Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders

Earlier this month I had the honor and privilege of speaking at the MERv conference with Dr. Gregory S. Hunter, Dr. Tao Jin, Dr. Patricia Franks, Rae Lynn Haliday, Cheryl Pederson, and Wendy McLain on the topic of Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders. In response to requests, below are some excerpts from my transcribed remarks.

Session Description: This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvement for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world.


It’s really a surreal time to be having a discussion about meeting evolving business needs don’t you think? Of course, we’re doing this conference virtually for the first time, and pivoting towards presenting in this fashion is kind of representative of that evolution we’re here to talk about. You know one thing I think Records and Information Governance professionals excel at though is supporting organizations through digital transformation initiatives, and I imagine the reason that so many companies are able to move forward at such an accelerated pace today, despite COVID, is because they’ve already experienced in getting their records and information online. And I see more of that demand in the days and years ahead but also see significant risks.

But first I want to start this discussion with a sampling of questions shared with me by Tao Jin at LSU…. And I would assume it’s similar to the questions asked by students at some of the other schools with curriculums like LSU. Because I think part of framing this discussion is, you know, trying to understand what students and job seekers are actually asking as they consider these programs and navigating the job marketplace. And I’m not surprised that a majority of the questions shared here are related to emerging technologies.

One thing I think Records and Information Governance professionals excel is supporting organizations through digital transformation initiatives, and I imagine the reason that so many companies are able to move forward at such an accelerated pace today, despite COVID, is because they’ve already experienced in getting their records and information online.

I’ve had my own CRM designation about 7 years now and I can tell you the exam, and these University offerings go well beyond my original training which, at the time still focused primarily on micrographics, if you can imagine that. The exam has changed since then to address new technology and innovation. But that’s not entirely the role of the Records and Information Governance professional, is it? There are other important areas of course like management…. And I think the next panel will discuss that… But the one thing I want us ALL to think about today is this…. Are we generalists? Or are we specialists? I think it’s maybe a little bit of both…

And I think whatever direction individuals take, businesses are going to want their candidates to be well versed in emerging technologies as well as core ones, which we’re going to ask you about in just a moment.


We’ve all heard about job losses post-COVID, but I wanted to diverge from that headline for a moment and bring up what I see as some good news. And that is, from a career standpoint we are witnessing professionals with IG skillsets increasingly being tapped to lead technology upgrades, digital transformation projects, and cross-functional teams in a number of sectors. I think we’re seeing this trend for a lot of reasons. I’ve put an image up here from LinkedIN. It’s essentially a snapshot of a job search query. And I encourage you all to do this yourselves so you can see how diverse roles have become in just in a short amount of time. It’s not surprising how much of today’s work and technology now requires a solid foundation in good recordkeeping, database, and systems design. And recruiters are looking for that education and experience.


Although it’s not yet mainstream in every business, we do know that Big Data, IoT, and other emerging technologies are certainly driving some of the need for IG professionals. But it’s also a desire to find talent that can integrate privacy, data governance, and other best practices into those technologies, isn’t it?

An additional layer of assurance just makes good business sense and that layer is made possible by the talent that understands and can implement IG, especially around data governance.

Specifically, with the convergence of technology and regulatory pressures, we are seeing a specialized need for the RIM or IG professional to come in and ensure that operations, risk, and long-range planning value data governance, and that decisions about data protect the organization and prepare it for the next wave of innovation…. That’s how we make the most impact, by tying together stakeholders, prioritizing goals, and helping the corporate culture as a whole recognize the value of these data-driven initiatives and our individual contributions to them. IG reflects the thirty-thousand-foot view of the business with the experience of having been in the weeds with risk, compliance, and internal audit of its moving parts.

Employers. Their executives… and their attorneys, they all realize this. And the headlines around ransomware, GDPR fines, they’ve all prompted companies to revisit and invest in the way they tackle their biggest challenges. They know that an additional layer of assurance just makes good business sense and that layer is made possible by the talent that understands and can implement IG, especially around data governance, right?

That’s how we make the most impact, by tying together stakeholders, prioritizing goals, and helping the corporate culture as a whole recognize the value of these data-driven initiatives and our individual contributions to them.

