Andy Lunsford of BreachRx: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
15 min read · Nov 9, 2020


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Andy Lunsford, CEO and Founder of BreachRx, a technology company that automates privacy incident and breach response. Prior to founding BreachRx, Andy spent 15 years working in privacy law and large-scale commercial litigation.

Andy has a BA from Washington and Lee University, a JD from the University of Arkansas, and an MBA from the Wharton School of the University of Pennsylvania.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Some of my early years were spent in Southern California, but the majority of my growing up was in Fayetteville, AR, which is a college town in Northwest Arkansas — home to the University of Arkansas and just down the road from Walmart’s headquarters in Bentonville. Fayetteville was an idyllic place to grow up. It is in a beautiful location within the Ozark Mountains, and due to the presence of the University and vibrant business community, there were a lot of opportunities presented to me that are not otherwise typical for a city of its size.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In high school I didn’t yet know what kind of career path I might take, but I knew fairly early on during that time that I was deeply interested in the intersection of privacy and technology. Two of my favorite books in high school were George Orwell’s 1984 and Aldous Huxley’s Brave New World. Both struck a chord with me on why privacy is so important and laid the foundation for me to think about privacy as a fundamental human right. Then, in college, my favorite class was a course called Philosophy of Law. The course covered a range of important topics and seminal Supreme Court cases, but the portion that truly fascinated me was its focus on the concept of a right to privacy and the implicit ways that right was woven into various aspects of criminal codes, civil codes, and Supreme Court rulings. I was so enthralled with the topic that I ended up writing my senior honors thesis on the right to privacy. As I did my research for the thesis, I spent a lot of time thinking about how privacy, technology, and the law intersect. After that I was hooked and knew I wanted to pursue a career in privacy and technology.

Can you share the most interesting story that happened to you since you began this fascinating career?

Prior to starting BreachRx, I spent over a decade living in Washington, DC. In the early days of the company, I moved to San Francisco assuming it would be an easier place to find talent for my growing startup. The first hire I was looking to make when I moved to the Bay area was to bring on a highly technical co-founder with a deep background in cybersecurity. Through a mutual friend in the Bay area, I was introduced to Matt Hartley, who eventually became my co-founder and Chief Product Officer. Ironically enough, Matt lives in the DC area about 10 miles from my old house.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are so many teachers, colleagues, friends, and family that have helped me along the way, but my brother is probably the person to whom I am most grateful for helping me get to where I am in my career. After law school, I moved to DC to start a litigation consulting firm with my brother and a couple of other partners. Through hard work, we enjoyed a lot of success and that firm is still operating today. I learned so much from that experience of building a business. Obviously it is hard work, but many don’t fully appreciate the psychological fortitude it takes to walk away from a safe, steady paycheck and maintain the optimism and faith that you can build the business you’ve dreamed about. Some people describe entrepreneurship as jumping off a cliff and building an airplane on the way down. I think that is a very apt description, and I don’t think I would be the entrepreneur I am today without my brother’s influence and encouragement.

Are you working on any exciting new projects now? How do you think that will help people?

Yes! I recently launched a privacy tech startup called BreachRx. We are transforming the crisis of privacy and cybersecurity incident response into a routine business process. Unfortunately, it is inevitable that privacy incidents and data breaches will happen to all companies no matter what technology they put in place. The regulatory and contractual requirements companies face when they experience these incidents are intense. Customers and regulators demand more speed and more transparency than ever before when it comes to managing these incidents. At BreachRx, we’ve created a platform that automates the workflows for companies, so these events are less disruptive. Not only does this drive down the costs for the companies using our platform, but it ultimately benefits the consumers whose information may have been impacted by an event. If companies can handle these events faster, customers will be able to take measures to protect themselves more quickly.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I find that I do my best work and am most productive when I take the time for self-care. For me this means exercise, eating well, and getting enough sleep. It always feels like there is more work than hours in the day but taking the time to care for yourself enables you to be more creative and productive with the time you spend at work.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

