Advancements To Boost Your Data Security with Anna Mercado Clark

September 21, 2021

Anna Mercado Clark is a Partner at Phillips Lytle LLP, a premier regional law firm recognized nationally, with offices throughout New York State and in Washington, DC and Canada.

She leads the firm’s Data Security and Privacy and e-Discovery and Digital Forensics Teams. As a former Assistant District Attorney, she also handles white collar criminal matters and investigations. She obtained her B.A. in Biology from Rutgers University and J.D. from Fordham University School of Law. Anna is an Adjunct Professor of Law at Fordham University School of Law. She is also a member of EDRM at Duke Law, a community of technical and legal professionals who create practical resources to improve e-Discovery and information governance, including cross-border discovery in light of the General Data Protection Regulation (“GDPR”).

John Shegerian: This edition of the Impact podcast is brought to you by ERI. ERI has a mission to protect people, the planet, and your privacy, and is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States, and maybe even the world. For more information on how ERI can help your business properly dispose of outdated electronic hardware devices, please visit eridirect.com.

John: Welcome to another edition of the Impact podcast. I’m John Shegerian. This is a very special edition of the Impact. We’ve got with us today Anna Mercado Clark. She’s a partner at Phillips Lytle. She’s a data security and privacy expert and also a general cybersecurity expert. I’ve been on panels with her before and today she joins us on the Impact podcast. Welcome, Anna.

Anna Mercado Clark: Thank you very much, John. I’m happy to be here and I’m always happy to talk to you.

John: Well, the feeling’s very mutual. Anna, before we get talking about all the important work that you do and the topic that you cover, which are really huge trends in our world today, in terms of cybersecurity and data security and privacy, can you give a little bit of the Anna Mercado Clark backstory? How did you even get here? How did you end up in New York with this very important practice that you’re doing right now at Phillips Lytle?

Anna: Sure. I actually grew up in the Philippines. I moved to the United States when I was 11. I went to law school in New York. My first job out of law school was as a criminal prosecutor at the Queens County District Attorney’s Office, where I prosecuted everything from misdemeanors to attempted murders. Then, I joined a civil litigation firm. I got recruited to my current firm where I was a commercial litigator. I ended up getting into data because I was involved with volumes of data. Initially, my involvement in data was in E-discovery. Because I was so familiar with my clients’ data systems and data, anytime they had a data question they came to me. So, I ended up learning the practice area and joining the data security and privacy practice team of the law firm. Now, I lead the team.

John: Did you have any idea back then that cybersecurity would become such a huge industry when you were contemplating this evolution in your career?

Anna: Not in that particular sense. I knew some lawyers at my law firm already had assisted in data breaches. But for me, I just knew that data was the future, right? As things were becoming more automated, companies were storing more and more data. I knew we had to manage that somehow and that the issues were going to proliferate as we continued to amass more and more information. But I did not think along with the terms of data security or cybersecurity necessarily back then.

John: Got it. For our listeners and viewers out there, to find Anna, I just want to give this shout-out right now. You can go to www.phillipslytle.com. It’s is where you can find Anna. Anna, let’s get right into it. Talk about where we are today. It seems as though when you read the stats… When you’re growing up, you hear those famous words “crime doesn’t pay”. But when it comes to cybercrime, it seems as though that’s turned on its head. In 2015, $3 trillion was gotten by the bad guys. 5 years later in 2020, $6 trillion. What’s going on here and what should our listeners and viewers, whether it’s protecting their own family or whether it’s protecting the ecosystems and businesses that they represent, what should be top of mind for them? What should they be thinking about that they’re not thinking about today?

Anna: That’s a very good question. I think when we think about cybersecurity, initially, when we started thinking about scams through emails, you used to get the Nigerian prince email or I won the lottery email and give me some money and I’ll give you a windfall later on. The cybercriminals have gotten so much more sophisticated since then. I think that’s what’s so scary now. A lot of the data breaches and cyber incidents that we’ve dealt with, particularly during the pandemic, have evolved around large multimillion-dollar transactions involving wire transfers, where the bad actors or the cybercriminals are infiltrating email systems. I think for people who are looking to protect themselves and their family members, I wouldn’t worry so much about the latest in gadgets, the latest in software. Ultimately, systems are as strong as their weakest link so use your common sense. Think about whether something sounds right. If you don’t feel right about it, if it doesn’t sound right, then don’t move forward with it.

