NIST Privacy Framework: Our Essential Data Protection Guide


Kin Lee-Yow, of the Canadian Automobile Association, behind-the-scenes data protection

Your car breaks down on the side of the road, and you call an auto club to help get you back on your way. You likely don’t think too much about the behind-the-scenes operations, especially in terms of the amount of data that gets collected. This week, Kin Lee-Yow, the CIO of CAA (the Canadian arm of AAA), talks about the importance of privacy for his organization and how he navigates the unique challenges of the industry.

Here are four can’t-miss tidbits from this week’s chat:

Journey from Online Banking to Roadside Auto Service

CIO isn’t typically an answer a child gives to the “What do you want to be when you grow up?” question, and Kin Lee-Yow never planned to be a CIO. As a college intern at Royal Bank of Canada, the largest bank in Canada, he worked on launching online banking as the internet came of age. The many hours he spent educating and reassuring customers and employees about the security of the internet led to his passion for security. He shares how his trip (pun intended) through different industries helped him gain the business and technology experience needed for his current role in the automotive industry.

CAA in One Word: Safety

When a new CEO joined CAA, he revamped the mission statement from a lengthy paragraph into a single sentence that indicates the company’s obsession with member safety. Lee-Yow talks with us about how the company must make sure its members are protected and safe while they wait on the side of the road, a situation that has resulted in deaths. Even the other parts of the business, such as travel medical insurance, home insurance and auto insurance, boil down to the fundamental core of protecting the safety of their members. Lee-Yow shares how having such a concise purpose lets the company apply it to every decision, even data and privacy.

Poor data protection results in violating the mission of member safety

“I think data privacy is important. The only thing is trying to understand the importance of it as to what the end result is. For us, when I link it back to our mission of member safety, that means if I expose the information to somebody who is not supposed to have that information, or if I use that information where it’s not supposed to be used, then I’m violating that mission statement that we have.”

– Kin Lee-Yow, CIO of the Canadian Automobile Association (CAA)

3 Days from In-Person to Remote, Thanks to a Strong Foundation

Although many CAA employees permanently work from home, a large number of their employees needed to move to working remotely when COVID-19 shut down local retail stores. Because of the shift and the pandemic, security at the company went on high alert at the same time. Lee-Yow explains that because they already had the technology in place, they were able to execute the framework during the move to remote instead of reinventing the processes. While the volume increased, the tools and processes remained the same, which kept the move relatively seamless and stress-free. Check out how his team (and the whole company) actually became closer even when physically separated.

How much information are you giving up for the convenience factor?

“I think that the piece people still need to start to understand is how much information they’re giving up for the convenience factor. Because some people may be very open to it because they have nothing to lose.”

– Kin Lee-Yow, CIO of the Canadian Automobile Association (CAA)

Why Privacy Statements Need to be 2 Sentences Instead of 10 Pages

Many companies view privacy statements as a way to cover themselves from a legal standpoint, but during our chat Lee-Yow talks about how the real point should be for consumers to understand how their data is used and how it’s protected. The challenge is that everyone has a different view of privacy, especially people new to services and technology. During our chat, he explains exactly how to go from 10 pages to a few sentences — yes, it’s really possible.

Data privacy considers what a person loses if something happens

“Security and privacy are two different pieces. Security is something you always need because every company — at the core — has data to protect. But in terms of privacy, it’s a balance of what you lose if it happens. Protecting data is a must — you need to make sure it’s available and only used by authorized users.”

– Kin Lee-Yow, CIO of the Canadian Automobile Association (CAA)

How Your Insurance Company Already Knows How Fast You Drive

Lee-Yow shares how many people initially resist the CAA telemetric device, even for the promise of no insurance rate increases, because they don’t want CAA to know their speed. But he then explains that, between cell phone data and toll booth times, it’s very possible (and easy) for insurance companies to figure out whether drivers have a lead foot, even though those drivers aren’t directly giving that information out.

Ready to listen?

While we’ve shared a lot of interesting details, the best stuff from the conversation is still a secret — until you listen to the episode, of course. Check out this week’s episode here.
