In our #PrivacyMatters series, Privacy Radius interviews people who are working at the forefront of customer privacy, data protection or compliance at leading SaaS or privacy-first companies. No matter whether they are privacy experts, geeks, innovators or leaders, for all of them #PrivacyMatters!
For our first edition, we are delighted to interview Kavya Pearlman from Linden Lab, creators of Second Life, the Internet's largest user-created virtual world. Linden Lab also debuted Sansar in 2017, a new platform making it easy for people to create, share, and sell their own social VR (Virtual Reality) experiences.
- Name: Kavya Pearlman (CISM, PCIP, IFSEC Global Influencer 2018, Top 40 under 40 - San Francisco Business Journal 2019)
- Role: Information Security Director @ Linden Lab
- Twitter: https://twitter.com/MayaOfSansar
What is your background?
My background is in Network and Information Security. I graduated from DePaul University, Chicago with a Master's in Network Security and went on to acquire the CISM (Certified Information Security Manager) certification from ISACA. Due to my current role, I also became a certified PCI-DSS ISA (Payment Card Industry - Internal Security Assessor) and a certified PCIP (Payment Card Industry Professional).
How did you end up at Linden Lab?
After graduating from Chicago, I moved to San Francisco to build an Information Security Framework for a corporate immigration law firm. I acted as the ISMS Manager. Right after the law firm, I found myself advising Facebook's third-party security team during the 2016 US Presidential election. It was around the same time that I learned that Linden Lab was building a whole new virtual world called Sansar. When the lab approached me about heading information security, I knew I wanted to protect this new virtual world in the making as well as help with the well-established work of Second Life. I feel a profound sense of purpose in protecting a whole virtual world that has its own economy and the potential to impact millions of lives across the globe.
How would you define your role?
I am the Information Security Director and responsible for strategic security initiatives for keeping the lab compliant and protected from existing and emerging threats in cyberspace and in general. Just like any security professional, I spend a good amount of time learning about new and emerging threats as well as technologies. Another part of my role is to use that knowledge in figuring out as well as implementing security solutions to keep Linden Lab’s products and infrastructure secure. Fairly recently, with the General Data Protection Act (GDPR) and the California Consumer Privacy Act (CCPA) 2020 draft, a lot of the focus has shifted to protecting data and ensuring privacy from the ground up.
Do you have a separate compliance / data protection team?
I do have a team dedicated to privacy, data protection and compliance. No matter how small an organization may be, I recommend that everyone should have at least an informal team that pays attention to privacy/data protection. Besides internal privacy efforts, it is also important to contribute to upcoming regulations, which I plan on doing with the upcoming Federal privacy framework for the United States. Besides that, I believe privacy should not just be a single team’s job. Many large organizations including Facebook had dedicated privacy teams yet failed on privacy/data protection. At the lab, most of us understand privacy implications and try to incorporate them into the very fabric of our products, whether that's the marketing team or the engineering team.
What was key to the preparation for GDPR? What made it a success? What challenges?
Awareness and collaboration - this is true for any new or existing regulations and compliance requirements - not just GDPR. I joined the lab in August 2017 and one of the very first projects I picked up was preparation for GDPR. I believe the lead time for preparation was really helpful in understanding GDPR from a business perspective. However, the real success factor was various teams coming together to execute on the proposed changes and doing it in a timely manner. Everyone at the lab understood the criticality as we ran training campaigns and had dedicated teams working to keep the timelines.
The biggest challenge was coming to terms with the granular details such as “what makes an entity of our size and revenue GDPR compliant”. Since there was no precedent, it was quite challenging to draw that line in the sand at first. I guess if over-preparation is a pitfall, I am rather happy to acknowledge that than the other way around. The lab invested a lot of resources and time in getting GDPR right - something I feel so proud about.
If you had the chance to start from scratch at Linden Lab, what would you have done differently to prepare for new privacy regulations or customer privacy expectations?
GDPR introduced 6 basic principles to the world that are essential to Privacy:
- Lawfulness, fairness and transparency
- Purpose limitations
- Data minimisation
- Storage limitations
- Integrity and confidentiality
If I were to start from scratch, I’d stay in close touch with how GDPR as a law, specifically for an organization our size. I would still let the above principles be the guide to building new privacy features and modifying the existing capabilities to remain privacy-focused. While laws and regulations tend to be broad in order to cover a wide spectrum of technologies/businesses, I would put on the lab’s mission-oriented filter to synthesize GDPR-like law into a set of concrete actions.
What are the biggest mistakes you see other companies making?
