limit me.
Bill Tolson:
I could sign in and maybe I see some emails, but the social security numbers have been encrypted and they don't make any sense to me. If I was somebody else with a higher authorization, I could sign in to that same email and the system would know to decrypt that stuff for me automatically. That's becoming a basic security procedure that companies should be using now too. And all of the... No, I shouldn't say all the cloud systems, the ones that I know about, including with Microsoft and Microsoft with Active Directory, it's all built-in now, you just got to set it up. Those are the base level security requirements that everybody should be using. I would be surprised if insurance brokers are not close to making them do it.
Jim Banach:
Yeah, and I think that may be what pushes it. It may not be, I would say the governmental regulations that drive this, but it may be, like you said earlier, insurance costs for cyber are just going up and up. And we may find that it's the insurance companies that say, "Hey, you don't want to have an exorbitantly expensive policy, do these things." You think about even in the auto, you have seat belts, you have airbags, your insurance policy goes down. Are we on the verge of seeing similar things in corporate insurance policies for cyber risk?
Bill Tolson:
Yeah. Like you say, it's going to be cost that drives it. The cost of not doing it is going to be more than the cost of applying the new security processes, procedures, technologies, and so forth. We've talked about the privacy regulations in general, but I think regulatory requirements in general and the cloud, obviously we've both talked about many companies are moving in cloud, and they all will be there eventually just based on cost and available technology. And you've mentioned machine learning and AI.
Bill Tolson:
One of the advantages of a big platform like for example, Microsoft Azure, they have all of these various technologies available for vendors to use. For example, you mentioned machine learning, we take advantage of Microsoft machine learning capability within our products to be able to utilize that and go to that next level of, for example, predictive categorization and things like that. Predictive supervision on the FinServ side, and I know I just stated it up front, but Jim, are there any other advantages in using a cloud platform to comply with regulatory requirements, privacy requirements?
Jim Banach:
I think one of the other ones, and I'm going to touch on one of our products actually, compliance manager is, there are hundreds of regulations. I think one study I read said, there's a change in a regulation somewhere in the world every 20 minutes. And when we talk about large companies, we talk about in these privacy rules, it's not, there's one set of rules that apply to you when I'm located in a certain country, or state, or region, but also where my customers are. My customers are global. It's almost inevitable that one of these privacy regulations touches you, how are you staying up to date on that? Hundreds of regulations with thousands of updates, and if one changed, how do I know if I fell out of compliance or not? So even tracking regulations, take away the really cool technology like the AI, and machine learning, and real time sensitive information type scanning, but just tracking regulations, tracking compliance toward it.
Jim Banach:
The cloud makes that much more available to you, so that you're not having to have spreadsheets sitting somewhere. And then someone else trying to interpret the law and stay there. We're bringing that ability in the cloud of just tracking these. So someone's compliance department can say, all right, here's the rules, here's some regulations, and whether I'm in the Microsoft Cloud, or I'm trying to manage my regulatory compliance against another cloud like Salesforce. I'm able to do that and I'm able to track it and it's defensible, I think, is the other important part. Is you can say, look, I did these steps, here's where I am in terms of compliance and I'm tracking it. And I know every change that was made to those documents, to those steps, to that information. I think the cloud brings that power to a lot of organizations in just getting a better handle on what they need to be doing.
Bill Tolson:
The big cloud platforms like Microsoft, they employ literally thousands of regulatory specialists. I read at one point, Microsoft had over 3000 regulatory specialists just working on GDPR. With that kind of background and backing, vendors who are creating these additional applications, they do have a very seasoned, very educated team at the cloud provider to help them understand this. And one of the things that we rely on is that Microsoft has gone through the hard work of being certified in every known kind of requirement. And they're very good about publishing those and saying, yes we are, and this is why, and these are the agencies and so forth.
Bill Tolson:
So if we're operating within the Microsoft cloud or the AWS cloud, as a vendor with our application, the cloud provider, the big ones, have done all the work in helping us be able to understand and believe that yes, if a customer asks us are we GDPR... It's funny, they'll bring up GDPR certified, which there's no such thing. But do you operate within GDPR, or HIPAA, or any of these other things, we can go back and with Microsoft say, well, sure, we're operating within Azure for example, so yes, we are under these kinds of things. So it's a big help. I mean, having all of those resources behind the curtain to do that and to be able to rely on that, those kinds of things are so costly and they require so many specialists to get to the point to say, yes, we do meet those regulations and this is why.
Jim Banach:
Yeah. It's important there, and I want to build on that point is, I've had these conversations with customers a lot of time of just, oh, well, once I move to Office 365, I'm HIPAA compliant or I'm GDPR compliant. And unequivocally the answer there is no. Office 365 enables an organization to reach HIPAA or GDPR compliance, but there are policies and processes that are not technology or requiring you to configure the technology in a certain way. Now we've got a lot of guides and information on best practices, but it is up to every individual organization to either do it by themselves or working with a partner that knows this inside and out, to make sure that they're taking it to that last mile. Because the hyperscale cloud providers are doing just that, they're building it for scale. They can't meet every individual regulation that is out there and implementation that's unique to the business.
