In our newest ebook The Privacy Paradox, we explore how privacy and security are shaping the future of marketing. Our Chief Security Officer Jill Knesek joins us today to continue the conversation about how marketers can respect the privacy of consumers, while also using data to deliver personalized interactions.
Jill has more than 20 years of experience in cybersecurity. Prior to joining Cheetah Digital, she served as a special agent for the FBI, assigned to the Cyber Crimes Squad in the Los Angeles field office. She was recently featured in the book, Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.
With your background, you have a unique understanding of the interplay between privacy/security and technology. So how did we get to a point where essentially everyone has had their PII exposed in a data breach?
I think the problem is that security has always been an afterthought. When the internet came into being, nobody was thinking about people stealing data or hacking into systems. Data wasn’t seen as having any value — there was a lot of research data, personal emails, and things like that. The internet was designed purely as an open environment for communication.
Since then, we’ve been playing catch-up. As the technology becomes more complex, it creates more opportunities for poor coding, as well as vulnerabilities in the operating system, applications, tools, and technologies that are being implemented.
People, in general, are very trusting — and that’s a good thing. But as a result, we don’t realize the value of our data, or expect that anyone would try to steal it. Unfortunately, there is an underground criminal element that can find value in anything they steal off the internet.
Today we’re starting to see security being thought of more deliberately. There’s new terminology, like security by design and privacy by design — which basically says, instead of making it an afterthought let’s have an approach that addresses all the issues upfront. Let’s think about privacy and security during the design or ideation phase. That’s where we’re moving to as an industry and the new privacy legislations reflect this.
Brands have a huge responsibility in protecting customer data, but is there anything consumers can do to protect their privacy?
First and foremost, consumers need to be cautious about who they share their data with. Before you click on something and offer your data up, you need to do a little research. You want to make sure you’re doing business with a trusted, respected brand whose reputation you can rely on.
Second, only share data that is required. If a company is asking for personal information that is not relevant to the service, you should be suspicious and probably find another company to do business with.
Finally, consumers need to know their rights. GDPR has put consumers in control of their personal data and given them rights to control how it’s used and who can use it.
CCPA will go into effect in January 2020 and provide additional rights to residents of California, but most companies will most likely provide that same level of support to all of their consumers.
The new privacy regulations are making it easier for consumers to control their personal information but they need to take an active role in the protection and leverage these regulations to their benefit.
Zero-party data is information a customer voluntarily and intentionally shares with a brand. How do you think zero-party data will impact marketing and privacy going forward?
A key element of the new privacy regulations involves consent. With third-party data, you are trusting that the data you’ve acquired from someone else was legally obtained and consent was freely given by the consumer. With first-party data, the consent is easier to ensure but it’s not always clear to the consumer what data they have consented to share.
Zero-party data can overcome all of these hurdles as the information is shared voluntarily and intentionally, leaving no doubt about consent and use. In my view, how you get the data as a marketer is really important. Having fewer parties involved is always going to be the cleanest way of getting data. So zero-party data will absolutely have an impact on marketing and privacy in a very positive and transparent way.
How can marketers protect the data customers share with them?
One thing that is coming up a lot in privacy is data minimization. Data minimization is making sure that the data you keep is the data that you’re going to use. You’re not keeping, for example, someone’s children’s names and dates of birth just in case you find a use for it someday. That would be reckless, because if you don’t have any intention of using that data in some relevant way then you shouldn’t be keeping it. Every piece of data you keep increases the risk profile for the individual.
Another one of the things we’re doing now — the ebook talks a little about this — is an idea called tokenization. Tokenization is a way of masking data so that even if someone were to get it, it would have no value whatsoever. By implementing tokenization into your marketing platform you reduce the footprint of your PII and ensure you maintain control of that data throughout its life.
How should brands protect marketing data?
Having a dedicated security team is an important first step. Besides that, there are lots of different tools we go through in the ebook. We talk about encryption which is one of those tools that, if done correctly, is critical.
If you hold a lot of personal information on individuals then you are going to, at some point, be targeted. If your controls and your security posture aren’t aligned with today’s threats, the attacks are going to come and eventually, you will get breached. It’s absolutely critical that security and privacy be a key aspect of any good marketing program.
What is Cheetah Digital doing to protect consumer data and privacy?
I start with security and privacy awareness training for all of our employees as they are our first and last line of defense. Over 90% of all data breaches start with a phishing email, so we also do phishing simulations. If employees click on the link, they immediately get sent to a training page where they get trained in the moment and the training is linked to their actions. This has been proven to be incredibly effective in teaching the right behaviors.
Next, an end-to-end security program is absolutely critical. You can’t rely on only one thing — which is why I use what we call defense in depth or a layered security approach. Every layer has to be strong in its own right and able to stand on its own.
Finally, we utilize third party auditors to assess our security program to ensure it is fit for purpose and meets the standards set out for our industry. I am always happy to have a call with our clients to review our security controls and share our external security audits as appropriate, so they know we make security and privacy a priority.
How can brands continue to market when consumer privacy laws are only getting stricter?
Brands need to understand their obligations based on the new privacy regulations. GDPR is the first privacy-focused regulation that has teeth. Fines are being enforced and brands are paying the price for not doing all the things required of them.
It’s also about understanding that you can have security without privacy, but you can’t have privacy without security. Security and privacy organizations have to work hand-in-hand to understand the value of the data and how to protect it.
Finally, brands need to have a strong working relationship with their security and privacy teams and ensure your company makes these areas a priority from the top down. If you don’t have executive management support to implement security and privacy correctly, it’s going to be difficult to ensure these areas are not overlooked or pushed to the side when deadlines get tight or budgets are impacted. Without executive sponsorship and support, obtaining the necessary budget and ensuring prioritization of security and privacy will be next to impossible.
What do you think the future will be like for brands that go all-in on protecting privacy (even if it possibly means less access to data)?
I think it’s going to be much improved. It will force marketers to be extremely tactical and targeted with their approach to marketing to ensure compliance with the ever-growing privacy regulations. We’re going to be held to a higher standard that will challenge all of us to continue to grow, adapt, and innovate.
Being able to do what we do in a way that’s safe and secure and values the privacy of each and every customer is critically important. That’s the one-to-one relationship we’re going to have to build and I think privacy and security are going to help us do it the right way.
We’ll also get better data. Zero-party data is going to be very useful because that means a customer trusts us enough to voluntarily provide information. We have a specific reason in mind for the way we’re asking the questions and the information we’re requesting. The experience for the end-user is going to be a much more valuable one; the more they trust us the more data they’re going to be willing to share which will, in turn, allow marketers to delight their consumers with relevant campaigns that are timely and effective.
Anything else you’d like to add?
I think we’ve covered a lot. Obviously, I love security and privacy, I could talk about this stuff all day long. But when I came here I didn’t realize how really critical my role would be to the success of our company. As a company who is dedicated to marketers, marketers need to trust us first. We have to be able to demonstrate that responsibility through innovation to prove that we can protect data while at the same time helping them use it in the most effective way. So, for me it’s a very exciting time.
Want to know more about The Privacy Paradox? Download the ebook now.