Listen to learn about the relationships between privacy, security, and legal matters in our digital world.
"Some security is better than no security. If you are a small business, and you don't have all the resources to invest in a huge cybersecurity program, that's ok! Start with the basics, such as strong passwords, the use of VPNs, and trainings on cyber threats like phishing and malware."

Privacy and security considerations can be difficult to get your arms around; when laws and regulations come into play they add another layer of complexity.
Victoria E. Beckman (Lead Digital Crimes Unit Americas - Corporate, External, and Legal Affairs for Microsoft) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the relationships between privacy, security, and legal matters in our digital world.
Resources:
Connect with our guest: https://www.linkedin.com/in/victoriabeckman
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone, one of the principal security analysts here at SecurityMetrics. The topic today is, something I'm very excited about. It's about how legal aspects apply to privacy and security. A lot of times, I talk with organizations that the biggest kind of stress and fear is around the legal parts of things like HIPAA, GDPR, or there's confusion about it. How do you even read these laws? How do you apply them?
So I have found a really awesome person to come and talk to me today. Her name is Victoria Beckman. Let me tell you a little bit about her. Victoria is the leader for the Americas of the Digital Crimes Unit or DCU at Microsoft. DCU is responsible for implementing strategies to disrupt cybercrime by dismantling criminal infrastructure through civil actions, collaborate with organizations and governments to strengthen cybersecurity and support victim remediation, design education campaigns, and advance policies and legislation to deter and decrease cybercrime.
Victoria is a certified privacy manager, CIPM, and certified information privacy professional, CIPP US, by the International Association of Privacy Professionals or IAPP.
Prior to practicing law, Victoria was an industrial engineer in the technology and automotive sectors and a competitive figure skater for her native country of Colombia. Victoria is very cool. I'm so excited to have her on the show. Thank you so much for joining me, Victoria. I'm very excited to have you talk to me. And I would love to hear, a little bit about your educational background, your career background. How did you get to here from where you started?
Well, thanks, Jen, for being for inviting me. I'm very excited to be here as well. And, my career has been kind of wild.
It hasn't been conventional at all.
I would I'm gonna give you a a quick summary. Great. I was born and raised in Colombia, only child.
And, I graduated very young from high school. So at sixteen, I found myself having to figure out what what to do with my life.
It's different in Colombia because it is unlike the United States, where you can change your major and you can kind of figure out as you go. In Colombia, if you apply for, let's say, industrial engineering, like in my case, you applied and there's a curriculum and you have to follow and take the classes that they tell you and you can't really change midway.
So it was actually a bet with one of my cousins.
He was attending this university in Colombia that is, very prestigious and has a very, well known, engineering engineering campus. Sorry. I'm forgetting the words. No worries.
And and he it is fairly difficult to get accepted there. You have to take a test, and the results are published in the national newspaper, first page, and everything. So it was kind of a bet, oh, you know, you can't really go here.
Oh, so it was a really difficult big deal, and so you made a bet with him?
Yes. So I made a bet. He's, we grew up fairly close together. We're close in age, and he was kind of the Doogie Howser of the family.
He was the the genius of the family. So I said, and also there weren't a lot of women because it was only engineering. And I said, well, I can do that. So I actually did, and I passed.
Wow. And then I I was kind of stuck in there. My parents were very excited that I was gonna go to that university and be an engineer. So I said, okay.
Well, let's do this. And, and I I liked it, but but when I graduated, I started working as an engineer. I used to work for a a subsidiary of General Motors, and it was fairly, a tough environment from the work, like the daily life perspective, in that I was young, I was a woman.
There were mostly men, people who have been there for years who said, well, we're not gonna do what you tell us to do. We have been doing this for forty years. Mhmm. And this is how we're gonna do things.
So it it was tough. It was very tough, working working in that environment.
At some point, they said, we have a program in the United States where you go, you learn the processes, and then come back and apply them here. And I said, okay. To be honest, I did not wanna come to the United States.
At that point, my cousin, that one cousin, had gone to be a professor at the University of Barcelona, and I wanted to go and, be there with him and study there, whatever.