Think about how you can confirm transactions, particularly if it involves large amounts of money. Because once the money is in the wrong hands, it’s very difficult to get that back. We work with law enforcement officers quite regularly to try to get money back, where they’ve been wired to the wrong accounts or fraudulent accounts. It’s very difficult, once it’s out, to get it back. The best defense is really not to find yourself in that position to begin with, which really means staying vigilant, using your common sense. If something doesn’t sound right, talk to your friends. Look at the FBI website, actually, because they frequently put out alerts on what the most common scams are and validate transactions. To the extent of online accounts, make sure that you’re implementing dual-factor authentication. What that means is, in addition to your password, the account will ask you for an additional second layer of confirmation of your identity, whether it’s a thing on your cell phone or an app that you’ve previously validated, to make sure that you’re who you say you are and it’s not some person trying to get access to your account without authorization.

John: Got it. When I got into this industry, the whole big about data protection was centered around paper shredding and companies like Iron Mountain, Shred-It and HIPAA, Starbucks. But in May of 2018, Anna, GDPR happened. We felt a sea change in this whole world of data protection, privacy, awareness around it, media attention. There are all sorts of new laws that have come out. GDPR then has come to America and now states, such as California, Nevada, Maine, and New York, have already passed their own data privacy laws. You would know better than me, but when I’ve talked to other experts that are like you and on the level that you are, they tell me every state in this nation within the next 12 to 24 months will have their own law. What’s going on with all these rules and guardrails now? How is that changing the landscape and what should we be thinking about? Because the rules and laws around GDPR and associated data privacy laws are fast-changing and the noose is tightening in terms of what kind of penalties can be meted up by these regulatory bodies.

Anna: You’re absolutely right. The interesting part is, even before the GDPR went into effect, there was already a similar directive as opposed to a regulation. The difference is, as a directive, European countries had to do something extra in order to implement that in their own countries. The implementation looked wildly different around Europe. So, what the regulation really sought to do was to try to make that implementation much more uniform and to strengthen the protections that were offered by the directive. The additional thing that made it different from the directive and the reason that it became such a big news item around the world is it sought to have extraterritorial reach. What that means is, even though you’re a company that’s not located in an economic area, where the GDPR is in effect, you would find yourself subject to the law if you meet the threshold requirements of article 3. So, companies that are solely located in the United States who were only doing business in the United States might find themselves, either based on their third party arrangements, their vendors, their marketing activities, might have been the ambit of the GDPR.

I think you’re absolutely right. A lot of companies really sought to change their compliance programs to comply with the GDPR, as opposed to having a hodgepodge compliance program that sought to comply with different regional regulatory requirements. Because for some companies, it’s just easier and most efficient and economical to have one program. Now, that’s much easier for other jurisdictions, so then pass more stringent requirements, because companies were already doing what they needed to do to comply with the GDPR. The hurdles that were there initially, in the US, in other countries, were not there in the same way because companies were more willing to do the things that their laws now would require. I think I agree with that assessment. It’s going to be toward more stringent regulation of personal data. Even as I say that, though, I think what’s interesting is each state law has its own nuance. The definition of personal information, for example, can be wildly different. The definition of a data breach can be very different. What is required in terms of data protection measures can also be very different. Even though the trend is towards greater protection, I think what that looks like on a regional basis is still going to look very different from one another. I think what we have to look out for is what the federal government is going to do on that front. Because unlike other areas of the law, there are a lot of companies, including tech companies, that are clamoring for a uniform federal law that governs this space. Because it would be much easier for them to comply than it would hodgepodge patchwork of regulations from the different states. Not to mention on top of the state laws, you also have industry-specific laws that you have to comply with.

John: Right. What do you think? The GDPR came over during another presidency, a new president has now been elected, what’s going to happen on the federal side? Are they going to get some version of federal legislation done on this that it’s going to give people some sort of guidelines that they can look to? Or what do you think is going to shake out and how long is that going to take on a federal level?

Anna: That’s a question I asked my colleagues in Washington, DC quite frequently as you can imagine. There have been a lot of different efforts to try to get a federal legislation in place. One is the level of sophistication on the issues is not uniform among lawmakers. That’s something we have to address. The other is we have the pandemic and other more pressing economic issues that are taking precedence. I don’t expect a significant step to be taken in this direction in the next year or two. So, I would have to see how the economy recovers during that time for tackling this issue. What we’re seeing instead, though, is various different federal agencies putting out their own guidance in lieu of or in the current absence of a federal law. They’re putting out their own guidance about what they expect and what they recommend. Some of these government agencies have regulatory powers. It will be for the next few years. There are a lot more federal agencies putting out guidance and until we get a law in place. But I don’t anticipate federal law coming into effect anytime soon.

