Debbie Reynolds “The Data Diva” talks to John H. Sudduth, Chief Information Officer, Metropolitan Water Reclamation District of Greater Chicago. We discuss, his career journey in Cybersecurity and what is happening with cybersecurity at municipalities, what began his interest in privacy, insider threats to Data Privacy, the cyber risks of shadow IT, the increasing complexity of threats, his emerging privacy concerns, lack of Regulation of third-party data use, his gift of simplicity in communication and advisory, the importance of listening in executive communications, the differences in his public and private sector experience, technology that aids privacy retention, companies having a European outlook, unique challenges of municipalities in implementing privacy and their needing to deal with IoT, crosstalk between devices and abilities, the profusion of capabilities in IoT devices and his hope for Data Privacy in the future.
Debbie Reynolds “The Data Diva” talks to John H. Sudduth, Chief Information Officer, Metropolitan Water Reclamation District of Greater Chicago. We discuss, his career journey in Cybersecurity and what is happening with cybersecurity at municipalities, what began his interest in privacy, insider threats to Data Privacy, the cyber risks of shadow IT, the increasing complexity of threats, his emerging privacy concerns, lack of Regulation of third-party data use, his gift of simplicity in communication and advisory, the importance of listening in executive communications, the differences in his public and private sector experience, technology that aids privacy retention, companies having a European outlook, unique challenges of municipalities in implementing privacy and their needing to deal with IoT, crosstalk between devices and abilities, the profusion of capabilities in IoT devices and his hope for Data Privacy in the future.
44:44
SUMMARY KEYWORDS
privacy, people, data, technology, device, organization, protect, absolutely, municipalities, cybersecurity, crown jewels, threats, companies, implement, thoughts, agree, laws, point, iot, buy
SPEAKERS
Debbie Reynolds, John Sudduth
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own, and are not legal advice or official statements by their organizations.
Hello, my name is Debbie Reynolds. They call me “The Data Diva”. This is "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with the information that businesses need to know now. I have a special guest on the show. A dear friend, I've known him forever, ever, ever, ever, ever. John Sudduth. He is the Chief Information Officer at the Metropolitan Water Reclamation District of Greater Chicago. Hello, John.
John Sudduth 00:44
Hey, Debbie, good to see you.
Debbie Reynolds 00:47
It's great. I haven't seen you since the pandemic started. And we've known each other so, so long, we have a constellation of mutual friends. And we talk to or talk through a lot of times, but I thought it'd be great to have you on the show. You know, you're someone as I said, we've known each other for a super long time. We met back in the 90s, when I was doing consulting work with law firms on digital transformation stuff. And you just really stood out to me, I'm so excited about all the cool things that you've done in your career. Because, first of all, you're just a very down to earth, funny, humorous person. You know, you have a very level business head on your shoulders. So you seem unflappable, I think any, any situation where I've ever seen you in been able to definitely handle yourself. And, you know, it definitely shows and your leadership, the things that you're doing in Chicago.
John Sudduth 01:52
Thank you. I appreciate that. Yeah, we go back a pretty good way. So you know, definitely happy to be here honored to participate in the packet.
Debbie Reynolds 02:02
Yeah, yeah. I thought you'd be a perfect person to talk to I don't even know what podcasts I was on. I was on one, I say, oh, my God, I need to talk to my friend, John about the stuff. So I think people who work in municipalities that do have special challenges that maybe the private sector don't even think about, right? And for me, I think it's part of that is, everyone is your customer, right? So it's not like Apple or whatever, like, okay, everyone who buys this is our customer. Everyone in Chicago that has water, that wants water, right, which is everyone, is your customer. So I would love to hear your thoughts about first of all, just let's, for anyone who doesn't know, this is really awesome. Talk about the trajectory of your career in the cyber or IT space. And then I would love for you to talk a little bit about the things that you see happening municipalities around cybersecurity and privacy.
