Rory Lubold of Galaxy Vets: Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information

Published in Authority Magazine · 10 min read · Jun 27, 2022


It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information,” I had the pleasure of interviewing Rory Lubold.

Rory Lubold started in the United States Air Force as a computer programmer, flight test engineer, and systems analyst working on classified programs. After 15 years, he went to work in Hollywood’s post-production industry as a software and systems engineer and served in VP engineering and CTO positions. From there, as an entrepreneur, he started an IT services company to serve small to medium-sized businesses. Recently, after hearing about this game-changing veterinary consolidator co-owned by its employees, Galaxy Vets, he joined the organization as the vice president of IT.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in Germany where my father, a career Air Force man, was stationed. I grew up moving around the world and had many enriching experiences during that time. I met my wife while attending a Department of Defense high school, just outside of London.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

I was always fascinated with taking things apart and figuring out how they work. When I was in high school (before personal computers), my automotive shop teacher told me to look into computers; they would catch my interest. He was a retired NASA engineer, teaching auto shop in the Department of Defense (DoD) high school I was attending.

Can you share the most interesting story that happened to you since you began your career?

During my military career, I was responsible for analyzing Russian aircraft systems to determine their capabilities and how to counter their threats. I was allowed to travel to analyze the opposing aircraft firsthand and develop tactics to arm our pilots with the best tools to succeed in combat.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

My auto shop teacher, in high school, was a retired NASA engineer. Because of the distance from our home military base, we lived at our high school during the week and traveled home on weekends. During my first semester at that school, he told me if I mastered the automotive mechanic’s course content, I could teach the class. I quickly mastered the content and taught his introduction and advanced automotive classes to adults and high-school students for two years. Additionally, I was given the shop keys and access to work in the automotive shop anytime I wanted. His belief and trust in me were game-changers and he is someone I will never forget. He also sponsored me for the National Honor Society and coached our high school football team, pushing me to be the best version of myself. These types of people have such an impact on those that they mentor — I am forever indebted to him.

Are you working on any exciting new projects now? How do you think that will help people?

We are building some very exciting things at Galaxy Vets. Things that will bring veterinary medicine back to the hands of veterinarians and provide equity ownership to the veterinary teams. We are committed to reducing burnout in the profession — a profession with the highest suicide rate. As a very focused, driven, and keenly led company, we will bring about some major changes to the veterinary industry. We will bring the very best pet and pet owner experience through some amazing consolidated tools, telehealth services, and technologies. I am very fortunate to work with a great leadership team and amazing professionals who are all part of this evolutionary change in pet care.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Find a work-life balance. Allow yourself to take time off and leave work at work. Support your colleagues so that they can find a work-life balance. Collaborate, share, and create a trusted network between you and your colleagues. Break down silos that stop information, collaboration, and trust from flowing between people and departments. Be a catalyst for change.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

First, I would like to state that I am not a lawyer and this information is provided from my experiences working with Personal Identifiable Information also known as PII. The rules, standards, regulations, guidelines, and best practices are constantly evolving and are targeted at protecting PII, and we must be diligent in understanding these to protect it.

It is important to clarify what data we are referring to. Any information, or combination of that information, that can be used to uniquely identify an individual is considered PII. Direct PII is information that can identify an individual by itself alone, such as a driver’s license or Social Security number. Indirect PII is information that needs to be combined with other Indirect PII such as name, address without a city, or last four of the Social Security number. Both types of information must be protected and companies that handle that data should have acceptable use policies on how employees handle, protect, and dispose of this information. In the U.S., no single federal law regulates the protection of PII. Instead, there are a series of federal and state laws, sector-specific regulations, standards, compliance, and self-regulatory programs that together form the foundation for protecting PII.

Beyond the legal requirements, is there a prudent “best practice?” Should customer information be destroyed at a certain point?

Yes, every company that handles PII needs to have an acceptable use policy, driven by “best practices in the industry” that defines how employees handle PII and when and how that data should be purged from the system. An acceptable use policy should accomplish certain basic goals: protect PII under the company’s control, define the means by which authorized users may access PII, and establish how PII can be used by employees.

There is not a stated period of time after which customer information or PII should be destroyed or purged, but once that information is no longer useful, it should be properly removed from the system utilizing stated procedures and policies. An interesting fact: many breaches of data do not come from malicious actions to “steal” the data but from poor practices or policy enforcement by companies to protect the data. Employee training and awareness for protecting PII data and acceptable use in handling that data are paramount. Periodic checks, reviews, and updating of acceptable use policies and practices need to be done to ensure employees follow them.

In the face of this changing landscape, how has your data retention policy evolved over the years?

We are a new company, less than a year old. We have the advantage of standing these policies up now and learning from the plethora of information and examples that are available.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

Data is stored as long as it has value in the Galaxy ecosystem. As a new company, many of those timelines for keeping the data are just being defined. We store the majority of our data encrypted, and when data is transported, it is also encrypted. PII data will be evaluated quarterly for retention purposes and disposal.

Has any particular legislation related to data privacy, data retention, or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

As a new company, the legislation, compliance standards, best practices, and policies are all welcome as they collaboratively work to protect PII. We embrace and fully implement these as we grow and will actively participate, as the opportunities are presented, in these evolving standards to ensure PII is protected.

In your opinion, have tools matured to help manage data retention practices? Are there any that you’d recommend?

The tools have definitely matured and also increased in numbers. As we used to say in the military, “The beauty of standards is that there are so many to choose from.”

Our founder, Dr. Ivan “Zak” Zakharenkov, has a fundamental tenet of Galaxy Vets and that is “Data Privacy and Security by Design.” We are committed to protecting and securing all of Galaxy Vets’ data. This foundational architecture requirement drives security from design through implementation. A couple of the initiatives that we are very committed to are: the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

We always plan for ways to improve overall business continuity in case of outages, attacks, or issues that may impact business continuity. We train our people to identify the most common types of work impact issues, outages, cyber-attacks, and natural phenomena to plan for the quickest recovery and business stabilization. There is no completely foolproof way of mitigating or avoiding all threats. We have a business continuity plan in case there is an interruption of business that provides a way of reporting and mitigating the effects of business interruption. I have found that honesty is the best policy. Identify what happened, respond quickly, assess, educate, and improve policies, practices, and procedures to constantly evolve to meet new and evolving threats. Fortunately, the attacks we have seen so far, we have been able to minimize or thwart and we are constantly on the lookout for new, evolving, and maturing threats.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

There are some lessons that we have learned, over the years, that we feel are the tenets of a good foundation from which to grow.

  1. First, identify where the PII information is received and stored within your company. What applications, databases, processes, and personnel are potential sources for PII to be compromised? Understanding where your data is at and who has access to it is the first step to defining where you need to assess and understand if any vulnerabilities and exposure exist.
  2. Second, define policies, procedures, best practices, and training on how your company handles and protects the PII identified in Step 1. This review and scrutiny of how PII is handled is not a one-time process. A new vulnerability can be something as simple as a software update from a publicly facing application that exposes your data and makes it vulnerable. Remember, an increasingly larger percentage of data breaches are a result of poor PII handling and protection and not cyber-criminals. Always start from a zero-trust position that all processes and procedures within the company are considered suspect until you can prove that they don’t inadvertently expose your data publicly or make it vulnerable to cyber criminals.
  3. Define how long PII data should be kept. Identify what PII is relevant and how to identify stale or obsolete PII data. Define what the removal process looks like and ensure that PII identified as stale or no longer needed is safely removed and purged from the system. Secure logging or some tracking mechanism should be used.
  4. Next, perform dark web scans and periodic assessments to ensure that no PII from within the company shows up for sale or is available on the dark web. Run periodic reviews to decide if a breach or vulnerability exists. An ounce of prevention is worth a pound of cure — these words of wisdom from Benjamin Franklin are as relevant today as they were in 1735.
  5. Lastly, develop and test your Business Continuity Plan (BCP) to ensure that your business can recover and operate when any form of data loss or compromise occurs. Your BCP should also include a Recovery Point Objective (RPO) which tests how quickly you can recover your business from a critical data breach or loss to full functionality.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective, and something everyone can do!)

I would like to see a movement where we all accept each other just the way we are.

How can our readers further follow your work online?

Please follow GalaxyVets.com to see the amazing things we are doing to help with burnout prevention in the industry, transform the veterinary workplaces and client experience, and bring back the ownership to the veterinarians, technicians, and administrative staff in the hospitals.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
