Settling the Risk Quantification Debate
Different analysis methods are better suited at each phase, with the greatest concentration of quantification tools needed during…
Top 3 Quotes
RAFAEL MOSCATEL: The more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other.
HOST MEGAN PHEE: Hi. I'm Megan Phee and this is GRC & Me where we interview industry thought leaders in governance, risk, and compliance on hot topics, industry-specific challenges, trends, and more. Learn about your methods, solutions and outlook in this space.
Our guest today is an author, privacy expert, filmmaker, and he's the managing director of Compliance and Privacy Partners, Rafael Moscatel. During our episode today we will talk about his journey within privacy roles working at organizations such as Farmers Insurance and Paramount Pictures over the last 20 years. We'll discuss this article Seven Ways to Repair Data in the Age of Privacy and Information Governance. Raphael says it best. "Content may still be King, but now the rights to some of it belong to the people."
Thank you, Rafael, for joining us today on another episode of GRC & Me.
RM: Thanks, Megan. Thanks for having me.
MP: Of course. Let's start off. I would love to hear a little bit more about your experience. I know your background at law firms, you worked at Farmer's Insurance, you spent some time at Paramount Pictures, and now you're doing your own thing. I'd love to hear a little bit more about your experience, and as you walk through your journey of your background, you also had shared with me the other day a really interesting story about this concept of the Olympics of privacy, and I know our listeners would love to hear about that story. So would you be so kind just to share your background and then a little bit more about that Olympics of privacy event, what it was, and what it meant to you?
RM: Yeah, I'd love to. I began very early on working for law firms and consulting companies, specifically in employee benefits law firms, and that was around 1996 when HIPAA first came out, which was a kind of an omnibus bill around privacy and protection of data and which had some guidance on technology as well. It was really fascinating to me and it was something that I immediately gravitated towards because I've always seen myself as a type of a liaison between technology, which is one of my passions, and law and compliance. So I settled in there for a little while, and at some point the office of the general council at Paramount Pictures heard about me and they offered me a position working at the Melrose studio doing compliance and records management and information governance for them, so I stepped in to fill in on their data classification policy, their email retention policies, and their privacy policies.
It's a multinational conglomerate, so they're always going through mergers and acquisitions, and so a lot of policy work that was being done and folding in some of the sister companies into the greater governance plan for Viacom's. I worked closely with that group, and then I got this great opportunity at Farmer's Insurance where I was for the last few years before I started my own company. I began working there originally under the, I believe it was the business improvement group or the project management group, and very quickly we realized that this was something that needed to, this program that I was tasked with, needed probably to be under a compliance arm, so we quickly realigned and restructured that group under that compliance discipline. We started moving forward on a roadmap which would essentially define our information governance policy, and I stayed there for quite awhile right up until the point the California Consumer Privacy Act came into effect.
You sit down there and Giovanni Brunelli, who actually just passed a couple of weeks ago, gave this stirring speech about privacy and he kind of looked out across this kind of very disciplined group of compliance people, and also Tim Cook was there, Tim Berners-Lee who invented the Internet, so to speak, and when he concluded his speech, he looked out and I almost felt like he looked directly at me and he said, "And now let the Olympics of Privacy begin." It turned out that the IDCC or the privacy commissioner's group had actually picked up my tweet when I was flying over there and circulated amongst its members, so it was kind of serendipitous that it ended up being part of the opening keynote for this 40th conference. But it was quite an event and it's something that kind of put me on the path that I am right now with my company Compliance and Privacy Partners.
MP: That's fantastic. What an amazing moment that must've been, just sitting there and hearing him say that. You just mentioned it was kind of a watershed moment for those in compliance and privacy. Why do you think it was?
RM: Well, the reason I say that is because the conference came about a year and a half after the GDPR law, the General Data Protection Requirement went into effect. Tim cook actually spoke at the same conference. Tim Berners-Lee was there, the King of Spain and it was essentially the launching of this very powerful law, which we see constant headlines. I think the Wall Street Journal ran an article just yesterday on privacy. It seems like it's always in the news, and this was in some ways kind of the kickoff or the message that Giovanni and the rest of the data commissioners were sending to the world, to say that we need better policy around privacy and it begins now. That really was the big event, and I think having all the commissioners from the 28-member use states and so many international people there, it really solidified this message, which is now being discussed all over the world from Asia to right here in California where they've passed a pretty comprehensive consumer privacy law.
MP: Speaking of that, as a resident of California, you're ... and a privacy expert, you're familiar with CCPA, and the other day you were sharing with me, Rafael, a story about your experience interacting with the State of California and their records retention process. I think when we as consumers or at the organization level, we see and read about CCPA and we're thinking about the implications to us as professionals, as business owners, as well as consumers. It's sometimes nebulous to think about the implications to us as individuals. Would you be able to share your experience? I think it really gives context to the legislation not only as CCPA, but the statewide legislation and broader privacy legislations and why they're vital to consumers and not business detractors.
RM: I mean, privacy by nature is personal and it's really served to drive home the point about information governance and data security and all of these tangential type of issues because people have personal connections with privacy. It's something that brings out areas of our lives that really hit home. When we're talking kind of about these existential issues with records or data governance, they're important, but how does it really affect me? I do have a personal connection with the State of California. I believe it's now sixth or seventh largest economy in the world, but even when I was born back in 1977, it was a very large bureaucracy. I was a late discovery adoptee, which means that I didn't learn until very late in life, until I was about 30 that I had been adopted, and it was only a testament to the discipline and best practices of the State of California and their social services department that I was able to learn about my own adoption.
