Ben Telfer:
Welcome everybody to today’s ICMIF webinar: The coming wave of privacy and data protection laws: tsunami or gentle ripples for co-operative and mutual insurers.
I’m very pleased to welcome from Cyberscout, one of ICMIF’s supporting members, Ed Goodman and Jephunneh Lattiboudeaire. Ed is global privacy officer at Cyberscout and Jeph is Head of Canadian Business Development. Ed, Jeph, it’s really nice that you could join us today and over to you guys.
Ed Goodman:
Thank you. Well, we are looking forward to presenting today and I really wanted to kind of give you guys… We’re going to really keep this super casual, very discussion-based and kind of talk through this and kind of demystify it.
I think a lot of people really overthink data protection and privacy probably right now, because it’s such a hot topic from a legal perspective. But what I really want to talk through today is really just two main areas or three main areas. How a simplistic approach really to data protection can help you stay in a real good zone of compliance wherever in the world your org is, and we’ll get to that and why that is. Why putting the data subject, the individual, the consumer or your member, frankly, even your employee, at the center of how you treat personal data is really going to help you ensure compliance.
I think that’s something that cooperatives and member-based organizations like mutuals already do. It’s very natural for them. I think starting with that core thinking of where you do your business and applying that to privacy, that’s what we’re going to talk about today and how that can really help you get to where you need to be without panicking over all these new privacy regs that are coming all over the world. You have to really think of it this way, that really the whole entire organization has a role to play as part of the privacy data protection team. You need to create a culture within the organization to think about this all the way down to the brokers or agents or platforms you’re using to sell your insurance types of products, all the way across to how you want to treat your own employees and things like that in HR. Everybody has to be thinking about this.
I want to just dive in too by getting folks to realize that data privacy is pretty prevalent across the world. If you really want to look at it from a regulatory standpoint, of the UN recognized countries, there’s at least, and these numbers are probably off at this point and probably higher already, but at least 66% that have some sort of data protection laws. There’s a lot of draft legislation out there. There’s a lot of growth. Obviously this tends to be an issue thought about by countries who have the luxury of thinking about it, but with that being said, I think it’s something to understand that pretty soon, within the next few years, three quarters of most countries in the world that are recognized will have some form of privacy regulation from that standpoint. Even more have some sort of constitutional statement around privacy or data protection and that’s in every single region of the world.
I think it’s important to understand that this is a universal concept already. We’ve got to start big and work your way in, that’s kind of the easiest way to really think about this without really getting too bent out of shape about it, if you want to think about it from that perspective. I think one of the things that I really want to get across, and I think is the biggest takeaway, is these key, as I would call them, universal concepts of privacy that go across all jurisdictions and things like that. Just core concepts that if you really follow, you’re going to find you’re going to be in a pretty good area. I think you can start with a general concept of what is private or personal data.
I point to the GDPR only because I think the GDPR in Europe is really sort of cross-pollinating legal systems all over the world and allowing them to sort of adopt a very European approach to privacy. But personal data is really any information relating to an individual. It could be about their private, professional, public life, anything from a name, a photo, email address, bank details, basically anything about a person is personal data and you have to recognize that as an organization. Where your employees go on the internet, if you’re tracking them on your own systems, that’s private information. Where they go physically, if you’re tracking their locations, that’s personal information. If they’re taking sick leave because of medical conditions, that’s personal information, and it goes on and on and on and on, right?
I think it’s a good general way to think about it because this is sort of the approach and general concept around privacy that’s really kind of all over, and they get more specific to what you want to think of as more sensitive personal data. These are really specific categories and it can go beyond this, but they’re the obvious ones that you think you have a right to privacy in, that if you want to express them, you can, but really they aren’t anyone’s business, right, from that standpoint. Again, the reason we’re starting with Europe is the EU is already 27 countries, 28, I guess, if you want to still think of the UK as having adopted European concepts around privacy. Right off the bat, you’ve got a huge chunk that are following sort of the same playbook.
The other thing you have to understand is that the Europeans only allow data to be exported to countries that they look at as being adequate. So lots of countries around the world that are building out their privacy legislation and regulations enforcement want the Europeans to treat them as an adequate jurisdiction, and so they’re adopting European definitions and approaches to privacy in order to get that. But the reality is that Europeans did not invent privacy. I want to be really clear on that. I know I’m an ugly American pulling this out here and saying this, but I did get my… I did study comparative law at a Dutch university, so I have been tainted by the Europeans. But with that said, they didn’t invent privacy. I mean, they did have a huge hand in what we view as data protection and privacy now, but really, it does come from other sort of roots.
I like to look at the OECD, the Organisation for Economic Co-operation and Development. It was founded in 1961, really by 18 European countries and the US and Canada, surprisingly, right? And this is going somewhere, so now we have 37 member countries, including 22 of 28 EU States, but it’s a non-profit, non-governmental sort of entity that helps sort of improve, well, economic co-operation and development. It’s in the name, right? You see a list of member countries here, and what’s really relevant is that back in the late ’70s, they decided to take a look at data protection and privacy, which is pretty amazing that they were this far ahead and thinking like, “This might be an issue, right?” This is the days of supercomputers and before even the founding of any of the companies that we would refer to today.
