IEEE Digital Privacy Podcast Series: Episode 3
A Conversation with Jason Lau
Chief Information Security Officer, Crypto.com
Listen to Episode 3 (MP3, 25 MB)
Part of the IEEE Digital Privacy Podcast Series
Brian Walker: Welcome to the IEEE Digital Privacy Podcast series, an IEEE Digital Studio Production. This podcast series features conversations with industry and academic leaders, as well as key stakeholders of digital privacy, in order to help advance solutions that support the privacy needs of individuals. This episode features Jason Lau, Chief Information Security Officer at Crypto.com. Jason shares his insights on cybersecurity and privacy, speaking to emergent challenges and opportunities related to the digital privacy space. Jason, thank you so much for contributing to the IEEE Digital Privacy Podcast series. To start, can you tell us a little bit about your background and current responsibilities?
Jason Lau: Sure, no problem. I'm currently the Chief Information Security Officer at Crypto.com, where I oversee the company's global cybersecurity and data privacy strategy. I'm also an adjunct professor for cybersecurity and privacy at one of the leading business schools in Asia, and a member of the Standing Committee on Technological Developments for the Privacy Commissioner for Personal Data in Hong Kong as well. On the global community side, I'm the regional lead faculty member and co-chair, and I also sit on the advisory board for the International Association of Privacy Professionals. I'm also helping with think tanks, from the World Economic Forum through to the Centre for Information Policy Leadership, the Forbes Technology Council and so on.
Brian Walker: So, Jason, what are your thoughts on prioritizing digital privacy?
Jason Lau: So that's a really good question. I think before I share my views, another good way to start this discussion is to look at Apple CEO Tim Cook, who recently said that privacy is actually one of the top issues of the century. And I completely agree with this. It's very true. We've seen a lot of corporate multinationals from all industries, big and small, through to everyday users and consumers being impacted by privacy. So we're seeing digital transformation really driving a greater adoption of technology. We're also seeing an accelerated growth of this post COVID, or during COVID, from contact tracing apps through to individuals and workspaces using video conferencing and working from home. And I think it's accelerated the adoption of technology. And as a result, data privacy plays a really big part in that. So, if you go back in time to around 2018 or so, when Europe's General Data Protection Regulation came into force, it really set new standards for data privacy around the world, especially in Europe. And now many regions around the world are actually following suit, and you're seeing more and more regulations that are really focused on ensuring the rights of individuals in regard to data privacy and security. So, I think it's becoming more and more prominent in everyday life. And then when you look at it from a security perspective, there are just more and more data privacy issues from data breaches that are happening. So, if we look at some statistics on ransomware attacks, which often lead to data breaches, every 11 seconds or so there's an attack somewhere worldwide, and looking at the growth of these attacks, it's growing every year, year over year, 20 to 30%. We're seeing many industries being attacked. So absolutely. I think going back to the original question, data privacy really needs to be prioritized in every way, shape and form. In organizations, it needs to be a board-level responsibility. And in your daily life, when you're using your mobile phone through to browsing on websites, you need to be more cautious of what these websites could be collecting on you, and make sure that you follow the privacy best practices.
Brian Walker: So are there lessons learned from past experiences in digital privacy that can be applied to enhance the technology space going forward?
Jason Lau: I think cybersecurity and data privacy really go hand in hand in driving a culture which is supported from the top. Just to clarify and to provide a little bit of explanation into this: security is a little bit more about the safeguarding of assets. Again, I'm oversimplifying things, but in a nutshell, that's what security is. Whereas privacy is a little bit more concerned with upholding the rights of the individual. Now, both of these functions have to actually work hand in hand to achieve this. And it's actually much, much harder than you think. Different organizations have different entity structures. There are different organizational structures. They have different businesses and industries that they operate in. So, there's no such thing as a perfect playbook for how to implement data privacy. But for sure there are some key things and lessons learned, as you alluded to, that can help facilitate a more mature data privacy organization. Looking at things from a risk management perspective, you can't fight every fight at the same level. You need to choose which fights you're going to fight, and you look at it from a risk-based approach. And you need to really think about having accountability, because if you don't have accountability in your organization, then it's really difficult to drive a privacy program. So having a data protection officer to provide oversight, to ensure that organizational processes and personal data are in compliance with the applicable data protection rules and regulations, is fundamental in making sure that you have a good data privacy posture. You need to be broadening the whole data privacy organization, if you like. It's more than just a vertical. You need to have steering committees at the top, where you bring in the different C-level executives from the different departments.

So, the marketing team is definitely going to be touching a lot of personal information. The finance team is going to be touching a lot of personal information. Your HR team, from onboarding people with their CVs and resumes through to your own employees inside your company, through to the technology team that actually has to develop the technology to integrate with third parties, and so on. So, every single function has to deal with data privacy in one way, shape or form. And the privacy team needs to be the glue. It needs to be the facilitator in many of these different day-to-day operations. And how do you do that? Well, you need to implement policies, procedures and workflows where privacy is a fundamental part of the actual deployment process. So, things from vendor risk assessments, because third-party risks are a major issue, through to data processing agreements if you're in the EU, looking at privacy from more of a legal perspective. And then privacy impact assessments are also really important, so you can actually assess these projects and their risks. So I think, on a day-to-day basis, the lesson learned, I would say, is that it's a tough task, but it's not impossible. And you need to look at it from different aspects: not just from a legal perspective, not just from a regulatory perspective, but from an implementation perspective, and then from an internal audit perspective. And then using external auditors to also give you that quality assurance for your data privacy practices. It helps to build trust with your end customers, using standards like ISO 27701, which is very new, or the NIST Privacy Framework, or whatever applies in your region. So, for example, in Singapore they've got the Data Protection Trustmark. In Hong Kong, the privacy commissioner launched the gold awards. So every region has its own privacy certification or award structure. And I think it's really important to look to these as well in your day-to-day business.
