Episode 3: Privacy Please Podcast with Guest Scott Giordano covering CCPA and GDPR

Scott Giordano, Senior Counsel of Privacy and Compliance for Spirion, joins Cameron Ivey to discuss the California Consumer Privacy Act (CCPA) and upcoming privacy regulations.

The two cover:

  • The contrast in how long it took for GDPR to come together versus the CCPA and what that means for the clarity and enforcement of each law
  • The current state of GDPR enforcement
  • Upcoming American state privacy regulations including ones regulating biometrics and the Internet of Things (IoT)
  • The new ballot initiative known as the California Privacy Rights Enforcement Act (CPREA) and its category of “special personal data.”

Links to the resources mentioned in the episode:

  • GDPR
  • CCPA
  • CPREA
  • State by state upcoming privacy regulations
  • Mnemonic
  • Report: Out of Control: How consumers are exploited by the ad tech industry

Here’s a transcript of the conversation:

Cameron Ivey: Ladies and gentlemen, welcome to Privacy Please. I’m your host Cameron Ivey, and with me today is the incredible and informative, Mr. Scott Giordano. Dr. Scott, he is the VP and senior counsel, privacy and compliance for Spirion. Thanks for coming on, Scott.

Scott Giordano: Thanks for having me on. It’s great.

Cameron Ivey: Yeah, absolutely. It is 2020. It’s January. CCPA, it is live.

Scott Giordano: Yes.

Cameron Ivey: When did it go live?

Scott Giordano: It went live on the first of the year.

Cameron Ivey: What does that really mean? Just as a simple term, break it down for anyone listening right now, what is the CCPA?

Scott Giordano: Well, CCPA is the most comprehensive US state level data protection regulation that we have at the moment. And when I say data protection, I use that phrase very deliberately. It’s a combination of privacy and security, mostly privacy, but some security. And so it’s a holistic view of protecting personal information. And it’s interesting because sometimes people will say, “Oh, it’s just California’s GDPR,” which it’s not.

Cameron Ivey: No.

Scott Giordano: It’s not. I mean it borrows some elements, which is great. Because the law was drafted so quickly, a couple of things probably got into it that you wouldn’t have thought of and some things added into it that were just drawn from GDPR. It’s kind of a grab bag. Not the way I would have done things, but we’ve got it and we’re working with it.

Cameron Ivey: Yeah, absolutely. The biggest thing that I read an article about, obviously it went live on the 1st of January, the biggest thing is I think a lot of people are mistaken for what it really means and what it could do to their company if they kind of just put it in the background and not really pay attention to it. From my understanding, you can elaborate on it, but when it comes to CCPA, it’s all about giving the customer the allowance to basically tell a company if they want their data deleted or not. Is that part of it as well?

Scott Giordano: Yeah. Yeah. You have the ability to ask a company to delete your data, and it’s subject to some exceptions. Because sometimes when you delete data, you actually do damage to other data. If data’s on a table, a lot of times that’ll make a mess if you delete one row or one record in a table, so you got to be judicious in what you’re doing. But overall, it gives folks an ability just to have companies delete their data, which is great. It’s long overdue.

Cameron Ivey: Yeah. And do you see that kind of happening elsewhere?

Scott Giordano: Well, it’s funny because now I’m going to websites and I’m seeing banners that are popping up saying, “Do not sell my data.” Part of the requirement is that you literally have to have a link to click on, on your website, giving people the opportunity to say, “Don’t sell my data.” In terms of the ability to delete, what’s interesting is that we at Spirion have gotten requests from folks to delete their information per CCPA. Even though it may not necessarily be CCPA based, people are saying, “Hey, according to CCPA… ” Or occasionally we even actually get it from GDPR. People will say, “Well, per the GDPR, please delete my data.” And of course we’re honoring those requests even though really we don’t do a lot of business in the EU in the sense that we would need to delete someone’s data.

Cameron Ivey: Sure.