So, I think those that succeed are those that try in earnest to gain the respect of their IT counterparts. They demonstrate adequate knowledge of the toolsets they’re working with. It’s not that you need to know how to program or code per se, but you do need to know the vocabulary, the big concepts behind what is going on to get buy-in for your portion, and to exchange ideas efficiently.


My colleagues and I are convinced more each day that closely aligned with these new opportunities created by technology is the personnel function of change. And I don’t think that means IG pros give up their methodologies or best practices or risk-averse perspectives, but they do need to embrace the demands thrust upon them. They have to move from defense to offense.

Ultimately, our role is no longer gatekeeper. Our role is part diplomat, part subject matter expert, part change agent. And I’d like to see educators start shaping those expectations with students and businesses as well.

I talk a lot about this in my new book, Tomorrow’s Jobs Today. Take a look at some of the job openings being put out there on LinkedIn, that I referenced earlier. In each job description, although it might not say Records Manager, you can pretty easily identify that recruiters and companies are looking to fill that type of role, or support the function in one way or another. Privacy Manager, Enterprise Project Lead, Risk Analyst, GRC consultant, etc.

And actually, groups like the ICRM, they play a critical role in communicating to employers exactly how their membership and certification programs deliver the competencies they need to drive new projects forward. But they need to understand. Ultimately, our role is no longer gatekeeper. Our role is part diplomat, part subject matter expert, part change agent. And I’d like to see educators start shaping those expectations with students and businesses as well.

Technology is the main driver of our evolving profession. And it’s not simply about document management and enterprise content management infrastructures, but now about AI, Blockchain, IoT. This is a direction that the MER conference has illustrated for years now. So, I think it’s imperative for educators and curriculums to offer primers on what a distributed ledger is, the basics of natural language processing, technical requirements of the GDPR, and similar topics.

Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy, and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at or follow him on Twitter @rafael_moscatel.

Data Governance: How to Tackle 3 Key Issues The Importance of Accountability, Data Inventory and Automation – Full Interview with Rafael Moscatel

I was recently interviewed for an article on Data Governance & Privacy for a number of periodicals including Info Risk Today on “Data Governance: How to Tackle 3 Key Issues: The Importance of Accountability, Data Inventory, and Automation. Below is the full text of my interview for additional context.

With privacy law getting stronger by the day, it has become all the more important for companies to know where the data lies. The problem is not new but I am not sure if companies have been able to find a solution to this. What are the two main challenges of data governance?

While global privacy regulations like the GDPR and CCPA have greatly impacted contemporary data governance discussions, enterprise projects, and software solutions, we often forget that privacy itself is far from a novel concept and, in fact, one with deep roots in centuries-old ethics and social mores. What’s different now, or even from twenty years back, and what does that mean for data governance today?

The truth is that many companies have had to comply with at least some privacy requirements for decades, but the ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data. That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with. Especially since IT infrastructures and dependencies change quite rapidly. So the question becomes how do we build data governance rules that can keep up with these nuanced laws and demands while still supporting the greater needs of the business? The severity of fines and reputation damage from non-compliance has forced us to sit around the table and try to find the right balance between risk and reward. I think ultimately privacy-by-design as a fundamental aspect of enterprise architecture will bring needed order to some organizations despite handicapping them in the near term.

The second challenge is also privacy related, but in terms of exposure, much more consequential. Data breaches and ransomware have inundated infosec teams and exploiting poor data governance models is routine for hackers. Most breaches obviously originate with end-users, but the protection, encryption, anonymization, etc. of private data sets requires thoughtful and strict data governance to sustain disruption. How do meet that high bar and also provide a seamless customer experience? That’s a work in progress.

How have you approached these challenges? Can you walk us through the process?

We try to spend as much of our time understanding the regulatory environment our client is subject to as much as their risk tolerance. You can always look for a baseline in terms of a particular set of laws, but often a best practice approach makes more sense in the long run. I think a solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfillment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map. This is, to your previous question, a challenge because the stakes are now much higher and teams must now not only support each other’s requirements but go farther in understanding and appreciating the very nature of those rules. It’s not just collecting the metadata, it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one. This is a convergence of law and technology that requires true cross-functional teamwork, where each stakeholder must respect and value the contribution of his or her colleague. It’s just not enough to know your little corner of the universe anymore. At Compliance & Privacy Partners we aim to facilitate discussions that enable that synergy and eventually support change management goals.