John: For our viewers and listeners who just joined us, we’re honored to have with us today Anna Mercado Clark. She’s a partner at Phillips Lytle. To find Anna and her great colleagues, go to www.phillipslytle.com. Anna, give us a day in the life of your professional life. How do things work? Does your phone ring and a fortune 100 or 200 company call you and they say, “We just had a breach. We think we’re going to be on the cover of the WSJ or NYT. We need help.” or are people calling you, saying, “Listen, I just read about those people. I just heard about Colonial Pipeline. I just heard about Sony, or some other big brand. Can you help us prepare so this doesn’t happen to us? Help us become more resilient. Help us become more defensive so we don’t end up on the cover of the NYT or WSJ or Bloomberg or something like that.”? What’s a day in your professional life look like?

Anna: I think what’s so great about this practice is no 2 days are alike. I’m sure you’re not surprised at that answer. You’re very familiar with this practice area. I think companies and organizations, because I work with not for profits as well and high net worth individuals, it really varies, right? There are some who are more advanced in their data protection mindset. Those are the people who will come to us and say, “We really need to prepare. We just heard about this and we saw this in the news and we want to beef up our policies. We want to do a test of our data protection policies and systems, and let’s talk.” More often than not, the way that we end up… because they have an issue that’s already happening, a data incident. In the legal profession, we don’t like to call anything a data breach, John, until we absolutely have to, because it’s a term of art. For those listeners out there who might suffer a data incident, beware of using that term because we don’t want you admitting to something under the law.

John: Good point. That’s great advice right there. Perfect.

Anna: That’s sometimes how we’ll get the call. We’ll get a call and say, “I need somebody to talk to.” Usually, that’s after hours, on holidays, during the weekends, because that’s when these attackers’ activities are increased. Or sometimes because of our close relationship with law enforcement, law enforcement would reach out to us and say, “Hey, this is happening. There are many companies that are suffering from this attack. Clients might be impacted. Let’s talk.” Then we might be the ones telling our clients, “Hey, this issue is happening. Let’s talk about whether or not this impacts you.” Sometimes because of our other work with a client, we know their data systems. We have colleagues in DC, as I mentioned earlier, and colleagues in law enforcement. When we get the news, and we get them fairly quickly, we might reach out to the client and say, “Hey, I know you use a software. There’s an issue.” Sometimes we know the issue before our client even knows the issue, which can be a real advantage. For us, our strategy is to not wait for the client to come to us with a problem. Our strategy is to try to anticipate problems for our clients and give them the best business-focused legal advice that we can, given the facts that we know.

John: Talk a little bit about cyber-insurance. Obviously, it’s a growing field. A lot of people are buying it. My friends in the cyber-insurance industry tell me it’s like the Gold Rush. They’re selling more cyber-insurance policies than ever before. But when the bad guys seem to be winning, the cybercriminals go from 3 trillion in ’15 to 6 trillion in 2020 in terms of ill-gotten gains, is it an insurable industry, and how are the insurers going to continue to figure out how to work with those they’re ensuring so they don’t have losses every year in terms of cyber-insurance that they’re selling? How is that interrelate and where are you in that ecosystem in terms of advisement?

Anna: Yeah, that’s a great question. When people started thinking about cyber-insurance at the outset, insurance companies didn’t know how to price these policies, right? It’s very unlike other insurance policies that are on the market. In our experience, the insurance issues don’t [inaudible] that they do and other general commercial coverage. The question is never how much is covered, right? Usually, in commercial situations, a lot of the dispute centers around, “How much is the insurance willing to kick in?” The interesting thing about cyber-insurance is the issue is usually whether or not your event is even covered. We tell our clients all the time, “You really should seek legal counsel. Don’t just rely on your broker when you’re selecting your coverage.” I don’t say that just because I’m a lawyer. You can hire some other lawyer. It doesn’t have to be me. The reason I say that is because you might be confident you have a $10 million policy or a $100 million policy. But then, when you really look at the policy, you might realize it doesn’t cover the thing organization is most at risk for. For example, if you are a manufacturer, there are many policies that might not cover those losses if you suffer a data breach that does not allow you to generate your widgets or whatever items that is that you’re producing. There are many policies that don’t cover wire fraud transfers because the rationale from the insurance perspective is the transfer, right?