Scott Giordano: But those requests come in and we honor them. I just think it’s interesting that people hear CCPA or they hear GDPR and they just presume that they’ve got certain rights, the “Right to be Forgotten”. What’s really fascinating about that is that took on a life of its own. I remember when that was first proposed and I-

Cameron Ivey: That was in the UK, right?

Scott Giordano: That was part of the process of the deliberation for GDPR. It wasn’t just the UK, it was all the 27, 28 EU nations that were involved in putting that together. And there was this debate about the so-called “Right to be Forgotten.” And it’s a remarkable story and it bears repeating.

Scott Giordano: There was a gentleman in Spain that went bankrupt, I believe, and it was reported in the newspaper and that was picked up by Google. And the poor guy, I guess either couldn’t get a job or couldn’t get an apartment or couldn’t get something because that newspaper article just kept following him around. He sued Google, or actually I guess he complained about Google, and the Spanish Data Protection Authority went after Google and they won, and so that set a precedent.

Scott Giordano: They called it the “Right to be Forgotten” because of the frustration of having things follow you around forever. And so this eventually became part of GDPR. And at the time that they were discussing this, I thought it was fascinating. I never thought it would happen. I really thought it was a lot of just hyperbole, and because people, it’s an emotional situation. But the reality was that it wound up in there and that really had a big change-

Cameron Ivey: Eye-opening.

Scott Giordano: It did because people were saying, “Well, I now have the right to be forgotten.” And so that’s made its way over here to the US. Even though there’s no “Right to be Forgotten” at this point, with one exception for children, there actually is a “Right to be Forgotten” in California for children that predates CCPA. But CCPA really has borrowed this idea of “Right to deletion” as they call it, and so it’s fairly robust. It’s welcome news.

Cameron Ivey: The CCPA was basically kind of like a piggyback off of GDPR?

Scott Giordano: It was a grab bag. And what’s funny about it is that because it was drafted in such a short period of time, you think about GDPR, it took between four and five years of deliberation and debate and drafting to get this thing out the door. And the one in California was somewhere between four and six days, depending on whose story you believe. That’s unprecedented. And as a consequence, it turned into a grab bag of GDPR-like rights plus some just strange wording in how things were done.

Scott Giordano: It’s in groups of five, so you have for example the right to tell a business that you are going to ask them to delete categories of specific information and other things, and then you have the right to actually make the request. You have the right to request it, you have the right to make the request and to tell businesses. It’s just interesting how it was worded. I would not have done it that way. Just parsing the law is just no fun, but this is what comes with being an attorney.

Cameron Ivey: Yeah. That’s your game.

Scott Giordano: Yes. That’s my game.

Cameron Ivey: That’s your life. I know you enjoy it either way.

Scott Giordano: I do. I do.

Cameron Ivey: Okay. When it comes to privacy, the CCPA is the main topic right now, of course, in the public and industry media. What kind of impact is that having?

Scott Giordano: Well, the impact’s been mixed. As I alluded to earlier, it’s not unlike when GDPR went live, so lots of emails I’m getting with links to updated privacy in terms of service, terms of use and so forth. Cookie banners seem to pop up everywhere. I can’t go anywhere and I mean anywhere without a cookie banner popping up. I don’t care who it’s directed at, cookie banners are popping up. In fact, cookie banners that you can dial in. You can say you can keep this, but you can’t use this. I mean that’s how granular they’re getting, so you’ve got these granular cookie banners. You’ve got the “Do not sell my data” banners that are popping up with some regularity.

Scott Giordano: It is not unlike GDPR. I don’t think there’s quite the torrent of information I was getting when GDPR went live. I remember that week because I was getting a ridiculous amount of emails from companies that shouldn’t have been emailing me at all, including law firms who should have known better. The irony was that law firms were asking me, hey, if I wanted to opt in to their email database. Which was absurd because if you have to email me to opt in, then you’ve already violated the law, but I didn’t belabor that point.

Cameron Ivey: Okay. With the GDPR, because we mentioned it earlier, it’s still a little over 18 months old. What is your view on how it’s being enforced?