What they looked at is a few key examples and the three major countries or regions they looked at for data privacy was, first of all, Germany, which had really the first true data privacy act. If you really want to look at it, that was the Hessian Data Privacy Act and that was really the first. But at the same time, the Swedes weren’t that far after it in passing some of the first federal data protection, and guess what? The US, which likes to be a punching bag for privacy, they’ve actually passed a ton of privacy legislation in the late ’60s and early ’70s, right?
The OECD looked at this and they said, “What are these core concepts that all of these things have? Why are these so groundbreaking and so interesting?” And so they came up with this thing in 1980 of all things that they published called Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. What it was is sort of a guide on core concepts around privacy that all countries should try to espouse in their own legal systems. Again, you start big and work in, you start internationally and say, “These are core concepts. You, as countries, need to bake these core concepts into your laws. The way you, as governments, apply them to your own citizens, to the way that your businesses apply them to consumers, all of this.”
By looking at these core concepts, which we’re going to talk about here in a little bit, that really were extracted from concepts of data privacy law from different regions already, admittedly Western regions, right, North America and Europe. We do see these key concepts and what you see here, we’re going to talk about each one of them. And if you look at these core concepts and you practice them as a core philosophy, you’re going to find that you’re going to automatically back into whatever your local legislation is, for the most part, if it is following sort of these general rules. Yes, there are exceptions, for instance, Vietnam requires strict data localization and there’s little odds and ends all over. But for the most part, this is really the DNA of every single modern piece of data privacy legislation out there. I’ve read a lot of international data privacy legislation, both old and new, and it’s crazy when you get into these concepts and suddenly, when you look at the Protection of Personal Information Act in South Africa, it’s got a heck of a lot in common, almost 90% of what you’re going to see, maybe slightly different in terms of structure, in the Philippines or concepts you find in HIPAA and HITECH. I mean, I don’t know. I’ve been rambling. What are your thoughts?
Jephunneh Lattiboudeaire:
I was actually going over the legislation for Jamaica, for their privacy, their newly introduced privacy act and in all honesty, these core concepts are translated into this legislation and you can see the influence of GDPR and privacy by design and seeing these outlined in the West Indies/the Caribbean. You can see that a lot of these things have a lot in common. We’re not talking about huge differences. They’re usually minuscule differences and as a result, it’s very easy to translate from one country to another country just by utilizing these core concepts.
Ed Goodman:
I call it, again, the DNA of it. I think, again, you live with it long enough, sometimes folks don’t see the forest for the trees or they’re just looking for a really complicated answer to the questions.
Jephunneh Lattiboudeaire:
It always seems so complicated when you realize that these are very simplistic concepts and it’s not just applicable to legislation. It’s very applicable to just everyday life and that’s how you approach your clients. When you do that, it builds that trust, that reliance on the company that you provided that information to. I know that I build trust that way.
Ed Goodman:
I think trust is the perfect word for it and that’s really what privacy is when you’re dealing with government, but with business orgs it is, do you trust them with the information you’re providing them? There are secrets, your insurance company in particular, in the US obviously your health insurance, but even with other types of insurance carriers and events that happen, there is that. And so these core concepts, they’re things that we all want everywhere, to your point, and they’re all of these core concepts that if you’re following them and thinking them through, then you’re like, “Oh, this is serving… this is just the way we serve our members. This is the way that we’re already doing this stuff.”
I start with collection limitation, right? It’s basically just what it sounds like. It’s really like limiting the data you’re collecting about people to just what’s necessary for what it was needed for, basically, and it needs to be done with their knowledge and consent so they know, right? I don’t know, you know, if you need to get someone’s information for a claim, it’s probably not relevant to also find out and ask what religion they are, what their racial or ethnic origin is or what their sexual orientation is. I mean, as crazy as it sounds, but why does… There’s lots of stuff, even collection limitation, think of it online, right. Do I need to know, if you’re filing a claim online, what websites you go visit afterwards?
That’s another collection limitation, right?
Jephunneh Lattiboudeaire:
One of the biggest things that as a Canadian, when it comes to insurance is that every province has something different when it comes to insurance requirements. Especially when it comes to auto insurance and what we see a lot of the times, and I know this is not privacy related, but what we see a lot of the times is that they’ll collect information that might not be as prudent towards the situation, that I think is not prudent to the situation. I don’t think you need a credit check to get auto insurance, but in some provinces, it requires you to have it. I don’t see the application to it, but then again, I live in Ontario, so we don’t do it here so I’m not sure if it’s something that’s really and truly needed in order for us to move forward with the process.
Ed Goodman:
And to your point, it is privacy related because there have been tons of studies in the US that it does end up cutting against class and racial and ethnic lines when you start doing credit checks and suddenly you’re using that as a risk.
A lot of the risk indicators aren’t there that you’re necessarily higher risk either, but that’s a perfect example though. Why is it relevant? It’s like, “Oh, we need your telephone number, but we also want your email.” Well, why? You’re not going to email me, are you? Well, it’s because we want to give it to our marketing department so they can share it. Limiting what things are collected for is super important. Data quality: making sure that the information that you’re collecting is relevant for the purpose it’s being used for, and that it’s accurate, complete and up-to-date. When Cyberscout started, it primarily was to undo personal fraud for individuals, right, and people always thought, “Well, we’re just getting their money back when they got defrauded or something like that.” And we weren’t. We were actually saying, because they would have a credit report that would say they owed money and they’d say, “I don’t. Here’s a police report I filed, here’s a sworn affidavit.” We would then go to the credit bureaus, the people that had the supposed debt that said that they were the ones that had it, and say, “This isn’t the right person.” Guess what? Your data on this person is not accurate. It is not complete and it is not up to date. You need to fix it.
