Author of Tomorrow's Jobs Today
Does your business know how to report a #databreach should it occur? Having a partner to help when facing the reporting responsibility could make all the difference when reporting to those affected and all regulatory entities. #dataprotection #dataprivacy #compliance
via Professing Principles of Digital Ethics and Privacy – CPO Magazine
“For me, trust has to be earned. It’s not something that can be demanded or pulled out of a drawer and handed over. And the more government or the business sector shows genuine regard and respect for peoples’ privacy in their actions, as well as in their word and policies, the more that trust will come into being.” Dr. Anita L. Allen
Dr. Anita Allen serves as Vice Provost for Faculty and Henry R. Silverman Professor of Law and Philosophy at the University of Pennsylvania. Dr. Allen is a renowned expert in the areas of privacy, data protection, ethics, bioethics, and higher education, having authored the first casebook on privacy law and has been awarded numerous accolades and fellowships for her work. She earned her JD from Harvard and both her Ph.D. and master’s in philosophy from the University of Michigan. I had the opportunity to speak with her recently about her illustrious career, the origins of American privacy law and her predictions about the information age.
Q: Dr. Allen, a few years ago you spoke to the Aspen Institute and offered a prediction that “our grandchildren will resurrect privacy from a shallow grave just in time to secure the freedom, fairness, democracy, and dignity we all value… a longing for solitude and independence of mind and confidentiality…” Do you still feel that way, and if so, what will be the motivating factors for reclaiming those sacred principles?
A: Yes, I believe that very hopeful prediction will come true because there’s an increasing sense in the general public of the extent to which we have perhaps unwittingly ceded our privacy controls to the corporate sector, and in addition to that, to the government. I think the Facebook problems that had been so much in the news around Cambridge Analytica have made us sensitive and aware of the fact that we are, by simply doing things we enjoy, like communicating with friends on social media, putting our lives in the hands of strangers.
And so, these kinds of disclosures, whether they’re going to be on Facebook or some other social media business, are going to drive the next generation to be more cautious. They’ll be circumspect about how they manage their personal information, leading to, I hope, eventually, a redoubled effort to ensure our laws and policies are respectful of personal privacy.
Q: Perhaps the next generation heeds the wisdom of their elders and avoids the career pitfalls and reputational consequences of exposing too much on the internet?
A: I do think that’s it as well. Your original question was about my prediction that the future would see a restoration of concern about privacy. I believe that, yes, as experience shows the younger generation just what the consequences are of living your life in the public view and there will be a turnaround to some extent. To get people to focus on what they have to lose. It’s not just that you could lose job opportunities. You could lose school admissions. You could lose relationship opportunities and the ability to find the right partner because your reputation is so horrible on social media.
All of those consequences are causing people to be a little more reserved. It may lead to a big turnaround when people finally get enough control over their understanding of those consequences that they activate their political and governmental institutions to do better by them.
Q: While our right to privacy isn’t explicitly stated in the U.S. Constitution, it’s reasonably inferred from the language in the amendments. Yet today, “the right to be forgotten” is an uphill battle. Some bad actors brazenly disregard a “right to be left alone,” as defined by Justice Brandeis in 1890. Is legislation insufficient to protect privacy in the Information Age, or is the fault on the part of law enforcement and the courts?
A: I’ve had the distinct pleasure to follow developments in privacy law pretty carefully for the last 20 years, now approaching 30, and am the author or co-author of numerous textbooks on the right to privacy in the law, and so I’m familiar with the legal landscape. I can say from that familiarity that the measures we have in place right now are not adequate. It’s because the vast majority of our privacy laws were written literally before the internet, and in some cases in the late 1980s or early 1990s or early 2000s as the world was vastly evolving. So yes, we do need to go back and refresh our electronic communications and children’s internet privacy laws. We need to rethink our health privacy laws constantly. And all of our privacy laws need to be updated to reflect existing practices and technologies.
The right to be forgotten, which is a right described today as a new right created by the power of Google, is an old right that goes back to the beginning of privacy law. Even in the early 20th century, people were concerned about whether or not dated, but true information about people could be republished. So, it’s not a new question, but it has a new shape. It would be wonderful if our laws and our common law could be rewritten so that the contemporary versions of old problems, and completely new issues brought on by global technologies, could be rethought in light of current realities.
