Scroll

Strange roommates: Whitney Merrill on the uneasy coupling of security & privacy

A clear pattern is emerging of security leaders also being anointed with responsibility for privacy. Some of the origins of this movement no doubt can be found in regulations like GDPR who blend requirements for both security and privacy in mandates for data breach response. While this may seem like a logical pairing for lawmakers, it can be anything but a happy marriage inside an organization as they not only compete for resources but also have divergent needs in areas such as data retention.

Whitney Merrill, founder of the Defcon Crypto and Privacy Village and current Privacy Counsel at Asana, joins Jack and Dave to untangle the complicated relationship between privacy and security. From shared ground in areas such as longstanding shortages in staffing to profound differences elsewhere, security and privacy are just similar enough to allow those who combine them thoughtlessly to make a mess of them both. Case in point, Whitney explains that privacy is often not a risk exercise at all, but instead a legal matter. We conclude with Whitney’s clear, practical advice for CISOs who find themselves responsible for privacy for the first time to keep their head above water and a healthy distance from regulators.

Our dialogue with Whitney also serves as a catch up session for anyone who wants to go past current headlines, from the latest on Clubhouse, Facebook and Grindr to mobile deanonymization and the unsavory business of data brokers. She explains just how hard it is to actually get an organization to properly respond to
a data inquiry, but why she does it and how the visibility she provided on the struggle may have prompted the California Attorney General to recently take action against a very visible, repeat offender.

About this episode

A clear pattern is emerging of security leaders also being anointed with responsibility for privacy. Some of the origins of this movement no doubt can be found in regulations like GDPR who blend requirements for both security and privacy in mandates for data breach response. While this may seem like a logical pairing for lawmakers, it can be anything but a happy marriage inside an organization as they not only compete for resources but also have divergent needs in areas such as data retention.

Whitney Merrill, founder of the Defcon Crypto and Privacy Village and current Privacy Counsel at Asana, joins Jack and Dave to untangle the complicated relationship between privacy and security. From shared ground in areas such as longstanding shortages in staffing to profound differences elsewhere, security and privacy are just similar enough to allow those who combine them thoughtlessly to make a mess of them both. Case in point, Whitney explains that privacy is often not a risk exercise at all, but instead a legal matter. We conclude with Whitney’s clear, practical advice for CISOs who find themselves responsible for privacy for the first time to keep their head above water and a healthy distance from regulators.

Our dialogue with Whitney also serves as a catch up session for anyone who wants to go past current headlines, from the latest on Clubhouse, Facebook and Grindr to mobile deanonymization and the unsavory business of data brokers. She explains just how hard it is to actually get an organization to properly respond to
a data inquiry, but why she does it and how the visibility she provided on the struggle may have prompted the California Attorney General to recently take action against a very visible, repeat offender.

Meet our guest

Whitney B. Merrill

Data Protection Officer and Privacy Counsel at Asana

Whitney Merrill is the Data Protection Officer and Privacy Counsel at Asana. Previously she was Privacy, eCommerce & Consumer Protection Counsel at Electronic Arts (EA) and an attorney at the Federal Trade Commission. In her spare time, she runs the Crypto & Privacy Village, a non-profit, which appears at DEF CON & BSidesSF each year.