John Sudduth 03:09
Absolutely. So my career goes over a pretty lengthy timeframe. As as the IT world goes. I actually started in help desk support once upon a time, so I'm not the traditional; I like to say I'm not the traditional CIO. I literally started by installing components to computers. And from there, I went into networking, then did some database administration, where a little bit of software development, actually building networks and small applications into management. So once I got to management, that was a bit of a hybrid. So leadership, and still doing technical work. And probably about 10, 12 years ago, I pulled my fingers off the keyboard because I was struggling to straddle that line between wanting to technology and wanting to get more into technology and business alignment. So I made the decision that I was reluctantly pulling my fingers off the keyboard and focusing on leadership, business transformation through it, and that type of thing. So pretty lengthy, a lengthy career in IT. I've been in almost 30 years now, so I'm giving away my age and not to give away yours. So, you know, it's been a pretty good career, honestly, you know, I've kind of seen technologies come and go and probably over the last, I mean, I've been around security pretty much that entire time, although it is kind of morphed into something completely different, you know, over around the last 12 to 15 years. But I've really gone hard and heavy with information, privacy, Data Privacy, information security for about the last seven years, to the point where I currently hold a multitude of security-related certifications. So that's my career in a nutshell.
Debbie Reynolds 05:37
That's really cool. You know, I've noticed the announcements that you make, and I see you speaking on stage and different things, I keep up with you and what you're doing. And I noticed a few years ago that you were dipping your toe into privacy. And I would love to know what was the impetus for that with you?
John Sudduth 05:55
I think privacy is a key component to technology, right? So part of our job as technology professionals is to collect, house, and protect data. And data pretty much drives everything that we do. It’s not just technology anymore, but your data is being tracked when you buy a candy bar on your credit card or any of those rewards programs; that's data collection. So I've started to dig a little deeper into privacy to get a better understanding of it. I mean, well, it's always been there. We didn't think enough about it; I would say, back pre-2000. We're just putting data out. And what would happen, you know that the bad things start to happen, right? The data leaks and the exploitation of data, the holding data has this manipulation. And then we started to say, oh, wait a minute; we need to protect this stuff. So I've kind of become an evangelist like yourself with putting privacy first and making sure that people understand that we have all this data and that it needs to be protected. So that's constantly what I'm pushing now, throughout the utility space and actually, throughout the IQ space in general.
Debbie Reynolds 07:31
Yeah, wow, that's great to hear. I knew you're just a smart cookie anyway. So I knew that you would get that relation. My genesis in technology was database administration. So that was my first love and data. And I always liked to see data flows and things to happen. And honestly, we see data flows aren't great. We as as people are using it. So one thing I love to talk about. And I'm sure you're the perfect person to talk about this, which is in the past, information security, in my view was thought of as you have a castle, and you're protecting the castle, okay, and everything, the walls and everything like that. But we're saying that the data is not always in the castle. And the threat is not always outside of the castle. So talk to me a little bit about that kind of mind shift or that change in IT and privacy?
John Sudduth 08:34
Oh, wow. That's really ironic. That'd be because that's the exact analogy that I've used in several presentations. It's almost like you've seen him, but I know that you have. But you're absolutely right. That traditional mindset was that there was a key, our data's in this castle, I liken them to crown jewels, and a castle. And then you have this castle with the wall, and he had the moat and all of that protection. So that was the traditional way of protecting data using that analogy and that there are firewalls there, intrusion detection devices and all of the things that protect your crown jewels. But what's happened and this has really exploded due to COVID is that people have taken those crown jewels and made them mobile, right. They're storing them on laptops and storing it on phones and tablets. And so the threat doesn't have to break through this wall and this moat to get to your crown jewels, because your crown jewels are being taken out with but your user population. So what's happened is that we've had to pivot and adjust to protecting those endpoints we call an endpoint protection. So we have to build that same methodology around each device as it goes out. And what we've learned and this has been a hard lesson is that you can put all the technology in the world around your assets, you know, data being an asset. But if the mindset of the person who has that asset is not right, bad actors are going to get to it. Right? No matter what. So I always say to inform people when I'm speaking about Data Privacy, when I'm speaking about cybersecurity, is that you have to change the mindset of your data stewards, your people who are actually holding that data who have certain controls over that data, to make sure that they understand that the threats are out there, the threats are imminent, and that you empower them with a mindset of protecting that data when that they have the control over.