Jim Banach:
It's important to say just because I've started using the cloud, I'm not completely in compliance. And I think that's an important thing for groups to remember. On top of that, I think you mentioned earlier, there is a comfort factor in saying, all right, well, Microsoft is doing everything that they can do to get as close to that as they can. They have regulations on GDPR and being a data processor. When [inaudible 00:42:57] too came out in the European Union last year, at this point that changed the way safe harbor was seen in some of the model clauses. Microsoft had a response right away and saying, look, here's how we believe we can do that. And even just last week of when we're recording this podcast, Microsoft made the announcement that says, we're going that next step above and beyond, in that we're going to be at a point where, yes, all of our Azure cloud services can already be configured to process data. We're going that next step that says, we will be able to make it to a point where all of your data in the EU will live within the EU.
Jim Banach:
So including support, diagnostics, service, generated data, personal data that we use. We're extending and expanding on our privacy commitment to our customers to go above and beyond the regulation. So more to come on that, that was a very hot off the press announcement last week, but there'll be summits later this year where we're going to start sharing more about that, and what we're doing to build better data boundary solutions into our core cloud services.
Bill Tolson:
And that's really important because I've written a lot about this over the last couple of years. But data sovereignty, there are country laws that say data generated in France must stay in France, unless certain things are met, but there's lots of countries around the world that basically have data sovereignty laws that say, data has to stay here. So having those hundred plus data centers around the world, whether you're Microsoft or AWS or the others, versus the one-off third party SaaS solution that has a data center in Omaha or something like that.
Jim Banach:
Nothing against people in Omaha though.
Bill Tolson:
Oh, I love Omaha by the way.
Jim Banach:
Well, we want to make that very clear.
Bill Tolson:
Great steaks, but yeah, they need to be very aware of that. We get that question a lot, because it's on people's minds now. And having that ability to designate a specific geography for where the data is going to be stored based on data sovereignty issues is a big deal. Talking about GDPR and I read it, I'm almost embarrassed to say this, but I read the entire GDPR. And I would say 60% or 70% of the GDPR requirements have nothing to do with technology, they're all process. And like you say, they have to rely on the end user companies to be able to say, this is how we're handling the data. This is what we do before we put it into the cloud, those kinds of things. When I get the question is your solution GDPR certified, you kind of, without the customer seeing it, roll your eyes and say, well, there is no GDPR certification. Number one, are your people doing all the required stuff?
Bill Tolson:
And then if it goes into and it's utilizing your technology, sure, we can say the technology and the way that we tell you to use it meets GDPR requirements. But it's not a one-size-fits-all, if I buy your solution, will we therefore be GDPR compliant? The answer is no.
Jim Banach:
But we can help you do it in a GDPR compliant way.
Bill Tolson:
Exactly. And that's the hardest part for people. I still get the questions from small banks and stuff saying, are you SEC 17 certified? And I'll say, well, SEC doesn't certify technology or solutions, number one. Those parts of the SEC requirement that require very specific types of technologies, absolutely. But there's a bunch of stuff like GDPR that has nothing to do with the technology. So that's a big part of it. One thing I want to touch on before we end this, the idea that the cloud also allows companies, organizations to consolidate data. Instead of having it in tens or hundreds of different repositories and not even talking about end user workstations or anything like that. But having some form of management and policies that say, well, gee, I'm going to start consolidating data.
Bill Tolson:
So there's one place to check for 60%, 70%, 80% of the data, that's going to speed it up, that's going to allow us to better meet privacy regulations, security regulations, and then those data subject access requests. Those are coming up a lot more now with both other companies and clients and other things. We're getting [inaudible 00:47:15] by DSAR, Data Subject Access Request. How can we lower the cost of those and automate them? And by consolidating not all of your data, but a lot of your data in a specific low cost, highly secure repository makes that new environment of responding to data subjects about the data much more straightforward.
Jim Banach:
And it is kind of a balance thereof. I think we see a lot of organizations that have had certain non-cloud repositories for years. And they said, I've got to get out of my data center, I've got requirements. If I'm keeping data somewhere, it's got to be on supported hardware, it's got to be in a supported platform. And my storage array is going out of warranty, so I need to do something with that.
Jim Banach:
And we want to bring as much of that data together as cost effectively as possible too because you generally don't need this on a real time basis. I'm not keeping this in my hot data tiers. But at the same time, there is a very real cost to moving data around between cloud providers. I think every cloud provider makes it super easy to bring your data in, but if you need to move it elsewhere, get ready to pull out your checkbook.
Bill Tolson:
We refer to it as data ransoming.
