Aug. 17, 2021

Data Privacy Expert Nalini Kaplan On Why Your Liquidity Event Is In Jeopardy Until You Perform A Data Privacy Audit (#68)

"Data privacy is about people, which means it's about relationships, which ultimately means trust." - Nalini Kaplan

Nalini Kaplan has focused on business strategy, customer relationship management, and data privacy for over three decades. 

Nalini combines the discipline of Big Four consulting (she was formerly a partner with Deloitte Consulting, where she created and led several global practices) with an entrepreneurial passion, an interdisciplinary approach, intellectual curiosity, and a strong drive for results.

Nalini helps business owners and CEOs build and manage their data privacy programs so that they not only comply with the law but lower risk, manage compliance and grow revenue, even if they don't have the staff to run a program.

Interested to learn how to get the best deal when you sell your business? Attend my Deep Wealth Experience.

Over 90-days, you'll master my 9-step roadmap. You're part of a mastermind group and receive private coaching. 

At the end of the 90 days, you create a blueprint to help you optimize your business value. You also have the certainty of capturing the maximum value for your liquidity event.

In the words of a business owner who went through the system, "the Deep Wealth Experience was hands down, the best program I've ever participated in."

SHOW NOTES

  • You can't open a newspaper today without seeing another data breach incident
  • Why companies can go out of business from a data breach
  • How 70% of data breaches go unreported
  • The risks a business faces from a data breach
  • An explanation of what makes up personal information
  • How three pieces of information can identify 90% of the population
  • What you can expect your future buyer to do when it comes to your data privacy systems and policies
  • How a failed data privacy audit can kill your deal
  • An overview of data privacy laws across various States
  • Why your M&A advisory team is not equipped to deal with data privacy issues
  • How you can have an ROI from being compliant with data privacy
  • Why your cyber insurance policy claim can be denied if you're not compliant with data privacy
  • How to avoid an over-engineered data privacy protection system
  • Strategies on how to save time and money when becoming compliant with data privacy
  • A simple but powerful diagnostic that finds your gaps when it comes to data privacy
  • Why a data privacy compliant business keeps its customers coming back for repeat business
  • How to become self-sufficient with data privacy to save time and money
  • What you don't know about so-called end-to-end encryption that can hurt your business
  • Data privacy issues arising from lost notebooks, hard drives, USB drives, and servers
  • How phishing can take your business down and what you can do about it
  • Why remote work has opened up Pandora's box of data privacy issues
  • The data privacy audit Nalini created that takes minutes to complete and how the results will shock you

This podcast is brought to you by Deep Wealth. 

When it comes to your liquidity event, you have one chance to get it right, and you better make it count. Enterprise value is created from preparation and not the event itself. 

Learn how the Deep Wealth Experience helps you maximize enterprise value. Master the same strategies our founders used to increase their company value by 10X. 

Access the same 9-step road map of preparation that paves the way for success. Enjoy the certainty that you'll capture the maximum value on your liquidity event. 

Enjoy the interview!

 

SELECTED LINKS FOR THIS EPISODE

Nalini's website Rethink Privacy

Nalini's email nalini[at]rethinkprivacy.com

Free data privacy health check

The Deep Wealth Experience

Book Your FREE Deep Wealth Exit Call

Transcript

[00:00:00] Jeffrey Feldberg: Welcome to the Sell My Business Podcast. I'm your host Jeffrey Feldberg.

[00:00:06] Jeffrey Feldberg: Are you thinking about an exit or liquidity event?

[00:00:09] Jeffrey Feldberg: This podcast is designed to help you increase the value of your business, and at the same time, give you the certainty to capture the maximum value in your liquidity event.

[00:00:21] Jeffrey Feldberg: At the heart of the Deep Wealth Experience is the nine-step roadmap of preparation. Learn and master the same strategies that had me say no to a seven-figure offer, and a short time later, say yes to a nine-figure offer. In the words of a business owner who went through the system, "the Deep Wealth Experience was hands down, the best program I've ever participated in."

[00:00:45] Jeffrey Feldberg: To learn more about the 90-day Deep Wealth Experience, please visit www.deepwealth.com/success.

[00:00:58] Jeffrey Feldberg: Welcome to episode 68 of the Sell My Business Podcast.

[00:01:03] Jeffrey Feldberg: For over three decades, Nalini Kaplan has focused on business strategy, customer relationship management, and data privacy. Nalini combines the discipline of the big four consulting as she was formerly a partner with Deloitte Consulting, where she created and led several global practices with an entrepreneurial passion, interdisciplinary approach, intellectual curiosity, and a strong drive for results. Nalini helps business owners and CEOs build and manage their data privacy programs so that they not only comply with the law but lower risk, manage compliance and grow revenue, even if they don't have the staff to run a program.

