Three years ago, in her final CMSWire column of 2015, Dana Simberkoff suggested businesses should familiarize themselves with a new regulation: the European General Data Protection Regulation. While GDPR has since become a near-household term, let's just say that for those of us in the US, Dana was ahead of the curve.
As the Chief Risk, Privacy and Information Security Officer at AvePoint, Dana keeps up on the latest privacy legislation and interprets it in layperson's terms, using her legal background to help clients and CMSWire readers alike navigate the intricacies of privacy and data regulation. A regular speaker at security conferences, Dana can otherwise be found outdoors, away from the online world, whenever she has downtime.
'We're in the Epicenter of a Tornado of Serious Concerns'
Who are you, in a 280-character tweet?
I’m the Chief Risk, Privacy and Information Security Officer at AvePoint. I have been featured in Forbes, highlighted in CSO Online’s list of 12 Amazing Women in Security and serve on the Women Leading Privacy Advisory Board for the International Association of Privacy Professionals (IAPP). I received my BA from Dartmouth College and a JD from Suffolk University Law School.
What attracted you to your field and what still excites you about it?
As evidenced by the news each day, our current cybersecurity and privacy climate is unlike anything we’ve seen before. We’re truly in the epicenter of a tornado of serious concerns about information security, privacy, surveillance and access. Both privacy and security are neither free nor easy, and especially living in our increasingly social world, have presented — and will continue to present — a paradox when it comes to personal privacy and security.
Working in this industry over the past many (*sigh*), many years has provided me with an opportunity to contribute to the evolution of this profession and to hopefully help make the world a better place in some small way. That’s what attracted me to this field years ago, and it’s what still excites me about it to this day.
What project are you working on now that our readers should know about?
For several years, I have been very involved in helping our customers navigate the evolving regulatory landscape of privacy and data protection, and the value of metadata is always the focus of these discussions. In fact, I have been talking about metadata for such a long time that I used to explain metatags with the following analogy: “Metatags are to electronic documents as cards in a card catalog are to books in a library.” Talk about old school!
These days, while fewer and fewer people (sadly) know what card catalogs are, companies are still incredibly slow to adopt what I consider to be a bare minimum threshold for a successful privacy and security program. Think about metadata as a love note to the future — when unclassified, your data is potentially an unrealized asset to your organization as much as it is a risk. Much of that data may be lost in silos, file shares, instant messages or inappropriately shared through social platforms — in other words, it’s lying undiscovered and unprotected in various places within your company. Data tagging and classification allows organizations to gain better insight and control into the data that they hold and share throughout, while metatags allow organizations to optimize their e-discovery and record retention programs — while also protecting and controlling the flow of information within organizations.
How can you — and how should you — protect everything against everyone? Understanding what and where this data is, along with ensuring it’s properly classified, will allow you to put the appropriate levels of protection in place. With the onslaught of data breaches and new breach reporting requirements as of late, I’ve seen the metadata tides turning recently, as I’ve been involved in a number of data classification projects around the world. Librarians everywhere should rejoice — as should the data subjects whose information will be better protected!
What story/stories related to your field will you be following in 2019?
It’s no secret that GDPR changed the entire global regulatory landscape over the past couple of years, especially this year, given it went into effect this past May. But with the California Consumer Protection Act (CCPA) and China’s CyberSecurity Law also announced, and a number of other security and data breach notification laws being announced this year, it’s clear that the new normal for privacy laws will require clear, tangible and operational IT security controls.
Thanks to a perfect storm of events — namely, an increased amount of data breaches, heightened consumer awareness and some very serious and ethically questionable choices from large technology vendors — I believe we’ll come closer to seeing US federal privacy legislation within the next year. And if not that, then we’ll definitely see increased regulatory scrutiny within the US in 2019.
What was your first paying job?
My first paying job out of law school was working for a software company with a focus on regulatory compliance. I had an opportunity to become deeply immersed and well-versed in supporting the privacy and operations security programs of many of our corporate and public sector clients.
- What word could you happily live without hearing ever again? Two words: “Yes, but ...”
- What book are you reading now? “Click Here to Kill Everybody,” by Bruce Schneier
- Favorite way to spend a day off? I love to spend a day off with my friends and family outside gardening, hiking, running or skiing — whenever possible, that is, as I live in New Hampshire!
- If you could go back in time, what period would you go to? I would go back to the 1950s because a lot of the women I admire were building their careers during this time, which was when it was very challenging for them to do so. I would love to be able to see what life was like for them in order to better appreciate how far we have come today.
- Quote to live by: "Do what you feel in your heart to be right — for you'll be criticized anyway. You'll be damned if you do, and damned if you don't." — Eleanor Roosevelt