Read more at Professing Principles of Digital Ethics and Privacy – CPO Magazine
The ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data,”
via Data Governance: How to Tackle 3 Key Issues – BankInfoSecurity
Privacy requirements have changed dramatically as a result of GDPR and CCPA, says Rafael Moscatel, managing director at Compliance and Privacy Partners, a California-based consultancy.
“The ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data,” he says. “That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with.”
Moscatel says organizations need to identify and adopt appropriate privacy best practices.
“A solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfilment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map,” he says. “It’s not just collecting the metadata; it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one.
What’s important to remember here, overall, is that making your privacy plan a key component in your compliance program isn’t just helpful. These days it’s really a strategic imperative. That’s not only because it’s a hot topic or because it’s a growing regulatory requirement, but because it naturally enhances the way our organizations, and specifically our compliance and infosec groups, treat and value ALL of the data they’re responsible for testing and for securing, and in validating and protecting PII, we’re actually adding a layer of assurance that improves both internal operations and the customer experience.
Privacy makes data governance ethical and tangible, and compliance leaders understand that. Today, what we’re going to walk you through is what that awareness and proactive approach look like through the eyes of project leaders during three stages of compliance, prevention, maintenance, and retrospective.
What’s important to remember here, overall, is that making your privacy plan a key component in your compliance program isn’t just helpful. These days it’s really a strategic imperative.
I just want to point out that privacy, conceptually, is, of course, ancient really. People tend to forget that. I mean it has been written into legal codes even before the constitution as a Records and Information Governance community we’ve been dealing with it, from HIPPA to SOX, in one form or another. What’s different today at least in the business world is that the thresholds that trigger compliance these days aren’t industry-specific. Instead, they’re related to annual revenue and the number of data subjects you interact with, so that’s why we see a broader cut of industry’s being looped into these new demands of GDPR and the CCPA.
Privacy leaders have been asked about the volatile regulatory environment and a clear majority of privacy leaders rank keeping pace with the new regulatory landscape as a pretty important factor in their strategy…. Research also that a minority also are not confident that they have a framework for helping them adjust to that change. So, that’s what we’re aiming to address here today in terms of strengthening that IG program so that it helps buttress or even drive your privacy goals.
[Another] insight we’re sharing with you involves metrics. And we all know metrics is the heart and soul of compliance to a large degree. And we see that finding those metrics to measure their programs is somewhat lacking for the majority of those surveyed. And that results in the majority of leaders being unable to effectively report on their program outcomes.
I was recently interviewed for an article on Data Governance & Privacy for a number of periodicals including Info Risk Today on “Data Governance: How to Tackle 3 Key Issues: The Importance of Accountability, Data Inventory, and Automation. Below is the full text of my interview for additional context.
While global privacy regulations like the GDPR and CCPA have greatly impacted contemporary data governance discussions, enterprise projects, and software solutions, we often forget that privacy itself is far from a novel concept and, in fact, one with deep roots in centuries-old ethics and social mores. What’s different now, or even from twenty years back, and what does that mean for data governance today?
The truth is that many companies have had to comply with at least some privacy requirements for decades, but the ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data. That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with. Especially since IT infrastructures and dependencies change quite rapidly. So the question becomes how do we build data governance rules that can keep up with these nuanced laws and demands while still supporting the greater needs of the business? The severity of fines and reputation damage from non-compliance has forced us to sit around the table and try to find the right balance between risk and reward. I think ultimately privacy-by-design as a fundamental aspect of enterprise architecture will bring needed order to some organizations despite handicapping them in the near term.
The second challenge is also privacy related, but in terms of exposure, much more consequential. Data breaches and ransomware have inundated infosec teams and exploiting poor data governance models is routine for hackers. Most breaches obviously originate with end-users, but the protection, encryption, anonymization, etc. of private data sets requires thoughtful and strict data governance to sustain disruption. How do meet that high bar and also provide a seamless customer experience? That’s a work in progress.