[00:01:48] Jeffrey Feldberg: She works with organizations on how to create and maintain trust, security, and digital privacy. Nalini specializes in linking data protection to business strategy and building data privacy programs, using an agile approach that saves time, money, frustration, and over-engineered solutions.

[00:02:12] Jeffrey Feldberg: Nalini welcome to the Sell My Business Podcast.

[00:02:15] Jeffrey Feldberg: It is an absolute pleasure to have you with us today. And for our listeners, you're in for a real treat because we're going to do a deep dive on what is a skeleton in the closet for most business owners that you don't even know about and how preparation can really not only save the day, save your business, save the deal.

[00:02:35] Jeffrey Feldberg: But when you do it right, and you prepare, help get that bigger enterprise value, but Nalini, I'm getting ahead of myself. There's always a story behind the story. So, my question for you is how did you get to where you are today?

[00:02:46] Nalini Kaplan: Thank you, Jeffrey. It's so great to be here. My story spans a couple of decades. I realized back when I was helping companies with customer relationship management and big technical systems that there wasn't a lot of care and attention paid to what are we doing with the information that we're gathering and collecting number one? Number two, I also saw that people didn't think about ever getting rid of any data.

[00:03:15] Nalini Kaplan: On the contrary. It's oh, we might need it one day. So, fast forward to a different area of my life. And I was in the healthcare industry working 70 hours a week as a chaplain resident. And immersed in the world of both HIPAA and then clinical ethics which led to a love of data ethics. And so, for the past decade or so, I've been researching areas of data ethics, and then in a much bigger way, decided to focus and specialize in data protection because companies really need it.

[00:03:51] Nalini Kaplan: You can't open a newspaper today it seems without seeing yet another data breach or yet another compromise. There are lots of really interesting societal macro issues in this space. And because I'm a very practical person I decided to become a practitioner and help companies wrestle with the business side of data protection.

[00:04:13] Jeffrey Feldberg: And so that's interesting, I know some of the listeners are saying Nalini, that's all fine, but I'm not a multi-billion-dollar company. And you hear about that all the time and you see it and big deal, I have a nice business. Data privacy, data breach doesn't really affect me.

[00:04:29] Jeffrey Feldberg: And even if it did, I don't have millions of customers. And sometimes Nalini when we read things, the words that are used in the media whitewash what's actually going on behind the scenes. Maybe you can paint a picture in practical terms when the data privacy is breached for a company, what happens to that company?

[00:04:50] Nalini Kaplan: Sadly, the company can actually go under. So, first of all, in every State on the books today, are data breach notification laws, which means one, you have to actually know that you've been breached. And two, if any personal information has been compromised. And I'll talk a little bit about what that means in a moment, you have an obligation or the State's Attorney General's office might come after you. Or in the case of some businesses the Federal Trade Commission can come after you and literally shut you down because you were subject to a fine per violation, which means per record typically. And it can easily get into the hundreds of thousands or millions of dollars in fines, even if you're a small company.

[00:05:38] Nalini Kaplan: And that's an unfortunate, sad reality. Not surprisingly many companies are reticent to talk about any of their data security vulnerabilities and their data breaches. Even though they have an obligation to report. So, I would venture to guess that probably 70% or more goes under or not reported at all.

[00:05:59] Jeffrey Feldberg: And so Nalini, did I hear you properly? So, if someone had a thousand breaches as an example, you're paying a thousand times, whatever that fine is?

[00:06:08] Nalini Kaplan: That would be correct. This is for that individual violation. And because we live in a multitude of 50 States, the limits, the amount of penalty and some parameters vary State by State. So, you really have to be savvy about what's required in your home State. You have to also be cognizant of what the laws are in other States, because it's not just where you operate, it's where your customers and your employees reside. So, you may have jurisdictions that you didn't realize to be concerned with.

[00:06:44] Jeffrey Feldberg: So, wherever a customer is. In other words, that's the jurisdiction that you're subject to?

[00:06:49] Nalini Kaplan: That's correct because the State is there to protect its citizens’ rights in terms of personal information.

[00:06:56] Jeffrey Feldberg: And so, from a big picture perspective, without necessarily getting into all the technical details, what constitutes a data breach? What's actually happening that someone is getting into a business's computers or network or information?

[00:07:14] Nalini Kaplan: So, there are a few things that happen. First of all, I promised everyone an explanation. What do I mean by personal information or data? So, it's information that can identify that Nalini is Nalini or Jeffrey is Jeffrey. Some common examples are name and email address. Less common examples are phone numbers because once you have a name and a phone number, or even just a phone number it can be traced back to us.

