As the world digitizes and more and more data moves online, the evolving threat environment has created a critical demand for better security. Thankfully, governments and industry bodies have already begun to set new standards of protection that help ensure the safety of consumer data. HIPAA, GLBA, and PCI DSS have existed as U.S.-based, sector-specific data protection requirements for years, but the sheer amount of sensitive information now being collected has warranted more extensive action by regulators, who have taken it upon themselves to elevate protection standards. As large-scale data breaches began to emerge across the globe, the EU was among the first to act with the enactment of the groundbreaking General Data Protection Regulation (GDPR), and several other countries, as well as states in the U.S., have followed suit with similar standards as recently as last year. As cyberattacks mature and evolve, so too must data protection. Without the appropriate diligence, organizations risk losing their clients' trust, which makes progress difficult and leaves potential new business wary of collaboration.
As more legislation continues to pass, with updates to existing standards releasing weekly in some cases, the privacy landscape can be difficult to maneuver, both in ensuring data protection and remaining compliant with the constantly updating requirements. But as Litmus has demonstrated, a proactive approach and the right partnership can make all the difference.
In 2019, Litmus brought in Schellman to discuss options for compliance assessments, and at that time, talks centered around whether a SOC 2 or an ISO 27001 certification would be more suitable. Eventually, Litmus partnered with Schellman for SOC 2 Readiness, Type 1 SOC 2, and Type 2 SOC 2 examinations before extending their relationship for recurring Type 2 examinations. Throughout their initial collaborations, the teams expanded their discussion to include notable data breaches in the news and what that meant for already complicated privacy concerns, as well as what could help bolster what was already a substantial plan in place for maintaining Litmus customer trust.
“It was within about 18 months of GDPR having gone into effect, and at Litmus, we realized that we could react defensively against all the new regulations and benchmarks for what now constituted a solid security and privacy program, or we could actually go on offense and make this one of our strengths,” says Matt Gore, CTO and Chief Privacy Officer at Litmus. “We decided to lead with this new principle of the business, and that choice has now become a real differentiator for us in our particular market.”
Making privacy a priority required investing substantial resources from the start, including buy-in from leadership, the establishment of a dedicated team entrusted to support such a robust effort, and internal reevaluation of the growing program year after year. “As the evolution of data privacy becomes more focused on the consumer—the end user, the person who is providing the data—there needs to be an appropriate response,” explains Justin Unton, Head of Information Security and Privacy at Litmus. “End user trust is what Litmus is all about. We want to do things the right way.”
Given that the two organizations had already established a working relationship, it made sense for Litmus to return to Schellman when it came time to strengthen their privacy position, especially since the assessor had already proven to be working in good faith. “In our earliest interactions with the Schellman team, we were just looking for some guidance to begin with, and I really appreciated the fact that they did not try to sell us the most expensive service. They actually looked at what we had and offered the best fit. It created this mutual trust between our teams,” says Gore. The straightforward, honest nature of those initial talks provided a solid foundation for the later, more complex discussions about the ambitious goals of the growing privacy program at Litmus.
When those discussions eventually evolved into an actual privacy assessment Litmus needed completed for a specific client, they looked to Schellman first for help. “Litmus reached out to us because they’d already seen the quality of our work, and they had another need,” says Debbie Zaller, Principal and Privacy Practice Leader at Schellman. “Since we were already their auditors elsewhere, it made the most sense to continue down this new path together.” Unton too confirms as much. “I had such a great experience the first go-around with Schellman during the SOC 2, so when I saw that they were also vendors for privacy attestations, it was a no brainer. We’d already worked with Schellman, we knew the quality of the work they produce, and so we knew what to expect going into another agreement with them.”
Once immersed in the new privacy process, the assessor also proved well equipped to help. Despite the proactive investment by Litmus in building their program, privacy remains a complicated mountain to climb in compliance, and the extra guidance Schellman provided in navigating the particulars has made a significant difference so far. “During SOC 2, there’s this process of providing evidence—if there’s no evidence logged, it didn’t happen,” explains Unton. “With privacy, you also have to be able to prove that the actual process of providing evidence is working as it should—that you’re doing what you say you’re doing—and that presents opportunities for new controls and processes here and there.” Schellman fields a broadly experienced team focused entirely on privacy, and that expertise helped elevate Litmus’s approach to the initial, client-specific privacy audit while also deepening the internal team’s knowledge of the requirements.