Scott Giordano: Well, I mean today there’s been about 200 fines, okay. And some of them have been substantial, like the 50 million euro penalty that the French DPA, the CNIL, assessed against Google last year. And they did so because of the way the terms of use were worded. In the sense that there may be 20 different uses for personal information that are distinct, but you can check one box that said, “I accept.” And that was not acceptable to the CNIL. That’s this idea of a legal basis.

Scott Giordano: Under GDPR you have to have a legal basis to use the data, otherwise, full-stop, you can’t use it. Some are easy. Some of the bases are easy, like a contract. There’s an underlying contract that you can wave around and show that, “Hey, I’ve got a contract.” Great, that’s a good basis, or you can get consent. But the thing is that if you get consent, it’s got to be meaningful consent. Just having someone check a box when they don’t understand what they’re checking is probably what we all do.

Cameron Ivey: The majority, yeah.

Scott Giordano: Yeah. We all do it, and it’s one of the frustrations of data protection. But again, it’s full-time employment for lawyers forever basically. But the net of it is that I get the feeling that there’s a lot of disappointment in the data protection community over the lack of Draconian fines that have been levied against offending companies and I think it’s a bit unrealistic.

Scott Giordano: If you look at the FTC and their fines against Equifax, that took a couple of years, probably about two and a half years for them to bring the hammer down on Equifax. I think the same is going to be true for GDPR.

Cameron Ivey: Oh really?

Scott Giordano: There’s about 70 cases percolating before the Irish Data Protection Commissioner and about 20 of them involve tech firms, and that’s so because tech firms tend to headquarter themselves in Ireland if they’re going to work in the EU because they have the lowest tax rates. You get a lot of companies that will headquarter themselves there and that gives potentially the Irish Data Protection Commissioner a lot of power to regulate privacy because effectively she’d be creating precedent.

Cameron Ivey: How would that affect everywhere else?

Scott Giordano: Well, it’s a good question and it’ll certainly affect the rest of the EU. A lot of times what happens is when a company has a practice that is mandated, it’ll wind up just doing it worldwide because think about what happens if you try and create two sets of practices, one for EU and one for non-EU. What happens if you get one wrong? It’s just too easy. It’s too hard to maintain two separate systems.

Scott Giordano: And in the run-up to GDPR, I dealt with this problem with my clients. The idea was that, well, they wanted to have one set of rules for EU-controlled data and one set of rules for everything else. But after a while it became so cumbersome to create two databases and two of this and two of that, they finally threw up their hands and said forget it. We’re just going to do GDPR for everyone, which is ideal. It’s the way to go.

Scott Giordano: That’s what I think is going to happen is that when there is some kind of mandate that the Irish Data Protection Commissioner makes, I think it’ll be widely adopted worldwide.

Cameron Ivey: Great. It’s good insight. In your view, what are the most important legal developments in the world of data protection?

Scott Giordano: In the last 24-ish months, about 35 or so US states have passed data protection laws or regulations. And as I mentioned earlier, we’re expecting more, perhaps many more this year. I call this phenomenon the “Quiet Revolution”. And I do so because it’s changing the data protection landscape significantly, but it has for the most part stayed under the public radar. I’m a big fan of this approach because we’re seeing states implement data protection according to their values.

Scott Giordano: For example, Illinois, well-known for regulating biometrics, and in fact there was a lot of litigation last year over it and there was a state supreme court holding that said that you didn’t need to necessarily plead damages once you start going to court, which is something that’s typically shut down privacy litigation by private parties. That was a big, big change.

Scott Giordano: Maine is regulating the sale of personal information by subscribers to internet service providers. Which again, it’s narrow, but it’s an interesting idea that they’re doing. California and Oregon, regulating internet of things or IoT security. And this one is interesting because, let’s say for example, you’re following the Ring doorbell litigation. That’s been in the news. Internet of Things security is becoming such an issue that you’re undoubtedly going to see more states addressing the problem.