[00:07:43] Nalini Kaplan: And there have been some studies done that with three pieces of information, not including our name, you can identify the nexus of 90% of us. That's pretty powerful stuff. Today we're not looking only at the information that we freely give organizations so that they collect about us in the course of their doing business, but things that can also be inferred by virtue of our behavior or our location.

[00:08:09] Jeffrey Feldberg: Wow. That's amazing three pieces of information that could put everything together. And I guess that goes back to a conversation that you and I were having offline. Most things are tracked, whether we realize it or not. And we have a digital footprint. So, let's tie this now big picture. Because I know for the community, they're thinking of having at one point a liquidity event. And Nalini I know you've been on the other side of the table. So, a buyer has brought you on board to then do due diligence on a company that they're looking to purchase and you're coming in from a privacy side what's going on and what are you seeing?

[00:08:47] Jeffrey Feldberg: So, talk to us a little bit about that, because I know, two things. Number one, when you say due diligence, you want to see a grown person cry. You mentioned those two words and then you throw into the mix with technology because not everyone is comfortable with technology.

[00:09:00] Jeffrey Feldberg: So, technology and due diligence is just a perfect storm of confusion and frustration. And what do I do? So, let's talk about the risks of not being compliant from a data privacy side of things, and someone like yourself comes in and you start having all these red flags. What does that look like? What did you see when you were doing?

[00:09:19] Nalini Kaplan: First of all, without adequate either a data privacy. And I want to make sure that people know that when I talk data privacy or data protection, it's the same thing. Data protection is the term outside of the United States. Data privacy is usually within the United States and information security.

[00:09:40] Nalini Kaplan: The buyer's going to come in and ask what data protection policies are in place? What controls exist on systems, where data is stored, handled, processed? What internal and external audits were, risk assessments, or other testing are conducted? And how regularly? Any fault line in these things induces the prospective buyer's due diligence team to say, okay, we're going to trigger a cybersecurity audit. Okay. We're going to do data protection assessments. And to the extent that the seller's organization doesn't have this together, it doesn't have a viable working program, which means you have evidence. You have demonstrable evidence of these practices in a consistent, regular, continual place.

[00:10:28] Nalini Kaplan: It can at the worst end the deal, kill it entirely because there's too much inherent risk for the buyer, or it will certainly diminish the value of the enterprise in question. I hope we haven't depressed everybody too much, but the flip side is by having enough preparation and showing that demonstrable evidence that I just talked about can be a boon. It can be a value enhancer and it can do it in two different ways. One, it helps the prospective buyer understand that you are serious. You have paid for the cost of doing business, which includes the theories of compliance activities that any business that is mature would have to do.

[00:11:13] Nalini Kaplan: But there's also a couple of interesting emerging trends that I think savvy business owners can take advantage of. Data privacy in the United States is now becoming a thing, a wanted thing, as opposed to we only care about our convenience. So, of course, we'll give up all of our information in exchange for free applications.

[00:11:34] Nalini Kaplan: There has been a proliferation of organizations who've embedded what we characterize as privacy by design. So, they're not asking for consent. They're asking for double opt-in consent for marketing information, for example. Some of this is promulgated by the recent California law the CCPA and there are now four laws on the books, three of which are going to come into force in January of 2023.

[00:12:04] Nalini Kaplan: And there are more State laws that are coming up with the potential for enactment and the law. So, companies want to get ahead of that. They also want to meet their customers where they are now, and customers are demanding more authentic relationships, more raw, real relationships, and better protections because remedies available to individuals I would submit are quite inadequate.

[00:12:29] Jeffrey Feldberg: So, what's interesting. And for our listeners out there, as Nalini is talking about this, for me, it would be equivalent to showing up to your liquidity event and saying, you know, I didn't get any audited statements from my accountants. I didn't really think it was important. So, here are my unaudited statements. Here you go. Let me know what you think. And it sounds like the whole area of data privacy. If you don't have that, it's like showing up without audited statements, but I would imagine Nalini that even for professionals in the mergers and acquisitions world, the advisors who are helping business owners prepare for the liquidity event I would think that data privacy may not necessarily be their wheelhouse, that they don't specialize in it. As a result, the best of intentions from a business owner in getting the right advice, perhaps this is an area that's overlooked. What are you finding out there in terms of does it meet the Nalini standard of data privacy with what you're seeing?

