The Power of Privacy: A Conversation with Teresa Schoch, Privacy Attorney
At the ripe age of 28, Teresa was a professor, an attorney, served on the ethics committee for the Michigan State Bar, and was a pioneer in using technology in law, designing tools for several practice areas. She has pursued a career in law and technology, focusing on data privacy in recent years, and truly believes that if you love what you do, you never really work, you just live your life learning and creating as you go.
IGW: What sparked your interest in the Law?
TS: My family was enamored with the King Arthur legend with its concept of the round table and justice considered part of our heritage. I visited the Oxford law library and fell in love with its sun-filtered stained-glass beauty, and the sense of respect for law that prevailed in the peaceful, scholarly atmosphere. I decided I wanted to be a law librarian and work in a place just like that. I saw my future as that of a scholarly guardian of the law helping ensure that knowledge of justice was maintained and accessible. I set my sights on getting a master’s degree in library science, then a law degree. I surprised my guidance counselor in high school when he asked me what I wanted to do with my life, and I replied with a specific plan for reaching a very specific goal.
Later, as the primary writer for the Michigan State Bar ethics committee, I was asked how I could decide legal ethics questions so adroitly. I told them that the knights’ code was so similar to attorneys’ ethical rules, that I would consider relevant facts and determine what a knight would do!
How did you get into the records management and IG space?
In law school, my passion was environmental law, and even though I still wanted to be a law librarian, there was such a pressing need for lawyers to protect the environment that I shifted gears. Upon graduation, I was an environmental litigation attorney in a large firm in Detroit, but also in charge of the law firm’s library, online research, the technology committee, litigation support and both the firm and the Bar’s ethics committee. (And I taught at two universities in my spare time!)
While practicing law, I kept seeing ways that information could be used creatively by accessing data sources that were becoming available online (increasing the types of knowledge to apply to a case), and how much more efficient the practice of law could be if we used developing technology for addressing clients’ needs; e.g., document assembly (contracts, trusts, corporate and firm record-keeping), conflicts recognition, etc. Since no one else was addressing it, I designed systems for decreasing time to accomplish tasks using my information science skills.
In my next role at a large firm in Florida, I kept my promise to myself to be a law librarian as a Director of Information Management, responsible for library management, research services, investigative work, litigation support, conflicts management, knowledge management and records management. I practiced law but primarily focused on bringing technology into the practice. Our law firm was recognized nationally for its cutting-edge technology utilization in several areas, including records and information management (RIM). Automating the RIM center, I realized that the records center was the central nervous system of the firm.
In D.C., I shifted gears to become part of this industry that was feverishly capturing data for online retrieval. As part of that effort, I addressed privacy issues related to the capture of personal information through the automation of public records, court records, white pages, etc. I had become expert in finding background on individuals and, for example, trained the FBI, CIA and Justice Department in computerized investigation.
You’ve also been focused on privacy for a while, before it was “cool”—what prompted you to go in that direction?
As stated earlier, my passion for creative information use in the legal practice led me to push for electronic access to public records, newspapers and similar sources early on. In Florida, we were researching our jury pools using public records sources that no one had done at the time. We discredited witnesses by finding information in local newspapers and often researched the background of people on behalf of our clients as a professional courtesy.
At that time, I was writing monthly articles on law and technology and frequently addressed issues of privacy as more sources became automated, and where ethics came into play as we were able to discover more about witnesses, opposing parties and our own clients through databases. I wrote several articles on privacy rights related to new sources of information access and participated in lawsuits relating to early personal information data publishing many years ago.
More recently, while consulting on RIM, I saw my value to organizations as being able to holistically address their information management by focusing on Information Lifecycle Management (ILM). I considered it my mission to help organizations understand the interrelationship of eDiscovery, records management, security, privacy and defensible disposition. My message was that the goal for ILM was to be “lean and clean” i.e., less is more. Most large organizations had (and still have) huge repositories of dark data that served no purpose whatsoever other than to employ accountants to pay the bills for their upkeep. I wanted to free up those resources for growth and show the competitive advantage of lightening up.