Brian Walker: So, what about emergent challenges? Say, for instance, the metaverse.
Jason Lau: So, the Metaverse and Web 3.0 are still in their early stages. But I have to admit that there are a lot of questions and challenges being raised by the privacy community at large. In my opinion, these questions are really only touching the tip of the iceberg right now. It's going to be quite a few more years before a fully-fledged Web 3.0/Metaverse is available for everybody to use in the way that the large tech companies are expecting it to be used. But before we talk about Web 3.0, I think it's important to put into perspective what it was like at Web 1.0. So Web 1.0 was mainly about static websites and personal websites, where you or companies would broadcast information with limited interactivity. And then with Web 2.0, there's a lot more interactivity on the websites. And now with 3.0, the experience is much more immersive. And it's going to take privacy concerns to a whole new level. There have been a lot of different concerns over the last few years in regard to data privacy over-collection, the Cambridge Analytica cases, and many, many more than I could reference. But one of the things that is, or has been, a big issue is targeted marketing. In order for companies to do targeted marketing, they would often be collecting data and profiling you in many ways: how you click, what you click on, how long you spend on a particular page. All of this, we always talk about Big Data and data analytics, and that's essentially what it is. If we look at the last five years or so, all of this data has been helping organizations to build these profiles so that they can essentially sell something to you. Now, when we go into the Metaverse, think of it like this. You put on your virtual reality goggles, for example, and the moment that you put those on, companies could be measuring things that they've never measured before.

They're going to be measuring your behavior, looking at your pupil dilation and your eye movement in the Metaverse, and how you react to different visual aids and things. So in Web 2.0, when you're clicking here and there, they don't see your face. They don't see your eyes and where you're looking. They just see where your mouse pointer is clicking, and not what you're actually doing. But the moment that you're in this whole Metaverse, then your activities and how you react are now going to be even more data than ever before. And then there are all these other challenges. What happens, touch wood, to the Metaverse profile of that avatar if the identity of the real human actually dies? What happens if you actually breach privacy laws in the Metaverse? How does that impact you in the real world? What are the laws that govern personal data in a decentralized Metaverse, for example? In the real world that we operate in, there are cross-border data transfers that we have to consider between, for example, Europe, the US, Australia and Asia. So what happens in the Metaverse? Who governs all of that? So, if we're talking about a centralized Metaverse, where it's just one large tech company that's building the platform, then are they responsible for the security and the privacy? How does it work? When we look at the GDPR, for example, in the real world we have concepts of controllers and processors. Do we also have these types of things in the Metaverse? What about children's data? There are just so many questions. So, going back to the original question, I think fundamental to the development of the Metaverse is ethics. Ethics needs to be at the center, in the DNA of anything that's developed in the Metaverse. So, any function or feature that's being developed, any advertisements or anything that's being developed across any platform, really needs to have ethics, specifically around data privacy and individual privacy, at the core of its development. Yeah.
Brian Walker: So Jason, how do you see the IEEE Digital Privacy Initiative helping to advance the technology space?
Jason Lau: So, I think the IEEE is positioned very well in this space, because all of these technological developments at the end of the day need to be built by engineers, need to be built by developers. And a lot of these technologies, even if you look at the blockchain, the immutability of the blockchain, the benefits for privacy in the blockchain, all of this at the base level is fundamentally built on technology. So the IEEE playing a role in this is going to be absolutely critical, because you can't have engineers that just build but don't understand the importance of data privacy. There has been this challenge where many organizations feel that privacy is something to just leave to the lawyers, who understand the regulation. But there has been a disconnect. And the disconnect is when the lawyers look at privacy and go to the engineers and say, well, we need to build privacy by design and privacy by default into the tools that we're developing. The engineers have no idea what you mean, no idea how to implement it, no idea what the expectations are. So there needs to be that bridging. And that bridging is where these types of programs, and the new certifications that are coming out or already exist, come in. These discussions and these initiatives, for example with the IEEE, can help to facilitate that dialog so that both parties can come closer to understanding what it means to actually implement privacy by design and privacy by default, for example. So I think the IEEE can play an important role in bringing together the different parties to facilitate conversations about those challenges, whether it's Web 3.0 or whatever it may be: government bodies and regulators, associations, small to medium organizations and multinationals. So I think there's a lot of development in this space. And I think the IEEE can play a critical role, especially in promoting the importance of privacy to its massive engineering membership.
Brian Walker: Thank you again for your time, Jason. Any final thoughts or advice you'd like to share with our listenership?
Jason Lau: For those of you who are interested in getting into the world of data privacy, my journey has been somewhat of an interesting road. By trade, I'm an engineer, but I got into the cybersecurity field very, very early, before the word cybersecurity was even a popular term. And during that time, I got involved with many different cybersecurity projects, and that is where I got my taste of data privacy. So, whether it's dealing with data in the United States, with large hospitals and dealing with HIPAA, or whether it's dealing with big banks that have to deal with data for their users and transactional data. And then over time, I really got to see the evolution of the regulations. And then I got involved with the global players and the associations, from the IEEE and others. So I encourage everybody who wants to get into this space to look at associations like the IEEE, the IAPP and others to learn more about this space, obtain some of the certifications, and definitely be an active contributor in the community.
Brian Walker: Thank you for listening to our interview with Jason Lau. To learn more about the IEEE Digital Privacy Initiative, please visit our web portal at digitalprivacy.ieee.org.