So, but they said, well, it's only six months, and you learn. And and I said, okay. Cool. This will be I can do this.
Originally, they sent me to Arizona where they had, Proving Grounds, but I happened to land in Arizona the morning of September eleven two thousand one.
Oh my goodness.
And, I did not speak any English at the time.
So when so I actually realized what was going on because I called my parents to tell them I made it, I'm here, and my mom is crying saying you need to come back, they don't want any foreigners in the US, this just happened, blah blah blah. So fast forward to my experience at at at this subsidiary of GM, there were other engineers from Mexico, from Brazil, and and it was tough at the time because of what had just happened. Mhmm.
They didn't really know what to do with our visas, how to feel Sure.
Blah blah blah.
And I had this genius idea, and I decided I'm just gonna quit, and I'm gonna get another job. I'm not gonna tell my parents because they're gonna make me go back to Colombia.
And I did that, and it was not pretty.
But I did not But you didn't speak English.
I I could it was a total disaster. But at that point, I thought I couldn't tell my parents that that was going like that.
So while I kept telling them that everything was great, I worked any job that I could find. So I worked at a hotel. I worked at a supermarket. I worked all kinds of crazy places, and and realized that if I wanted to stay, I needed to change my visa then. Mhmm. So the fastest way was to get a student visa.
I thought, I'm gonna do some kind of master's in engineering.
And, again, out of kind of not really a bet, but this was more somebody saying, you should take the LSAT. You have a lot of reading comprehension, and you will know what it is to take a test in English. Mhmm. And I said, okay.
And that's how the idea of the LSAT, came up. No one in my family is an attorney. I never thought about being an attorney. I don't I don't think I even knew what attorneys did at that time.
But I took the LSAT.
Out of a miracle, I did fairly well. I applied to Arizona State because that's where I lived and I didn't know anything else, and the dean of the law school contacted me and said, we want you to come here. What is it gonna take? And I said, Money, I don't have any.
So they ended up giving me a scholarship as long as I kept a certain GPA.
Nice.
And in my heart, I wanted to be a public defender. That's what I did in law school. I was an intern, and and I was that said that that was gonna be my career.
But a mentor said, you know, you should go to a big firm and have that in your resume, and then it could be whatever you want. Mhmm. And I let him convince me, so I went to a a big firm, and I worked two years doing intellectual property litigation because of my background.
And I hated every single day that Oh, no.
I was like, this is not for me.
So two years into that, I quit, and I went to be a public defender.
So Wow. I I actually joined the, the habeas corpus unit, which is the unit that defends people on death row. Mhmm. And I loved it. Loved it. That was gonna be my life. Mhmm.
Met a person who is now my husband, and he did not like that job because I was constantly in prisons and and witnessing executions and things like that. And and he was he also happened to be from Ohio. So he said, we're moving to Ohio. And I said, well, you realize I'm gonna have to start all over again.
Uh-huh. And and so when we moved to Ohio about eight and a half years ago, I was very I I actually was scared to go back to a law firm. I thought this is not I got a job at a law firm, and lucky enough, the first week that I was there, a case involving a hacker that had transferred money to China came in. They were already, they had done already all the forensics, and there were all the forensic reports and everything.
And they said, you're an engineer. You you understand this. You figure it out. So I read, and I did not understand.
I was like, I have no idea what this is.
But I loved it, and I thought, if I'm gonna be working at a firm, at least this is something that has kind of the technical aspect that I that I did like about engineering, and and I can do I can do this. So I started just on my own, quitting and going to conferences, and it started just kind of absorbing anything that had to do with that.
And and then it kind of boom, or then, you know, another case similar that came, they gave it to me, and and next thing I know, that became my practice.
So that's a long story to tell. That is a wild story.
Remaking yourself, regularly and and being extremely successful at it. I I love that story. Isn't cybersecurity fun?
It is. It is a lot of fun. And that was actually one of the things that that made me feel like I I like this.
It it is always at least well, from all standpoints, but from the legal standpoint, it's also always changing.
It's fairly new.
So I felt like there was a little bit more of an even feel. There wasn't gonna be the case where an attorney that has been doing this for forty years says kind of, a young lady, I know how to do this. I've been doing it for twenty years. It's kind of like, no. We we all have the same experience and chances.
It's it's okay if you have experience to tell someone else that does not have as much experience. Hey. Let's rely maybe let me share your experience. But when you use the words young ladies, just pro tip for everyone out there, that's probably not the best phrase to bring into it.
So tell me about your your current role. What what what do you do, and and what do you like best about what tell me tell me about those details.
So I I love it.
I think you've got a lot of fun. I think you did a perfect job. But, so now I'm at Microsoft. I lead the digital crimes unit for the Americas, which means from Canada to to Argentina.
And what we do is my team has attorneys, has analysts, has technical people, because what we do is we try to keep the Internet safe and and everything safe for our Microsoft products, obviously. But we do a lot of pre, pre crime work. So when you hear, you know, in the news about a a breach or something like that, it's probably too late for our team. It's probably in the hands of another team.
And so we have, several what we call labs, where we have analysts and and computer people that are constantly monitoring, behavior online, and we kind of go after, criminal networks. So let's say, for example, we we do ransomware. We do well, any kind of malware. We do technical support fraud, business email compromise, all these different kind of targets that we have.
And let's say we find suspicious activity in Mexico, for example, and and so we start kind of following that, then the investigator creates a report and then presents it to us. And then as, as attorneys, what we do is we work very closely with law enforcement in each country to say, here, here's all the evidence, this is what we have, we need you to help us by prosecuting this person, because we obviously don't have that capacity, or sometimes we actually file civil claims.
And another arm of my job is in order to file those civil claims, we have to be fairly creative because there is not legislation that covers a lot of these crimes. So we have to be creative in that we depending on the country and the laws that they have, we have to comment, the cases of, let's say, oh, is this can we kind of say claim that this is a fraud or impersonation or invasion of privacy?
But we want those laws to evolve. So we I also work very closely with legislatures to say, we know you wanna come up with laws for this. They probably don't know much about it. So here is a suggestion of of good the same best practices for cybersecurity hygiene or how you will, create us some kind of safe harbor law so that that companies can follow an industry recognized standard and then get some kind of legal, reward for that. And it could be, let's say and some states have done that in the United States, that you get an affirmative defense to a tort claim if you can demonstrate that you follow a standard. So we we come up I'm constantly in communication with law enforcement, with legislature, with congress, from, you know, Panama, Mexico, whatever, to say, this is where we wanna go.
But, ultimately, again, our goal is to work as a team to try to stop these cybercrimes from happening.
That's that's fascinating.
Especially, the involvement with legislation. I had always wondered, you know, who comes up with because lawmakers don't have expertise in that. And so so how do they get that language for, solving some of the privacy and security issues that they're trying to legislate for. So very interesting that Microsoft is part of that, and and you bring your background to that.
Yeah. And we're we're obviously not the only ones, but they do because of the relationships we have with them, let's say there is an initiative improved for a cybersecurity law. So they send it to our team, and we send back comments and other companies and other people send back comments and, and, you know, and they ultimately adopt whatever they wanna do.
Right.
So let's refocus a little bit. There is a relationship between privacy and security that is not often well understood. Some of the people that I work with, they're they fall under HIPAA regulations, which which, you know, is a privacy law that that uses security.
I would like to hear your perspective on the relationship between privacy and security and and then some of the legislation that that enforces privacy and security.
Sure. So they're two different things. They they act together most of the time, but they're different. Cybersecurity relates more to, I guess, illegal access to the information. So how do we keep the information safe so that a hacker or somebody who is not authorized part of our company doesn't have access to this information and disclose it when it cannot be disclosed?
And obviously, there will be technical, administrative, and physical safeguards to keep that information safe.
Privacy is more with who, is authorized to access that information. So I guess it could be, quote, unquote, more legal access to the information. In privacy, for example, we have a let's say we have a company, but not everybody can have access to the payroll of the company. Mhmm. So we need to keep that private, and only the HR person and the CEO, for example. And so we we from the technical aspect of it, we go and set up the controls so that only those people who should have access to it have access to it.
So that's why it kind of interacts. Also, a lot of the privacy laws that are that are being proposed or enacted have the component of cybersecurity in that they they request or have the requirement that the information has to be, safe, has to be kept safe, or some of them have, actually, included private rights of action in case of a breach and and private information gets disclosed. Mhmm.
And some of them also have, requirements to notify of a breach if if if a breach happens, where someone has access to personal identifiable information that shouldn't have had access to. So that's kind of how they interact. Not all privacy laws have that. You mentioned HIPAA. HIPAA has a very defined privacy rule and cybersecurity.
And some, let's say, California Consumer Privacy Act has a private right of action only out of a breach when certain type of information, actually, not all of it, is disclosed.
Some of them don't mention anything about breaches. Right? So, so it just kind of depends on the state, depends on the industry, depends on a lot of things.
Right. So, it feels like we're getting a lot more privacy legislation and security legislation than there has been in the past, which, of course, because cybersecurity is evolving, and criminal activity online is evolving. And so it makes sense that we try to wrestle with these these questions of what should be legislate legislated.
From your perspective, what kind of trends do you see among, for legislating, these things?
Well, as you mentioned, I think I think there's more awareness from even consumers and legislatures and and everybody in general about the risks and about the consequences of of attacks and about the consequences of not keeping information private.
So I think in the from the privacy side, there was there's been kind of an explosion after two thousand eighteen when the, GDPR, which is, I forgot, general protection oh my goodness. General data protection regulation, in in the European Union, became effective on May eighteen, I believe, twenty eighteen, because then other places were kind of like, oh, wait, as a company to figure this, especially because the GDPR, even though it's a European Union law, has this, what they call this, extraterritorial component, meaning if you are a company in the United States and you process information of a European Union subject, not citizen, has nothing to do with citizenship, somebody located in the European Union, you have to comply.
So at that point, a lot of multinational companies were forced to review their privacy policies and said, okay, we need to comply with this, if we're gonna be operating in in both continents.
That inspired California, and California inspired Colorado and Virginia that have been enacted and become effective in twenty twenty three, and a wave of privacy like, regulations that are either inspired on GDPR or CCPA or a combination of those.
Then from the cybersecurity side, well, we've seen all the all the breaches, all the hacks, and and I think people like us, common people, are seeing the effects in in regular life, in our day to day life.
Sure.
So I think it used to be people thought of, like, the hacker with the hoodie somewhere and stealing someone's money that wasn't yours. But then when you can't have gas because there was a hack, then you're like, wait a second, maybe this is important, or, you know, you have all your information from social media, like, disclosed because there was a hack or something like that, then I think people are more aware.
Right.
The the the one difference that we that I also see in legislation and in general and the approach is that, traditionally, Europe has been very concentrated in in privacy, and this has a long history from World War II and and things like that.
And so in the in the European Union and in Latin American countries, privacy is actually a fundamental right. And most of those countries have privacy as a constitutional right in their constitution.
In the United States, the word privacy is not even mentioned in the constitution, and that's not necessarily the approach. The approach has been a little bit more, from the economic standpoint, and let's get all the data that we can on people so we can target them with advertisements. We can personalize this and that.
So I feel like the laws that are being proposed reflect a little bit of that.
They're more I mean, there's even a difference within the states. There are some that are clearly more protectionist of the individual, like California, because they have celebrities, and and there's been cases even of stalkers getting celebrity information.
And there are other states that are more wanting to have companies invest on those states. So they're like, this, you know, this is costly and difficult for companies, so we're not gonna go there.
A lot of organizations end up in a position of being subject to some of these laws, these regulations, and their technical teams, their IT and security teams get told, okay. We have to, abide by the the California privacy law. We have to abide by GDPR or by HIPAA. HIPAA is a really common one.
There's a lot of, health related business in in the US.
And so they're often handed this requirement from their business leaders saying, we must be compliant with HIPAA, for example. And then the security team is going, well, we don't. How do we do that? How do we demonstrate that? How do we know? Because, one of the questions I get asked all the time is, you're going to come and do a third party, audit against, maybe the HIPAA rules or or help, you know, see where we're at with that. But there is no certificate.
You can't be certified HIPAA compliant. You can't be you know, these these are laws, not certification standards. And a lot of the people that I talk to are kind of scared of that. They're like, well, they feel like they're putting in a in a really difficult position, and then they ask, well, how do we demonstrate both to ourselves and to our leadership and to maybe customers that we're doing the right thing when we can't get a certification? What kind of recommendation would you give them for that?
Well, I my recommendations are not gonna sound, like, super legal because I feel like, number one, get a cool attorney that is not gonna tell you no. No. No.
That's a you know what? That is a really that's a really good, recommendation. I don't wanna breeze past it. So so when people don't if they have a law that they need to follow you know, cut cover and they don't have an attorney, that's a I think that they started in the wrong place.
Yeah. So definitely definitely get advice of counsel.
You know, there are attorneys, and I used to that, that specialize in in this, and so there is no point in you kind of trying to go along. At least some kind of guidance is is necessary.
Because and I was gonna go to kinda my second point.
It is important to really understand the laws and see whether they apply or not to you.
For example, I hear people like, oh, that's HIPAA information. That's HIPAA.
Anything that has to do with health is like, well, actually, the definition of HIPAA and who is a covered entity is so narrow Yes.
That if you're not a hospital, you're not a a hospital, you're not a hospitalist. In fact, even if you're a a doctor, but you're not receiving insurance and your your patients are paying you cash, you're not necessarily having to comply with HIPAA Yes. In some instances.
So so you need to actually understand the law and see if it does apply. CCPA, for example, there's a a high threshold of, the income that you have to have. You have to have more than twenty five million in net revenue a year, so a lot of a lot of the companies don't have to worry about it. Mhmm.
You know, all kinds of so that that's very, very important, and that's why I say get somebody who knows and and who is also gonna explain this to you so it's not scary, is gonna explain, okay, we have to do x because of this.
And and I always also told my clients in the past, it's obviously a a kind of, a risk, a balance of the risk.
Number one, if you are, you know, if you are selling things on Etsy, like, that you're making at home and you don't have some kind of privacy notice, likelihood is no one is gonna come and arrest you because you don't have Right. Notice.
Or you are selling stuff here and someone from Europe ordered, you know, three or four of your t shirts. Okay. You're not, you're likely gonna be fine under GDPR.
So look at that and look at the risk and do kind of that economic balance. I encourage people to do something. Not don't let the the whole thing scare you and be like, oh, we have to do HIPAA compliance, then we can, and but something is better than nothing. So if you are a small business and you don't have all the resources to invest in this huge cybersecurity program, okay, well, let's start with the basics. Let's start with making sure that you have that you require strong passwords, making sure that you, have VPNs so that if your employee goes home and and shares the computer with their kids and their grandmother, that at least that then there is a you know, they're separated, that they have some basic training that is super easy to do about recognizing phishing emails and not opening links and not you know? And I see this, like, with my own mom.
She you know, before she will she doesn't live in the United States. She doesn't even speak English, and she will call me like, oh, I want something. And I'm like, okay. Think about it. What are the chances that they're looking for you in Colombia to give you some I'm like, no. I'm not. You didn't win anything.
Yes. I'm like, no. Well, but but it says here, you know, my friend told me I'm like, no. Trust me. You're not missing anything.
So so I think I think taking a little bit of that of that concept of this is so kind of out there and complicated and I'm not an engineer and I'm not No. You can you can do a lot on your own with basic things. If you even small companies happens, like, if you're a small company, well, make sure that you keep, let's say, your employee information separated, that you keep it, safe. It could even be put it in something, back it up, and, you know, block it in a safe.
So so start with something. That would be my advice.
I love that. I really like how you how you started with doing the risk assessment.
Because so many people when they're when they are stressed or fearful about something, one of the best ways to quantify it and and allay the fears is to add it to a risk assessment, either a a current risk assessment or or start a new risk assessment. You know? So make sure that that is a formal process where you say, this is what we're worried about. This is the likelihood that that's going to happen. This is the impact if it does happen. And then you can look at it kind of rationally and say, alright.
Based on this, am I going to put some type of remediation in place to to mitigate that the potential risk there, Or am I going to accept the risk? You know? So so having a fear in your head about something, like you said, do something because that helps you move forward. But also, taking a really, rational look at what is the true risk, I think, is helpful to to a lot of people.
Absolutely.
Absolutely. I I couldn't agree more with you, Jen. Like, it it's so important, again, because even if there's a risk, the fact that you're aware of that risk and you said I made the decision, you know what? I'm willing I know this risk is out there, but I'm willing to take it because of this. Because let's say that I'm a big company and it's not even that costly, or I'm a small company and chances are this is not gonna happen, or whatever it is.
And I always tell my clients, do those risk assessments and document those decisions so that later, if something happens, someone doesn't say, Woah, how come no one thought about this? No. You know what? We did.
We did. And we came to this conclusion, and now we're paying for the consequences, but we were completely aware that this was a possibility and we play our, you know, our cards this way. Yeah. I I I think it's imperative to start with a risk assessment to know where you're at.
And not only in cybersecurity, but in everything I feel like in life. Like, okay. I'm here. I wanna get to point b.
How is that gonna happen?
Sure. I I absolutely agree with you. I think there are a lot of lessons that we can learn from how we deal with risk and security and privacy in in the cybersecurity realm.
Tons of that applies to our personal lives as well, things beyond work.
Yeah. Situations with your kids, with your like, it's all a constant risk assessment.
I feel like Yeah.
Exactly.
Something that I've noticed, myself doing is, the better I get at risk assessments, the more, the quicker I am to adapt to a a difficult situation to future planning.
And so this is something that I like seeing in in organization is something happens and then they put in place, remediation for if it will happen again. Because what are the chances something negative is going to happen? Hundred percent because it just happened. So a lot of the groups that I'm working with now that are that are going over and updating their risk assessments, I'll say to them, okay, what's in there about having to work from home?
Because if they if they don't have that after the last year we've been through, they just weren't paying attention and and they don't understand the value of of taking lessons learned and putting them into into future planning through a risk assessment.
So there's a lot of value in that.
Well, I mean, it's also kind of that risk assessment is a cost benefit analysis. I hear and and you've probably seen all kinds of memes about the budget, like, for a company before a breach and after the breach. Yeah. And And I also kind of that mystery, it doesn't have to be costly, but you should invest something in some cybersecurity, in some sort of plan, because if you get hit, it is gonna be very expensive. It is going to be even if you have insurance, you have to deal with that, and now insurance coverage is changing according to so that they don't have to pay one thing or the other. You're going to have to get an attorney, and they're not cheap.
You're gonna have to get sometimes a forensic team and the reputational cost to your brand could be devastating. And so so it is better to at least invest in something, so you're not later saying, I'm like, oh, what?
That was often the case that they will complain.
Why is this so expensive?
And I always say, remember what I told you?
You should have spent, you know, a thousand dollars back then and not having to spend a hundred thousand right now.
Right. Right.
I I am with you a hundred percent on that.
I sure appreciate the time that you spent with me today that you brought some really valuable insight into into this topic and I've really enjoyed speaking with you. Thank you so much.
Thanks. Thanks for the invitation again and I hope that the listeners had some fun and got some value out of this.
I'll I'll bet they did. Thank you. Alright.
Bye bye.
Thank you. Thanks again for joining us here at the SecurityMetrics podcast. If you like what you heard, please subscribe, please comment, please share. We really wanna get the word out for these various topics to people who who they apply to and you know that better than we do. So take it up, share it with your friends. Thank you.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.