That’s what the Fair and Accurate Credit Transactions Act, FACTA, and FCRA in the US are all about, privacy laws, right, and that’s data quality and that’s something to make sure that again, do you have quality data when you’re making decisions? Are you collecting and is it accurate? You need to give people the ability to correct it, right. That’s GDPR, man. That is PIPEDA, that whole concept, it’s all woven throughout. Individual participation, you need to be able to inform people that their information is being collected, used, and that they should have the ability to access it, correct it, delete it. That’s the concept that, listen, I, as the individual, have the right to participate in the data that you have on me and I have the right to say, “You know what? I’m not doing business with you anymore. I want it deleted.” Unless there’s a regulation that says they need to keep it or something like that.
But this is one of those key concepts that if you think about it is more and more finding its way outside of Europe. Right to deletion is what it’s called, right to erasure, a huge concept under GDPR. Guess what? CCPA in California, core concept there, you have the right to deletion. We’re seeing this start to spread to lots of other places too, but it just comes down to the same core concept.
Jephunneh Lattiboudeaire:
Taking a negative example of individual participation. Just going over the Clearview AI, I’m just doing a case study. I really enjoy following along with it. I think it’s fun even though I’m horrified by the whole situation. But going over their own privacy policy, their right to… my right to deletion of my own information that they collected without my consent. They do not provide you with an ability to delete your information from there.
Ed Goodman:
You, as a Canadian, don’t legally really have it yet. I think it will be coming, but it’s not something… and if in US, it’s not a universal right. It is if you’re European.
Jephunneh Lattiboudeaire:
But given that they don’t believe that they did something wrong, they haven’t even updated those privacy policies to react to what the Canadian government, well, the Privacy Commissioner has stated that the whole situation is just plain illegal in Canada. They haven’t even responded to that yet and it’s taking time. I know it takes time, but realistically, given the situation they even put themselves into, you think that they should have been able to react to it in a faster manner.
Ed Goodman:
No, I agree and I think this is key. Again, I come back to it, putting the individual, the human being at the center of it, at the center of the control, whether it’s your employee, whether it’s your member, that concept and that is really key to it and putting them at the center of all your decisions. Purpose specifications, you need to know why are you collecting this information? What’s the purpose for it? You shouldn’t just collect it because it’d be a nice to have. Like I said, well, we collect your email just as a nice to have, right, because marketing might want it. Or we collect a piece of information like, “Oh, how old are you?” It might be relevant in certain contexts, but in others, it might be more relevant because again, marketing wants to know what’s our demographic. There really should be a specific… and it’s all right if you say, “We want to collect this because marketing wants to know, right?”
You don’t have to consent to it, but the point is what you don’t want is a concept of, just collect all the information you can about people and we’ll figure out if we want to use it or if we needed it, but collect as much as you can at the application, not just what we need.
First of all, that’s bad because it doesn’t follow these core concepts and it’s going to probably run afoul of some form of regulation. It’s also bad because I try to explain, and I’ve been doing this for years, working breaches for well over a decade and a half, some data collection, it’s not an asset, it’s a toxic asset. That asset is potentially going to cause you harm if someone steals it or it gets purloined or if someone gets access to it, so you only collect what you need for that purpose, not just because it’s a privacy protection for these individuals, but also as a CYA, to cover yourself. Because again, it also limits your own exposure. Again, a lot of individual companies still think it’s the late ’90s, early 2000s, and they just take this… cast a wide net, collect all the data we can.
Jephunneh Lattiboudeaire:
That’s what I was going to say. For some people it’s the more information, the better, and that’s the way that we reach out to our market. That’s the way that we can make sure that we get the correct marketing aggregation. But realistically, like you said, it’s about making sure that having a specific purpose to it. I don’t mind providing the information to a company who’s declared what that information is for, but I feel you don’t need my height and my weight and everything else to do a credit check.
Ed Goodman:
It’s also bad marketing to your point. It’s about trust, right? It’s like, “Oh, we want to get all this info on as many people as possible.” No, you want to get the right info for the right people who would actually be interested. The rest is all background noise-
Jephunneh Lattiboudeaire:
Exactly. How do you even clarify what information you actually need at that point? How do you even utilize this information? What are you doing with it?
Ed Goodman:
Again, it comes back to trust and building that trust with your member and understanding it. Again, it’s not to say you can’t get it. All this to say, I want to go back to an even bigger concept. All of these core concepts also come down to one key concept in data protection and privacy that’s universal across every jurisdiction and that’s transparency. You need to act like you live in a fishbowl is what my dad used to always say. Anyone can see you and-
Jephunneh Lattiboudeaire:
They always want you to be transparent with their information and, oh, well, let’s talk the next topic.