A lot of companies got caught up where an outside law firm was defining the scope of activities (not truly understanding the internal technology capabilities and business objectives), which oftentimes overburdened companies wanting to do the right thing. Another mistake I noticed was organizations waiting until the last minute or simply waiting for a privacy incident to happen before actually taking any steps towards compliance.
What metrics do you care most about in your role?
- Awareness being the key - I keep a close eye on the number of days between on-boarding and completion of basic privacy and security training.
- Since GDPR came into effect, the number of GDPR Data Subject Access Requests carried out timely and diligently, with various metrics attached to it.
- Another one is privacy impact assessment with respect to new features and ensuring every finding is resolved before things go into production - therefore the number of completed privacy assessments.
What metrics are most important for you to define compliance success?
- Percentage of staff receiving privacy training
- Number of incidents, tracked by origin, organizational unit, project and severity level
- Percentage of “high-sensitivity” solutions with monitored audit trails
What had the most impact on these metrics?
- Reporting - This is probably the most impactful step, especially when the reports are truly transparent to Senior Management
- Monitoring - While everyone starts with baseline metrics, over time one or more of those metrics may diminish in importance or relevance because of the smooth running of an activity. Others may come to the forefront to take their place.
Which companies do you admire for their privacy approach and why?
Mozilla - best known for its Firefox browser - advocates strong privacy and incorporates privacy within the very fabric of its products. On the B2B side, Salesforce explicitly lets you keep ownership of the data you load into their servers. Salesforce lets you encrypt the data so Salesforce itself cannot see it, and the company promises to never sell the data. Finally, I have to count Apple with Tim Cook’s recent advocacy for better privacy. It all starts from the top. I wish more and more CEOs came forward and used their influence to focus on privacy.
How do you manage compliance?
Managing privacy and compliance is an ever-evolving and continuous process. It takes people, process, technology and tremendous leadership to strike the right balance between them all. I have written in detail about my approach to privacy and compliance in virtual worlds here: https://issuu.com/cybersecurityquarterly/docs/csq_volume_2_issue_3/14
In the past, I have used Truste’s privacy SaaS tools and found them to be really useful. The lab’s complex environment has compelled us to build internal tools for privacy. With a major push to the cloud and with the wave of ever-changing privacy regulations, we are literally evaluating a few vendors as we speak.
What’s the hardest thing about defining a customer privacy framework for end-users?
A vast amount of user data is being generated, with more and more devices every passing day. For us, business dependency and exchange of data with various third parties makes it challenging to keep data private even if the organization’s desire is to do just that. For that reason, many organizations including the lab are dedicating resources to third-party security and accountability.
If a platform serves a global audience, allows free exchange of data and runs a full-fledged economy with its own currency, the platform’s privacy risks are bound to be quite similar. Sometimes these risks are less or more depending on the business model and technology in use and the amount of data at stake. For example, large organizations like Google and Facebook have a much graver impact from privacy incidents than an organization like Linden Lab.
What’s the hardest part of managing privacy for global platforms like Sansar?
I’d say vendor risk management is probably the hardest, since all other aspects are somewhat under the organization's control. When it comes to vendor risks, one can try to minimize the risks by running a dedicated third-party risk management program, as we do. However, when it comes to third parties, legal and security assurance only go so far. The best approach is to minimize the exchange of data as much as possible with various third parties so we reduce our dependence on “trusted” third parties for keeping our data secure.
VR/AR presents new issues around privacy because of biometric data. What risks do you see and what are your recommendations?
VR/AR presents new issues around privacy because biometric data can unconsciously reveal intimate psychographic data without one providing explicit consent.
The risks are tremendous and if we are not proactive, we are looking at a losing battle. For that matter, on Nov 8th 2018, approximately 40 or so VR/AR professionals (including myself) spent a day at Stanford University reflecting on the very subject and came up with a few key recommendations. My friend and co-organizer of the event, Kent Bye (Voices of VR podcast host), captured details of our discussion:
From a consumer perspective, we should be demanding that VR companies DO NOT record and store this information in order to protect us from overreaching governments or hostile state actors who could capture this information and use it against us.
From a business standpoint, the issues around biometric data privacy in VR/AR represent new ethical & moral issues, which require cross-disciplinary teams for technical, legal, medical, cultural, & economic innovation. There are too many open questions and a lot of work needs to be done. Most importantly, we need to collaborate across platforms, remain proactive, and continue discussions and efforts like the VR Privacy Summit on Nov 8th, 2018.
Are data breaches the new norm?