Debbie Reynolds 10:51
Oh, that's so cool. I love what you're thinking about, and we have like-minded ways to think about this problem. One thing I would love to talk to you about, I'm sure you know, tons about, and this is Shadow IT, okay. So, in the old days, Shadow IT has always been a problem with people trying to do their own technology and stuff like that and not going on along the path of what the organization wants to do. But Shadow IT, I think, now creates a much higher risk to organizations, especially because before, it used to be like, oh, you have to go through this purchase process, and someone had to install this application on your drive. Now you have people just creating accounts in the cloud and throw stuff in the cloud, and then they leave the organization. And people are like, oh, data got deleted, oh, because Jasper left the company and all the stuff was all his account and all that stuff. So talk to me about the threat of Shadow IT and how it is exponentially changed because of the cloud.
John Sudduth 12:05
Absolutely. So I think that there were several drivers that pushed what we traditionally knew as Shadow IT into this whole new realm. And you hit on one of those, which the cloud. That was a big driver. But the other driver that I talked about, that I don't hear a lot of other people talking about, is what I call the consumerization of IT, right. And the analogy, or the example that I use, is that when you go buy a device from Apple, whether it be a phone, or a tablet, or a watch or what have you, and next time you buy one, you just notice or you know, if you're an Apple consumer, that there are no instructions that come with that device, right? Back in the day, we would get a device, and you had a whole book with an index that told you how to configure that device, how to use that device, and you know everything about it. But what happened with the consumerization of technology is that end-users start to feel very empowered that, okay, you know, what, I set up my phone, I can set up an account in the cloud, and I can become my own IT person. I don't need it anymore. And what I've seen is that actually evolved into vendors, giving the misconception to end-users within an organization that you don't need it, right? All you need to do is sign up with us, and then we will configure everything, and your IT department may not even need to know about this. And I can't tell you how many of those installations that I've had to clean up. Right? And it always comes back to well; the vendor said that we didn't really need it. So we didn't bring this through the normal process. And that's what is really logged into you. And I think that the cloud and the consumerization of technology has really pushed that to a point to where it is right now.
Debbie Reynolds 14:24
Yeah, two things I want to talk to you about. So, one, I want you to expound a bit on the people part of the IT or cyber problem. And then the second part is in terms of administration and how you deal with cyber threats. I feel like the threats are exponentially more complex, and I don't think it's something where you can just throw bodies at the problem. So it's a two-part question last about people. One is about how we face these exponential threats in the future.
John Sudduth 15:09
So I'll start with the second part first about facing the threats. The first part really is understanding, alright, you can't protect what you don't know. So you have to identify the assets within your organization that you're looking to protect. And then, from that point, you figure out what the best tools, what the best methodologies will be to protect those assets. So it's really about understanding, and then from that point, you have to what I call keep your ear to the street, as to what's happening out there. So that may mean listening to various podcasts and aiming, joining various groups to consume information, and maybe listening to webinars, but whatever, find some outlets where you can consume information and get a better understanding of what's happening. Because if you put those two things together, right, we protected our assets. And then, we can look at the emerging threats that are happening, and you can actually go back and adjust as needed. And that's something in the utility space that we constantly have to do because we're directly battling state-sponsored bad actors in a lot of cases. So that's the second part of your question. The first part is the people. Right, and with the people, it really goes to training and making sure that they have a good understanding of you how to protect their information, and how they can be utilized in order to gain access to that information, and the level of threat that they may be to an organization. One thing that we really harp on is mandatory cybersecurity training, cyber awareness training, to the point where we do internal phishing campaigns to make sure that our people understand that these are things that may be coming through. And, you know, we actually go beyond that to try and give our end users some life skills around cybersecurity. So outside of what we're doing at our organization, we say, these are some of the things that you may see, coming through your personal email, right, as tax season, so the bad actors are out there trying to get your information to file fraudulent tax returns, and so I think by putting those things together you, the people and the protection of the asset, you have a better chance of combating these threats because the threats are there. Some of the threats are going to get through, you're going to have to deal with them, but you want to protect as much as you possibly can.