What did you discover during this journey? Where are most organizations missing the mark?

As far as privacy goes, and despite its long history as a basic component of ethics and law, most groups still haven’t understood you can’t just throw bodies and technology at something like this. The specialty is too new and the laws are in many cases too vague to leave it up to a project manager, a lawyer, a vendor, and an enterprise architect. I’m seeing a lot of companies try to check off details of regulations without understanding exactly how they fit together. What ends up happening is a whole lot of talk, a whole lot of capital spend and very little result.  Companies have to take a step back. The smartest know they need to bring somebody in who can provide an overview and roadmap for their particular challenges and then take next steps. That planning is what’s really going to set up their in-house teams and leaders for long-term success. 

What would be your advice to your contemporaries?

From my perspective, it would be to actually value privacy, not just as a consumer yourself, but as a smart business decision. Customers want companies they can trust and who provide solutions that help them solve their problem, but also don’t exploit their data. Do unto others as they say. I think building a culture that can internalize that as a golden rule will be transformative and lead to better data governance across the board.

Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at or follow him on Twitter @rafael_moscatel.

AIIM Conference 2020 Keynote – Tomorrow’s Jobs Today – Rafael Moscatel

Full transcript below

Welcome to the AIIM 2020 Keynote Session Tomorrow’s Jobs Today, thinking beyond information management.

I’m Rafael Moscatel, I’m an AIIM member, and I’ve had the distinct pleasure of attending several of its thought leadership events over the past few years and had the opportunity to meet and become friends with many of you.

There isn’t much that could keep me away from an event like this, and I’m disappointed that I can’t be with you in Dallas, but I just became a father again, and it’s my first few weeks on the job. So I’m kind of afraid to ask for any time off yet!

Luckily, it’s a detail-oriented role, which is perfect because my background is in Compliance and Privacy, and I’ve spent most of my career building data governance programs for recognized brands like Paramount Pictures and Farmers Insurance.

But whether it’s a classic motion picture company or a premiere insurance group, I’ve learned that my ultimate goal isn’t just managing risk but rather elevating Information Governance and being an integral part of the “mission” of whatever organization I’m a part of. For a film studio, that’s producing content, and entertaining your audience. For an insurance carrier, the goal is to protect people’s livelihoods and helping us get back on our feet after a disaster.

So, whatever our organization’s mission might be, it’s imperative to connect “the what we do” to “the why we do it.” And that’s one of the wisest lessons I’ve learned from colleagues here at AIIM, like Michael Jay Moon, Dux Raymond Sy and some of the other leaders you have on the stage today.

It’s a big reason I wrote the book Tomorrow’s Jobs Today….

I interviewed almost two dozen trailblazing information management leaders in fields like AI, Blockchain, Big Data and Privacy from world-renowned organizations like Price Waterhouse Coopers, the International Criminal Court, and Iron Mountain to understand what their mission was and how they applied their unique skillsets in pursuit of that greater good.

The lessons I picked up in speaking with these folks should resonate with an information management professional. Despite their industry and diverse roles, three things stood out. First, they knew how to recognize an opportunity.

Take Ashish Gadnis of BanQu. Ashish grew up dirt poor on the streets of India, and following a life-changing experience in Africa, he developed a fantastic app that leverages the same technology behind Cryptocurrency, blockchain, to help the most deprived people and farmers in the world. By using his app, even if you’re in the last mile of a supply chain, you can establish your economic identity, better assert your value in society, and escape poverty. He saw the unequal gaps between significant brands, middle-men, and farmers on a supply chain and decided to transform those gaps into opportunities.

The second lesson I learned is also a timeless one but also speaks directly to the challenges the information age and our digital deluge. It’s Less is More. We learned from pioneers like George Socha of BDO and the EDRM that particular strategy is relevant not merely in disciplines and concepts like eDiscovery, and privacy-by-design, but how you approach your career. To be strategically selective with our words, our actions and our expectations runs contrary to the human nature of a large segment of the workforce and consumers. It’s also what makes you stand out.