After the Snowden NSA information leakage revelations, the EU began accelerating the passage of a new privacy regulation (the GDPR) which would require that companies be aware of all the information they had in their possession (including all that dark data). I knew that this was going to be the impetus to finally move toward the “lean and clean” information model that I saw as the future of information management. I created a course on the “Snowden effect” on ILM at IBM soon after his release of classified information, and I shifted my skill set to focus on the privacy facet of ILM. I reacquainted myself with privacy law (three certifications so far) and began to study privacy-related technology in relationship to data identification, data mapping, encryption, etc. I also began to study the conflict of laws between global records laws and privacy laws. To expand my skill set, my next consulting role was focused on the interrelationship of security and privacy as the GDPR became law.
How do you think things will play out in the U.S. with an emerging patchwork of state privacy legislation and perhaps federal privacy legislation looming?
Interestingly, the US’ respect for personal privacy is lagging the rest of the world in many respects. When I speak on the topic, I explain to my audience that to understand a country’s privacy laws, you just need to understand their history. People in the EU remember Hitler, Argentine citizens remember their military coup and the Spanish remember their civil war. Knowing what can happen when a police state uses your personal information against you leads most to a view of privacy as a fundamental right; i.e., a constitutional right, as established by the EU. We simply have not had that compelling sense of the need for that personal right in the United States. (Perhaps because we are so heavily armed?)
Others consider the EU’s fundamental right to privacy to be more about the Europeans’ desire to associate with whomever they wish. They do not want to be diminished in any way (class standing, included) by having personal details disclosed. Americans are perceived to be more concerned with a cowboy-framed freedom without the same sensibilities regarding their reputations and the impact on their social standing.
However, the exposure of Cambridge Analytica’s use of US individuals’ data to manipulate many voters in the 2016 election woke up some Americans to the danger of the current existence of an average of 5,000 data points on each US citizen. The “Great Hack” on Netflix is an excellent study of the ability to create echo chambers on social media to influence us to buy, sell, think, and vote. We now know that the election was won by the identification and targeting of “persuadable” individuals who could be triggered into a desired response by feeding them certain information over whatever devices they accessed. For me, the need to address the danger associated with this unbridled power of unwitting manipulation has become as critical as climate change.
California was the first to respond to Cambridge Analytica and similar groups. The California Consumer Privacy Act, effective January 1, 2020, addresses the collection of personal data for imposing on personal space when using internet related devices of all types, specifically prohibiting sharing of your data without your knowledge.
Will there be a US federal law that preempts all state privacy laws? At some point, that is likely inevitable. While there has been a recent bill introduced to create a federal privacy framework with less dependence on the FTC for enforcement, I would be surprised to see the gridlock in Washington changing any time soon. The recent revision of the North American Free Trade Agreement (NAFTA – now the UMC) spoke to a US privacy framework as a footnote, indicating that the US will follow APEC’s framework in upcoming years. (That is its own article.) Other countries have also addressed details of privacy issues in their trade agreements which makes sense since individual data is perceived as “the new oil” in economic terms but never addressed their future framework.
Whether a US federal law will mirror California’s law, or abolish it completely, will depend on the political landscape. As referenced earlier, privacy rights likely are going to be perceived in the same realm as climate change. The federal government will decide to protect them or will think that it is more important that corporations have the right to maximize profits from this new oil. Like on the climate change stance, we may end up one of a couple of countries that does not see the need for privacy protection. That does not keep us from being impacted by the rest of the world’s laws as we address localization laws in Russia, China and India, for example, and requirements for personal data transfer. With the globalization of business, we cannot conduct business without meeting international privacy laws.
In the meantime, organizations in the US will be scrambling to address US state laws that will mirror California’s Consumer Privacy Law in the upcoming months and years.
Have you seen much impact with CCPA yet? What have companies that invested in GDPR readiness done to accommodate CCPA? Any additional measures?
Large companies are being impacted by the CCPA essentially to the same degree as the GDPR. Smaller companies are not as likely to be regulated by CCPA unless they provide services to larger companies.
GDPR was effective in getting many large corporations to understand the need to address their information hoarding. The storage downsizing already in play was critical for the CCPA as well. Some organizations had already mapped their data to determine the location of personal information beyond the EU-based data which gave them a distinct advantage. There was also increased budgeting and technological implementation in securing data which is critical for the CCPA. But there are differences in the laws that require different frameworks.