Jim Banach:
Yeah. It's the state of the industry. I think that's the best way to put that. But it's that balance of how can I reason over the most real time freshest data in place so that I'm not paying egregious charges. But also saying, for the places where I need to get at it and it's latent, or I don't use it a lot, how can I store that as cheaply as possible, and how can I say, that's just one place so I'm not having to worry about the security profile of an appliance that I bought 10 years ago to manage my e-discovery solution. And I think you put those two together and what we try to do is through our connector ecosystem and through our APIs, make it easy for organizations such as Archive360 to attack and say, all right, work with as much data as I can, we'll start where we need, but you don't need to pull data out of places that are being accessed and used real time.
Jim Banach:
So taking advantage of Microsoft's scale as a provider that's working with so many organizations. We've got dozens upon dozens of connectors that can pull in and say, all right, I can get your data from WhatsApp or from Bloomberg, pull it in and then have the tools that can search over it for your DSAR request. We've got our new privacy management solution that is purpose built for handling a DSAR request, and the requirements in there because although you see a lot of organizations maybe using their e-discovery or other search tools to start it, workflow is different.
Jim Banach:
Because you're not pulling all information, you may need to redact certain pieces of information. How do I do that in real time? How do I know that if the information I'm grabbing has other sensitive information in there? So looking at tools such as our privacy management and doing the subject access request, it brings it a little more purpose built, again, so that you don't need to have been trained in the industry for years upon years to know what to do, but it gives a starting point. And then it lets our partners, it lets our customers, build on top of that with their individual business requirements. And I think that's what's really cool about so many of the solutions that we've put out recently is that, we've got a starting point, we've got a great platform that meets the needs of 80%, 90% of our customers out there. But when you need that extra 20%, we've built it in a way that you can build on top of it.
Bill Tolson:
Yeah. And we mentioned data ransoming, which is a long-term ongoing issue with some of the cloud providers, especially some of the third-parties. The other issue that you run across, they might say, well, gee, we're not going to ransom your data, it's not a problem. They'll throttle the data. They'll say, well, take all the data you want out, but you only get a pipe that will give you 100 gigabytes per day or something like that and you're sitting on six petabytes. You're looking at years to get all your data out.
Jim Banach:
Or we saw back when organizations were first moving to the cloud and said, oh, I've got to get out of an archiving solution, I want to go native. And what did we get? Drives upon drives of EML files and said, here you go, you're nuts. It's like, what do people do with that? So yes, ingestion easy, bringing it out, that's the story. And I think that's where you and I have worked together in the past is, how do we get that data from point A to point B in a way that's actually usable, and defensible, and has that chain of custody.
Bill Tolson:
Yeah. The whole idea started off this part of the discussion with data consolidation. If you are consolidating more data in a lower cost solution, higher security, it also gives you an easier ability to use NextGen analytics and those kinds of things, to get more value out of that data that you're holding for long periods of time. But having 16 different repositories with different ways to search and things like that, it is an issue for those companies who are looking at, I want to utilize that data that I'm storing using analytics capabilities and so forth.
Bill Tolson:
Okay. Well, I think Jim, that wraps up this podcast of ours. Again, I want to really thank Jim Banach from Microsoft on this, this is really an interesting discussion. Be sure to check back with Archive360, our resources/podcast page to see new podcasts that are coming out on a regular basis. Like I said, I have several more coming out with a Minnesota State Representative, a state senator from Colorado and the Colorado Privacy Act. We have a partner from a very large law firm, that's a specialist in privacy regulations around the world. We've got a lot of stuff coming out, so keep coming back and checking. If anyone has questions on this topic or would like to talk to a subject matter expert, please send an email, mentioning this podcast to info@archive360.com and we'll get back to you just as soon as possible. Additionally, Jim, did you want to give your email address for somebody to contact you?
Jim Banach:
Yeah. I think the best way if people want to reach out, there'll be a couple of links in the notes to the podcast, to find out more information about some of the solutions we had talked about. You can also find me on LinkedIn, just go ahead and search for my name. But I think it's a great opportunity of, security gets so much press out there. Everybody is trying to stop the attacker from breaching their systems. It's what makes the evening news.
Jim Banach:
But when we think about compliance and privacy, sometimes that is just as important because a lot of times there, it is like insurance. We're having to prove that you need protection from an event that hasn't happened yet. And how do we help IT professionals make the right case to their leadership of why they should do this? How do we help IT pros get skilled in being able to manage all this information? I would love to keep these dialogues open and bring them out in the open, because I think this is maybe the next wave of how do we protect organizations? How do we protect the data? Just as much as we've gotten used to protecting the defenses.
Bill Tolson:
Very well put, and again, Jim, thanks for taking the time, a great discussion. I want to thank everyone who is listening to this right now for taking the time. And again, keep checking back with us. Thank you very much.
Jim Banach:
Thank you.