  1. I love the dynamic nature of the cybersecurity industry. I consider myself a lifelong learner and everything in the cybersecurity and privacy world changes rapidly. The best technology, strategies, and solutions today are quickly outdated. In order to stay current in cybersecurity, you need to be willing to learn new things every day. That pace of learning energizes me and makes me excited to go to work.
  2. I love the creative and strategic problem solving required to be successful in the cybersecurity industry. Cybersecurity often feels like a big game of strategy. Everyone is working with limited resources and trying to think two steps ahead of the adversary. Strategic problem solving is one of my biggest strengths and favorite activities. By working in cybersecurity, I am able to use that part of my brain every day.
  3. I love that solving problems in cybersecurity has real and meaningful impact on people’s lives. Many people spend the majority of their waking hours engaging in professional and personal activities online. The connectivity that is possible today is incredible, but due to our reliance on technology and the connectivity it affords, the business risks and personal risks that come from data breaches increase all the time. It is extremely gratifying to work on solving problems that can benefit so many people.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

In the very near term, I expect to see a continual increase in nation state sophistication, new adversarial entrants, as well as criminals continuing to accelerate their use of ever more sophisticated ransomware attacks on companies of all sizes. I expect soon we’ll begin to see the deep fake threat being actively applied beyond disinformation — for example, being used by criminals to target executives with more realistic attacks to steal corporate funds.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’ve spent most of my career working in large-scale commercial litigation, and so most of my experience comes from the aftermath of a cybersecurity breach rather than fixing or stopping a breach. I often find that the story of how a breach happened is not nearly as interesting or as important as the story around how a company handles the response and aftermath from it. My biggest takeaways from those experiences are that those companies that have prepared for these inevitable events and take them seriously tend to see far fewer consequences than those that don’t actively prepare or try to sweep them under the rug.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As a small business, we focus on a cost-effective yet powerful cybersecurity foundation based in three areas: our environments, our endpoints, and our product. Our environments are really our first line of defense, and we leverage tools available to us from G Suite like Multifactor Authentication and email scanning and alerting, both of which raise the bar for attackers trying to break into our accounts. On our endpoints, we deploy Microsoft Defender or the like for other operating systems and we’re strong believers in password managers like LastPass and KeePass to ensure good practices and protect us from malware attacks. Finally, in our product, we built a tiered defense and take advantage of security offerings from our cloud providers. For example, in our AWS environment, we use products like AWS Shield and GuardDuty which prevent denial of service attacks and actively detect threats, both of which make it easier for us to maximize our ability to protect our customers and their data.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Leveraging tools to streamline and consolidate security alerts to a single location is key when you’re small. Sticking with our AWS example, using AWS Security Hub consolidates information from across all their security tools so our team has fewer places to look.

When to hire a CISO is tough to generalize as it depends on the business, its industry, and its risk tolerance. Ultimately, as a company grows it has to consider if the skills and the time of their team can scale with increasing security needs — in other words, more data, more people, more challenges, all of which will require more time and focus on security. Companies can take a few steps before hiring a full-time CISO, such as hiring a temporary or fractional CISO and/or getting in place a managed security services provider to offload some of the low level triage of alerts and allow internal people to focus on higher level problems.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

One thing that doesn’t occur to many people is that everyone builds up a set of recognizable patterns using their computer, their email, and their environments. If your computer suddenly starts to feel slow, you start getting emails that seem out of place, or your network suddenly seems slower than normal, those are key signs that something is likely amiss. It’s not always an adversary, but nonetheless is likely something that requires attention.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The steps a company should take are very situational to the type of attack, the severity, and the type of business. For example, a ransomware attack for a B2B Fintech company will require a very different response than a string of account takeovers for a B2C retail company. That being said, there are a few general principles that tend to hold true.

  1. Prepare for these events because they happen to businesses of all sizes. Ideally you have a solution like BreachRx in place that will automate many aspects of the breach response work. Not only will you save your organization time and avoid potential fines, but it will drive down the costs for outside counsel and consultants.
  2. If you don’t have a robust system in place, call an experienced outside counsel to oversee and guide the response. Most breaches lead to litigation and it is important that you can utilize attorney-client privilege as soon as possible.
  3. Do not wipe any of the machines or restore them until a forensic image of each machine impacted has been taken. Preserving evidence is vital at this stage, so that you can fully understand the size and scope of the event. By wiping the machines, you may not realize that the attacker is still on your network in other places, and it is much harder to go after the attacker without evidence that you can prove was preserved properly.
  4. Call the authorities. The FBI and other law enforcement agencies have seen and assisted with countless cyber attacks. Your company might be one of a string of related attacks and sometimes the authorities can provide valuable information to minimize the consequences.
  5. Beware that paying a ransomware demand may get you in more trouble. Look what happened to Uber, and the US Department of Treasury recently warned that paying ransoms may result in potential sanctions.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR, and other related laws affected your business? How do you think they might affect business in general?