Ed Goodman:
You’re right, it’s about transparency. That’s what this is about too. Use limitation, again, this all kind of comes back to it, the data that you’re collecting for a specific use, which we just talked about, right, and this is just why I switch, because it was a good time to dovetail into it, it should never be used for purposes other than the specified use. If you’re saying, “We need your information,” like, I don’t know, on auto claims. Yes. “We need your email and your telephone number so that we can contact you related to the claim and to the progress on your vehicle that needs repair,” whatever it might be. What you don’t do is have all your claims files sitting there with all this data, and you have to retain it for some amount of time in the province or the state or wherever you are, then have your marketing company come in two, three years later, or your marketing department come in two, three years later and say, “Hey, we heard you have all these claims files that you have to hold for seven years and you have email addresses and we can blast all these people about how we can still save them.”
Jephunneh Lattiboudeaire:
It drives me insane. The seven year concept for information, you don’t need it. The information has changed. It has altered. It has moved on and yet you’ve held onto this information that is no longer useful, no longer practical, no longer has… it’s not up-to-date, so why are we holding onto this information? We’re holding onto this information in a manner that is not befitting of high risk information either. A lot of times it’s sitting on a desk, a lot of times it’s sitting in a file folder in a cabinet and-
Ed Goodman:
Or even worse with a bunch of other files in an unencrypted server somewhere on AWS that anyone can get into.
Jephunneh Lattiboudeaire:
And it’s been there for years. It’s grown digital dust.
Ed Goodman:
Well, and that’s where limiting what you collect, having a purpose specification for it, even comes into retention and some of the other things that we’re doing and security safeguards. Because the other side is you need less security if you’re collecting less stuff, less information.
I mean, you always should have good security so I’m not saying you kind of diminish it, but the point is that you should always take reasonable security measures. But that’s one of these core concepts, is that if you have information, if you have people’s secrets and they’ve trusted you, you need to take steps that would be reasonable based on the size of your institution, things like that, to make sure that they’re protected from any unauthorized use or destruction, modification, disclosure… I mean, destruction could be, maybe it would be a fire 20 years ago.
All our data is on the server, but we didn’t back it up. Right. And now it’s been encrypted so now they’ve destroyed your data, your financial information. Like I said, so I think it’s important to understand that this is another core concept. It’s a little weird place where we’ve seen a bit of a, not a bad fracture, but a slight divergence in some of the legislation that’s no longer just about privacy, but is becoming more about security requirements. But I always say security and data protection, or security and privacy, are really just flip sides of the same coin, right. But this is really important and hopefully your organization, if you are a co-op or a mutual, you’re regulated. There are some requirements already industry-wide that do take these basic steps, but it’s something you really need to be looking at, that you’re preventing it. It’s really important. Again, it always comes back to this for me, is openness and transparency. You need to be really clear about what you’re doing, how you’re collecting your information, what you’re going to do with it, what it might be used for, give them the ability to contact you if they have any questions, to request deletion, request portability.
If they say, “I want all the data you have and move it over.” These are new concepts. I mean, I think, it’s something we’re going to see in the future, a lot more of this concept of you have my files, you need to give it to me and let me take it to my next business or provider or whatever it might be in a way that they can transfer it in, right. We’re getting there, closer and closer where it’s more seamless, but that ability needs to be something that… that openness needs to be something that is always there and then accountability. In the end, you, as an organization need to be accountable to whatever approach, more importantly, representations you’re making to your employees, to your members, to your customers, your clients and make sure that there are mechanisms in place to deal with any failures. Because the reality is no one’s going to get this perfect.
I think that everyone always is like, “Oh, are you HIPAA compliant? Are you GDPR compliant?” First of all, there’s no freaking such thing. There’s no golden stamp that they give you, and compliance, it’s a journey. It’s not a destination. You’re never going to get there because it’s always changing, the technology changes so the security changes. What you need to use it for changes so you collect it differently. You need to be accountable and, increasingly, organizations should at least have somebody that thinks about this, even if it’s not a dedicated role in their organization, whether that falls… usually it falls into a legal type of role, but it could be compliance, sometimes it’s even in the financial or that sort of area. But accountability is huge and also constantly checking and improving, that’s part of the accountability. It’s looking and saying, “How can we learn? How can we get better?” But in the end, you’re responsible for what you’re taking in, kind of from that standpoint.
Jephunneh Lattiboudeaire:
I honestly think that that’s the hardest principle for many organizations to follow, the accountability section. That’s because there are a lot of organizations that are out there being like, “Well, we didn’t know that we were supposed to do this.” But in this day and age, this age of information that we’re in, it’s not really an excuse going forward, saying that we didn’t know. We do know. We’re all sitting here wondering what’s the next change that’s going to happen to privacy legislation and which country is going to set that standard and who’s going to bring it over to North America, who’s bringing it over to the EU. It’s just a matter of saying, “Well, I messed up.”
Ed Goodman:
Well, and it’s funny because when I was a baby lawyer for a very brief time, I was in a criminal defense firm and one of the things you got to always constantly tell people is ignorance is not a defense to violation. And sometimes, some places this is criminal, by the way. I think it’s important to understand that you need to know that. There needs to be an awareness. There’s not an expectation by regulators you’re going to get it perfect either.