[00:13:29] Nalini Kaplan: I think you have an apt analogy, Jeffrey, and a couple of things to consider. One is a lot of M&A teams investment bankers, et cetera, even legal teams are not equipped to really address all of the information security and data protection concerns that need to be addressed. However, they are savvy enough to hire that do specialize in that kind of due diligence more often than not.

[00:13:55] Nalini Kaplan: So, more about that in a moment. The second thing that's been happening there is no data privacy certification framework yet. There are, however, many information security certifications. There's the ISO 27001 standard and savvy companies are making those investments or certain triggered events.

[00:14:20] Nalini Kaplan: One is I have a client, for example, who has expanded internationally and deals with Fortune 1000 companies that demand certification. So, it made good financial sense to do that. They're making a return on investment in millions of dollars because these certifications aren't free sadly. There's some work involved and you'd have to get a third party to attest to actually show the certification.

[00:14:47] Nalini Kaplan: Once you have those in place, they're leverageable in many ways. I'm often brought in to help clean up the mess afterward. So, the company has done a patchwork of things. So, they have a technology department and they've anointed someone as the security lead and he or she has done the best job that they can.

[00:15:07] Nalini Kaplan: And they've got wide open holes when we do some thread testing, for example. Insurance companies are now getting smarter because cyber insurance claims have gone through the roof and some things are not as economically viable for them. So, they are now turning to firms to perform due diligence in advance of issuing cyber insurance policies.

[00:15:31] Nalini Kaplan: Secondly, when a company comes to submit a claim, insurance companies often have arms that they outsource to, to help the companies actually clean up the mess. And there's an entire industry that is specific for data breaches and notifications.

[00:15:48] Jeffrey Feldberg: That's interesting Nalini. And, for me, I put data privacy right in the due diligence area. And that happens to be step four of our nine-step roadmap at Deep Wealth. And it's interesting because when you have a liquidity event, congratulations, Mr. or Ms. Business owner, you now have a new full-time job and it's called the liquidity event. And if you're not prepared in advance, congratulations, you have a second full-time job. So, one is the liquidity event. Next is the whole due diligence side of things. And by the way, you still have to run your business.

[00:16:20] Jeffrey Feldberg: And oh, by the way, those numbers, those projections that you gave, which happened to fall still within the liquidity event, period. Well, if you don't hit those numbers, you're either going to kill the deal or your enterprise value is going to go down. And so, with what I'm hearing you say for those business owners, that don't prepare in advance or data privacy is maybe just an afterthought. It sounds just like a scramble of where you're sacrificing your money, your health, and your time. You now have very expensive outside groups and consultants who are just piecing this all together last minute, trying to get it all ready for the liquidity event.

[00:16:59] Jeffrey Feldberg: Whereas working with someone like yourself well in advance of that you're now saving your health and your time because you're doing it on your time and you're not having all these crazy outside resources that you don't need to be in there. It's yourself with Nalini and your team that's working with Nalini to get this done in a reasonable manner.

[00:17:17] Nalini Kaplan: Absolutely. Instead of plugging the leaky boat which seems like an endless exercise you have the gift of foresight and time that saves an awful lot of aggravation as well as time and money. And the key is with a little concerted effort earlier or early on, you can save a lot of time and effort down the road.

[00:17:40] Nalini Kaplan: The other thing that I sound particularly for smaller enterprises, you don't have to adopt an over-engineered privacy data protection information security, the way that you would a billion-dollar enterprise. Now you can't cut corners, but you also don't need a lot of the overhead of processes that many larger concerns require.

[00:18:02] Nalini Kaplan: If you think about information security integrated with data protection and that it's part of what you should be doing on your ongoing business. It takes some of the compliance pain away because if you're doing the right things anyway, and you've got a clear plan that everyone in your company understands.

[00:18:21] Nalini Kaplan: You have a set of policies and you've taken the time to do your standard operating procedures and mapping those to a set of what are called controls. In other words, can I demonstrate that I'm doing this well? It's embedded into your system and then it doesn't quite run itself. You do need some management, but it's not that scramble that you just discussed.

[00:18:43] Nalini Kaplan: It's more like here. We're happy to open up and show you our books. Here we can respond to a client or prospective client questionnaire with ease. We can respond to a prospective buyer's series of questions with ease. That's where you want to be. So, my recommendation to companies under a hundred million dollars a year is think about the questions.

[00:19:07] Nalini Kaplan: And I've got a diagnostic that does just this and then work backward. Can you actually substantiate and answer those questions with confidence and with demonstrable evidence, and then you don't need to be afraid and you don't need to scramble.

[00:19:21] Jeffrey Feldberg: And what's interesting Nalini the whole data privacy to me, it's going to be one of two things. There's no gray area here. Either it's a skeleton in the closet that is going to be costly big time. Forget the liquidity event. It could be something that just takes your business down as a skeleton in the closet.