Finally, coming full circle, the most important lesson I learned from all of the individuals I interviewed, and that was that Relationships Matter. Enjoying and being enriched by professional relationships is above and beyond the greatest gift you can give your career. Relationship building is, has always been and will always be, the most critical skill and strategy we should practice and master.

Now, I know it’s going to be many years before my youngest enters the workforce, and jobs are going to look a lot different, but I know the valuable lessons and wisdom that have guided me in my career and exemplified by the biographies in my book will still be around.

Because although the set decorations can be changed, and the actors, and the price of insuring your most valuable assets, what stays the same is the power you have over your destiny. I know that statement’s true because I just spent a year documenting the success stories of those who swear by it.

As working professionals in the Information Age, we must strive to recognize and even anticipate emerging technological trends. But seizing upon those opportunities is possible when we choose to partner with change agents who share our vision and can work with us to transform our enterprises. We must reach beyond our teams or spheres of influence and work closely with the legal, regulatory, and ethical communities that study, measure, and moderate the impact of our technology and products on our respective fields. We need to plan and develop ourselves with a deep respect for the world that our products and services impact.

By absorbing the perspectives, challenges, and solutions of those deeply in love with and accomplished in these new careers, we can help ourselves, our friends, and our employees transform anxiety over a job search, job loss, or just the winds of change into hope, understanding, and opportunity.

As you look ahead to your career over the next year, think back to the dreams you had as a kid. And think about how every one of us is in the business of making new dreams and opportunities come true for the next generation. Because if we don’t, they’ll never leave the house.

Thanks to each of you at AIIM for inspiring me in my own career. You can find out more about your colleagues in this book by going to tomorrow’s jobs today dot om where we’ll be publishing excerpts and updates about the book, and now I’ll turn it back to you Peggy and four visionaries who exemplify some of the best qualities our AIIM community has to offer.

Interview with Information Management Today MVP Award Winner Compliance & Privacy Partners

The competition for the Information Management 2019 IMT MVP Awards was tight – and congrats are in order to all of our winners! We got to know one of them, a bit better here! Read the winning articles here:

The 2019 Information Management Today MVP Awards Winners Spotlight from Shelley Trout on Vimeo.

Tomorrow’s Jobs Today to be released by John Hunt Publishing in 2020

Design your career for tomorrow with wisdom from leaders whose shoulders you stand on today. 

It gives me great pleasure to shout from the digital mountaintop that along with my co-author, Abby Moscatel, Esq., we’ve signed a book deal with John Hunt Publishing to release our book, Tomorrow’s Jobs Today: Wisdom and Career Advice from Thought Leaders in AI, Big Data, Blockchain, the Internet of Things, Privacy, and More. The manuscript originated from a series of in-depth interviews we’ve been conducting around the world. The insights that emerged from these conversations were so essential and relevant to workers in the Information Age that we knew we just had to share it with a bigger audience!

Discover leadership secrets and technology strategies being pioneered by today’s most innovative business executives and renowned brands across the globe in this entertaining collection of interviews and stories exploring new careers of the Information Age.*

What’s the book about?

This collection of in-depth profiles featuring Smart City CIOs, Data Protection Officers, Blockchain CEO’s, Informatics Doctors and other diverse, skilled professionals gives readers first-hand insight into what tomorrow’s jobs look like today. The hands-on experiences, subject matter expertise, and measured job advice shared within these pages demonstrate how identifying opportunities, setting the right cadence, and building strong relationships are the essential ingredients to unlocking your future’s potential.

Who is the book for?

This book is for the new graduate, the professional between jobs and the doting parents desperate to get their “brilliant” but lazy kid out of the basement. It’s also for senior corporate leaders seeking an intimate understanding of the changes abounding in their organizations. It’s for the manager who wants to inspire and encourage professional development. And it’s for every knowledge worker out there who wants to leverage technology and information governance to reduce risk, generate revenue, and improve customer experiences.

Sign up for updates on the book below!


