A Rising Attorney’s Career in Data Protection

Episode Notes

Transcript

Montana Funk:

This is Young Lawyer Rising from the ABA Young Lawyers Division and Legal Talk Network. Welcome back listeners. This is your host, Montana Funk. Today I am joined by Lexi Lutz. Lexi is senior corporate counsel at Nordstrom where she advises on privacy, cybersecurity and AI from a legal perspective. She’s also a published author and passionate about educating seniors on navigating today’s online environment. Thank you so much for listening, and I hope you enjoy our show. Lexie, good morning.

Lexi Lutz:

Good morning, Montana. How are you?

Montana Funk:

I am good. I appreciate you joining me today. And before we jumped on, I want to let the listeners know it is Friday the 13th. So we were talking about some technology issues, which I think is kind of funny. Today we’re going to be talking about technology, cybersecurity and things like that. So it was just ironic that of course this morning you were so good to bear with me, but of course I had technology issues.

Lexi Lutz:

So happy to be here. Thank you for having me. I’m really excited for our conversation.

Montana Funk:

Yes, me too. So that was kind of a little hint at what we’re going to be talking about today, but I want to jump right into it and I think it’s important before asking the specifics that you let our listeners know what your current role is and why that’s important to today’s episode.

Lexi Lutz:

Absolutely. Currently I am senior corporate counsel at Nordstrom, and my specific focus is privacy, cybersecurity and artificial intelligence from a legal perspective, essentially anything that has to do with data or security, very technology focused, but also kind of deal cross-functionally with all the different departments within the company, all kind of rowing in the same direction towards compliance and excellence in customer service, not only from the retail side, but also from data governance and privacy side. And then of course with ai, the evolution of AI legally and now we have domestic laws related to ai. I have been deputized to also advise on that From a legal perspective,

Montana Funk:

Were you always interested in doing stuff like this or is it something that you kind of found as you were starting your career?

Lexi Lutz:

Yes. If you would’ve asked me six years ago if my career journey would take me to a role that 100% focuses on privacy and cybersecurity and ai, I would not have believed you. Actually, when I was graduating from law school, my primary focus was employment and business and a little bit of ip. And so I started at a law firm, a very small firm doing a lot of IP work and some business litigation, which was great experience. But as soon as the opportunity presented itself to go, I actually switched to in-house about a year after being at the law firm and focused on exclusively employment, which was great. That’s kind of exactly what I wanted to do coming out of law school. And so I had the opportunity to do that. There were a little bit of privacy implications there of course, because employee data is extremely sensitive and so dealing with a little bit of privacy there.

But then I switched into a more generalist role for five years, worked for a hotel company, and that was around the time that the first US state privacy law became effective and obviously in California. And I raised my hand to help out with compliance with that and to my surprise, fell in love with privacy. So five years later found myself in having the opportunity with Nordstrom, which is where I am now. I have been for almost a year and a half now, and knew that I wanted a role that kind of focused more on privacy just because it is such a evolving area of the law. So it’s pretty much impossible to try to keep up with while being a generalist and wanting to provide quality legal advice on it. So I was very thrilled to have the opportunity with Nordstrom, but I think if it wasn’t for me having that experience in employment and then also being more of a generalist, I don’t think I would’ve ever had the exposure that I had to privacy that led me to my current role.

Montana Funk:

And something that I think it’s important to just kind of lay out, and this might be a silly question for someone who practices in this area, but can you just describe to the listeners who might be questioning what exactly does a privacy law govern or what exactly are state privacy laws? Just in a simple way to put it, what does that mean?

Lexi Lutz:

Yes, absolutely. That’s a completely great question. A lot of people are like, oh yeah, privacy, I’ve heard of it, but what exactly do you do? Yeah, so from an in-house perspective, privacy attorney, essentially, a big part of my job honestly, is keeping up with the regulations that are coming out right now. There are 19 comprehensive state privacy laws, and then of course there are also international laws like the GDPR. My focus is more domestic, so there are 19 state privacy laws, 20 if you include the Florida Digital Bill of Rights, which arguably is not necessarily a comprehensive state privacy law, but some people may argue that it is so 19 to 20, which we’re creeping up on. Almost half the states have passed comprehensive state privacy legislation, and every time a legislative session is active, if they don’t already have one passed there, there are drafts being circulated, there are red lines, and the legislatures are, they know that this is an issue that consumers really care about in the residents of their states.