[00:19:38] Jeffrey Feldberg: Yeah. I know it's there, but don't really want to deal with it or I don't really see it. It's invisible. It's in the background. Or on the flip side, if you no longer have it as a skeleton in the closet. You can now have it as a Rembrandt, but not a hidden Rembrandt, but a Rembrandt that's out for public display that you can talk to your customers about your prospective customers.

[00:19:58] Jeffrey Feldberg: You can talk to them about this, and certainly any future buyer would just eat this up that, hey, look at this company is already compliant from a data privacy side of things. Nalini, have you had experience with companies that have become compliant from a data privacy side and what that's meant for them in terms of their operations, in terms of new customers coming on board, the existing customers, what does that look like?

[00:20:23] Nalini Kaplan: Yes, I have. And those are companies that pre-compliance as the floor. That's the ticket to the dance and the starting point. What they really understand is that privacy is about people. It's not just about checking boxes and it's not only about data, bits, and bytes. It's actually about people, which means it's about relationships, which ultimately means trust.

[00:20:51] Nalini Kaplan: And it's living that trust in such a way that people want to keep coming back. So, yes, I've had experience helping organizations write things like manifestos that state what their philosophy is about relationships and privacy is a key component of that. They don't start their privacy policies with your privacy is very important to us and then stay in all the ways that they are legally protecting themselves. For some good publicly available companies out there I would check out Basecamp and Jason Fried's work. He's actually written such a manifesto. He and his company had produced an email called hey.com. I'm not affiliated in any way.

[00:21:33] Nalini Kaplan: But I actively look for companies who live their values.

[00:21:37] Nalini Kaplan: So, Proton Mail is another good example of that and one of my primary hacks that I advocate for with my clients is, use technology providers that have privacy by design and strict privacy and security controls already built-in. It saves you time, energy, money. Yes, I'm seeing big dividends.

[00:21:58] Nalini Kaplan: There's one company that I've worked with recently that just acquired another sizable firm. They now reside in 180 different countries in part because they drive this based on trust.

[00:22:11] Nalini Kaplan: So, it really can pay off and just a plug for Cisco does some very interesting research studies in this area and their latest report actually demonstrates ROI for businesses who've made investments in privacy programs.

[00:22:26] Jeffrey Feldberg: Nalini, it's amazing to me here we are we're under the umbrella of due diligence when it comes to data privacy, but we're talking about trust. And I know when I look to step number three of the nine-step roadmap, that's your Future Buyer. Trust is absolutely everything. If your future buyer doesn't trust you as a business owner well there's no deal.

[00:22:48] Jeffrey Feldberg: And if you don't trust your future buyer, there's not going to be a deal, but that trust, which is a currency, it goes all the way down the line even in this area now where you can establish that trust with the marketplace, with the customers, with your vendors, with your suppliers. It's a narrative unto itself because it really speaks highly about your values as a company and how you put people first and you're walking the talk instead of talking the talk.

[00:23:12] Jeffrey Feldberg: So, let me ask you this and Nalini, I'm now a business owner and I've been listening to this conversation and I'm like, okay. Never really thought much about data privacy before, but I get it. This is something that's important. I'm going to drink the Kool-Aid Nalini. I want to make sure that my business is data compliant.

[00:23:29] Jeffrey Feldberg: Down the road, I don't want to be scrambling for my liquidity event. I want to provide this to my customers now. I want to do the right thing. What does that look like, Nalini? So, if I said, here you go, here's my magic wand. Nalini, take it. Make my company compliant from a data privacy side of things. Can you walk us through your process, the timing, the steps, and what that looks like?

[00:23:50] Nalini Kaplan: Sure. Although every company certainly has its unique factors. Most companies benefit from the following framework. So, it starts with a conversation. I need to know what kind of technologies one has, how much of that is in the cloud? Is that your product or is it a series of operating systems?

[00:24:13] Nalini Kaplan: Like your customer management system, your supply chain, and so on? After the conversation, I scope out where should the first emphasis be so we decide on a security standard and framework. I've had the best traction with the Center for Internet Security because it's based on a maturity model.

[00:24:35] Nalini Kaplan: So, it handles organizations that are quite small and manageable chunks. We start there and then as a complement, because the US is rapidly moving and the legislation keeps coming and keeps changing, I advocate for looking at the European standard, the GDPR, the General Data Protection Regulation has a good framework.

