Interview: Theresa Payton on GDPR and privacy

For the second anniversary of GDPR, we asked industry leaders what they think about GDPR and privacy. Theresa Payton, former White House CIO under George W. Bush and CEO of cybersecurity consulting company Fortalice, sees GDPR as an important step. However, she’s also skeptical about the data collected by companies and hopes that privacy will be given more importance in the future. Here’s the full interview.

Cybersecurity Magazine: How important is privacy these days, specifically in light of user profiling and user tracking?

Theresa Payton: “Know this, the new currency is data and the highest valued data is human behavior patterns. We cannot, in the name of crisis management, allow big tech and governments dictate all the rules here. What happens when Big Tech and Social Media companies are allowed to collect data in the name of helping us flatten the curve and go back to some sense of normalcy but then find themselves with government-encouraged and perhaps government-sanctioned access to new behavior patterns and data elements they may not have had access to before? They may realize that they have collected pure gold, data they can eventually monetize. Do you think they would voluntarily stop collection after we have a vaccine?”

Cybersecurity Magazine:Does that collecting of data increase security risks, i.e. does the lack of privacy make it easier for criminals to steal identities?

Theresa Payton: “We work in both cybersecurity and intelligence operations. One of the things every investigator knows is that if I can tell where someone has been, digitally or physically, chances are I can predict where you will be next. We have found that security solutions are woefully inadequate protecting credit card numbers, personally identifiable information, and even access to email accounts. Can you imagine your behavior data in the hands of criminals? They could use your patterns of life to do a digital walk in on your identity.”
 
Cybersecurity Magazine: How much should I as an average individual care about my privacy?

Theresa Payton: “We should all care a great deal. This is unchartered territory. Most Americans seem resigned to not having privacy and that’s not good. If citizens think they are potentially watched and tracked then democracy dies a little. We should be free to come and go as long as we don’t break the law. Contact tracing blurs the edge between law and what big tech and bureaucrats deem appropriate in the moment that you are out and about. Do you want nameless people or an algorithm deciding you have risky behavior? I don’t believe people know how much risk this level of data intrusion carries.”

Cybersecurity Magazine: What should the Government vis-a-vis companies  be allowed to access and for how long?

Theresa Payton: “Governments need to put the guard rails up now. The guardrails must include: opt in language and ease of use to opt out of tracking; digital shredding strategies; all patterns should be anonymized before stored; and agreements must reached now on whether or not the government and private sector can use that data for other purposes.”

Cybersecurity Magazine: What do you think about the privacy discussions around the corona tracking app?

Theresa Payton: “I think we need to have more dialog about the security and privacy ramifications of these apps. I am worried that the tracking data will be used, in a negative way, to determine if someone has risky behaviors and could potentially impact the price or access to insurance and medical treatment. We used to say “don’t judge a book by its cover” now we have to say, “don’t judge me for where my phone has been”.”

Cybersecurity Magazine: The GDPR is EU law, but companies dealing with EU citizens have to comply as well – how did you perceive the start of GDPR in 2018?

Theresa Payton: “It remains to be seen in my estimation whether or not the time and money spent on GDPR has a true ROI for your privacy and mine. Many companies were confused on what’s in and what’s out of scope and spent manpower and dollars on that instead of on innovation or perhaps instead of on resiliency plans during a pandemic. However, I do think GDPR was good for the globe in many ways because it showed everyone a new bar in individual privacy rights.”
 
Cybersecurity Magazine: Is it time to introduce similar laws in US states, like California has been doing?

Theresa Payton: “As someone who is helping companies wrestle with GDPR, CCPA and other compliance efforts around privacy, I would like to see us implement a nationwide effort. The patchwork quilt of state based laws was horrible to follow pre covid 19. As businesses make up for lost revenue and lost business, having to think through each State’s individual privacy laws is often a daunting task. Just saying code all specs to CCPA as the new standard would be onerous and CCPA is the high bar now until the next state decides to implement their privacy law.”