And so they do want to make sure that they at least have something that’s going back and forth and eventually hopefully being passed. So keeping up with just all of the legislation is a big part of it. And then on top of that, there’s AI legislation that has already been passed in Colorado and all the other states are kind of racing to be the next one to pass an AI bill. And then in addition to that, just there’s a lot of focus on contracting. So Nordstrom handles a ton of data from customers, employees, contractors, and even confidential company information as well. And so all of that data is, data’s a commodity now, so that’s extremely valuable to us. We want to make sure that that is kept safe, that it’s kept secure, and that we are handling it in the proper way, not only legally of course, we want to comply with the law, but also just from a Nordstrom customer service perspective, how would our customers want us to be treating their data?

So of course, we do have the legal compliance side of it, but we also have, if we’re going to handle a customer’s data in a way that coincides with the way that Nordstrom’s treat customers, what does that look like? The Nordstrom specific way, which I’m hoping that the listeners know that Nordstrom is extremely focused on customer excellence and service, so we definitely want to make sure that that coincides with how we handle data. So there’s that piece of it. And then drafting and reviewing privacy policies, terms of service, any consent kind of disclaimers and disclosures, and then data breach response. If we get a notification from a vendor of a potential breach or God forbid there’s a potential breach to our systems handling data breaches and notification requirements as well as mitigation strategies for that. And then training and education. So ensuring that all of the individuals within the company handling data understand what they need to do best practices for protecting the data and ensuring that there’s full transparency for customers and employees regarding how we’re handling their data.

Montana Funk:

So obviously there’s a lot there, right? There’s a lot to unpack when it comes to privacy law. It’s not just as simple saying, oh, this is dealing with cybersecurity or ai, right? It’s dealing with data in all different forms. And I want to talk specifically going into the legal realm of it and how it impacts litigation and law firms. So let’s take a quick break then when we come back, let’s dive into that aspect.

So before the break, you kind of gave an intro to our listeners about what exactly privacy law is, all the areas it covers. And I think obviously with this podcast for young lawyers, it’s really important that they understand what rules they have as an attorney in different firms within terms of data and people’s information. Because obviously every day, no matter what firm you’re at, if it’s private, if you work for the government, you’re going to be dealing with sensitive information. So is there, I guess a certain conversation or something that young lawyers should be looking out for when they’re in their career about what does it look like to make sure that we are protecting clients’ interests, our interests, as well as how can the firm as a whole make sure that they are acting in a way that isn’t going to open them up to liability or litigation, let’s say?

Lexi Lutz:

Absolutely, yes. So I think when it comes to protecting data, just if you’re not necessarily focusing on privacy law, but if you’re just looking at it holistically from a firm perspective or a company perspective, probably the most simple explanation I can give to any young lawyer who is involved in that process would first of all understand what kind of data you have in the first place. I’m not going to lie, my first six months at Nordstrom, I felt like half my job was just trying to figure out what data do we have, where is it stored, who has access to it? And then so what data do you have? How is it being processed? Would be the second step? Is it going to vendors? If it’s going to vendors, in what way is it going to vendors or any type of third party, whether that is if you’re going to a law firm or if it’s going to a platform that is a technology platform that you’re utilizing.

And then if they’re putting it through generative ai, then that’s a whole different step. But let’s just say first of all, understand where your data is, understand where it is, how it’s being processed, understand who has access to it, so both internally and externally, who has access to it. And then step four would be, what is the purpose? If you are collecting a full name and address, a phone number, email address, birthdate, social security number, what is the purpose for all of that information? Do you really need the birthdate and social security number? Do you really need the full address? Maybe you just need the zip code if you’re trying to aggregate the data and do some type of analysis on individuals in a specific area. So I think understanding the purpose and then minimizing the data usage to that purpose is going to be extremely important because that is definitely one of the things that the FTC will look at if you get a complaint filed against you or any attorney general, really under any of the 19 privacy laws that have been passed, and then several of those which are already in effect.

So I think data minimization is really important and that goes to the purpose. And then step five would just be transparency. So making sure that the consumers or employees or really anyone whose data that you have understands how you’re using it, what data they have, what’s being processed, who it’s going to, who has access to it, and then the purpose for that. And then from a consumer perspective, if you’re telling me that you are using it for this specific purpose and that you are specifically minimizing it, the use of my data for specifically only this purpose, then that makes me feel better. But I think there is a difference between companies or law firms telling people that, Hey, we are minimizing the usage of your data versus actually minimizing it. So just make sure that whatever you are saying in your policies, especially external facing policies, are actually true to your practice.