Jephunneh Lattiboudeaire:
Exactly. We’re all human at the end of the day and the laws are always flexing. That’s why most of all, I’m on common law. I’m not sure where everybody else is. And the beauty of common law is that everything’s about precedent, so knowing that we haven’t gone to court and tested this aspect means that we have that flexibility to work with it. And because we have that flexibility to work with it, we know that we can’t always get it perfect every single time, until somebody has brought it into court and we’ve actually used it and we know what’s going on. But just making sure that we can say, “This is the standard. We want to meet that standard and when we don’t even meet our own standard, we have to say, ‘This is where we messed up.’”
Ed Goodman:
That’s what regulators are looking at too. Because even where you are less worried about litigation like you would be, for instance, you’re always worried about litigation in the US and Canada. There might be some regulatory authority, but whereas in Europe, people are always stressed about the regulator. Either way, I think I always tell people that in the end, just like we say here, steering clear of consumer protection, privacy, data protection, any of these violations is really as easy as being totally honest and transparent, providing information about what you’re doing and using and choices around it, obtaining and documenting consent, making sure you’re getting permission saying, “Hey, you’re okay with us using this for these reasons.” And you repeat it and you make sure that they understand it and you put it in non-legal terms on your website and other things like that, and making sure you’re recording it and documenting it so that… “Well, I didn’t say that.” “Well, you gave us consent. If you don’t want it, delete it. We have it.” Then I know it’s going to sound strange coming from a lawyer, but it’s so dang easy just following through and doing the right thing. That literally, will seriously keep you out of so much trouble. It’s always the cover-up and the lie to get around doing the right thing in the end if you did mess up. It gets you in way less trouble than the thing that caused it.
Jephunneh Lattiboudeaire:
Exactly and that’s exactly it. It’s easier on regulators when you say, “This is what happened.” You go to them, you say that this is what happened. “This is what happened to my shareholders. Do you understand what is going on?” We’re being clear and transparent and honest each and every time.
Ed Goodman:
That’s what we’re going to do so it doesn’t happen again. That’s another thing too. We’re learning from it. I think that’s really important. Again, it’s just putting yourself in someone else’s shoes, whether you’re in a marketing department, whether you’re in IT, whether you’re the lawyer. How would you feel about the use, collection, treatment of personal information of the type that you’re asking for if it was me, if it was my friends or my parents? What about my kids, would I feel comfortable with you knowing that about them? Why do you need that? I know that sounds really simple, but again, I think you take core easy concepts, then you try to encapsulate them into law and everything gets lost in translation and people suddenly, they see the law and they’re like, “What? I don’t understand.” It is this simple wherever you are.
Jephunneh Lattiboudeaire:
It’s just how would you want yourself to be treated? That’s it. How do you want yourself to be treated?
Ed Goodman:
People say it’s generational and I call baloney, because I talk to my kids about it. They are much younger than me and very much about putting themselves out there. They still have a very strong concept of privacy and what they want their data used for and how they want to use and now they want to understand it better. I think there’s a little bit of differences, but people still care about their privacy and people still want to reveal to the world what they want to reveal, not what other people might reveal about them.
Jephunneh Lattiboudeaire:
I think it’s a little bit different for the iGen, because they’re so used to it. They’re used to having their whole lives videotaped and tweeted and texted and “Facebooked” and “Snapchatted”. That’s their entire lives so to them, maybe the idea of having the sense of privacy is a little bit different than myself, who is a millennial, who is a little bit more concerned about what I’m portrayed as on the internet. What am I more concerned about with the information that is being collected on me?
Ed Goodman:
But the difference is they still want control because they are cultivating their own image and what they’re sharing. And I see it in my own kids.
Jephunneh Lattiboudeaire:
And they know that that is their business.
Ed Goodman:
They don’t want somebody else cultivating that for them. They’re like, “Whoa, this is my data. I’m okay to make my videos and my stuff and post it, but you can’t use it,” and they have that control. I think, again, orgs need to understand that these shifting values of privacy, whether you’re a boomer, an extra millennial, a Zoomer as my kids like to call themselves, the concepts are still there and it comes back down to individual control, consent, transparency in what you’re doing, and it translates across generations as well as it translates across cultures, things like that, at least from what I’ve seen. I think the other thing is, and you could talk a little bit about this, I think as an organization, really, we already talked about having someone dedicated that thinks about this, maybe even having a governance group and protocols to think about how, as an organization, should we approach this? But I think having a privacy by design mindset is really important and since you’re the Canadian, I’ll let you give a real quick explanation. What is privacy by design or data protection by design for all of you non-North Americans?
Jephunneh Lattiboudeaire:
Privacy by design is taking those core concepts and incorporating them into your privacy policy, saying that this is the foundation. The core concepts that we were discussing earlier on taking that and putting that into the foundation of your privacy policy and utilizing it, knowing that this information is to be protected and our clients are protected, our members are protected from the beginning. This is the foundation.
Ed Goodman:
It starts with product. It’s like when you’re designing a product, you’re saying, how is it going to impact privacy? When you’re designing a service, how is it going to impact privacy? And at that point, it’s like, you kind of look at that policy as your, I don’t know, your Bible, your roadmap, whatever it is.
But people are like, “This is my privacy approach. We will not stray from what’s in here. This needs to be baked into that new product, to this new marketing campaign, to this…” You’re putting it into the DNA.
Jephunneh Lattiboudeaire:
It should be the foundation. This is what you build your house on top of, right? I created it keeping in mind each one of these members, each one of these consumers. Especially for mutual companies and cooperatives, they already do it. Right. They pay attention specifically to the member and because of that, privacy by design becomes not just a core principle, but their core principle.
Ed Goodman:
I think that’s where, and that’s why I want to talk about it too, when kind of thinking about this, is that it is everyone’s job, but I do think mutuals and co-ops, you have an advantage over your competitors, these multinational insurers and other groups that do not have this member-oriented-first kind of approach. Because again, it’s in your DNA and I think you’re almost at an advantage from a trust-building standpoint because it’s unlikely that your data is going to cross borders. It’s going to stay fairly local so that’s a good thing. People trust that versus a multinational where, “Oh, no, our data might go to the US or Americans’, oh, might go to the Philippines.” Everyone’s always worried it’s going to go somewhere else. But most of the time, again, if you’re not a… again, this is usually local. It’s usually smaller, controlled. You have that aspect of it. I think you’re also thinking about it. It’s also a point of pride that you do keep the member central, versus if you’re some giant multinational insurer or even national insurer, in the end.
I don’t want to say they don’t care, but you’re just a policy holder. We need to acquire more policyholders and we need to market and we need to use your information in ways you may… and I’ve seen it because we’ve worked with both and it’s not the fault of either model. I think they’re different and they have advantages. But I think when it comes to this core concept of consumer individual essential privacy approach, it is very much to the advantage of the co-op and mutual sort of structure to be able to play into that in the most positive sort of way. I think it comes down to it being everyone’s job. I mean, this is something that everyone needs to think about in the org. Again, that’s the mission statement for your whole vertical, right, as co-ops in this. Again, down to the contractors and vendors to the employees, members, insurance customers, everyone needs to understand they play a role in this. What I like to make sure people understand is when you’re thinking about data protection and privacy you need to think of it not as a barrier to us being able to market and sell stuff, or it’s some crazy constraint on us to be able to develop good products and product offers or even a limitation on doing business. Because it’s not that at all, especially if you have the right people in place that are helping kind of enable you to do it.
What you’re really doing is building a clear path to customer and client trust. You develop engaged users through effective marketing. Rather than the shotgun splatter approach and seeing what sticks, you’re really targeting in on the ones that you know you want as your customers and are going to value what you’re going to offer to them. It becomes again, a competitive advantage actually to doing business globally as well. When you are a local company competing against a multinational, being privacy and data protection centric and being loud and proud about that is huge and it’s a huge advantage that you have from that perspective of saying, “Listen, oh, your data stays here. We’re part of your community. We understand how important privacy is. You’re not just a policy number. We slice and dice from a data and analytics perspective.” I don’t know. That’s kind of the way I think about it.
Jephunneh Lattiboudeaire:
I mean, I’m pretty much on the same page as you, because I really and truly believe that the best way to ensure that you can sell your product, you can market your product is just by building that trust between yourself and your members or your consumers. I know that I prefer buying from a company that has my best interest at heart when it comes to my own personally identifiable information and when I know that they have those controls in place, when I know my information’s not leaving Canada, when I know that they have strong safeguards. Even when say the Capital One breach came through, they took the accountability. Yes, it took them a while to notify everyone, but they took the accountability. They tried their best to make sure that all of those services were available to the consumers and they tried to make sure that they were as transparent as possible to the consumers that were affected in the breach.
That’s somebody I can go ahead and give my information to, because I know that they’re going to try their best going forward. Right? Trying your best is the only thing that you can ask for from any company at this point, because of the fact that, like we said earlier, none of these legislations or regulations are static. They’re all flexible so knowing that you try your best to make sure that the clients are feeling safe and secure with your policies and procedures is the only thing that I can ask for.
Ed Goodman:
Yup. 100%. I think we’re done and want to open it up for questions. Hopefully we’ve still got folks and Ben, if you’ve got any questions we’ve got time to answer some.
Ben Telfer:
Thank you so much Ed. Thank you very much Jeph. Yes, we’ve got a number of questions in.
Firstly, the first question I’ve got here, Ed, you covered it towards the end, but it just says that mutuals have always been trusted by their customers. Does this growing data protection regulation potentially allow other insurers to become trusted? And if so, how can mutuals stay ahead of the rest?
Ed Goodman:
Actually, I think it is a really good question. I still think that public perception counts and people trust what they know and what’s local to them, right? I think that that’s a huge advantage that pretty much all mutuals and co-ops actually have, right. I think the other side is… and whether it’s right or wrong so I’m going to be honest about it. It’s not necessarily based in fact, it’s perception because a lot of privacy is also perception. Folks just have an inherent distrust of multinationals when it comes to use of their privacy, where it’s going and how it’s shared. I mean, I think it’s just so… Sure, MEGA Corp might have great compliance… But in the end, people know, does MEGA Corp really care? No, they only care because they don’t want bad press, they don’t want compliance problems. They’re still going to, on the other extreme, want to know the outermost possible limits that they can push their data uses to without getting in trouble.
I think that’s the difference, right? If I were to think of it that way versus mutuals and cooperatives. I don’t know how you articulate that, but I don’t think you’re at a disadvantage. I think that, even with rigorous compliance, I think there’s still going to be an inherent… People don’t stay at a lot of these large insurers the amount of tenure you see at co-ops and mutuals, let’s put it that way too. Most people that I find that work in those environments tend to stay for quite some time. They have their own pride of ownership in their company versus someone that… Someone goes to MEGA Corp, “Oh, this is just my stop. I’m going to be somewhere else in two years.”
Ben Telfer:
Do you think there’s a way that mutuals and co-ops can benefit from the pandemic in terms of emerging regulation?
Ed Goodman:
Yeah. I think pushing local and pushing local storage, local use of vendors, I think that’s probably one of the biggest advantages, because I think the other thing is that you can still be compliant and outsource everything. I’m not saying that that’s inherently bad, but it does start chipping away at the trust, chipping away at the privacy. Everyone needs to use vendors, but if I decide, well, I’m going to use a vendor in another country because it’s so much cheaper versus my own countrymen who might be at a higher expense, but are more likely to culturally care. I mean, I think again, a lot of those types of little things go into keeping it local and all of that, it does cut against that at least from what I’ve seen perceptually.
Ben Telfer:
A question, you mentioned again about consumer perception. How did the Facebook and Cambridge Analytica scandal impact consumer trust in terms of how consumers view organizations and how they use and hold data? Have you seen any sort of hangover from that?
Ed Goodman:
Well, I mean, I think Facebook has experienced a ginormous hangover for that. I think they’re getting in a spit wad fight with Apple because Apple has been able to call them out and say, “Hey, we’re a consumer electronics company, not a data company like Facebook and Google are.” I’m saying, I think we’re starting to see a tech culture war, if you really want to go down that road, of those that are truly doing tech and those that are doing tech or, sorry, are doing data. I don’t want to call it… Data collecting, reselling, brokering under the guise of high-tech. Not to pick on Facebook, but I mean, let’s be honest, what have they really done? They’ve just combined photo-sharing, email, instant messaging and a few other things. They don’t build new technological devices like Apple or Samsung, right?
I do think there’s been a backlash. I think there’s been a backlash against companies that are perceived to only trade in data and not necessarily provide things. Again, that gets back to what is the value that my local mutual or co-op provides, versus something like that? I think it’s engendered, and it goes back to my original statement, a more common distrust across jurisdictions of multinational organizations. It’s not good or bad, but it does start pulling back to give you an advantage to say, “We’re local, we don’t make money doing this. Your data doesn’t leave here.” I mean, those become active sales tactics. If you’re doing it, obviously make sure you’re not outsourcing all of your service support to another country, make sure you’re not offloading it from a data storage to another place. But if you’re not and you’re doing that, again, be loud about it, talk about it, articulate it because that’s what people don’t expect.
Jephunneh Lattiboudeaire:
That trust.
Ben Telfer:
Just another question that relates to what you’ve just said. How can mutuals use their data and compliance strategy to their advantage? Is there anything more you’d like to add to that question?
Ed Goodman:
I mean, listen, I think the reality is there’s tons of uses of data, so what do you want to use it for, right? If you’re what they call anonymizing the data, so if you have all this great claims information, you have a great… you have a lot of good experience, there’s no reason you can’t use that type of data as long as you’re taking people’s identifying info out of it. At the same time, if you’re looking to really engage your customers, there’s no reason you can’t collect their data and their information all the way down to their interests and all sorts of other things, assuming you’re clear about it and you’re transparent.
Ben Telfer:
And what’s it being utilized for?
Ed Goodman:
I think people always… Again, my brother’s in marketing, so we get in this discussion all the time. It’d be like, “Oh, privacy is anti-marketing.” “Nope, not at all.” I think it’s all about just being transparent with marketing and all that. I think it’s like any other business, frankly, you can absolutely use that data to your advantage and it’s very focused. It’s probably again, very local. But when I say to your advantage, don’t think of it like, “Huh, maybe we could sell it to local delivery services that might think that there’s value in knowing where our customers live or…” Not that kind of advantage. How do you use it internally, not as a revenue generator per se, but to streamline? I don’t know if that answers it.
Ben Telfer:
I think it’s a great one. Thanks Ed. Jeph, I’m going to come to you for this next one. It’s a very simple way of putting probably a quite complex question, but what’s coming next in Canada?
Jephunneh Lattiboudeaire:
Oh, well, one of the biggest things that’s coming up next in Canada is Bill C-11 that’s pretty… I do believe we’re on second reading for it, so that bill itself is just to tighten up the investigative powers of the privacy commissioners, what can they do when it comes to putting in fines and penalties and things like that. That’s the biggest thing that’s coming to Canada and I’m hoping it’s going to be soon. I do believe this is the last legislation-
Ed Goodman:
It’s going to give your privacy regulators teeth though, that’s what’s interesting about it I think, because in a lot of jurisdictions the privacy regulators are more ombudsmen. I think in Canada it started… you Canadians are so nice, that’s the stereotype, but I think they’re going to get some real sharp steel fangs here soon.
Jephunneh Lattiboudeaire:
Well, I think it’s kind of weird in Canada because we, I don’t know if it’s weird, but it’s very different from the States where we rely a lot on our regulatory bodies to be more of our punishment force, if you will. But they’re not quite doing that right this second, their job is more just to investigate and see where the problem lies, see if this is something that we really need to come down on, smack down hard on it. But I do believe Bill C-11 allows that power to be expanded and be less ombudsman and more regulator, actually do the job that they need to do, have the powers that they need, the tools to do their job.
Ben Telfer:
Thank you, Jeph. I’ve got two similar questions both related to COVID-19 and the COVID pandemic. Firstly, has that influenced any data protection regulations? And secondly, are you seeing any trends in terms of data breaches with people remote working more and also perhaps data protection not being the top priority for many companies at the moment?
Ed Goodman:
You want to drive it? Yes and yes.
Jephunneh Lattiboudeaire:
Yes and yes.
Ed Goodman:
I think every organization has increased its potential, what they call, attack surface, right? Because now it’s not just your little company network, it’s your network and then your employee working from home’s network and it keeps going out and out. I think the reality is the world and business and companies better get used to this because people are not going back to the office.
I think when it comes to cyber and thinking about cyber protection, the corporate data security and InfoSec model that’s been applied for the last 20 years is very quickly evaporating and having to be looked at as sort of more remote workforce, different ways to administer it and all of that. I think it’s having an impact long-term. I think we are seeing more data breaches. I don’t know if they’re all being reported. That’s part of the problem too, because the tools aren’t all in place right now to monitor these data losses the same way they would be on a more distinct corporate network, if that makes sense. But yes, we are seeing them. I don’t know if that kind of is a roundabout way of acting, but I think the reality is look at this as not a temporary change, but a permanent change in the way we do work.
I don’t think the office is going to go away, but if you think people are going to super commute or spend all day trying to get to and from an office when they can be more effective working from home and only go in once a week. Now, the issue will be when things do open up more, a lot of those people will be working at their local cafe on an open wifi network. A lot of those people will be doing other stuff that’s more questionable than even surfing from home. It’s fundamentally changed things going forward, not just temporarily, that’s my read. I don’t know-
Jephunneh Lattiboudeaire:
I definitely felt for a lot of the companies that didn’t have their infrastructure in place before COVID started. It was a difficult time. A lot of these companies hadn’t thought through the risk exposure, they hadn’t thought through what that privacy would look like by working from home. They didn’t think through what would happen if they used personal devices versus business devices, or if they used business devices for personal purposes, what that would look like. For a lot of people you do see that increased amount of claims experience because of the fact that these exposures weren’t measured, they weren’t taken into consideration. I don’t know what the future holds for us with COVID obviously, but I’m hoping that more companies are taking these things into thought on a day-to-day basis, instead of in the annual security plan that they used to do in the past.
Just because realistically our exposure wasn’t once a year, it was every single day, but now they have to think about it every single day. They have to measure that every single day. I mean, that’s better for people like us who work in the privacy industry because it means that more discussion is being held, more awareness is coming through. But the cyber criminals are out there in the world and sometimes they act faster than we do and they react faster than we do, so that’s something else that we have to take into consideration as well.
Ben Telfer:
Thank you, Jeph. We’ve got time for one more question. Apologies that we haven’t been able to answer all of them today to those who have submitted. If anybody’s watching this recording, please do get in touch if you’ve got any questions based on Jeph’s and Ed’s presentation. This question I wanted to save for last because I thought it was a great one. The title of this webinar is tsunami or gentle ripples for co-operative and mutual insurers, which one is it?
Ed Goodman:
That’s a great question. I think for those who have had their head in the sand and thinking that this is an inevitable conclusion, that it’s coming to their shores, it’s going to be a tsunami. I think frankly for a lot of global multinationals, the big boys, it’s going to be more of a tsunami because, especially in regions like Asia and stuff like that where this hasn’t been as strict, they’re now having to really get to it. I think for cooperatives and mutuals, I think it’s more of ripples and only because I think if you were to look inwardly as an organization, you’re finding that these core concepts are already built into who you are. If you just draw them out, you just sort of follow your best instincts around this type of stuff, you’re already there. I mean, again, it’s just a different focus on a member versus a policy holder and how you value and look at them. I think it might be fun little waves to longboard on, but I don’t see it as flooding and destroying stuff, right?
But I go more at the ripples.
Jephunneh Lattiboudeaire:
I’m going to go with ripples too for cooperatives and mutuals. I worked with them over the years and I know that everything is so centric on the members and I know that their core concepts are already built in. It’s not even about adding in the core concepts. It’s just reorganizing and picking out what you’ve already done, because it’s already there. It’s not going to be a huge transitional period for any of these mutuals. I think that’s the best thing for us. It’s more like a pond ripple, if you will.
Ed Goodman:
Listen, you’re already a regulated industry that has to file lots of paperwork too, so it’s just drawing it out and documenting it. I think that’s part of it and then keeping it up.
Ben Telfer:
Well, that’s most definitely positive news. Jeph, Ed, thank you so much for joining us today and sharing Cyberscout’s thought leadership on a real emerging issue that’s not just focused on the Europeans. They didn’t invent it as you said Ed. It’s definitely something that’s going global.
Just finally thank you everyone for joining and thank you Jeph and Ed for presenting today. Hope everybody stays safe and well and see you on our future webinars soon.
The above text has been produced by machine transcription from the webinar recording. ICMIF has made every effort to ensure that transcriptions are as accurate as possible, however, in some cases some text may be incomplete or inaccurate due to inaudible passages or transcription errors. Listening to or watching the webinar recording will allow you to hear the full text as delivered during the webinar but this is available in English only. Our transcriptions are provided to enable members to select the language of their choosing using the dropdown menu above.