These are situations where you were tricked into authorizing the transfer to a fraudulent account. You have to really think about your risks, both in your industry and your own company based on your business practices, and select the insurance policy that covers that, as opposed to just selecting an insurance policy that’s willing to give you the most cover. The other thing is we’re seeing a change. There have been sea changes in the insurance industry in this field in the last few years. The latest sea change now is as a result of the pandemic because COVID has really encouraged a lot of cybercriminals. They have a lot of time on their hands. A lot of people are at home, meaning they’re more vulnerable. A lot of companies shifted to remote infrastructure to do it, even though they didn’t have the time to train their employees. There have been a lot more claims. I think insurance companies are still struggling to determine how to price these insurance policies properly, what should be covered, what should not be covered. That’s a kind of continuous process for them. I don’t think we’ve settled yet on what that’s going to-

John: I want to go back to the work-at-home phenomena that happened because of COVID, Anna. But let’s take on the insurance for one more question. I know every company is idiosyncratic to itself. But in terms of your macro advisement, do you, as a general principle, advise your clients to maintain and keep a cyber-insurance policy?

Anna: 100%. In the old days, you’ll see some cases tackling this. Many companies did not have cybersecurity insurance. What they would do is try to make a claim on their general commercial policy, their property policy, their criminal policy. Insurance companies were resistant to that. There were some successes in getting coverage under those policies, but now, the language in those policies prevents a future successful claim under those policies. So, a 100%. I cannot stress this enough. Any company, no matter how big or small, should have cybersecurity insurance. The average cost of a data breach the last time I looked was in the millions of dollars. There is an increased cost of that in the United States. It’s much more costly to manage a data breach and that’s partly because you have the expense of your initial response team, which can include your law firm, your legal counsel, your PR team, your forensic investigator. It might even include your own employees addressing the immediate needs so that you can get back to the day-to-day business. Then, on top of that, you might have to retain additional third parties to sift through the data that might have been compromised to determine whether or not you have a data breach notice obligation. Then on top of that, you have the cost of sending out notices. There have been instances where companies have gone bankrupt because of the cost of having to provide the notices. It can easily add up. So, it’s best to have insurance coverage.

John: Anna, go back to them now. COVID has created this work-at-home phenomenon. Maybe it was going to happen anyway, but because of COVID, just like the Zoom boom, it happened faster and society has changed forever. The business has changed forever. How we do business, how we work has changed forever. I was on a call this morning with a very large organization that was talking to us about potentially being a client. They said they had over 100,000 plus people working from home. Here’s the challenge they said they were up against. Everyone went home somewhere in mid-March of 2020. When they’re working in the cocoon of the office, they had guidelines. Their CTO or Chief Information Security Officer put nice guardrails around everybody to protect them from themselves, protect them from other employees, protect them from the outside world in terms of bad actors. They go home quickly and then have to get business hardware at home. They have their personal hardware at home, and what they told us this morning was they found out there’s been a lot of cross-contamination in terms of information of business that ended up on personal hardware and hard drives and personal information on business equipment because things blend together when you’re working from home without all the guidelines that you have from the safety of an office. How can corporations or how can even just regular good citizens of this country protect themselves from even just benignly creating a potential data incident at their company or for their family because of all this cross-contamination? What’s going on in that sector, and how do you work with companies? Because COVID changed the world, and that created a whole new level of issues.

Anna: Yeah, I know. I agree completely. And I think any organization has to take a multi-pronged approach. The first thing is to make sure that you’re continuously educating your employees. I’ve mentioned this before. I am a fan. I’m a big proponent of logical advancements to shore up your data security, but it’s not 100% reliable. At the end of the day, when you look at the biggest data incidents, data breaches that have occurred, oftentimes people are the culprit. They click something they weren’t supposed to, they responded to an email they weren’t supposed to, they provided their credentials somebody shouldn’t have, and there is nothing, no matter how sophisticated, that system is never going to 100% guard against that. So, I think the first thing you have to do is make sure that you’re communicating regularly with your employees, even though they’re working remotely, and that you’re communicating with them, not just about their day to day responsibilities but about the importance of making sure that they are complying with the company policies even remotely. Perhaps some companies even do tests on their employees. The tests are not intended to make people feel bad, that they don’t know something. It’s really intended to alert them that even though they’re smart, even though they’re sophisticated, they can still fall prey to these attacks that we’re seeing.

There are also various technological solutions. Some companies are opting to provide their own hardware to employees, particularly the ones that are handling particularly sensitive information. There are also a lot of companies that are employing virtual desktops. So, you can’t access information and export information outside of that virtual desktop, and some are using VPNs, Virtual Private Networks. Citrix is a good example of that kind of setup, where you have to provide your credentials. And again, dual-factor authentication is trusted enough. It’s actually a requirement in some laws depending on what states you’re in or what industry you’re in, but you should always have a whole host of issues, I’d say 80-90% of issues that we’ve been seeing lately. Because even if your password is compromised, if the bad actor doesn’t have your cell phone or whatever device you’re using for the dual-factor authentication, then they won’t have access to your account. So, there are a variety of different approaches, but I think the most important is training.

John: Without giving away any trade secret, obviously, are you constantly amazed and shocked when new clients walk in the door and they tell you, again, without malice, how lacks they are in this area and how vulnerable their corporation is, until you start coaching them on how to really start protecting themselves? Are you still constantly re-amazed at that level of benign neglect as well?

Anna: Yeah. It’s so interesting because I find that the level of sophistication of the client in business does not necessarily become part[?] with their level of sophistication on these issues. There are organizations out there, who were wildly successful and who have a great a reputation and were excellent at everything else, but we find, especially depending on the industry, there are organizations who don’t necessarily think they’re a target, who don’t think that they need to worry about this, because they’re not an Equifax, they’re not a consumer-facing company. And that’s the wrong approach. They’re attacking construction companies, manufacturing companies, companies that are part of the supply chain for our energy [inaudible], think governments. Traditionally, organizations that would not think they’re a target are increasingly becoming a target. So, in this industry, the question is not if, it’s when.

The other thing is, there are a lot of clients, officers of companies, for example, management personnel, who think I’m so smart, I’m so sophisticated, I’m not going to fall for this. I tell them all the time, “Don’t feel bad if something happens and you do something that you’re not supposed to do because…”, which is why I think education is always so important because the threats change constantly. And so, all we can do is try to keep up as much as we can with it and make sure that people are armed with the tools they need in order to protect themselves. And when something happens, the other important piece is making sure they know who to report it to and what to do. Because that’s the worst part, right? We have companies who do testing. They’ve got a malicious email, and only 5 people reported it. The fact that only 5 people reported it is a bigger problem than the fact that 30 people click on the bad email, because then it really compromises the organization’s ability to protect itself against the repercussions of that bad action.

John: Right. And we’ll talk a little bit about the future. Take out your crystal ball. You’re a young woman. You’re obviously one of the leaders in your field. Talk about this decade ahead. If cybersecurity and the trend of cybersecurity was a baseball game, are we in the bottom of the fifth or the top of the second inning in terms of the evolution of data security and privacy and how that whole world is going to evolve in the next 10 years ahead of us?

Anna: I just say I love that analogy because I’m a huge Mets fan, and I hope I don’t offend listeners. “Let’s go Mets. This is our year.” We say that every year, but I truly believe this is our season, and not just because Jacob deGrom is such an amazing pitcher. Should we talk about that instead? It’s interesting because I think despite the many changes and the developments in this industry, I truly believe it’s still in its nature. When you look at who’s in the space, for example, there are some of us who have been in this space for many years, but most people are only really starting to think about these issues, to think about data security and there are still so many technological advancements that are happening in this space, both in terms of trying to protect data, but also every time there’s a new technological development we have to adapt. Now, what do we do? Zoom, for example, was not a way of life before the pandemic. Now, we have Zoom. There have been a lot of modifications to Zoom as you can see that has happened even just since the beginning of the pandemic. And so, I think we’re just warming up. We haven’t even begun the ballgame yet.

John: Got it. I love it. That’s awesome. I want to switch from your expertise, your profession on data security and privacy, but talk a little bit about your journey personally. Historically, Chief Information Officers, Chief Technology Officers was a guy’s world. You’re a woman that’s broken into that industry, let’s talk a little bit about that. And then, let’s take it one step further. You’re also a woman of color and ethnic, and an immigrant. What level of difficulty on those 2 issues have you found in terms of breaking into the boys club, breaking into business, and shattering the glass ceilings? I’m always fascinated by that journey. We have so many young women around the world that watch the show, listen to the podcast. I’d love you to share your experiences in busting through.

Anna: So, that’s a great question. I love that you asked that. And I hope that me wearing my traditional wear today did not…

John: Talk about that. As my friends would say in the Philippines, “Ganda, ganda.” Beautiful.

Anna: I appreciate that. Nicely done. And so, this is actually a traditional Filipiniana top from the Philippines. As part of my conscious desire to bring diversity into conversations that I’m a part of, I’ve started to substitute wearing suits oftentimes when I’m on panels, when I’m speaking publicly. I got a TV interview wearing my traditional wear. And at first, I thought it might put people off. But interestingly, I’ve had such a great response. People are curious about it, and it’s been such a great way to start a conversation about diversity, about where I’m from, about where other people that I’m speaking to were from. It makes them feel more comfortable to share their own stories.

And so, as far as my own story goes, as I mentioned earlier, I moved here when I was 11. It was a tough transition. I was bullied when I was in grammar school when I first moved. Because of that and because of the lack of representation, at least for me, I didn’t have a lot of people who already occupied the position that I’m in now in my own circle, I am more conscious of being that for other people, being that resource. And so, I started teaching at Fordham a few years ago, a Fundamental Lawyer in Skills Class where I teach aspiring lawyers about the soft skills that you need to be a lawyer: client reviews, negotiations with adversaries. And then, I was also asked by the law school to develop a data security and privacy course for compliance professionals, and it’s been such a great experience. I co-teach that with my friend, Professor Ken Rashbaum, who is also a partner at a different law firm, and we’ve had such an interesting time talking to different people about their own compliance experiences. And these are people who work for a fortune 50 to 100 companies. So, we learn as much from them as they learn from us. But the reason I teach is because I want to make sure that there are people who look like me who are in these spaces. And I also am cognizant, even though I don’t want to necessarily be or I don’t think I deserve to be representative of a whole group of people, I recognize that sometimes when people meet me, whatever their impression of me is, will be applied to people who come after me who might look like me. And so, because of that, I always want to be the most prepared person in the room. I always want to be the person who is trying to solve problems and bridge any gaps that there might be among the other people in that room.

John: I have a theory on that. What makes this country great, and you and I both can relate, is that we’re an immigration nation. You’re sitting in the hotbed of it, right in the middle of New York City. Is that our immigrant DNA or is that more of a mother and father thing that your mom and dad instill education on you and always to be the most prepared person in the room? Or was it just our immigrant DNA that we come to this country really with nothing? All of us have similar journeys, and that it’s on us to make the most of this opportunity, and the only way to do that is through education and preparedness. How much is nature? How much is nurture?

Anna: I’ve never thought of it in those terms before. You’re making me think about these issues in a new way, which I really like. I think it’s a combination. My mom and my dad were very hard working. My father was a physician. My mom was a nurse. And so, I have always been hard working. Both of them came to the United States for additional medical training and ended up staying here in varying lengths of time. And so, I think that’s part of it. They always valued education. In the Philippines, there is also a cultural expectation that, at least in my generation, you would want to go to school, you’d want to advance your education. And then, when I came here, I think, how do you set yourself apart? I was humble enough to know. I’m not going to be the genius in the room, and I think most people will not be that person. There are very few people who truly occupy that space. But what I wanted to be was do the best that I can. And I found, actually, that I can do better than a person who is smarter than me by being more prepared, and that’s something that was within my control. I couldn’t control what was naturally given to me or my natural talents. What I could control was how hard I worked for my clients in whatever space I occupied, which is why that’s something that I’ve always, and even in my firm, instill in our younger associates or newer associates, is that I’d rather have you be the most prepared person in the room rather than the smartest. Because the smartest person is not necessarily going to do the best job.

John: That’s really so true. In terms of your Filipina background, your Philippine background, you’re also the founder or co-founder of the Philippine Bar Association?

Anna: Right. The Filipino American Lawyer Association of New York.

John: Talk about that.