What People Are Saying About Tomorrow’s Jobs Today

In today’s data-driven, fast-changing world, Tomorrow’s Jobs Today gives business leaders a solid overview of many complex technology trends. This book helps surface many of the issues a business leader needs to be aware of and provides food for thought on how they might be navigated as we head into a new decade. –Gregory L. Steinhauer, President, American Life

Information is the currency that fuels and funds the Digital Transformation journey. Tomorrow’s Jobs Today manages to capture a set of leadership perspectives that, while diverse, share an essential characteristic for the future of transformative work: leveraging information as one’s most valuable asset. –Peggy Winton, CEO, Association for Intelligent Information Management AIIM

If you want to stay successful, you have to embrace and adapt to changes. Tomorrow’s Jobs Today shows you how those challenges can be both enlightening and empowering. –Jim Dodson, SVP, Iron Mountain

In a world often seized by ever-accelerating change, Tomorrow’s Jobs Today has brilliantly identified, captured, and recounted liberating insights for success from a broad range of global information governance and technology professionals. There will always be challenges, but for those willing to look, the opportunity is abundant. The Information Age remains an ever-growing frontier awaiting each new wave of pioneers. –Seth Williams, President, MER Conference

This is an empowering and beautifully written book that will surely guide the reader to find a place in this quickly changing Information Age, where they can thrive and contribute to the greater good. –Dr. Angela Bair Schmider, M.S., Ph.D., Massachusetts General Hospital and Harvard Medical School

The authors bring together the voices of leading thinkers, exploring the critical themes that will dominate the years to come. Entertaining interviews reveal the best paths forward for professional development and the impending social, political, and ethical challenges of tomorrow. This is an important book. –Alex Panagides, CEO, mxHero

Tomorrow’s Jobs Today brings together an impressive group of professionals sharing their wisdom and career advice from the cutting edge of technological advancement today. These insights will inevitably bolster your career path, and the combined knowledge of so many brilliant folks in one volume is staggering. I recommend this book for anyone who is pushing or looking to push their organizations into the future. –Nick Inglis, Executive Director of Content & Programming, ARMA International

Stepping away from the mush of data that sometimes arrives through surveys, Tomorrow’s Jobs Today goes straight to the people creating the future world of work. Read this book; go interview a few visionaries yourself; help shape the world to come. –Andy Watson, Head of School, Albuquerque Academy

*The opinions expressed by the interviewees in this book are their own and do not necessarily reflect those of their employer.

About John Hunt Publishing – John Hunt’s Business Books “Fresh thinking for the business world,” imprint publishes practical guides and insightful non-fiction for beginners and professionals. Covering aspects from management skills, leadership, and organizational change to positive work environments, career coaching, and self-care for managers, our books are a valuable addition to those working in the world of business.

Compliance and Privacy Partners and Ethikos to Speak at the 2020 MER Conference in Chicago

The 2020 MER Conference Agenda has been announced and conference registration is now available.

This year’s conference takes place May 4-6th in Chicago and features Information Governance sessions on Privacy, eDiscovery, Data Remediation, emerging technologies, and operational best practices from the industry’s leading experts, along with the experiences of knowledgeable practitioners.

Compliance and Privacy Partners is participating in two sessions this year:

Using Information Governance with a Privacy Compliance Plan as the Fulcrum for Data Privacy and Compliance – Monday, May 4, 20202:10 – 3:00pm

Tackling data privacy and maintaining consumer trust is harder than ever, especially with the sheer amount of information you need to manage and with constantly evolving privacy laws (CCPA, GDPR, etc) moving the goalposts. The usual checkbox compliance, ad-hoc governance, and reactive information security policies will fail, if they haven’t already, and create too much organizational risk. To achieve a state of consistent compliance and minimize corporate risk you must provide three things to your business: transparent governance, frictionless security, and continuous validation. To provide these things, you must build a strong information governance framework and privacy compliance plan to succeed.

Meeting Evolving Business Needs – A Conversation Between RIM Educators and Thought Leaders – Tuesday, May 5, 202011:45am – 12:35pm

This special, two-part panel discussion facilitated by the ICRM will compare current academic curricula with the existing ICRM exam to identify gaps and areas of improvements for both academia and the ICRM. University Professors will discuss their programs and IG industry leaders will add perspective from the business world. There will be ample time for members of the audience to share their thoughts as well. It is time to close any gaps between what is taught at the university level and what is needed in the world of business. More effective preparation of the next generation of IG professionals will benefit all organizations that depend on these practitioners to address the business opportunities and challenges of the future and it will provide more fulfilling careers for those emerging from school into the world of business.