Scott Giordano: I like to think of this as, what I call the laboratories of democracy approach, and it creates a patchwork of laws. That’s gotten a lot of criticism. I think it’s a virtue, not a vice because every state is doing data protection according to its values. It overall helps our big picture data protection for individuals rather than just trying to make one law that fits all. I just don’t think it’s going to work and so I think this is the best way to go.

Cameron Ivey: Awesome. I mean, just to kind of dive a little deeper on the Ring topic, a lot of people probably have that or something similar to it.

Scott Giordano: Yes, yes, yes.

Cameron Ivey: I have it myself. What exactly happened, just for insight on people that are listening?

Scott Giordano: My understanding from reading the pleadings is that there’s two-factor authentication that is available in Ring, but a lot of people were just using a password or they perhaps weren’t even changing the factory password. But whatever it is, they were only using one factor which was easily compromised and that was giving easy access to bad guys who were taking advantage of this.

Scott Giordano: And this is what the IoT security bills were designed to do, was to force… For example, typically equipment, hard equipment, routers what have you, ships with a factory password. You’re supposed to change it. Otherwise, if you don’t, bad guys can break into your router.

Cameron Ivey: Easily.

Scott Giordano: Okay. Yeah. And in fact, there are folks that do nothing but go and ping routers all over the world trying to see which ones have their factory passwords not changed and go and-

Cameron Ivey: Which is probably more than most?

Scott Giordano: More than most, likely. It’s shocking even this day how many-

Cameron Ivey: It’s called being lazy, people.

Scott Giordano: Yes. Yes. Absolutely. Absolutely. And so what likely happened is that folks weren’t taking advantage of two-factor or weren’t apprised of it or for some reason just weren’t engaging it, and it’s unclear at this point what happened. But then of course bad guys got in. They were scaring people because they were breaking into the system and just harassing people and what have you. And it was creating a lot of headaches because you create this doorbell alarm for security and then now you’ve got bad guys breaking in. It was not what people were expecting.

Cameron Ivey: Sure. I mean, so that’s giving them access to their camera basically?

Scott Giordano: Yes. Oh, yes. Absolutely.

Cameron Ivey: It has nothing to do with their personal information, more so the…

Scott Giordano: Well, here’s the problem with IoT security and this is why it’s so frustrating is that if someone’s got a home network, in theory, that home network is now available to the bad guys.

Cameron Ivey: Oh wow. Yeah.

Scott Giordano: That’s why you have to do things like create a subnet for your IoT devices so that the bad guys can’t get out of it. I mean, there’s a lot of work, and here’s the frustrating thing is that manufacturers want to create all these great toys and give them to people and say it’s super easy. I just set up a new network in my house a couple of weeks ago. It took me five minutes, okay. This was like the fastest thing I’d ever done in my life, okay. They give you a code to click on, on your smartphone. It sets everything up to the factory defaults. You change all the passwords you need to change and-

Cameron Ivey: And your Scott G. bell went off and you’re like, “This was too easy.”

Scott Giordano: This was just like, wow, it was amazing. And that’s great if you have the mindfulness to make sure you’re changing passwords and you’re using other factors of-

Cameron Ivey: Not using the same password for every other app.

Scott Giordano: Exactly. Having unique passwords for critical things. I mean, think about your bank account, you’re not going to reuse that password for anything else.

Cameron Ivey: Nope.

Scott Giordano: You should think of other devices as needing that same level of scrutiny. And so when I stood this thing up, it’s like, “Wow, this is great.” Fast installations are great because we don’t want people getting frustrated, but the thing is that they have to understand what’s involved. When you use Internet of Things, you’re really exposing yourself to all the bad guys. And unless there is some kind of training that we can give people to help them understand the potential there, these things are just going to keep on happening.

Scott Giordano: The alternative is forcing people to use two-factor authentication in every case. But then manufacturers are afraid people are going to get frustrated and they’re going to send it back, or they’re going to call customer service and customer service may not even know how to help them. And this is the other challenge too with building products. A lot of times the companies want to build products, push them out the door, and they don’t really put a lot of thought into customer service or they outsource it and don’t brief the people properly. And then the people that are doing customer service can’t help and it creates frustration all over. This is a tough nut, but it’s got to be, it’s got to be fixed because Internet of Things, it’s a disaster. It really is, and it’s not getting any better.

Cameron Ivey: It’s true. And people, they’re becoming more aware, which is good.

Scott Giordano: Yes.

Cameron Ivey: Very cool. On to another topic. Do you see a federal data privacy law anytime in the near future?

Scott Giordano: I don’t. I think the train has left the station, and I may be in a minority on this, but I think the federal privacy statute would have needed to be passed into law a long time ago. Right now, there’s not much agreement in DC on just about anything and I don’t see the president and Congress agreeing on a national data protection standard.

Scott Giordano: States have taken the lead on this. And I think what will be a game changer is the California Privacy Rights Enforcement Act, also known as CPREA. It’s a proposed ballot initiative and it will likely be on the November ballot in California.

Cameron Ivey: Oh, okay.

Scott Giordano: If it’s approved, it will have a huge impact and will effectively be our national standard or at least one of a few, we’ll say. For example, Washington’s privacy act, Virginia’s privacy act are all going through their respective legislatures so we may have multiple standards. But what’s interesting about CPREA here is that the mandates are much more robust than they are in CCPA.

Scott Giordano: For example, there’s a new class of personal information called special personal information and that includes things that you would expect, like social security numbers and passports, and what have you. But it also includes biometrics, which is a hot topic, and it includes GPS location data, which is awesome because you can do a lot with GPS data. And surprisingly, the contents of email, that’s special data. And my theory about where that came from was the Sony hack because the contents of emails were released. They were embarrassing to Sony. There was all kinds of… And I won’t go into all the things that were said, but the negative of it was that it was a huge embarrassment.

Scott Giordano: And so, I believe anyway, as a consequence email is now special. Special data means that as a business, if you have the data, you can’t sell it or even use it without permission from the consumer. That’s very powerful. Needless to say, this year and next year are going to be very interesting times for data protection professionals.

Cameron Ivey: Yeah, definitely a good thing for data protection companies.

Scott Giordano: Yes, yes, yes, yes. We’re working at the right company.

Cameron Ivey: Well, I mean, I guess to stay on that same topic, what does that mean for a company like Spirion?

Scott Giordano: It’s tremendous in the opportunities because there’s so much data out there that needs to be identified, it needs to be protected, it needs to be tracked; and here’s what’s funny. When I was working at a consulting firm, I was doing GDPR projects. And what was consistent about GDPR projects, especially when I was doing data inventories, was that whenever you would find two sources, two applications, if you will, that were processing personal data that you knew about, you’d typically find a third that you didn’t.

Scott Giordano: Say you go to an Oracle database, maybe it’s an HR database, and that thing’s connected to your LMS, your learning management system. Or maybe it’s expense management or maybe it’s connected to something else that’s connected to something else. We call this application chaining. It’s the idea that you have information that’s going from one app to another to another to another, and unless you deliberately chase that thing down, you may not know where it’s ultimately going.

Scott Giordano: And that’s a problem because you may chase down one or two links, but you don’t chase down all the rest of the links. And then that data’s being used for something or it’s being stored on a test project, for example, a pilot project and the person running it leaves the company and now that server’s floating around out there and no one knows about it. And then after a while you’re collecting all these servers and you don’t know about them, but the bad guys always seem to find them. Don’t know how, but they excel at finding that kind of data; and once they find it, they excel at extracting it and next thing you know it’s winding up on the black market or just on the public internet just as a way to show what they could do.

Cameron Ivey: Very good. Anything else that you can think of that you’d like to share with our audience, whether it’s consumer or anything you can share?

Scott Giordano: I think there’s a lot of frustration out there among consumers about how little control they have over their personal data; and every time I think we’re getting a handle on it, we get more bad news. Early January, probably a couple of weeks ago, the Norwegian Consumer Council released a report on multiple potential GDPR violations by what are called ad tech companies. This is advertising technology companies that specialize in the technology of internet-based advertising. There’s a huge ecosystem with these kinds of companies out there. The Council commissioned an infosec company called Mnemonic. They’re based in Oslo and they had them perform a data flow analysis of 10 popular apps that are running on Android. Apps that you’ve probably heard of or I imagine Tinder, OkCupid, Grindr-

Cameron Ivey: Sure, some of those were broken into, yeah.

Scott Giordano: Yep. And so here’s the thing: the report’s called “Out of Control: How consumers are exploited by the ad tech industry” and it revealed widespread abuses in the sharing of personal data with ad tech companies. And I suspect this is going to precipitate a wave of investigations across the EU. And I hope those investigations cross the Atlantic and come here and we have the same kind of investigations here in the US. We’ll see. I am hopeful though.

Cameron Ivey: Why wouldn’t that happen for us over here?

Scott Giordano: I think it depends on… Well-

Cameron Ivey: It’s a hard question to answer.

Scott Giordano: … It comes down to politics and you just never know what’s going to catch fire. This is the funny thing, especially in an election year, you never know what’s going to pique someone’s interest. What I’m finding is that just anything could wind up as a story and next thing you know it gets bigger and bigger; and before you know it, there are demands for an investigation because these companies that run these apps are global. It’s not just some local thing that’s happening in the EU or in a particular EU state.

Scott Giordano: Typically, if you have an app that’s popular, it’s popular globally. With a couple of exceptions perhaps in mainland China, and some countries have their own popular local apps, but by and large apps are popular worldwide. And so I suspect that some of these things are going to become a cause célèbre.

Cameron Ivey: Let’s hope so.

Scott Giordano: I hope so. I would love to see it in debates and so forth, the political level, see discussion about data privacy.

Cameron Ivey: Awesome. Well, what are you most excited and most looking forward to for 2020?

Scott Giordano: I am looking forward to CPREA, to this new statute or this really this… and we call it a water statute, but it’s also a change to the constitution of California, so it’s basically set in stone. That makes it very difficult to change. And I don’t see the federal government having the stomach to fight California on this. It’s a lot of political capital to expend. I don’t see it happening. The standards are very high in CPREA. That’s going to change the dynamic like nothing I’ve ever seen. This far exceeds, in my view, what the demands are for GDPR.

Scott Giordano: Now, there’s some cultural differences that I don’t think made it into CPREA. For example, this idea of the necessity for a legal basis, I think it’s a great idea. We saw something like that introduced in Texas last year in their legislative session, which I thought was an interesting way they did theirs and I liked. It didn’t wind up becoming law. But for whatever reason, it just didn’t wind up in CPREA. And I’m hoping that will at some point be added to the law because you can add to the law, you just can’t contradict it. Hopefully, we’ll see that. But even without a legal basis, there’s so much to CPREA. I mean that could be a full-time job for me and nothing else.

Cameron Ivey: Well, great. I appreciate your insight on that. Scott, how did you end up being a data protection attorney?

Scott Giordano: Not in a million years did I ever think I would become a data protection attorney. When I started law school, this was many, many years ago, I thought I was going to be a patent attorney.

Cameron Ivey: Okay.

Scott Giordano: And so I went to law school; and in my third semester, a buddy of mine gave me a book on UNIX commands and said, “Hey, I want you to jump on the internet with me.”

Scott Giordano: And I said, “The internet? Where is our internet?”

Scott Giordano: And he said, “You have to go to engineering to go get an account. And we can jump on it and we can-

Cameron Ivey: Wait a minute. What year was this?

Scott Giordano: This was ’91, ’92, so it was early in ’92.

Scott Giordano: And I went to engineering and said, “I want an internet account.” And they looked at me kind of funny, but they gave it to me. I got it. I got a book on learning UNIX and started learning UNIX commands and went to the races.

Scott Giordano: And this was before there was a web, so you just had basic UNIX commands, you had Telnet, we had Telnet. What else did we have? We had Archie. We had WAIS. We had FTP. Boy, you could do a lot with FTP even back then. And so I was off to the races and I just spent so much time in the internet lab or I would remote in from home. I had a Mac and so I would just helm it in from home and just do all my work at night and basically just sleep… If I slept at all, I’d sleep during the day, try my briefs and go back to bed, and just spent a lot of time on the internet. And once I started doing that, I really lost interest in anything else and just focused on that.

Scott Giordano: By the time I got done with law school, I had a friend at LexisNexis who had an opening for a student instructor. I jumped at it and got hired there doing that. And of course, I already knew their system inside and out because I used it so much in law school. And so-

Cameron Ivey: Where’d you go to law school?

Scott Giordano: Santa Clara University, next to San Jose. Enjoyed that tremendously, learning LexisNexis and you could find just about anything with it. I took that skill set and turned it into a full time job, which was great. Became an expert on all their databases and how to apply it, how to look for bad guys. I became an expert on open source intelligence.

Cameron Ivey: Very cool.

Scott Giordano: Got some interesting engagements working with law enforcement, helping them track down bad guys. It just became just a fun thing.

Cameron Ivey: That’s a pretty cool job.

Scott Giordano: It was. It was.

Cameron Ivey: What intrigued you about that, just personally?

Scott Giordano: Just the idea that you could do so much with some simple searches. If you knew how to craft searches, you could find all kinds of stuff. And so after a while I just got very good at it and got asked to do all kinds of things with people in security teams. I just kept spending more time in security.

Scott Giordano: I decided to go to graduate school at the time because the company was paying for it, so if they’re going to pay for it.

Cameron Ivey: Thank you very much.

Scott Giordano: That was, so I went to graduate school and kept working on infosec and fraud, forensics, all those fun things. I did graduate school. Then unfortunately, I got laid off from the company. They didn’t ask me to pay the money back from graduate school, so that was great.

Cameron Ivey: That’s good.

Scott Giordano: I had to do a little more work in graduate school, finish my thesis, and then the school asked me to come back and teach as an adjunct, so I came back and taught as an adjunct.

Cameron Ivey: How many years did you do that?

Scott Giordano: I did that for probably two, maybe three years as an adjunct. That was a lot of fun.

Cameron Ivey: I can see you being a good teacher.

Scott Giordano: Oh, well I appreciate that. I also, at the time, was teaching the first law of electronic discovery at Loyola Law School in Los Angeles, so that was awesome. Basically, one of my accounts was Loyola when I was at LexisNexis. I taught the first internet law class there, first e-commerce law class as an adjunct, and then later came back and taught the first law of e-discovery, which was a big deal at the time. E-discovery was, it was like one of-

Cameron Ivey: Was that in the early 2000s?

Scott Giordano: That was in the late 90s.

Cameron Ivey: Oh, late 90s, okay.

Scott Giordano: Yes. No, I’ll take that back. I think it was actually closer… I started teaching internet law in the mid 90s, e-commerce on the mid 90s, and I want to say that I was teaching electronic discovery and evidence, probably you’re right, in the early 2000s.

Cameron Ivey: Okay.

Scott Giordano: I did that, had that class for probably two or three semesters, enjoyed it tremendously. It was just a great experience. And then just because of so much reading and research you do on infosec, after a while, I decided to open up my law practice. I did that. And based on all the experience I got practicing law, I wound up sitting for the CISSP exam.

Scott Giordano: And it’s funny how things just keep accelerating. I had no idea I was ever going to be involved in any of this stuff. And so spent time at e-discovery firms. That was great and it just kept growing. When I was at one e-discovery firm, I had to do research on multinational privacy for multinational e-discovery. And so I spent so much time doing that, that I wound up becoming just kind of a local expert on privacy just because we had to do it. And that’s when I got recruited to come to Seattle and worked for a defense contractor and help them with all of their privacy and security and some trade compliance issues that I didn’t realize I was going to have to become an expert with. But I did that and it’s just funny-

Cameron Ivey: It’s pretty neat.

Scott Giordano: It is neat. It’s just funny how things just kept accelerating and I probably over a two-year period learned more about international data protection than I would have probably learned anywhere else in 10 years. It was just one of those deep end of the pools and I was able to swim through it and it worked out very well. And I just kept winding up at places that needed data protection and so that’s how I wound up here.

Cameron Ivey: That’s awesome. That’s a really cool story. Another question for you, what advice would you give to other aspiring attorneys?

Scott Giordano: Boy, there is such a dearth of attorneys in data protection right now. I mean, we need everyone we can get. If you’re in a law school right now or thinking of going to law school that has a data protection program… Certainly, Santa Clara has one. I imagine a lot of others do as well. I highly recommend getting involved in these programs because we need attorneys here so much and we need attorneys that really are willing to dig into the technology. It’s not enough to know the law. You really have to know the technology. You have to be appreciative of what the technology does. That’s why I think being in-house is so awesome, because you’re forced to learn the technology.

Scott Giordano: Certainly, I know ours fairly well and know what our capabilities are. And that’s something that I really recommend to aspiring attorneys, or if you’re in law school now, if you have already been accepted to a law school and they’ve got a data protection program, I would start thinking about how you can use that to leverage your way into either a law firm or perhaps even an internship at a corporation. I think there’s a lot more willingness for corporations to hire folks right out of law school than there was when I was in law school, where it just didn’t happen. I mean, you had to be at a law firm for so many years or a DOJ or in-

Cameron Ivey: It’s definitely, I mean, even more so than when you became a lawyer. Nowadays it’s a little bit easier to start your own practice too, right?

Scott Giordano: It is. I think that it’s probably better for folks to get involved in startups or even regular corporations. Certainly there’s lots of opportunities there. As long as you’re willing to be a self-starter, which attorneys pretty much are, and willing just to immerse yourself, learn everything you need to learn. I think it’s-

Cameron Ivey: Be a sponge.

Scott Giordano: Yeah. You really have to be a sponge.

Cameron Ivey: Yes.

Scott Giordano: I mean, I’ve spent years and years and years learning information security and-

Cameron Ivey: And it keeps changing and it never stops.

Scott Giordano: It keeps changing. I remember when I studied for my CISSP and cloud was still something that was on the horizon. It was not that big of an issue. I mean, it was back when, I think, it was still called SaaS. It may have even been called, oh God, I can’t remember the name we used to call it. It wasn’t even called SaaS at the time, but it was a while ago. And yeah, that should tell you how long ago that was.

Scott Giordano: And so things change so fast, but it’s so important if you’re planning on being an attorney to immerse yourself in this, which you already are if you’re in law school, but to really pay attention to all the changes that are going on. Get involved in IAPP, a great organization. They are growing so fast. There are so many people in there, probably half or more are attorneys, not surprisingly, a great organization. Even if you’re a student, I’d get involved. They’re just great people. I have only great things to say about them.

Cameron Ivey: Awesome. I appreciate that, Scott. But what are you doing outside of law that you actually enjoy? Tell the listeners.

Scott Giordano: Because I live in Washington state, there’s lots of opportunities to go hiking, and some serious hiking. It’s remarkable how many hikes within a 10-minute drive I’ve got, and they’re serious. And so what I’m doing now is training for a Rainier climb, hopefully this summer. I’ve just been training with a personal trainer, trying to get into the kind of shape I need to carry a 50-pound pack and do my first Rainier climb. I’m just spending a lot of time at the gym, a lot of time training outside, and just getting geared up. And hopefully, I’ll get that done this summer and use that as a foundation to do some bigger mountains. I’m hoping that Denali will be the next one on the list after Rainier.

Cameron Ivey: That’s awesome. Well, Scott, I really appreciate your time. Hopefully, the listeners got a lot of good insight on CCPA and GDPR and got to know Scott Giordano a little bit more.

Scott Giordano: Wonderful. Thanks for having me on. I hope I’ll get invited back.

Cameron Ivey: Absolutely.

Scott Giordano: Great.

Cameron Ivey: Thanks so much, Scott.

Scott Giordano: Thanks so much.