Anna: There are 2 of us who knew each other socially and just thought we should formalize this organization, and it coincided with our attendance at a National Bar Association Conference in DC. There were some other Filipino lawyers there from around the country who were coalescing to form a national organization. I’m actually also on the board of the National Filipino American Lawyers Association. And so, around the same time we thought New York is a hotbed of legal issues and legal talent, we should also form our organization, which we have and we have also established, with the cooperation of the National Organization, a scholarship for law students. We do a lot of work with the community but also we host a lot of events and panels touching on various legal issues that are at the forefront of-

John: So, mom and dad, are they still alive?

Anna: So, my father actually passed away when I was in college, and my mom is still alive. She’s a retired nurse. I was actually the black sheep of the family for a while because I majored in biology and the expectation was that I was going to go to med school.

John: That’s what I was just going to ask you. You ended up in law. They were from medicine. So, how did that all work?

Anna: I think some of my relatives still don’t know I’m a lawyer. They might think I’m still in a-

John: So, mom lives in the United States or mom lives back in the Philippines?

Anna: United States. She was actually the reason we ended up coming here. She’s one of the nurses recruited in the 80s or the early 90s because of the shortage of nurses in the United States. She wasn’t looking to move here. She just accompanied a friend to apply for a job, and they asked her to come. And my father had practiced medicine here years before, and moved back to the Philippines. It was supposed to be a temporary adventure for my mom, but then she decided it made sense to bring us over. I’m glad she did.

John: How many children were in your family?

Anna: I have 2 younger siblings, and I also have siblings on my dad’s side who are older. My older siblings are in the medical profession while my younger siblings are in — one is in tech as well and the other one is a director of professional development and recruitment for a charter school system. So, an education.

John: And so, you have one son.

Anna: I do.

John: So, let’s talk about that. If you were to refer to yourself, a tiger mom or…

Anna: As much as I don’t want to, other people tell me I am.

John: Okay. All right.

Anna: I’m sure people say I am. I’m sure my son thinks I am. So, I leave it with that. I don’t self-identify.

John: Okay. Got it. If you were to dream for your son today, what you would love him to become? What goes through your mind and your husband’s mind right now in terms of what you want your son to become?

Anna: It’s interesting because my younger self would have said the usual doctor, lawyer, engineer. And my husband would say whatever he wants to be. So, I think somewhere in the middle is probably where I land now, which is I want him to be a productive member of society. I want to make sure that he is self-sufficient and independent, because I’m not going to be around forever. But I also want him to maintain an intellectual curiosity. So, I think whatever job will give him those things is what I would like him to be.

John: So wonderful. That’s great. Anna, I want to give you the final word. You’ve been more than generous with your time, with your thoughts, with your brilliant expertise or professional skills when it comes to data security and privacy. Any final thoughts for our listeners who are looking to better protect both their families and the organizations they’re with in a very cyber-centric world where the cybercriminals are on the cover of the newspapers and the news every day?

Anna: Yeah. I think for me, the bottom line is don’t be afraid of technology, because you are going to be faced with technology in various aspects of your daily life. It’s better to try to learn it. Don’t be afraid to ask for help. And then, also, use your common sense. Just because you’re in the digital world, it doesn’t mean that that world operates that much differently than real life. Trust your instincts. You know when something doesn’t feel right. You know when you shouldn’t be giving your information to people. And by the way, the default should be, don’t give your information to anybody, over the phone, over email. Banks and other entities are not going to ask you for that information in almost every instance. And if you’re in doubt, use the contact information you have with the various organizations you have a relationship with to find out if the request for information is legitimate. Then, use the [inaudible] provided to you to provide that information.

John: She’s Anna Mercado Clark, a partner, in charge of data security, privacy, and other cybersecurity-related issues at Phillips Lytle. You can find her at www.phillipslytle.com. Anna, thank you for the generosity of your time. Thank you for making the world, not only a better place but a safer place. Thank you for inspiring the next generation of young potential lawyers and professionals, especially women and young ladies who are going to break through glass ceilings like you did, and not be just the smartest person but probably the most prepared person. Thank you for being on the Impact today. I’m so honored and humbled that you joined us.

Anna: Thank you so much for having me, John. And thank you for covering topics that are near and dear to my heart, and I think are not covered nearly enough when these issues are discussed.

John: This edition of the Impact podcast is brought to you by Engage. Engage is a digital booking platform revolutionizing the talent booking industry. With thousands of athletes, celebrities, entrepreneurs, and business leaders, Engage is the go-to spot for booking talent, for speeches, customer experiences, live streams, and much more. For more information on Engage or to book talent today, visit letsengage.com.