Also, our partners at Ethikos will be coming all the way from Brussels to present on GDPR.

GDPR – Two Years On -Monday, May 4, 202012:50 – 1:40pm

The GDPR will celebrate its second anniversary on 25 May 2020 – a good time for US companies impacted by this regulation to understand what they should expect in the coming months.  In this presentation, Legal professionals working in Europe will discuss how the GDPR has been enforced so far in Europe, what the regulators’ future direction might be, and the key areas US organizations will need to focus on in the coming months. Is there a higher risk of enforcement on the horizon? What is the level of privacy awareness among Internet users, consumers and individuals in Europe? Should US organizations that collect and process personal data of EU data subjects be worried about these regulatory trends?

“California Consumer Privacy Act – Now What Do We Do” – Free Webinar 1/22/19


“California Consumer Privacy Act – Now What Do We Do?” 

Register here:

Learn: Why data protection and privacy are important to my business What to do in case of a data breach Preparation for a cyber-attack Preparation for CCPA Preparation for PII/PHI breach response 

When: Wednesday, Jan. 22, 2020 Time: 10 a.m. PST/1 p.m. EST 


No comments

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit to learn more.

5 Ideas To Kickstart Your Governance, Risk and Compliance Program

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling .

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify and destroy, costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is because of a lack of policy organization within their OWN departments.

Lack of procedural consistency, ownership of policy and overlap and confusion over a directives authority in can create even more conflict, risk and uncertainty for an organization. But relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of a GRC or governance risk and compliance software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organizations external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one size fits all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit to learn more.

Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders

ICRM will not only conduct their spring Board and Business meetings at the MER Conference next May in Chicago, but will also facilitate a panel discussion  “Meeting Evolving Business Needs: A Conversation Between RIM Educators and Thought Leaders.” 

The panel of experts include: John Isaza, Esq, FAI, Rafael Moscatel, CRM, IGP, CIPM, and Wendy McLain, MLIS, CRM.  The panel of Academic Partners include: Patricia Franks, Ph.D, CRM, CA, IGP – San Jose State University; Gregory S. Hunter, Ph.D, CA, CRM, FSAA – Long Island University, Palmer School of Library and Information Science, and Tao Jin, Ph.D – Louisiana State University, School of Library and Information Science.

The desired outcome is to expand and nurture an ongoing and productive dialogue between our profession and academic institutions to ensure graduates are well prepared to fill current and future positions in key areas of Records and Information Management (RIM) and Information Governance (IG).  If interested in joining us at the MER Conference – go to their website and register for conference.

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via can submit them via email with the subject line “COPPA comment” to All comments, whether filed through or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit to learn more.

No comments

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses

From the US Justice Department

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware

Reward of up to $5 Million Offered for Information Leading to Arrest or Conviction

The United States of America, through its Departments of Justice and State, and the United Kingdom, through its National Crime Agency (NCA), today announced the unsealing of criminal charges in Pittsburgh, Pennsylvania, and Lincoln, Nebraska, against Maksim V. Yakubets, aka online moniker, “aqua,” 32, of Moscow, Russia, related to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present.  A second individual, Igor Turashev, 38, from Yoshkar-Ola, Russia, was also indicted in Pittsburgh for his role related to the “Bugat” malware conspiracy. The State Department, in partnership with the FBI, announced today a reward of up to $5 million under the Transnational Organized Crime Rewards Program for information leading to the arrest and/or conviction of Yakubets.  This represents the largest such reward offer for a cyber criminal to date.

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Scott W. Brady for the Western District of Pennsylvania, U.S. Attorney Joseph P. Kelly for the District of Nebraska, FBI Deputy Director David Bowdich, Principal Deputy Assistant Secretary James A. Walsh of the State Department’s Bureau of International Narcotics and Law Enforcement Affairs (INL), and Director Rob Jones of the Cyber Crime Unit  at the United Kingdom’s National Crime Agency (NCA) made the announcement.