Debbie Reynolds 18:15
Yeah excellent, excellent. What’s on the horizon that concerns you the most in privacy, either in your role or personally, what are you looking at, like thinking like this.
John Sudduth 18:31
I'm not a big fan of the facial recognition, you know, that that's something that, that worries me a little, just from a personal perspective, although I do use it on my phone. But I just feel like it or I can see kind of things on the horizon around targeted marketing based off of hitting certain demographics and other things that could be used, bad things that could happen or could be a result of collecting facial recognition data. So that's the one thing around privacy that does concern me right now.
Debbie Reynolds 19:18
Yeah, I agree with you on that. And that's something I talk about a lot. The phone I used to have had face ID and I traded it to someone. It was a higher phone. I traded it to someone with an older phone. I don't really like this and a lot of it is what we're seeing is companies can misuse and abuse data, right for different purposes. And right now, we don't have strong enough regulations in the US especially around that third party data risk. What are you using it for, did people agree to this, you know? So that's definitely a challenge that we definitely see. I’d love to actually have a question and a comment. So you’re extraordinarily gifted in the way that you communicate with people. And you've always been that way, as long as I've known you.
John Sudduth 20:20
Thank you for that.
Debbie Reynolds 20:24
The thing that you do that is so amazing is that you don't talk down to people about IT stuff. So I've never seen you do the acronym soup thing with anyone. You explain things in very simple terms. So it helps you to be able to talk with people at all levels in a way that they can understand. We can bring them into the conversation, not shut them out. So just give me a little bit of some executive advice for people who are looking to have that type of communication skill. What are your thoughts on that?
John Sudduth 21:02
Well, I mean, communication really bridges the gap, right? I mean, no one is, you can't just hop into an industry and start doing acronym soup, as you've dubbed. And what I try and make sure that I do is to catch myself, if I start to do that. Now, when I'm talking to someone, if I'm talking to a completely technical audience, we will geek out in a heartbeat, I have no problem with that because I understand the audience that I'm speaking to. But I try and make sure that if I'm speaking to a general audience that don't go into geekspeak. And I try and make sure that I understand that audience. Also, I think that as communicators, not even just executives, but just communicators in general, we just have to be conscious that all of us have a connection as a human, right? And we need to make sure or we need to stay conscious of that as we're relaying information, that people are actually consuming that information. So it means putting something out there seeing your reaction, making sure that you're getting a response from it. And I think that that's the one takeaway that I would I would give anyone around communication is, speak, listen, and then react, right? But that listening part is key, you have to be able to listen, which is consuming the information, and then act on it. So not trying to over talk anyone or, you know, don't try and start using acronyms to make yourself seem smarter than anyone, but just connect on a human level and just converse and communicate on that human level.
Debbie Reynolds 23:11
That's great advice. That's great advice. Right? So listening means actually listening to the person and not just waiting for your turn to talk.
John Sudduth 23:20
Exactly, exactly right, you hit the nail right on the head, right? You know, process the information, understand what they're saying because a lot of times you can get something key out of it that you otherwise would not have gotten if you're trying to talk over someone or if you're thinking of what you're going to say next.
Debbie Reynolds 23:37
Right. Exactly, exactly. So you've been in private sector, you've been in public sector, I would love your thoughts about the differences there, in terms of cybersecurity, in your roles. What are your thoughts about that?