In my current role as a global privacy attorney at Axiom (an international legal services firm), many companies respond to my requests to amend contracts to comply with CCPA with the statement that they comply with GDPR, but compliance with the GDPR simply does not equate with CCPA compliance. Again, we can look at what drove the passage of the CCPA, which was not the same as the GDPR. The CCPA is a direct response to the Cambridge Analytica revelations; the sharing of personal data without our knowledge for the purpose of influencing us to act in a predetermined manner. California’s law is controlling businesses and service providers in a manner that ensures opt-out rights when data is being sold, with a very broad concept of a sale. A consumer’s rights to deletion and access are the same in both laws, but other requirements in data sharing are handled differently. Companies that have proliferated in the US to provide programmatic advertising through cookies utilization are scrambling to develop new business lines considering the CCPA. Google has created a new model of “restricted data analytics” while Facebook is creating headaches for linked websites with new opt-out requirements.
In addition, the California Attorney General drafted regulations that are very specific about how consumers can approach an organization to assert their rights under the CCPA. The response framework is not the same as one for a GDPR-based request.
What is the biggest mistake companies make in preparing for privacy compliance?
Thinking that privacy and security are the same thing.
Obviously, protecting privacy requires good security and many breach laws do not require a notification to those individuals whose data was breached if the data was adequately encrypted. But there are a lot of other aspects to privacy management beyond securing the data. Global laws, rights to access, deletion, verification, conflicts of law, cross border transfers, recognition of sensitive data, breach response, service provider/vendor agreements, privacy by design, etc. are just a few of the areas and led by privacy professionals, rather than security professionals. In many instances, hiring professionals don’t know the difference and expect security professionals who can build firewalls to assume all other duties relating to privacy for which they are not trained. In the same vein, many C-Level professionals think that anyone can handle privacy management; that it is just not that hard. It is such a new area with so many moving parts that many don’t know what they don’t know.
What trends are you seeing with privacy information management system software?
Most of the budget in privacy management (assuming security is addressed in a larger, different budget) is being spent on mapping tools, de-identification software, automation of data subject requests, cookies management, website scanning, personal data location software and consent monitoring. There is a consolidation of privacy management tools occurring, with research tools becoming integrated into the implementation tools so that legal requirements are attached to the records to which they relate. Privacy mapping tools are integrating with RIM tools. Software developed for locating information within unstructured data for eDiscovery purposes is being used to find personal data.
If you could have dinner with three historical figures, who would they be, and why?
Nikola Tesla, Charlie Chaplin, Dante Gabriel Rossetti. I am sure there would have been women in this list if they had been acknowledged in their times, but these three men have inspired me to be my best and to contribute, often working harder than others might, simply to manifest as much as I can with what I have been given. While I have at times been perceived—mistakenly—as competitive, I only compete with myself to get better at whatever I am doing.
Tesla reminds me to stretch my mind, create, and to not worry that it might have all been thought of before. He did not sleep much and saw patterns everywhere. He delighted in making the world a better place by manifesting the pattern-based designs that were meant to make life easier.
Chaplin rose above a tough life in a London poor house to remind people around the world to see the humor in it all. His work is brilliant in that he did not have to say anything but was understood around the world because he tapped into the universal human experience captured in expressions and gestures shared in all cultures by all races.
In the end, kindness is what matters. Rossetti was a poet, essayist and artist who captured colorful beauty on massive canvas works and exemplified joie de vivre that was a rebellious lifestyle in the Victorian era. He led a talented brotherhood who inspired each other to reach new heights in writing, art and design pulling from the King Arthur legend to portray concepts of loyalty, honor, civility and beauty.
What is your favorite place to travel to, and why?
Going to England is simply going home so that is not really travel. Otherwise, I call a tie between Buenos Aires, Argentina and Maui, Hawaii.
Buenos Aires is rich in culture with music, art, architecture, dance and fashion. The Argentine people are inherently curious and have a special kindness about them.
Maui’s beauty is like Rossetti’s colorful art come to life. The colors are rich, from the bountiful flowers to the stunning sunsets where bliss is a common word. Maui is another area of the world where there is a special kindness between people.
However, I’m not finished seeing the world so that can’t be definitive. There are still countries I want to experience. But I do think there is a time when we have traveled so much that we have people we love around the globe and we come to the realization that we want to travel to see people more so than places.