[00:25:00] Nalini Kaplan: It's based on a set of good principles founded on trust. And we do three months rapid implementation, where we operationalize the basic elements. So, you need to show things like your list of systems and what data you actually have and what you collect, and what you do with it. And you have a good sound legal purpose to hold that information.

[00:25:28] Nalini Kaplan: You have a good retention policy and you can actually carry it through. Some companies want to hoard data. Interestingly enough, in the 20 years that I've been doing data governance and data management work, it's still astounding to me that 60% of data collected is actually never accessed again.

[00:25:49] Nalini Kaplan: That's expensive and that's also horrible liability. Both legally and in terms of the relational trust that companies build with their customers. The 90 days is contingent upon having a couple of good people within the organization who actually want to learn how to fish.

[00:26:06] Nalini Kaplan: I teach people how to fish data protection. I'm not a helicopter consultant that comes in, fixes, and leaves without having the organization be able to maintain and sustain good practices and also be able to field the new things that come along. Not surprisingly folks like me to stick around.

[00:26:24] Nalini Kaplan: I'm happy to do that. I do that on a continual basis, but it's at a lower concentrated effort because the organization is in good stead themselves. Now, lest you think that you can solve all the problems in 90 days, that's a starting point. Typically for growing companies, it takes one to two, two and a half years to really get this all going well.

[00:26:49] Nalini Kaplan: Gosh, why is that? The data privacy part ironically is actually the easier part. But the information security landscape can be quite extensive and quite detailed. It's important to make sure that you've got key safeguards in place first. And that's what you build privacy on top of because you can have security without privacy, but you cannot have privacy.

[00:27:14] Nalini Kaplan: In other words, bounded information, protected information.

[00:27:18] Jeffrey Feldberg: It's interesting. Two things stood out there and Nalini with what you said, and firstly I'll start backward. The last thing that you said was it typically takes anywhere from one to two years. And by the way, I like your analogy that you teach fishermen how to fish, that you're going to go into a company, train

[00:27:35] Jeffrey Feldberg: the people, teach the people what they should be doing in that first 90-day concentrated effort. But then you can also be there at the request to guide them through that. So, for all your business owners out there, that think you can just show up for a liquidity event today and have it tomorrow. Maybe you'll have that, but at the expense of your enterprise value, at the expense of skeletons in your closet, like data security, data privacy, so that's the heads up there.

[00:28:01] Jeffrey Feldberg: But the other thing that you said Nalini was that 60% of the data that's collected is not used. Can you talk to us more about that? What does that really mean? And as a business owner in my company, how should I be treating data and how do I even identify it if I'm using it or not? That I can then dispose of safely.

[00:28:21] Nalini Kaplan: Great set of questions. First of all, there are lots of data discovery tools out there that help with this. So, you don't have to set about a wholly manual effort. For examples of data customer lists from a decade ago. And despite re-engagement campaigns or nurturing campaigns, no nibbles there, there's no reason to hang on to them.

[00:28:44] Nalini Kaplan: And that form of contact data, in particular, it opens you up for problems if that's breached. Other examples though are old project files that are no longer used. Videos from several years ago that are not accessed. Training courses. And a discovery tool can tell you when it was last accessed. Often it's duplicate information, and I'm not talking about backups now, but just data that happens to be replicated in lots of places.

[00:29:13] Nalini Kaplan: It can be just about anything, it can be old pricing lists and product descriptions. It's generally not the computer code, but it could be, if it's an old legacy system that's been decommissioned for example. The other thing that I see is people collect a lot of information about interactions.

[00:29:31] Nalini Kaplan: So, one example unless you're an outfit like Google, where they need massive amounts of data sets in order to perfect their behavioral algorithms. We have information in an email that's 8, 10, 15 years old. It's not clear that information is needed ever again. And it can be difficult for organizations to say, oh, but what if?

[00:29:55] Nalini Kaplan: So, I have a multi-stage process to help alleviate that concern. Where we actually archive that information for a set amount of time. And if it's not accessed, say within six months or a year, then we delete it permanently. Let's talk a little bit about deletion because often data breaches are with discarded information that people thought that they disposed of properly and didn't.

[00:30:20] Nalini Kaplan: Lost laptops hard drives needed to be completely wiped and sometimes physically destroyed. It's amazing to me, how many datasets are in cloud storage and physical drives. USB drives. Mobile devices are actually unencrypted.

[00:30:38] Nalini Kaplan: In other words, plain, anyone can read them. On servers that had been repurposed. You need to actually wipe those completely clean by leveraging the power of encryption from the get-go. And I spend a lot of time with clients focusing on how to encrypt properly, which means that you control the keys.

[00:30:59] Nalini Kaplan: There's a great mythology out there. Many vendors are claiming to be end-to-end encrypted. And while that might be true, in one sense, they're hoodwinking us a little bit because they actually control the keys. So, this is like telling you, Jeffrey, you've got a perfectly safe home but I'll give you the key to your house and I'm going to keep mine.

[00:31:22] Nalini Kaplan: That's what that means. As opposed to a zero-knowledge, end-to-end encrypted, which means that only you, Jeffrey, and your household would have those keys. And that's a really important fundamental distinction that often gets lost because there's so much to this data protection.

[00:31:39] Jeffrey Feldberg: For the community out there, take it to heart that this is really a big deal. And it's likely to become more of a deal as we continue as a society to be more computer reliant.

[00:31:51] Jeffrey Feldberg: And everything's in the cloud now and all the data that goes around with that. So, from a business owner side of things, if there were two or three practical things coming out of this conversation that I could do as a business owner starting today,

[00:32:03] Jeffrey Feldberg: And it's not going to solve everything, but it's going to at least put me on the right path.

[00:32:08] Jeffrey Feldberg: What would you be recommending?

[00:32:09] Nalini Kaplan: I would say first, list out all of the systems that you have. So, these include things that you need to run your business. So, everything related to HR and your employees is also not just customers. Your product development, your supply chain, as well as your customer and marketing systems. And then we'll think about what's the kind of information, the nature of the information, and how much of it is personal or sensitive in one way or another, or highly confidential.

[00:32:41] Nalini Kaplan: So, let me pause there and give you some examples. So, every company has intellectual property of some kind or another. That's highly confidential too. That's distinct from the personal information about the officers of the company or the employees or the customers, but nonetheless, just as important.

[00:33:00] Nalini Kaplan: And I recommend either a three- or four-level, what we call classification schema for the data. The public would be the base. And this would be information that you put out on your website that you would hand out to anybody. It could be on the five o'clock news, no problem.

[00:33:17] Nalini Kaplan: The second one is data that's for internal purposes only. So, it's confidential, but if something were to escape, it's not life-threatening; not ideal, but not life-threatening. So, things that should not be shared and unless it's authorized by both parties and then highly confidential which includes sensitive information as well.

[00:33:37] Nalini Kaplan: Intellectual property would be the highest category. Sensitive would be things like marital status. There are some legal constructs to this in different jurisdictions. Political affiliations in our country and they're public, right? If you're a registered voter, not so in any other part of the world, by the way, that's considered sensitive data. Union membership, health, of course, protected health information.

[00:34:01] Nalini Kaplan: There's legislation that's now in the Senate in Oklahoma. That's actually going to demand opt-in for marketing purposes, the first of its kind in the United States, by the way. Similar to the GDPR or Canadian law. Getting back to the exercise though, do you have a legitimate right to this information?

[00:34:21] Nalini Kaplan: That's part with the binary yes or no. Do I have a contract with the customer? Those are two good starts. On the security side, particularly since many of us are working remotely now, do I have a bring-your-own-device policy?

[00:34:35] Nalini Kaplan: And not much of my company data is out there on individual cell phones and laptops and devices. That's a huge liability. So, I would do an assessment of them as opposed to company-issued devices. And then lastly two things. One is most security breaches start often by human error of one kind or another, and by social engineering. Meaning phishing with a "ph".

[00:35:04] Nalini Kaplan: So, I would run some phishing exercises, some tests internally to raise awareness amongst staff, to not click on things that don't look right. And even when they might look pretty darn good to learn from that effort because there's a ton of theft using business email as the entry point, particularly in the accounts payable.

[00:35:27] Nalini Kaplan: So, those are a handful of things I can think of a few dozen more, but that at least starts to paint the picture of what's the level of risks that I might be experiencing right now that I could tackle first.

[00:35:37] Jeffrey Feldberg: I would be picking up the phone right now to call you, please come in and do an audit in my company because the weakest point are the employers.

[00:35:46] Jeffrey Feldberg: Not intentionally, but unintentionally and you get some kind of a text or an email that looks legitimate and you click on it. Nothing really happens. But next thing somebody has a backdoor into your company and into your system. So, it's a whole different world out there. And as business owners, we have to protect ourselves on the cyber front as much as we do in every other area.

[00:36:07] Jeffrey Feldberg: Nalini, one other question, before we begin to wrap this up. So, with this pandemic, which is still here, light is at the end of the tunnel, but we're still going through this. Life has changed. The business has changed, how we do things has forever changed.

[00:36:21] Jeffrey Feldberg: What are you seeing now in terms of the biggest risk and perhaps that's what you mentioned already with having your employees from the work from home and having your data on all kinds of different notebooks and laptops and phones, but what has the pandemic changed now from a risk side of things that wasn't there before, or maybe it's magnified it even more?