Regulations like GDPR and CCPA were part of the driver for creating BreachRx. Over and over again, I’ve seen companies suffer through the consequences of a data breach and these regulations have only intensified the pain. I often describe the scenario organizations find themselves in as one where they are double victims. Not only will a company suffer the direct damage from the loss and recovery of an attack, but because of these regulations, the organizations also face fines and litigation. To put this into context, think about a scenario where a burglar breaks into your home and steals valuable items from you. In the aftermath, not only do you have to fix anything that was broken and replace your valuables, but what if the government fined you for the intrusion and you were sued by your neighbors? More and more it seems that governments and the general public view data breaches in the same vein that they view fraud. Thus, it is imperative that organizations actively prepare for these events and put systems in place to meet the requirements.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Taking shortcuts companies think are temporary to accelerate some effort or deciding to wait and bolt on security in the later stages of something they’re doing or building. Taking this approach will typically take far longer than taking a bit more time and a few steps up front to plan and then do things right. Also, adding it later makes it far more difficult to ensure security is properly put into place in the end.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Absolutely. In the cybersecurity world, we often talk about the attack surface for an enterprise. Historically, this had mostly been the endpoints where the organization connected outside of its own environment. COVID19 forcibly expanded the attack surface exponentially for most organizations because so many are now working from home. Home networks are rarely as secure as corporate networks. This new dynamic has created so many more opportunities for adversaries. In addition, as everyone adjusts to the new normal, we are seeing more privacy errors and issues because now everyone that lives with an employee can potentially have access to data that previously could only be accessed by being on site.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Enable Multi-Factor Authentication (MFA) whenever it is available, especially for any account that contains sensitive data.

As we’ve seen over and over again, breaches are inevitable and usernames and passwords are regularly exposed. Everyone has so many accounts these days that people often rely on one or a handful of passwords for their accounts. As I mentioned previously, password managers like LastPass and KeePass can help you track and maintain more complex passwords, but putting MFA in place makes it that much harder for someone to gain access to your accounts.

2. Privacy by Design should be your default starting point with any product or business process.

Every state in the US and almost every country in the world has its own data privacy regulation. It is no longer the case that companies can get away with burying their head in the sand when it comes to privacy considerations. Most organizations find that taking privacy considerations into account in the earliest stages is far easier than attempting to bolt on those considerations after the fact. While the framework is a little dated, Ann Cavoukian’s 7 foundational principles are a great starting point.

3. Data Inventory and Data Mapping should be done before you face a privacy or security incident.

Just as fundamental as the architectural diagrams you build for your tech stack, it is vitally important that your company knows the who, what, when, where, why, and how of the data’s collection, use, storage, movement, and deletion. Regulations like GDPR and CCPA now require companies to respond to consumer requests to identify the information the companies have collected and be able to delete the data if requested. If your company doesn’t have a full picture of the data it holds, meeting these requests can be a huge chore and potentially result in fines if the requests are not met in a timely or complete fashion.

4. Privacy policies should be unique to each company.

It might be tempting to simply copy and paste a policy from another company, but it is important that the policy your company puts in place is truly representative of how your company handles personal data and equally important that the policy is updated as your company’s practices evolve. Outwardly demonstrating to customers that you care about privacy is a competitive advantage, and it all starts with a good and tailored privacy policy.

5. Put technology in place that allows your organization to be proactively ready for the inevitable incidents ahead.

It is not enough to simply plan to call outside counsel after a cyber attack or privacy incident occurs. Many of the breach notification regulations have short timelines — for example, GDPR requires notification in 72 hours. These timelines are so short that it is often hard to get outside law firms and consultants up to speed fast enough to meet these tight deadlines. Prior to experiencing an incident, your team should put technology in place, like BreachRx, that takes into account the regulations that apply to your company, all the contractual obligations, and any internal and external policies that create response expectations. It is important that the technology you put in place is dynamic enough to keep up with the pace of the ever-evolving privacy and cybersecurity needs your company will face.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Golden rule: treat others as you want to be treated. You never know what someone else is going through and we all have much more in common with one another than most realize.

How can our readers further follow your work online?

https://www.breachrx.com/

https://www.linkedin.com/in/andersonlunsford/

@BreachRx

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