John Sudduth 23:53
So the notion, and I've actually fielded this question a couple of times, and the response that I typically give is that in the private sector, our notion was to fail fast. So let's try this; let's get it out there. Let's get it implemented. If it's not going to work, let's figure it out fast to figure out what we're going to do next. All right, government, you get one shot. So, and that was a tough lesson for me, honestly. But you know, being frank, that was a very tough lesson. And that you have to do deep due diligence because you're you whatever solution that you select, you're simply married to it for five years. You can't take the fail-fast mentality. So that has really, believe it or not, helped me a lot to evolve my thinking around technology implementation. So now I take the approach of combining those two things together. So while we need to understand the technologies that are out there and understand that they are evolving really quickly, because again, in the private sector, we had the rule if you can't get it implemented in six months, don't do it. But in government, it’s darn near impossible to get something implemented in six months. So you have to do due diligence continuously. And you have to make sure that you're selecting the right product, because like I said, you're going to be married to it for five years. So those are to compare and contrast. And another thing about government is that there's new processes. Some people call it red tape, but there are processes in place that you have to do something execute, and then you have to wait, sometimes a pretty lengthy time, before you can actually move on to the next step, wherein the private sector sometimes you can do things in parallel.
Debbie Reynolds 26:03
Yeah. Wow, that's really interesting. That's really interesting. Well, one thing that I would love your thoughts on, and this is privacy-enhancing tech. So I think of this in two different ways. One is technology that's created, their sole purpose is to handle privacy, right? And then what we're seeing is, as some companies will say, you already have tools that you're using. And as they're updated, they're saying, okay, we know that you have privacy concerns. We created this feature to help you manage that. What are you seeing in terms of either stuff you're implementing or things that you're looking at that are coming to you that touch on privacy?
John Sudduth 26:50
Well, I think thankfully, most companies are aware now that privacy is a concern. So I'm seeing a lot more privacy statements built into contracts. I'm seeing things like agreed-upon data purges at certain points, actually relinquishing data upon termination, and contracts and those types of things. So I'm a lot more enthusiastic around privacy as it relates to companies’ housing data now than I was, let's say, even five years ago, so I think there's a lot of awareness around privacy. I mean, we see it in the media and on various news outlets, probably multiple times per day. So I think that that's really driven companies to think about privacy first. And I think that that's driven companies that are consuming those services and those products to address the questions around privacy. So how are you protecting our data? And that's something that I put in place that the organization that I'm at right now we have, it's what I think we're up to about three and a half pages of various questions, places where they have to attest as to how they're securing data. And various ways that we're asking those privacy questions. And I think that that's the case in a lot of organizations right now.
Debbie Reynolds 28:30
Yeah, I noticed that as well. I think it's only going to increase, especially as we see these regulations tighten up around the world, or especially around third-party risks, especially. So even though as people, even though they're not in Europe, or they might be doing things in Europe, they're seeing kind of a European flavor, in those questionnaires about you, what is the purpose that you have for this data? What are you doing with this data retention? Where it wasn't, companies will keep data forever. They weren't told to do otherwise. Right. So, right, you know, for me, I'm glad because I hate that sort of end of life thing like nobody wants to be hot over a product when it first comes out, right. But when it's like when the ages out, no one wants to be a hot potato. Nobody wants to touch that. There's no glory in the end of the whole thing. What are your thoughts?
John Sudduth 29:27
No, I absolutely agree. You know, and, again, to your point, it's good to see people aware of that. So yeah, and that bright, shiny object is always attractive. But we have to keep our eyes on that, as it starts to age out and not be as shiny and understand that this data that we put out there in the beginning is going to be be just as valuable as when that system becomes end of life. So we have to protect it throughout the entire lifecycle.
Debbie Reynolds 30:07
Yeah, yeah. One thing that I think is really tough that municipalities do that I think private companies don’t have to think about as much. When everyone is your customer, it makes your job that much more difficult. Right? So you have technologies, for example, that were developed for the private sector, and then when they tried to implement it in the public sector, there may be some gaps there that people aren't thinking about it. Can you talk a little bit about character? I'm not going to know exactly what I'm talking about. The most challenges?
John Sudduth 30:42
Yeah, I'll talk specifically about in that arena, the challenges with IoT right now, Internet of Things, we, at utilities, there's a lot of data that, in some cases are still manually collected. And as IoT has been introduced, various sensors and various data collection mechanisms, that industry has really exploded, and it's exploded without any regulations around. And, to your point, there are companies out there that are building these widgets, that they're constantly saying, this is a great widget, this is life-changing for your utility, and this and that, and some utilities buy into it, and then they try and integrate it, and they find that it doesn't integrate with some of their legacy systems, or, it doesn't collect the data in a manner that's useful to them for their reporting needs. And so that's something that we're constantly seeing. And that's actually something that I'm working with, with a group of utilities across the US to try and get various standards in place, or at least a guideline in place for vendors to operate against as they're building these devices. So that not only will it work at one utility, but it will work across the entire industry. And that's really where that void is, right. So in the public sector, and a lot of cases, you know, things have standardized, or what I would call corporate IP, things have standardized across the board. So, you go buy this widget; it’s more than likely going to integrate into your environment. However, on the public sector side, particularly in utilities, that may not be the case because the technology is so vastly different from organization to organization. So, that's something that's going to be imperative to get in place within the utility industry probably over the next few years because we're seeing these various infrastructures come to end of life, some of them have been around for 20, 30 years, in some cases, and the threat is out there because the bad actors are coming at it, like gangbusters. I mean, the perfect example is Colonial Pipeline. It was a critical infrastructure that got breached. So I would say that getting certain standards in place, and having an understanding that your widget needs to integrate with various systems, and this is from a vendor perspective, is absolutely paramount when your customer base are public utilities.
Debbie Reynolds 33:40
So cool that you're working on that. It's such a vital thing. I work on IoT as well, the devices with companies that are pitching to the municipality. So yeah, there are definitely some things there, some gaps there, you'd have to think about. To me, I think of an IoT device as a computer without a screen. So I think people think, oh, it's not doing anything, you don't know what it’s doing. Exactly. So I think like you're saying a lot of these, especially municipalities, you have these systems that weren't, they were never commercial, right. They're always, probably purpose-built for municipalities. And then now you have these things on the market, Internet-connected, and you're trying to build it into your system, and I can see how that will be very challenging.
John Sudduth 34:31
Yeah, it's a pretty significant challenge in the industry right now.
Debbie Reynolds 34:35
Yeah, yeah. Yeah, with Smart Meters, you know, people think, oh, I got the Smart Meter. I'm going to go to Amazon and buy this thing and plug it in, and you may not know even what it's doing. Exactly, exactly.
John Sudduth 34:48
Or you may not even know enough to change the default password, right. You know, now someone has access to, directly to that device.
Debbie Reynolds 34:59
Yeah. One other thing that concerns me about IoT is that, as computing becomes more sophisticated, the devices will talk to each other, and they'll talk to each other about you. I think people don't understand the power of these devices, the technologies going into them and how to use them, or how to limit their use. Maybe the device has 10 things that it does; maybe you only need five of those things, and then the legal issues around what is doing. A lot of times, I feel like organizations end up holding them back on that. When they implement something, it's okay; well, it's doing something that's illegal in your state or something, so what are your thoughts?
John Sudduth 35:51
No, you're absolutely right. And this is something that I'm foreseeing that is probably already here. But as they start talking about artificial intelligence, and machine learning, those concerns multiply because what could ultimately happen and what ultimately will happen is that you're going to start to integrate. Now, what we think of, not so smart IoT devices, those devices that are only designed to do 10 things, but when you put machine learning on top of that and then AI on top of that machine learning, now you have a system that's pushing or having those 10 things done, and making decisions, right, and this is sometimes without human intervention. So your point about it doing something this not legal in a certain state without your knowing is quite plausible. And not knowing is not deniability, right. And as a law.
Debbie Reynolds 37:06
Exactly, exactly right. So, you know, things that concern me, or what if one really interesting thing, and I did a video about this, it's like devices, they end up doing multiple things. So let's say before, let's say a speaker is only telling you things now is recording information. Now it's something that has video on it, or some sensor, or whole other thing, something that's sensing you, but not videotaping you, because they're like law, there are different laws about that. So it's different laws for video, different laws for audio, and very few laws about sensors. So we're going to see a lot of that, probably coming up in the future. So having these devices that maybe even with update push to the Internet, now, I have all these capabilities that you didn't know about even though they have capability to do, but now has this new functionality. And I think some people think that's cool. In some ways, it's not bad. But I think, to me, again, I think a lot of whether it be individuals or even municipalities, they're going to be left holding the bag of these things or doing things that aren't legal, you know?
John Sudduth 38:20
I mean, think about electric cars, right? Cars that do updates over the air. And this is where it's going to hit individuals and have a significant impact. But what if a bad package came across the Internet and hit, I won't name a brand, but let's say one particular brand of electric car, and it disables that car. So now you have this whole group of consumers who can't get to work, who can't get to wherever they need to go, per se, because they got a bad update from their car provider. And I liken this to for those of us who've been around technology for a long time, there was a patch that came out and Windows NT, and you know, I hate to start bringing various companies into this, but this is the thing that I always have to use, and it disables, or you have to shut down systems across the globe until another patch was put out by Microsoft in order to fix the bad patch that they put out. So imagine if something like that happened to a high-profile electronic car company that could have a drastic impact on individuals. So you're absolutely right to have those concerns.
Debbie Reynolds 39:46
Yeah, that's not far-fetched. That's not sci-fi like this can actually happen. Yeah, great. Oh, my goodness. Well, if it were the world, according to John, and we did everything that you said, what would be your wish for privacy in the world? So whether it be regulation, technology, anything, people stuff?
John Sudduth 40:08
Oh, that's a great question. And I'm going to answer this, but I'm going to flip it back to you to ask, what are your thoughts on what I'm about to say. But I would say, here in the US, and we need a consolidated privacy law. And the reason that I say that is because we see laws coming out of California, privacy laws coming out of Illinois privacy, laws coming out of Michigan. And as IT professionals, we enable businesses, all right, and it’s really difficult, at least in my opinion, to have to know what the various laws are throughout individual states like, okay, well, in Illinois, we have all-party consent law, when it comes down to recording audio, that's not the case. And I think New York. So I think that having something concise that goes across the entire country like the UK did, which will greatly benefit us, but I would like to know your thoughts on that as a privacy professional?
Debbie Reynolds 41:23
Oh, my goodness, look at you. Ah, yeah, I agree. You know, I think we need to get out of the idea that the people stay in one place, and they compute in one place. And the way they are going about it at state level is kind of provincial, so as you know, we live here at the Indiana border, like it's buck, wild Indiana, you know, Indiana that you can't do Illinois, so I think it just creates more confusion for businesses. And it makes it hard for them to know how to implement their products, especially as you're doing emerging technology. So you just get that much more complicated. So I think you're right, I think instead of fighting about the stuff that we don't agree about, let's come to some basic understanding of what we do agree about. So to me, at a Federal level, we should at least have like one synchronized definition of what personal data is, so I ended up doing, you work where I'm advising companies on state by state things they can do, it is just crazy for state by state, what the different laws and different different challenges that people have to have to face when they have products and services that they're putting out. So I think having more of an approach where we can, you know, stop fighting about things that we don't agree about, like, you know, the pride of private right of action or preemption, and just say, okay, as a country, we agree on these, you know, personal data means these five things, you know, I think that will greatly help help help organizations and, you know, help consumers because, you know, most consumers can't navigate this as well. It's really hard to know what their rights are.
John Sudduth 43:12
Yeah, great point. Great point.
Debbie Reynolds 43:15
Fantastic. Look at you interviewing me. Very cool. Very cool. Well, oh my God, I'm so excited. I'm happy that you're on the show. I think you gave some really great insight. Yeah, I love to chat with you too, about some IoT stuff, because that's definitely in my wheelhouse as well.
John Sudduth 43:37
Oh, absolutely. Yeah. And anytime, just let me know, we'll get scheduled and you're going to have it.
Debbie Reynolds 43:47
Perfect. Perfect. Well, it's so great to have you on the show. And I thank you so much. And I know our listeners really love it.
John Sudduth 43:54
Okay, I'm ecstatic to be a part of this show. I congratulate you on this. And I wish you continued success.
Debbie Reynolds 44:02
Thank you. All right. I'll talk to you soon. All right. Good to see you.