When Lawrence Montle leads data security trainings for his colleagues at the New York State Insurance Fund (NYSIF), he starts with an analogy of a dripping kitchen sink.
“If there’s a little leak in your kitchen sink, you can go to work, come back, and things will probably be OK,” Montle says. “But if you go on vacation for a couple of weeks and there’s a leak, not only your floor, but your whole house will be damaged.”
Montle, the Chief Information Security and Privacy Officer for NYSIF, has trained most of the Fund’s approximately 2,400 employees in how to safeguard sensitive workers’ compensation and disability benefits data. (NYSIF is a government insurer for employers in New York.)
Cyber-hygiene, Montle emphasizes, is critical both at work and at home. He’s got an analogy to illustrate that point too: “If you’re a terrible driver at home, you’re going to be a terrible driver with the corporate car, but if you’re a good driver at home, it will translate over.”
Montle is NYSIF’s first-ever Chief Privacy Officer, and creating a security awareness program is one of his key accomplishments since he took on the role in February 2016. After conducting trainings at the Fund’s offices across the state, he says he’s pleased to get calls from employees who notice new phishing schemes or potential security issues they wouldn’t have otherwise flagged.
“You can do many things with technology, but the adage is that your biggest worry is between the chair and the keyboard,” he says. “Educating people will not only make my life easier; hopefully it will last beyond me.”
He’s set up similar safeguards, including an extensive screening protocol, with NYSIF’s outside vendors.
When Montle became NYSIF’s Chief Privacy Officer, he was already Chief Information Officer. He says that the positions are complementary: The privacy part of his job is about knowing what data to protect; the cybersecurity part is about knowing how to protect it. Montle’s background in tech, combined with his J.D. and M.B.A. degrees, makes him a natural fit for a job that is part legal, part business, and part tech. (Montle earned his M.B.A. from Fordham before attending NYLS as an evening student.)
“In the old days, lawyers would tell you, ‘You cannot do this,’” he says. “Now those lawyers don’t get hired in-house or as outside counsel. You need to be able to walk people through the rules without losing sight of where you want to go from a business perspective. It’s important to bring every possible tool to the problem.”
A challenge in many organizations, Montle says, is that information technology and privacy employees don’t speak the same language: Privacy counsel may not invest the time needed to learn the intricacies of tech, while tech employees defer to lawyers on the law. When teams are siloed and conversations need an “interpreter,” the process becomes inefficient, he says.
He stays “fluent” in tech by reading blogs like Ars Technica, The Register (a British site), and CSO (Chief Security Officer).
Ever-changing notions of privacy present another challenge. Montle recalls his college exam grades being listed on a bulletin board by Social Security number, in order to make them “anonymous.” What used to be considered a harmless practice is now illegal in New York. Conversely, some privacy practices that have generated intense criticism are not yet illegal.
“Right now, the public policy is struggling to catch up to the law,” he says. “What Facebook did with their data was legal by all laws at the time, but it had unintended consequences. There are laws on the books, but this is definitely an area where interpretation is king. So, if the box is a foot wide, you should probably be within that 6-inch middle so that you can comfortably say, we acted in an abundance of caution.”