Montana Funk:

No, that makes sense. And I guess kind of tying into this in some roles, so specifically I can think of in my role right now, I do criminal defense, we have documents that need to have all that information on it. If it’s in a police report, there’s going to be addresses, phone numbers, stuff like that. So is there a ethical duty that us as lawyers have to our clients when it comes to having situations where there is going to be a substantial amount of data like that?

Lexi Lutz:

Yes. Yeah, I think the duty of confidentiality definitely comes into play here when it comes to ensuring that the data is kept safe. Of course, there’s also all the state laws have exceptions to disclose information and compliance with the law or in response to litigation or subpoena. So you would be protected by the law in that way, in your case, Montana of the criminal defense and having to ensure that all the information that the law enforcement is requesting that they actually receive it. But yeah, I do think that from, if we are looking at the ethical rules that lawyers must abide by the duty of confidentiality, honestly the duty of competence as well, because if your lawyer is not aware of the laws that they have to abide by from a privacy perspective, then arguably that would be a breach of the duty of competence for ethical violations. But I think those would probably be the two main ones that lawyers would want to be aware of and that they would be held accountable for when it comes to disclosing client data.

Montana Funk:

And that makes complete sense with especially confidentiality like you said. And same with competence, just I think that kind of ties into what you were saying about having those conversations with people where their data’s going to be used because if you’re able to be upfront with them and say, Hey, look, we have this data, it’s necessary for this case or it’s going to be used in this way, then that also kind of ties in to that competency and being able to trust in your attorney. So I’m wondering from your perspective, have you seen any ongoing actions or maybe anything that lawyers make or mistakes that they make that increase their risk of having a breach or this data leaked? And this is an example, I don’t have anyone specific in mind, but let’s say people are using their work laptops and then sending information to their private email and then working on their home laptop. Is there something that you see that’s like, okay, this is actually quite a simple fix that lawyers don’t realize they’re doing that could expose them to a breach or leaking this data?

Lexi Lutz:

Yes, I think that a hundred percent. As far as the work versus personal computer, I think it’s really important to make sure that those are each siloed for use work for work use, personal for personal. And then when you are using your work computer, I would certainly try to avoid as much as possible using any public networks. Most smartphones and cellular services have hotspot services, and so that’s something you can utilize if you are sitting in a Starbucks but you’re trying to get work done on your work computer, that’s something that you would want to consider. And if you’re worried about the cost of it, I think you could definitely try to ask, that’s something that your work would reimburse you for because you would probably be using the hotspot for a fair amount of time if you’re trying to get worked on it. So I definitely would recommend using a secure wifi connection anytime you’re using your work computer and frankly your personal computer as well.

But I think especially for lawyers, if you’re doing client work on your computer using a secure network and then also ensuring that any emails you send that has information related to your client are encrypted. And some people say, what does that mean? Most of the emails that you send through Outlook are through Microsoft automatically encrypted. So I wouldn’t worry about that, at least if it’s through a work network. But you should definitely check with your, don’t take my word on that, I just know that’s how it is for my work computer. But if you are not sure, then certainly check your work policies regarding encryption of emails. I’ve worked at places where you have to type in the subject line before you send the email encrypt, so certainly check. But I do know that there are mechanisms where work computers can be made automatic if you’re sending something through Outlook, but definitely double check on that.

And then if you’re sending something through Gmail from a work computer or personal and it contains personal information or confidential data, I would just check your settings to make sure that you understand how to encrypt it. And basically what encryption does just from a very high level is it takes the information that you are sending, it makes it only visible to the recipient. And if there were to be a hacker to get into that information, actually it would be nonsensical. They wouldn’t be able to read it. So that’s the purpose of encryption. Some people have probably heard that term but don’t actually know what it means, but just kind of explaining it as though you are a second grader, that’s the best way that I know how to explain that.

Montana Funk:

I think that you explained that perfectly and something that you had said kind of triggered a follow-up question that I have. And I’m sure listeners are also wondering, a lot of our work is on the go and okay, I’m in between meetings, but I have to send this email or I have to respond to this person on teams. And a lot of the time that’s being done on people’s cell phones, and it might be that you have a cell phone that you use personally, but it’s also used for work. So is there, even if it’s a small tip that you can provide to those attorneys who are on here saying, oh man, I have my personal phone, but I also use my work email on there, and how can I be sure that that’s protected if I’m just using, I’m out there and I’m on LTE or 3G or something, how can they protect that from potentially an attack when they have to do it on the go or something?

Lexi Lutz:

That’s a great question. I think that back to the trying to make sure you are in a secure wifi network, and I know sometimes that’s not possible, but if you cannot connect to a secure wifi network and you do have to get an email out, I think at least make sure it’s a legitimate network. So I mean, I use Starbucks as an example earlier and I’ve actually read their terms and I’ve had to sometimes send, not in this role, but other roles, a quick email on the go from a Starbucks wifi. And I think generally they’re secure. I’m not, definitely not condoning to send a bunch of work emails from a Starbucks wifi network, but I think to the extent that you can go to some type of legitimate company where they have a reputation for at least taking care of their customers, and they do have higher standards when it comes to data security and privacy, and I think probably don’t use this as your default, but if it’s kind of an urgent situation and it’s on the go, generally if it’s a larger company like a Starbucks or a Walmart or a McDonald’s, generally you can count on them having secure wifi as secure as a public network can get, right?

So I think just try to do it from a legitimate wifi network. If you can’t get to a secure one or if your phone can just send on a cellular network, then that’s ideal too. And then also if you have an apple cell phone, there is, I’m sure everyone has seen within the past year or so, apple has had to ask and their apps within the phone have had to ask things like, will you allow us to track your usage? Which is kind of like the equivalent of a cookie banner on a phone. And so my default is ask not to track. I know that they make it. I think the first option is allow to track, which most people probably check because it’s the most obvious one and they’re just trying to download this app or trying to use the app and they don’t care to read 15 page policy on that.

But I think if you can default to ask not to track and then that way they’re not tracking all of your activity throughout all of your apps and websites that you visit and usage of your phone, I think that can definitely reduce the probability of someone trying to get the data that you are sending on your phone. And then also just general settings on your location. I think that a lot of apps probably have your location and you don’t even know that they do. And I understand some apps like Uber, you usually have to have your location turned on at least while you’re using the app at the very least. But I think just make sure that you understand which apps you actually need to use location data for, and then apps that you don’t need location data for because that location data is actually becoming more and more valuable.

And frankly, there aren’t a ton of laws right now to protect that type of data. So I think just trying to turn that off where you don’t really need it. And I know some people don’t care. They’re like, oh, well if Pizza Hut knows where I am, it doesn’t really matter. But I think just generally speaking, the more data that’s out there about you, probably the more dangerous that’s going to be in the long run, even though even if you can’t see kind of the short term implications. And when I was younger, my mom used to always be like, well, don’t put this on the internet. We kind of grew up in an era where we just put things, the internet because it was new, it was fun, it was a way for us to connect and didn’t really understand the long-term implications. And now I completely agree with my mom on that because there’s all this data about, especially millennials growing up in the Tom from MySpace days, and all of our information is just kind of out there and there’s not a lot to protect it. So I think the more that you can reduce the amount of information that third parties have about you, the better.

Montana Funk:

I think that’s a good point too, because almost every app, I feel like even you open it up and the first thing that pops up is would you share your location with, let’s say it’s Snapchat or even random ones that you wouldn’t think need it, and then it’s always the second or third option that’s like allow only while using or don’t allow. And you have to be consciously thinking about that when you’re looking at it because it is so easy, especially now when social media is a major thing amongst the generations to just be like, yeah, allow, I want to get to my messages or I want to see the newest post. So just stuff as simple as that I think is really helpful for our listeners to be aware of. And I appreciate you kind of going through those things with us. I think it’s something that we can oversee pretty easily, not even just in our career, but just every day generally. So I think that’s super important. And I want to take one more break, but when we come back, I do want to touch briefly on AI because obviously that has been taking off recently as well.

So AI has been something that has been around I feel like for a while, but hasn’t really been at the forefront until honestly I feel like the last year. And I could be naive in thinking that, but can you explain to our listeners or maybe personally, have you seen AI either benefit firms and benefit law practice or specific harms and how you balance the pros and the cons of using something like ai?

Lexi Lutz:

Yes, great question, Montana. So yeah, to your point, AI isn’t anything that’s new. It definitely picked up a lot of press in November, 2022, I believe it was when OpenAI released chat GPT, and that was pretty groundbreaking because it was a chat bot that was much smarter than any chat bot any of us have ever encountered in the past. I think the first chat bot I’ve ever encountered was on a IM, it was Smarter Child. I don’t know if you ever chatted with Smarter Child, but I remember being, I don’t know, probably 13 or 14 on a IM and being so impressed with Smarter Child being able to respond to me right away and no answers to questions and have some comebacks. And then obviously there have been chat bots on, if you go on pretty much any website that is customer service oriented these days we’ll have at least a chat bot that you can begin kind of asking questions. And that’s of course impressive. But ChatGPT really took it to a whole new level, which is why AI is now, and honestly since November, 2022 has been this explosive cutting edge topic that now of course has prompted legislation but also a lot of innovation.

It’s definitely a double-edged sword, and I feel like we’re still in the infancy of it and we’re still trying to figure out exactly how it’s going to fit into our everyday life, both personally and professionally. So from a legal perspective, I think lawyers can definitely benefit from ai. I think there was a little bit of a scare at the beginning where lawyers thought they might be replaced, like, oh no, this thing can draft a complaint or it can draft an answer, motion to dismiss. If I just put in kind of, here are the documents that we have and here are the exhibits we have, and then they can essentially just draft a motion or whatever you want to file with the court. I’m sure as everyone knows by now, chat, GBT is not going to replace lawyers. If anything, I think it will allow us to focus on really the more human aspects of the job and frankly the more intellectual aspects, which if you’re a lawyer, I am hoping that part of your pursuit of the journey of the practice of law is kind of the intellectual challenge of it.

So I think it definitely provides, and we only have so many hours of the day and a lot of the intellectual thinking and critical thinking and attention to detail takes much longer than a lot of the things that people are talking about that Chat GPT or insert name of AI tool here can help us with. So I think from a law firm or in-house perspective, it’s definitely a beneficial tool as far as efficiency. It can help. I kind of see it as a one L or two L intern to help out with the kind of initial drafting of something or summarizing or, Hey, here’s this document, can you pull out important dates that I should be aware of? And then kind of spitting those out within seconds, which I would never be able to do. But of course you got to take everything that they do with a grain of salt.

Not saying that one Ls are two Ls aren’t smart enough to do that accurately, but you still have to double check their work. So yeah, just ensuring that it has correct sites to the resources. I’m sure everyone here knows that the AI tools do tend to hallucinate, so you just want to make sure that you’re fully aware of that. And then if you’re working on an area of law that’s constantly evolving, I do, I mean frankly, you can’t really trust it, but if it’s an area of law that has been around for decades, then it’s probably going to have more information and therefore be more reliable. But again, trust but verify in really anything you’re using it for.

Montana Funk:

It’s funny that you mentioned how just earlier in the early two thousands, I remember when I would be on MSN and then you would, right, you’d have Smarter Child and you could use it on FSN, and I remember messaging it if no one’s on right, and I’m like, how are you today? Literally just no reason except for wanting something to interact with and thinking it was so cool. So that kind of unlocked a childhood memory for me. But I think something too that a lot of people probably listening don’t realize, and I definitely also didn’t think of it this way, chat, GPT really took off saying, Hey, this is what AI is, how crazy is this? But really we had Siri, Alexa, those are all things before that. I think a lot of people don’t realize like, Hey, actually AI’s been around for a while and everything we say, right?

You’ll have times where you’ll talking to someone at home and then Siri will pop up and be like, Hmm, I didn’t get that. And it’s like, whoa, what? You’re listening to me. So I think like you said, it’s so helpful and it can be such a helpful tool. I personally haven’t used it a ton because I do kind of am someone who wants to check, verify all of that stuff. But it is also so easy, I feel like for people to leak stuff unintentionally or become a victim of a scam or of something where it’s not only necessarily ai, but just anything technology wise. So have you seen a shift maybe in the last couple of years as technology continues to take off where people are becoming more victims to certain scams, and what are those that people need to be looking out for?

Lexi Lutz:

Yes. So I know that certainly from a cybersecurity perspective, the evolution of AI is definitely concerning in that community just because it’s new resources available to people who aren’t using the AI tool as a one L or two L intern. They’re using it as an evil intern in the basement of a foreign country funded by a foreign actor, a state actor to say, what are the ways in which we can utilize this for evil, not good? And I think one example of that is phishing. So a lot of us know phishing is where you receive an email, which on its face may look legitimate, but as you read it and get more detailed analysis of it, you realize very quickly that it is a scam. It is someone trying to get you to click on a link so that they have access to your data or your computer or the ability to get into your account, whether that is a personal email account, financial account, social media account, what have you.

And I know that the trainings in the past, we’ll call it pre-chat, GPT days, one of the criteria for identifying a phishing email was, well, there would be typos or the logo is a little bit off. Maybe if it’s for Bank of America, it shows the flag, but the blue is on the opposite side as the real logo, or it comes from an email address that is one letter off. It’s like bank of americas.com. And a lot of times, like I said, it comes from foreign actors and typically funded by the state, but typically not. English isn’t their first language. So it was pretty easy to spot these kind of typos or inconsistencies with the brand. Now there are tools where these bad actors can now say, Hey, replicate an email from Bank of America and make it sound like Bank of America would sound speaking to a customer requiring urgent attention to their account and that they need to enter their financial information within the next 24 hours, otherwise something terrible is going to happen to their account or it’ll be closed or canceled or it’ll affect their credit, what have you.

So that is pretty terrifying if you think about it. I actually, I heard, because I do as a passion project, which I think we’ll get into later, this education for senior citizens on privacy, and one of them was telling me about a scam where it was, it was a legitimate email from the actual bank. There were no typos. It was right on point. They compared it with another email that they had received and it was essentially identical. They couldn’t find any difference but was a scam when they went and called the bank. So that’s pretty terrifying that they can, it’s no longer, oh, can you point out the six typos in this email? It can be real. It can look extremely legitimate. So while AI has a ton of benefits, obviously there are unfortunately bad people using it to their own benefit, which means we have to be on much, much higher alert and much more skeptical about the emails we receive and ways that we can potentially be scammed.

Montana Funk:

Absolutely. And I think a benefit to our jobs is that we are kind of trained to look out for these things. And I have clients who will tell me, oh, I have a voicemail that was telling me that the IRS is after me, and if I don’t call this number back and respond to them with my social security, then they’re going to come after me for millions of dollars. And I try to remind people, if it’s an actually big issue, one verify with the company, you’re typically not going to get a voicemail. You’re not going to get a text that says, click this link, you missed jury duty, and sheriffs are looking for you to arrest you. So we’re able to catch onto those things. But the reality is a lot of vulnerable populations who don’t notice that stuff and wouldn’t necessarily be able to catch on, or like you said, there are scams that are actually really smart and they look really real. So can you tell those people who are listening or maybe they know someone who got scammed, what simple things they should look out for. And then kind of talk to me a little bit about this Privacy for Seniors project that you also have, because I know that you work to kind of help prevent some of these things from happening in seniors because unfortunately, reality is that a lot of seniors are vulnerable and they do get taken advantage of.

Lexi Lutz:

Absolutely. So from a just general knowledge perspective, especially with now the prevalence of AI and hackers having access to it, I think probably the best piece of advice that I can give to the listeners is just to always be skeptical. Montana, you’re completely right. We are trained to be skeptical as lawyers. That’s why we’re so much fun. But in all seriousness, yeah, you’re completely right. If something was a serious issue, if you owe some type of payment or if you a warrant is out for your arrest, the real people will find you. Don’t worry about that. And it usually won’t be through email. It usually won’t be through a voicemail. It typically would be through certified mail, or if it is a phone call, you would want to hang up and call back the actual number of the entity that’s trying to reach you, whether that is a district court or a state court or police department.

I think that would be the best kind of case scenario. But usually I think certified mail would be how they would try to collect a debt or act on a warrant or something like that. But you probably know more about that than I do Montana, but, and I think always be skeptical, and if there is something that if you think it seems fishy, it’s probably fishy. A lot of people do get scared because they don’t have the training that we do or have seen the war stories that we’ve seen and heard, whether it’s through our own experiences or through others they have shared with us. But yeah, I think individuals who aren’t used to it definitely can get scared. And there is a little bit of, oh no, did I do something wrong? It’s like when a police officer’s driving behind you and their lights aren’t on, but you’re like, oh, no, did I exactly. Was I going a mile over the speed limit? Are my tags expired? I feel like I’m doing something wrong.

But usually if it seems fishy, it’s probably going to be fishy. Like I said, the people who need to find you will find you in a legitimate way and usually you’ll know. And then as far as the Privacy for Seniors program, yes, I’m very excited. I’ve thought about this for some time now. My grandmother used to live in an assisted living facility here in Charlotte, and she would come to me with, oh, I received this phone call. I received this weird email. And I’d say, yeah, grandma, no. Did you talk to someone that works on staff there? I’m sure they probably told you that that’s a scam. Do not give them your information. And she was a little timid. She didn’t like to ask others for help. She was also fiercely independent in her mind. And so she was a little bit timid to reach out to other people, but luckily she would bring this to me.

And so then I was thinking about it, and I had the idea years ago of putting something together like this, especially once I got pretty immersed with privacy as part of my practice. And this year I finally acted on it. And so since March, I have done approximately 12 presentations to just senior communities within right now locally within Charlotte, North Carolina. But I am hoping to try to scale the project a little bit. It’s still in its infancy. So again, I’ve only done kind of a handful of presentations, but if I won the lottery tomorrow, I would love to just do this full time because I just get so much joy and fulfillment out of it. And I have found that the senior citizens do find a lot of value in the information. And it’s nothing that you have to be a privacy expert or attorney or cybersecurity or anything like that.

It’s really just basic knowledge that we as young lawyers, or even if you’re not a young lawyer, but you have really any familiarity with the digital environment, you probably already know. And so I’ve put together a very basic high level presentation meant to be no longer than 30 minutes for senior citizens to explain, Hey, here’s what a cookie is, or here’s why your phone is asking whether it can track across all apps. A lot of people don’t, even if you’re not familiar with the digital environment, you don’t even know what any of that means. And so how would you know to respond if you don’t understand A, why it’s appearing on my phone? And then B, what the implications of that are once I respond? And so a lot of people have people that the senior citizens have folks that care for them and want to help them, but maybe they just haven’t talked about it.

Or maybe they think that the senior citizens can talk to the staff that work at their community and they can help them. And I do think it is important because people are like, why don’t you just put this on a recording and then share it with the senior citizens? Well, with this demographic, they really do value the face-to-face in person education and honestly, probably get much more of a benefit out of it because that’s how they grew up learning. They didn’t grow up staring at a screen like many of us and the younger generations after us have grown up. And so just having someone come in for 30 minutes, give them very basic education on how to navigate the digital environment and then as well as scams that are there and how they can protect themselves and their information and their assets, it can literally change lives.

There’s been so much in the news that I’ve seen within the past few months about senior citizens who have been scammed out of their entire retirement fund because they were lonely and someone on social media pegged them and said, oh, this person’s old and they seem lonely. They don’t have a lot of family, so I’m going to go ahead and pretend that I am some young woman and scam them. So yeah, one man I believe got scammed out of $750,000 on, there’s a Wall Street Journal article a couple months ago, and then people have sent these to me as they’ve heard kind of what I’m doing. And so it’s pretty heartbreaking. It’s devastating. Luckily there are ways that also you can educate the seniors. And then I’m also doing a presentation in Atlanta. I was on a different podcast and I, Justin Daniels, who’s a shareholder at Baker Donaldson, was one of the hosts.

And he, after the podcast offered to connect me with not only his law firm, but also, which is amazing, but also the US Secret Service. And so now doing next month a presentation at a senior living community in Atlanta along with the secret service that field agent is going to fill them in on. If something does happen, here’s how we can help you. But in the meantime, here’s how to protect yourself. And then I’m also excited just to hear the Secret Service agent stories. I bet he has some great stories, but so for any young lawyer who, even if you’re not privacy attorney, but if you are passionate about helping senior citizens with these types of issues and protecting themselves and their assets, please reach out to me. I can share my materials. I can tell you very simply how to reach out to these senior communities because a lot of times you reach out and they’re so shocked that you just want to do this out of the goodness of your heart. A lot of them are like, what’s the catch here? What are you trying to sell? And the answer is nothing. So I would be happy to share those materials and information with anyone who reaches out.

Montana Funk:

Well, I think that’s awesome, even that you’re doing that initiative and then also willing to share it because I think, like you had said, you can send people information or pamphlets or an email with watch this video, but especially for populations who are older, it’s not as easy to grasp as having someone in person showing you actually demonstrating it. It’s hard, it’s concrete. So I think that that is important. I know that I’m in Montana, and that could be something that’s already happened, but I haven’t heard a lot about it in my practice. I think it is important that we’re spreading these messages to try to protect people, protect not only elders, but just all vulnerable populations from these types of attacks, and just make them feel better too and give them some added independence to say, okay, now I’ve learned about this and I can take it on my own myself and I won’t succumb as a victim to this. So I think that’s an awesome initiative. And I want to make sure before we wrap this up, if you can just tell our listeners any other ways either that they can make sure that they’re helping other populations, like you said, with elders or protecting themselves, just one piece of advice you can give our listeners to help prevent issues with cyber attacks in the future, help them protect data, just anything. It’s kind of an open door for if you could leave one last final piece of advice.

Lexi Lutz:

Yes. So I think that a piece of advice that I received once and that has stuck with me and I do share it with other people is it has to do with passwords because passwords are always annoying. I know at work we’re expected to change our password. I am pretty sure it’s like once a month or once every other month, and it’s just like, oh, I have to think of something else. And it’s definitely annoying, but especially with the prevalence now of AI and people being able to find information about you and potentially guess your password hackers are getting smarter and smarter at that kind of stuff. I think passwords actually are a big deal. And luckily now a lot of organizations have multi-factor authentication where they have to send you a text, especially before you sign in from a new device to a bank account or health information, things like that.

But I still think passwords are, they definitely annoy people, especially when you have to change them often within your business or your company you work for. But I do think it is important, a, to even change your personal password pretty frequently. I would say if you can change it once a quarter, that probably should be sufficient. And as far as what you should put is your password. One of the best pieces of advice that I’ve received and that I think is pretty easy to share is instead of just having a word and some numbers and characters, if there’s a phrase that you can remember, or even if it’s just three to four words that you can remember, that can make such a world of a difference. Because like I said, these days, hackers have these tools and they can pretty much find any information that’s out there about you and try to guess your password or put it into an AI tool that will send them literally tens of thousands of results and then automatically try to input it and just get your information and try to guess it in that way.

And frankly, that’s terrifying. And unfortunately, I have heard stories where hackers have been successful with that. So if there’s a phrase that you can remember versus a word and then numbers, it can make such a difference. So an example that I’m going to try not to share any of my passwords, but an example would be instead of just let’s say oranges, 3, 2, 1, exclamation, say, oranges are sweet, something that, it doesn’t even have to be a full sentence, but just three to four words or a phrase maybe that you use or that you just think of in your head that’s easy to remember can make a world of a difference and make it that much harder for hackers to get in. So it sounds kind of silly to talk about passwords in 2024, especially with all of the technology that we have access to, but they are still a big deal. And even though we have face ID and all that, you just still want to make sure that you’re keeping your accounts secure because passwords really are still very vulnerable aspects that hackers utilize to their advantage.

Montana Funk:

That’s a great piece of advice. You’ve inspired me to go change some of my passwords for sure, because I know it’s easy to do just like one or two or three that you rotate, right? Like, oh, that’s what I remember. But you’re not wrong that it is easy to hack, and especially when a hacker gets a hold of one, they can typically find out lot of other information about you. So that’s a great piece of advice. Sorry, I want to round this episode out, but lastly, before we go, I want you to tell our listeners where they can find you sled, if they do have any follow-up, want to get involved in the Privacy for Seniors Project, where can they contact you?

Lexi Lutz:

Yes, you can find me on LinkedIn. Just search Alexandria Lutz, LUTZ, or Lexi Lutz. And I’d be happy to connect with y’all. And if anyone wants to get information on the Privacy for Seniors Project, would definitely love to have other individuals help, especially because there’s only one of me. And so we’re trying to scale it. And luckily we have some things in the works, but anyone who wants to be involved in that, I would love to connect with you.

Montana Funk:

Well, thank you Lexi, so much for joining me today. You have offered so much information, so much valuable advice, stuff that’s really going to help people going forward, so I appreciate it so much, and I hope you have a great rest of your Friday the 13th.

Lexi Lutz:

Yes, thank you, Montana. Happy Friday the 13th.

Montana Funk:

Well, listeners, that is our show. Thank you as always for tuning in. And if you like what you heard today, please recommend us to a friend. We can be found anywhere that you listen to podcasts, and I hope you enjoyed our discussion. Until next time, I’m your host, Montana Funk, and you’ve been listening to Young Lawyer Rising, brought to you by the ABA Young Lawyers Division and the audio professionals at Legal Talk Network.