In the year 2017, the number of data breaches exceeded 1300 and 2018 was more or less the same. At this rate, it would be right to say data breaches have in fact become the new norm. While that sounds bad, 2018 was notably the year of GDPR and the introduction of the Draft California Privacy Act 2020. I am hopeful that with the upcoming US federal privacy framework, we will see a shift in the trend. In the meantime, I recommend we all take a few steps to protect ourselves against data exposure:
- Update default privacy settings for various social media apps and other online services.
- Enable multi-factor authentication at the very minimum and use a YubiKey, if possible.
- Keep an eye on financial statements and follow up if you see suspicious activities on various online accounts.
Unfortunately, there are no silver bullets for privacy and security; this is why it’s more important than ever to stay educated on data privacy, and to always be aware of what kind of information you are putting out as well as where you are putting that information.
What’s next for customer privacy at Linden Lab?
As I mentioned before, there is so much work to be done. While Second Life continues to evolve, Sansar is putting out lots of new features each month. With every new update, there is a potential impact on privacy. Aside from internal accountability for privacy, we need to keep up with new and emerging regulations. Most importantly, we need to educate others about emerging technology risks and contribute to the various privacy frameworks in the making. This year Linden Lab is a Data Privacy Day Champion and continues to promote privacy and trust via various National Cyber Security Alliance initiatives like Data Privacy Day on 28th January 2019.
What should we expect in 2019 regarding privacy or data protection?
I am counting on the introduction of a new US federal privacy framework. While we will remain busy preparing for the California Consumer Privacy Act 2020, there will definitely be a few other states that roll out their own version of a privacy mandate. The silver lining from the 2018 privacy scandals is that we will see a higher level of privacy awareness from consumers and online users. This will have a direct impact on how various online entities treat our data. I anticipate 2019 will be a good year for privacy and data protection. We will see a lot of positive efforts - hopefully we will start to recognize the privacy impact of sharing biometric data. After a couple of really bad years, I remain optimistic for 2019.
How will customer privacy change over the next ten years?
A lot of it depends on how we approach the privacy issues we currently face. The key aspect that is bound to change is that consumers will come to expect a higher degree of accountability and privacy when sharing information online. I believe that in the next 10 years, privacy will not just be a thing for legal experts to navigate to keep an organization “compliant”. Privacy will become a driving force and a key factor in conducting business. Out from the hands of lawyers, into the minds of engineers and the board.
Do you think AI & blockchain will have an impact on privacy & data protection? If yes, how?
At face value, it may seem AI may introduce more privacy problems than it would solve. After all, AI needs more and more accurate data to learn and build solutions. Ironically, assessing the impact of technology on our privacy and identifying the right safeguards may end up being more accurately done by machines in the not too distant future. But first, we have to address many other open questions like consent for the data and lawful and ethical use of such data. Until we strike an ethical balance, our principal job will be to embed privacy and cybersecurity practices in the development of artificial intelligence involving personal data.
The blockchain is another technology that may have a positive impact on privacy solutions. Blockchains are distributed ledger systems – that is, information is stored not in a single, centralised database, but in a potentially infinite number of places. This does raise the question of data being everywhere and not really private. There are potential new mechanisms such as “secret contracts” vs blockchain-based “smart contracts” that could solve part of the data privacy issues within blockchain. Another question we would need to respond to is immutability. If we cannot delete data off the blockchain, then what about the GDPR “Right to delete information”? Again, these technologies can have a positive impact, but not until we answer a few key questions that are related to the technology itself.
Tools and inspiration
What (SaaS) product(s) couldn’t you miss for all the money in the world?
KnowBe4 - I am a big believer in awareness and education. KnowBe4 provides Security Awareness Training to help educate users on solving IT security problems related to spear phishing, ransomware attacks, privacy, OWASP Top 10 and recently GDPR. KnowBe4 experienced 290% growth in the 12-month period and rightfully so; it keeps up with the ever-changing regulations and threat landscape. I love the granular reporting capabilities KnowBe4 offers, which put me one step closer to compliance without having to build the entire program from scratch.
How do you get inspired? Who inspires you?
I am a person who loves challenges. I draw inspiration from pursuing a difficult problem, overcoming failures and succeeding with knowledge, patience and perseverance. For inspiration, I couldn’t possibly pick a single person, although there are moments and people I come across in life that inspire me to learn more, lead better and always help others. Right now I am truly inspired by this #PrivacyMatters effort and am taking some serious and concrete steps to become part of the solution to privacy problems myself.
Thanks for your time and great insights Kavya!