We try to spend as much of our time understanding the regulatory environment our client is subject to as much as their risk tolerance. You can always look for a baseline in terms of a particular set of laws, but often a best practice approach makes more sense in the long run. I think a solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfillment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map. This is, to your previous question, a challenge because the stakes are now much higher and teams must now not only support each other’s requirements but go farther in understanding and appreciating the very nature of those rules. It’s not just collecting the metadata, it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one. This is a convergence of law and technology that requires true cross-functional teamwork, where each stakeholder must respect and value the contribution of his or her colleague. It’s just not enough to know your little corner of the universe anymore. At Compliance & Privacy Partners we aim to facilitate discussions that enable that synergy and eventually support change management goals.
As far as privacy goes, and despite its long history as a basic component of ethics and law, most groups still haven’t understood you can’t just throw bodies and technology at something like this. The specialty is too new and the laws are in many cases too vague to leave it up to a project manager, a lawyer, a vendor, and an enterprise architect. I’m seeing a lot of companies try to check off details of regulations without understanding exactly how they fit together. What ends up happening is a whole lot of talk, a whole lot of capital spend and very little result. Companies have to take a step back. The smartest know they need to bring somebody in who can provide an overview and roadmap for their particular challenges and then take next steps. That planning is what’s really going to set up their in-house teams and leaders for long-term success.
From my perspective, it would be to actually value privacy, not just as a consumer yourself, but as a smart business decision. Customers want companies they can trust and who provide solutions that help them solve their problem, but also don’t exploit their data. Do unto others as they say. I think building a culture that can internalize that as a golden rule will be transformative and lead to better data governance across the board.
Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.
The competition for the Information Management 2019 IMT MVP Awards was tight – and congrats are in order to all of our winners! We got to know one of them, a bit better here! Read the winning articles here: http://bit.ly/IMTAwards2019
The 2019 Information Management Today MVP Awards Winners Spotlight from Shelley Trout on Vimeo.
It gives me great pleasure to shout from the digital mountaintop that along with my co-author, Abby Moscatel, Esq., we’ve signed a book deal with John Hunt Publishing to release our book, Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy, and More. The manuscript originated from a series of in-depth interviews we’ve been conducting around the world. The insights that emerged from these conversations were so essential and relevant to workers in the Information Age that we knew we just had to share it with a bigger audience!
This collection of in-depth profiles featuring Smart City CIOs, Data Protection Officers, Blockchain CEO’s, Informatics Doctors and other diverse, skilled professionals gives readers first-hand insight into what tomorrow’s jobs look like today. The hands-on experiences, subject matter expertise, and measured job advice shared within these pages demonstrate how identifying opportunities, setting the right cadence, and building strong relationships are the essential ingredients to unlocking your future’s potential.
This book is for the new graduate, the professional between jobs and the doting parents desperate to get their “brilliant” but lazy kid out of the basement. It’s also for senior corporate leaders seeking an intimate understanding of the changes abounding in their organizations. It’s for the manager who wants to inspire and encourage professional development. And it’s for every knowledge worker out there who wants to leverage technology and information governance to reduce risk, generate revenue, and improve customer experiences.
Sign up for updates on the book below!
In today’s data-driven, fast-changing world, Tomorrow’s Jobs Today gives business leaders a solid overview of many complex technology trends. This book helps surface many of the issues a business leader needs to be aware of and provides food for thought on how they might be navigated as we head into a new decade. –Gregory L. Steinhauer, President, American Life
Information is the currency that fuels and funds the Digital Transformation journey. Tomorrow’s Jobs Today manages to capture a set of leadership perspectives that, while diverse, share an essential characteristic for the future of transformative work: leveraging information as one’s most valuable asset. –Peggy Winton, CEO, Association for Intelligent Information Management AIIM
If you want to stay successful, you have to embrace and adapt to changes. Tomorrow’s Jobs Today shows you how those challenges can be both enlightening and empowering. –Jim Dodson, SVP, Iron Mountain
In a world often seized by ever-accelerating change, Tomorrow’s Jobs Today has brilliantly identified, captured, and recounted liberating insights for success from a broad range of global information governance and technology professionals. There will always be challenges, but for those willing to look, the opportunity is abundant. The Information Age remains an ever-growing frontier awaiting each new wave of pioneers. –Seth Williams, President, MER Conference
This is an empowering and beautifully written book that will surely guide the reader to find a place in this quickly changing Information Age, where they can thrive and contribute to the greater good. –Dr. Angela Bair Schmider, M.S., Ph.D., Massachusetts General Hospital and Harvard Medical School