“Just being able to work with the auditors to help deconstruct and demystify what works and what doesn’t when it comes to privacy is very, very helpful,” says Unton, and Schellman was always ready with answers to any questions that were raised. “We have a depth of experience in assessing organizations against privacy laws worldwide that I believe sets us apart from competitors,” explains Zaller. “Some organizations choose to focus on particular regions or particular laws, or maybe their personnel aren’t solely focused on privacy regulations, but on the other hand, we field a specific team geared toward this particular practice and only this practice. It helps us make sure our people remain well-immersed and up-to-date regarding all the changing standards so that we can provide our clients the most thorough privacy advice and examinations possible.” The partnership between organization and assessor has continued to flourish through these more complex collaborations, and Litmus, now well past the first steps toward steadfast confidence in their privacy protection, credits Schellman for the guidance that got them there.
Moreover, these efforts aren’t just to assure Litmus customers that their data is safe, though that remains priority one; they also benefit the organization itself. “You have to consider the immense responsibility that consumers place on us in giving us their trust, and we take that trust very seriously,” says Gore. “It’s very helpful to have Schellman validate that trust put in us, to give that third-party perspective. Privacy is a different challenge to tackle that requires a different approach—we’re not just answering yet another security questionnaire. I think Schellman coming in to look at everything helps us all sleep better at night because there is an immense amount of responsibility to protect the people you serve well.”
The good news is that the partnership with Schellman and the completed compliance assessments have already paid off. “I can’t understate how important this program is for us. We do business with the Top 10 banks in North America, and you can imagine how important privacy is within those discussions,” explains Gore. “Compliance’s reach is so long into our organization. Our entire direct sales team relies on everything that we produce—everything that comes out of this compliance engagement with Schellman—that’s how important this relationship is to us.”
But it’s not just confidence in data protection either—the recalibrated emphasis on compliance and privacy is also helping to entice new business relationships efficiently and effectively for Litmus. “Being able to say, ‘here is our SOC 2, here is our privacy assessment’ as reassurance, I really do think that helps us close deals,” says Unton. “We get to ‘yes’ or ‘no’ much quicker, without an entire team being involved. It helps us stay very lean, and it also helps our bottom line.”
Moving forward, both firms anticipate their collaboration growing further, with the familiarity between teams and their mutual privacy focus ready to come back into play as Litmus continues to raise the bar. “As we have now gone through several audits and we have a multi-year relationship, we know now that we have a partner we can question freely regarding things where we don’t quite know the answer or the best path forward on something,” says Gore. As Litmus considers expanding their examinations of internal data protection, there are questions to be asked, and discussions with Schellman are currently taking place regarding more varied and more comprehensive privacy assessments. “We are working with them to build a broader program,” confirms Zaller. “Now that we’ve helped them with some initial, client-specific privacy requirements, we are looking to assess them holistically against a larger framework so as to widen their field and help provide further assurances.”
Regardless of how those discussions develop in the end, at present the confidence at Litmus is high, and together with Schellman they will continue to work toward total assurance of end user trust. “Privacy is now a core tenet of what we do, and I feel that our way of following the letters of the law—plus having this third-party confirmation to support us—it really resonates with our customers,” notes Unton. “Having now gone through a privacy process that was very specific to one client, Schellman gave us a lot of good feedback that will help set us up for future success as we progress with the broader program. And when new things come down the line, whether that’s a new privacy law in Brazil, or Virginia, or anywhere in the world, we already have a solid foundation—as things come up, we’ll only need to make minimal changes in order to succeed.”
A commitment to client trust is a key priority of any organization, and in this era of advanced technology, privacy lies at the heart of that trust. Litmus is doing everything possible to protect and reassure their customers while keeping pace with every piece of privacy legislation being passed.