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Benczkowski.  “These two cases demonstrate our commitment to unmasking the perpetrators behind the world’s most egregious cyberattacks.  The assistance of our international partners, in particular the National Crime Agency of the United Kingdom, was crucial to our efforts to identify Yakubets and his co-conspirators.”

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said U.S. Attorney Brady. “Deploying ‘Bugat’ malware, also known as ‘Cridex’ and ‘Dridex,’ these cybercriminals targeted individuals and companies in western Pennsylvania and across the globe in one of the most widespread malware campaigns we have ever encountered.  International cybercriminals who target Pennsylvania citizens and companies are no different than any other criminal: they will be investigated, prosecuted and held accountable for their actions.”

“The Zeus scheme was one of the most outrageous cybercrimes in history,” said U.S. Attorney Kelly.  “Our identification of Yakubets as the actor who used the moniker ‘aqua’ in that scheme, as alleged in the complaint unsealed today, is a prime example of how we will pursue cyber criminals to the ends of justice no matter how long it takes, by tracking their activity both online and off and working with our international partners to expose their crimes.”

“Today’s announcement involved a long running investigation of a sophisticated organized cybercrime syndicate,” said FBI Deputy Director Bowdich. “The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability. The actions highlighted today, which represent a continuing trend of cyber-criminal activity emanating from Russian actors, were particularly damaging as they targeted U.S. entities across all sectors and walks of life. The FBI, with the assistance of private industry and our international and U.S. government partners, is sending a strong message that we will work together to investigate and hold all criminals accountable. Our memory is long and we will hold them accountable under the law, no matter where they attempt to hide.”

“Combatting cybercrime remains a top national security priority for to the United States,” said INL Principal Deputy Assistant Secretary of State Walsh. “The announcements today represent a coordinated interagency effort to bring Maksim Yakubets to justice and to address cybercrime globally.”

“This is a landmark for the NCA, FBI and U.S. authorities and a day of reckoning for those who commit cybercrime,” said NCA Director Jones. “Following years of online pursuit, I am pleased to see the real world identity of Yakubets and his associate Turashev revealed.  Yakubets and his associates have allegedly been responsible for losses and attempted losses totalling hundreds of millions of dollars. This is not a victimless crime, those losses were once people’s life savings, now emptied from their bank accounts.  Today the process of bringing Yakubets and his criminal associates to justice begins.  This is not the end of our investigation, and we will continue to work closely with international partners to present a united front against criminality that threatens our prosperity and security.”

Yakubets and Turashev Indicted in Relation to “Bugat” Malware

A federal grand jury in Pittsburgh returned a 10-count indictment, which was unsealed today, against Yakubets and Turashev, charging them with conspiracy, computer hacking, wire fraud, and bank fraud, in connection with the distribution of “Bugat,” a multifunction malware package designed to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers.  Later versions of the malware were designed with the added function of assisting in the installation of ransomware.

According to the indictment, Bugat is a malware specifically crafted to defeat antivirus and other protective measures employed by victims.  As the individuals behind Bugat improved the malware and added functionality, the name of the malware changed, at one point being called “Cridex,” and later “Dridex,” according to the indictment.  Bugat malware was allegedly designed to automate the theft of confidential personal and financial information, such as online banking credentials, and facilitated the theft of confidential personal and financial information by a number of methods.  For example, the indictment alleges that the Bugat malware allowed computer intruders to hijack a computer session and present a fake online banking webpage to trick a user into entering personal and financial information.

The indictment further alleges that Yakubets and Turashev used captured banking credentials to cause banks to make unauthorized electronic funds transfers from the victims’ bank accounts, without the knowledge or consent of the account holders.  They then allegedly used persons, known as “money mules,” to receive stolen funds into their bank accounts, and then move the money to other accounts or withdraw the funds and transport the funds overseas as smuggled bulk cash.  According to the indictment, they also used a powerful online tool known as a botnet in furtherance of the scheme.

Yakubets was the leader of the group of conspirators involved with the Bugat malware and botnet, according to the indictment.  As the leader, he oversaw and managed the development, maintenance, distribution, and infection of Bugat as well as the financial theft and the use of money mules.  Turashev allegedly handled a variety of functions for the Bugat conspiracy, including system administration, management of the internal control panel, and oversight of botnet operations.