[00:36:41] Nalini Kaplan: I'll leave our listeners with a couple of key things here. So, we've had the fragmentation of information all over the place and therefore it's out of the company's control and out of the company's ability to monitor if it's been compromised or not. So, I would say that is a very real, large consequence of working remotely.

[00:37:07] Nalini Kaplan: So, in an effort to make things convenient for employees, it's also opened up a bit of a Pandora's box. The second thing is I'm sitting at home. I don't know how many companies require people to log in, to tunnel in with a protected layer.

[00:37:23] Nalini Kaplan: And that protected layer is called a virtual private network. So, that you make sure that you tunnel in a fully secure way when you're transmitting information and also working on corporate systems. So, I think there are a set of practices that we need to make sure we share and teach and reinforce with our staff working remotely that we didn't have to do when we were resident exclusively in our offices, with the network that was there on the premises.

[00:37:56] Jeffrey Feldberg: So, words to the wise, words to the wise, just be careful out there and take the precautions. So, Nalini, as we begin to wrap up this podcast interview, I have my favorite question that I like to ask every guest. And the question is when you think of the movie Back to the Future, you have the DeLorean car, which can go back in time, any point in time.

[00:38:16] Jeffrey Feldberg: And Nalini now imagine tomorrow morning, you wake up and you look outside your window and there's a DeLorean car. The door is open and is waiting for you to step into it. And you can go back to any point in your life. Nalini as a child or as a teenager, a young adult, whatever point in time it would be. What would you be telling yourself in terms of lessons learned or life wisdom, or do this, or don't do that?

[00:38:41] Jeffrey Feldberg: What would you say?

[00:38:42] Nalini Kaplan: I would love to go back to the time when, and it was more of an analog world and simpler world to take in the beauty of that. So, it's interesting that we've seen that movement occurs with people like Cal Newport or Ryder Carroll and the Bullet Journal and proliferation and what journaling period with analog tools.

[00:39:03] Nalini Kaplan: But I, I think that there's something very precious in our relationships and physicality. I think in part I yearn for it because we've all been in lockdown, in various forms for over a year now, too. But to imprint that into my way of being so that I can better take advantage of all of the technical tools out there today because technology is not a bad thing, but it does require a set of ethical constructs in order to use it well.

[00:39:36] Nalini Kaplan: And I think that would help me maintain my balance of people in relationship first. 

[00:39:44] Jeffrey Feldberg: Wow. Some terrific advice. And for our community out there, Nalini has just hit the, not the gold, but the platinum with what she's talking about. I mean, Cal Newport and Deep Work and finding that time just to get things done and the whole Bullet Journal, just to get your thoughts out there and this whole data minimalism that's just amazing to hear and some terrific advice Nalini.

[00:40:06] Jeffrey Feldberg: Nalini you have been absolutely terrific on the episode today and for coming on to the Sell My Business Podcast. As we look to wrap up how can someone find you online Nalini, what’s the best place?

[00:40:19] Nalini Kaplan: I recommend folks visit me at ReThinkPrivacy.com and I've got a special treat for listeners. If you go to my website and there's a health check and the URL there is ReThinkPrivacy.com/healthcheck. You can assess how your business is doing in the data protection space. There are seven questions.

[00:40:43] Nalini Kaplan: It takes two minutes to do. And by providing your name and email address, I'm happy to follow up with you. And you also get a whole collection of very important resources that I hope will help you in your data protection assessment and then activities. So, you know what to do and when to do it.

[00:40:59] Jeffrey Feldberg: Wow Nalini that is terrific. And for our listeners out there, I hope you're paying close attention. You can not only get in touch with Nalini, but you can also get a free health check on data privacy. So, Nalini thank you so much for that.

[00:41:11] Jeffrey Feldberg: And for our listeners, I'll have all of that in our show notes. Nalini as we look to wrap up this episode, thank you so much for coming on, and please stay healthy and safe.

[00:41:21] Nalini Kaplan: My pleasure and I hope you, and all of our listeners do the same. Take care, Jeffrey.

[00:41:26] Jeffrey Feldberg: If you're not on my email list, you'll want to be. Sign up at www.deepwealth.com/podcast. And if you enjoyed this episode of the Sell My Business podcast, please leave a review on Apple Podcasts. Reviews help me reach new listeners, grow the show and continue to create content that you'll enjoy.

[00:41:49] Jeffrey Feldberg: As we close out this episode, a heartfelt thank you for your time. And as always, please stay healthy and safe.