The authors bring together the voices of leading thinkers, exploring the critical themes that will dominate the years to come. Entertaining interviews reveal the best paths forward for professional development and the impending social, political, and ethical challenges of tomorrow. This is an important book. –Alex Panagides, CEO, mxHero
Tomorrow’s Jobs Today brings together an impressive group of professionals sharing their wisdom and career advice from the cutting edge of technological advancement today. These insights will inevitably bolster your career path, and the combined knowledge of so many brilliant folks in one volume is staggering. I recommend this book for anyone who is pushing or looking to push their organizations into the future. –Nick Inglis, Executive Director of Content & Programming, ARMA International
Stepping away from the mush of data that sometimes arrives through surveys, Tomorrow’s Jobs Today goes straight to the people creating the future world of work. Read this book; go interview a few visionaries yourself; help shape the world to come. –Andy Watson, Head of School, Albuquerque Academy
About John Hunt Publishing – John Hunt’s Business Books “Fresh thinking for the business world,” imprint publishes practical guides and insightful non-fiction for beginners and professionals. Covering aspects from management skills, leadership, and organizational change to positive work environments, career coaching, and self-care for managers, our books are a valuable addition to those working in the world of business.
This year’s conference takes place May 4-6th in Chicago and features Information Governance sessions on Privacy, eDiscovery, Data Remediation, emerging technologies, and operational best practices from the industry’s leading experts, along with the experiences of knowledgeable practitioners.
Tackling data privacy and maintaining consumer trust is harder than ever, especially with the sheer amount of information you need to manage and with constantly evolving privacy laws (CCPA, GDPR, etc) moving the goalposts. The usual checkbox compliance, ad-hoc governance, and reactive information security policies will fail, if they haven’t already, and create too much organizational risk. To achieve a state of consistent compliance and minimize corporate risk you must provide three things to your business: transparent governance, frictionless security, and continuous validation. To provide these things, you must build a strong information governance framework and privacy compliance plan to succeed.
This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvements for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world. There will be ample time for members of the audience to share their thoughts as well. It is time to close any gaps between what is taught at the university level and what is needed in the world of business. More effective preparation of the next generation of IG professionals will benefit all organizations that depend on these practitioners to address the business opportunities and challenges of the future and it will provide more fulfilling careers for those emerging from school into the world of business.
Also, our partners at Ethikos will be coming all the way from Brussels to present on GDPR.
The GDPR will celebrate its second anniversary on 25 May 2020 – a good time for US companies impacted by this regulation to understand what they should expect in the coming months. In this presentation, Legal professionals working in Europe will discuss how the GDPR has been enforced so far in Europe, what the regulators’ future direction might be, and the key areas US organizations will need to focus on in the coming months. Is there a higher risk of enforcement on the horizon? What is the level of privacy awareness among Internet users, consumers and individuals in Europe? Should US organizations that collect and process personal data of EU data subjects be worried about these regulatory trends?
“California Consumer Privacy Act – Now What Do We Do?”
Register here: https://zoom.us/webinar/register/WN_inuTshVvT9SAQ_XGa
Learn: Why data protection and privacy are important to my business What to do in case of a data breach Preparation for a cyber-attack Preparation for CCPA Preparation for PII/PHI breach response
When: Wednesday, Jan. 22, 2020 Time: 10 a.m. PST/1 p.m. EST
The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.
The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.
The Commission voted 5-0 to extend the comment deadline until December 11, 2019.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.
The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.
In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.
The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.
The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.
The Commission voted 5-0 to issue the Opinion and Final Order.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.
The Federal Trade Commission has reached settlements with four companies that allegedly misrepresented their participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States. The FTC also alleged that two of the companies failed to comply with Privacy Shield requirements.
In separate actions, the FTC settled Privacy Shield cases against:
In addition to allegations that each company falsely claimed to participate in the EU-U.S. Privacy Shield framework, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.
In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.
“The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.”
The Department of Commerce administers both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, while the FTC enforces the promises companies make when joining the programs. With today’s announcement, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016.
Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. As part of their settlements, Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or return or delete the information.
The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the four companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.