According to the indictment, Yakubets and Turashev victimized multiple entities, including two banks, a school district, and four companies including a petroleum business, building materials supply company, vacuum and thin film deposition technology company and metal manufacturer in the Western District of Pennsylvania and a firearm manufacturer.  The indictment alleges that these attacks resulted in the theft of millions of dollars, and occurred as recently as March 19, 2019.

Yakubets Charged in Relation to “Zeus” Malware

A criminal complaint was also unsealed in Lincoln today charging Yakubets with conspiracy to commit bank fraud in connection with the “Zeus” malware.  Beginning in May 2009, Yakubets and multiple co-conspirators are alleged to have a long-running conspiracy to employ widespread computer intrusions, malicious software, and fraud to steal millions of dollars from numerous bank accounts in the United States and elsewhere.  Yakubets and his co-conspirators allegedly infected thousands of business computers with malicious software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal money from victims’ bank accounts.  As with Bugat, the actors involved with the Zeus scheme were alleged to have employed the use of money mules and a botnet.

Yakubets and his co-conspirators are alleged to have victimized 21 specific municipalities, banks, companies, and non-profit organizations in California, Illinois, Iowa, Kentucky, Maine, Massachusetts, New Mexico, North Carolina, Ohio, Texas, and Washington, identified in the complaint, including multiple entities in Nebraska and a religious congregation.  According to the complaint, the deployment of the Zeus malware resulted overall in the attempted theft of an estimated $220 million USD, with actual losses of an estimated $70 million USD from victims’ bank accounts.  According to the complaint, Yakubets’ role in the Zeus scheme was to provide money mules and their associated banking credentials in order to facilitate the movement of money, which was withdrawn from victim accounts by fraudulent means.

An individual charged as John Doe #2, also known as “aqua,” was indicted in District of Nebraska in case number 4:11-CR-3074.  The indictment in that case charges that individual and others with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud related to the Zeus scheme.  As alleged, the complaint unsealed today associates use of the moniker “aqua” in the Zeus scheme to Yakubets.

In case number 4:11-CR-3074, two of the co-conspirators of “aqua,” Ukrainian nationals Yuriy Konovaleko and Yevhen Kulibaba, were extradited from the United Kingdom to the United States.  Konovalenko and Kulibaba both pleaded guilty in 2015 to conspiracy to participate in racketeering activity and have completed prison sentences that were imposed.  Konovalenko and Kulibaba were previously convicted in the United Kingdom, after an investigation conducted by the Metropolitan Police Service, for their role in laundering £3 million GBP on behalf of the group responsible for the Zeus malware.

State Department $5 million USD Reward

The U.S. Department of State’s Transnational Organized Crime (TOC) Rewards Program is offering a reward of up to $5 million for information on Yakubets.  Cyber threats are a top national security threat to the United States, and the Department of State’s TOC Rewards Program is one of the many tools used by U.S. authorities to bring significant cybercriminals to justice.  Congress established the TOC Rewards Program in 2013 to support law enforcement efforts to dismantle transnational criminal organizations and bring their leaders and members to justice.  The U.S. Department of State’s Bureau of International Narcotics and Law Enforcement Affairs manages the program in coordination with other U.S. federal agencies.

In addition to NCA, the law enforcement actions taken related to these two prosecutions were assisted by the efforts of law enforcement counterparts from The Netherlands, Germany, Belarus, Ukraine, and the Russian Federation.

The FBI’s Pittsburgh and Omaha Field Offices led the investigations of Yakubets and Turashev with assistance by the FBI’s Major Cyber Crimes Unit and Global Operations and Targeting Unit.  The prosecution in Pittsburgh is being handled by Assistant U.S. Attorney Shardul S. Desai of the Western District of Pennsylvania, and the prosecution in Lincoln is being handled by Senior Counsel William A. Hall, Jr., of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Steven A. Russell of the District of Nebraska.  The Criminal Division’s Office of International Affairs provided significant assistance throughout the criminal investigations.  The Department’s National Security Division also provided investigative assistance.

The details contained in the indictment, criminal complaint and related pleadings are merely accusations, and the defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Continue reading “Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses”