Debbie Reynolds, founder, CEO, and Chief Data Privacy Officer of Debbie Reynolds Consulting LLC, will be among specialists speaking at FinCrime World Forum this week.
Livestreaming on October 27 and 28, FinCrime World Forum unites over 3,000 financial crime, financial, and banking professionals to bring global audiences up to date with the issues defining today’s financial crime landscape.
Debbie Reynolds, aka “The Data Diva”, is a world-renowned technologist, thought-leader, and advisor to multinational corporations on handling global Data Privacy, Cyber Data Breach Response, and complex cross-functional data-driven projects.
Ms. Reynolds is an internationally published author, highly sought-after speaker, and top media presence commentating on global Data Privacy, Data Protection, and Emerging Technology issues. She has also been recognised as a technology visionary and as a top leader in the Data Privacy industry worldwide.
We spoke with Ms. Reynolds about cyber data breach response planning and how CEOs need to approach this crucial facet of business in the data-driven world.
Could you describe your career journey so far?
I have been involved in data or digital transformation projects for over 20 years. I started my career in library science when organisations – especially university libraries – were moving from catalogues to databases. So that represented my initial jump into data.
I then moved into spaces where I was helping create databases for Fortune 500 companies doing litigation worldwide. And so that drove me into situations where I had to work on data flows and global illegal data movements, and from there, I branched into privacy.
So, I’ve been doing privacy for many years. When GDPR finally came about, I thought, “Oh, great – now everyone cares about privacy.” But in the US, around May 2018, no one was talking about GDPR or talking about privacy. It took a couple of years, but I made sure I was doing a lot of writing and speaking on these topics.
Eventually, a big news agency called me to ask me about data privacy when GDPR went into full force in May 2018. I was asked to speak on television about the GDPR and what it means. A lot of Americans didn’t understand or know anything really about it at all.
So, we’ve seen the ripple effects of GDPR and other subsequent privacy laws and regulations coming out around the world that sort of mimic elements of GDPR, whether it be starting with the language or some of the things that are in that legislative framework. My work today is at an intersection of law and technology. I work a lot with companies that are doing new things, companies that are pivoting into new areas, or working on emerging technologies that involve data flows that impact the data privacy rights of all individuals.
Why is it essential that companies see data breach response planning as a business priority?
Data breach response planning should be a business priority, essentially because all companies deal with data and information; it’s how companies interact with each other and with customers. Data is at the bottom of business decisions and insights, and you have to have a plan in place to protect that data in case of a breach.
Companies’ biggest mistake is not having a plan, maybe assuming that they don’t need a plan or they won’t be breached. As a result, they might not take the issues seriously or assume it’s a bridge they can cross when things go wrong. There’s so much at stake, especially for small-to-medium-sized enterprises, from reputational damage to going out of business. Very few companies can soak up the harm associated with a data breach and still prosper; not every company is an Apple or a Google.
Companies that don’t know what they’re doing risk scrambling to figure out the steps to follow when a breach occurs. They won’t know what to say, who to contact, who to notify, etc. So, getting all these issues straightened out beforehand will minimise risk and offset any potential damage the organisation suffers should the worst happen.
So, it’s essential to find a way to lay the foundation for your business and protect your data; it’s a critical part of being in business and protecting your people. By having a plan in place, you’ll know what to do, where gaps in your data are, where you need to improve within your organisation, etc.
A data breach response plan will also lead to your organisation and your people learning more about privacy, understanding cybersecurity, and finding out best practices for protecting data and minimising vulnerability.
Customers and clients take these issues seriously, so companies that adopt a similar mindset – really taking data health seriously – will develop a market advantage.
Can you describe the current data protection landscape in terms of data breach response?
I think there’s still a way to go in terms of privacy awareness and data protection more broadly across the US. Presently, we’re seeing determination to pass new laws in California, Illinois, Colorado, Virginia – these states have stepped up and passed new regulations, while 13 or 14 other states have new laws under consideration.
Businesses are becoming savvier. When they see the regulation on the books and see what they have to do for Californian residents, they understand that it’s common sense to put new data privacy measures in place. They’re asking why the same cannot be done for other states. So, the conversation is building.
Many people on the business side and the consumer side are hoping the US will develop its federal data privacy and data protection legislation – regulation similar to that of the GDPR. Increasing levels of cyberattacks, ransomware attacks, and similar breach-related events have pushed up awareness. Businesses now know that they need to perform better, not only in reacting to cyber events but also in putting in the groundwork and improving preparations.
In the same way that you’d put preparations in place in case of a fire, it’s about having a plan: knowing who’s in charge of which departments, and knowing what steps to take to mitigate the danger. If people consider cyber breach response and planning with that mindset, it helps them understand the importance of the concept and the practice.
Are there common mistakes that business leaders make when putting together a data breach response plan?
Absolutely – I think one of the common mistakes is not to take cyber breach response planning seriously. A plan can’t just be words on a sheet of paper; it’s about assigning new roles to people, establishing who your Head of Information Security is, knowing who you need to call if or when a breach takes place, and having your cyber insurance in place.
Real detail has to go into the plan so that people aren’t asking questions about their responsibilities when the time comes. Companies should be clear on what a data breach looks like, who has authorised access to what data sets, whether or not customer consents are in place, where those customers are, and whether or not a supervisory authority in Europe needs to be informed. There may be different bodies in the US – in certain states – or throughout other countries that you need to notify, to whom you need to give details about customers impacted and what data has been compromised.
A common mistake is not being thorough enough in your planning. You need an itemised structure or pathway to different duties and responsibilities throughout your company.
Hear more from Debbie Reynolds in her exclusive talk on the opening day of the FinCrime World Forum.
Date: Wednesday 27 October 2021
Session: Cyber Data Breach Response Planning
Time: 15:30 BST