I had actually written a letter kind of on the fly to the State of California and I had ... didn't know where I was adopted from it, but I was living in California, so I thought I'd give it a try. I sent this note to Sacramento, I believe, and then just like that scene from Back to the Future where Doc gets the letter 150 years later after? Well, anyway, I received a manila envelope, and in this manila envelope were 30 or 40 different records collected from various different medical groups and social services groups around the time of my adoption describing everything from the condition of my mother when she gave me up to medical issues pertaining to my birth.
It was just eye opening, and I thought it was so remarkable, Megan, because if but not for the best practices and privacy standards of the State of California, I would not be able to learn so much about my own history, which of course helps me now that I have children because I can pass that information on to them. But if you think about it, it's really fascinating that this file or this set of files collected sat somewhere protected for 30-odd years, and the rules in place and the policies in place were effective enough to actually produce that document all of those years later. So I really have an appreciation for records management and the handling of governance and a lot of the policies behind what makes a process like that possible and stable, and so that's kind of, that was my own personal experience with records.
MP: Is that what led you to do what you do now with the consulting practice that you lead?
RM: Yeah. Well, I mean, it certainly did, and I've also like many people had other experiences related to my own privacy, the privacy now of my family, but that was certainly a big event for me about 10 years ago. Again, I had worked with the HIPAA law for some time and also doing related compliance work before that, so it crystallized around the time of the 40th annual conference that I went to in Brussels and definitely was a watershed moment in my own life.
MP: Thank you for sharing that. I hear about this regulation and legislation, but when you put a personal story to it, we understand why this legislation exists and why organizations need to take it seriously and need to follow the best practices to ensure secure records retention processes.
RM: The California Consumer Privacy Act in some ways is really an extension of those best practices, and here you see California leading the way in developing those protocols, really recognizing very early on that consumer data is very critical. I mean, 20 years ago it was health data and that's still important, but also today and with the cybersecurity issues we have, the data breaches, the ransomware, financial information is now becoming paramount, and that financial information and consumer information is really a key to allowing criminals to exploit other avenues, and not just that, for corporations to abuse personal privacy. But when I look at the CCPA, I like to look at the opportunity of it and I think if you look carefully, the CCPA is quite a blessing. I mean, it doesn't need to be a burdensome requirement on corporations.
First, it helps reduce expenses and monetize the information life cycle because you have a better understanding of what's under the hood in your company. Second, it presents opportunities for better governance to avoid those fines and also litigation exposure, and you see, especially with information governance teams coming into address CCPA or kickoff and run the CCPA projects, there's a focus kind of not just on checking the boxes on compliance, but taking another lap around the litigation exposure that you have when you don't properly manage those records and retain them properly. And then finally, as you were mentioning earlier, it's really fosters that trust and enhances the customer experience because the more that you can show your customer that you're being a good steward with their data, the more they're likely to trust you, and from a reputational standpoint and a branding standpoint, that's always one of the best benefits and one of the reasons a consumer will choose one product or service over the other.
MP: Thanks, Rafael. I think that's a great point. When you look at the CCPA, what is your opinion of it?
RM: We're looking at a January 1st kickoff of this law and it's going to look back 12 months. It's pretty comprehensive. I think the challenges are going to be in terms of how companies adapt to them, and I think it's very vague in terms of guidance that we have right now. If you are the type of company that is making over 25 million in revenue or meeting some of these other requirements, you're looking at a significant investment in a project to overhaul your data landscape, and so although it does seem like the law is clear cut, what's not clear for many companies is how to execute on a plan to reach compliance. I think as we go into the next year we'll get additional guidance from the attorney general on exactly what companies need to do, but you're familiar with compliance and if we look at organizations like the Department of Insurance, sometimes it takes years for this type of stuff to be worked out. It may be in some cases there's a little overkill on some of the projects, and in other areas companies may not be doing enough, so we'll really have to see what the state attorney general does in terms of the enforcement actions, and I think that that will ultimately guide companies in tweaking their existing programs.
I also don't think a lot of companies have jumped on board yet and they're waiting for some enforcement to take place, so there's probably a second and a third wave of enforcement, but overall I do think it's a good comprehensive first step. I think your listeners would really be interested in seeing how this legislation took shape. It originally began as a ballot measure, and quickly the social media companies and big data companies got in because they feared that it would be a little bit too restrictive. That article I mentioned in the Wall Street Journal actually just spoke about how they're actually running ads on social media trying to tamper down the law itself now because they're concerned about its impact on business and marketing.
MP: Hmm. That's interesting. I have another question for you in regards to CCPA. We've been talking a little bit more about how it applies to policy management, but you mentioned to me the other day it does have implications to vendor risk management. Can you share with the listeners why that may be?
RM: Yes. It's interesting you bring that up because we're living in a cloud-based world now, so the data isn't just on premise. In many cases it's in the cloud or in a variation in the hybrid cloud, and that has serious implications for the CCPA because under the CCPA you're not just obligated to take care of and provide data from your own systems, but those that are managed for you, including software as a service and repositories like Box that are kept offsite. So from that standpoint, third party vendor risk is critical and it has to start being baked into the overall compliance process. That means you need to identify vendors and service providers that are impacted by the CCPA. If that personal data does exist with those vendors, you need to be able to perform a contractual review to validate compliance based on those requirements, and you need to document your approach to all of these contracts versus attestation, which is another approach, another avenue that certain companies are taking in making their service providers attest to certain quality control measures that they've taken for their data.
But beyond that, you have to establish plans to engage those vendors for contractual changes because these laws are going to continue to get modified and change. You need to establish a controlled and timeline for the completion of attestation questionnaires, which you may provide to them. All of those processes and controls related to your third party vendors are critical again because they collect that data, so companies need to be mindful of what's outside their walls as well as what's within them.
MP: We're going to switch gears because I know you recently wrote an article in a publication regarding best practices for privacy and policy management. Would you be able to share a few of those tips with us today?
RM: I've been looking through this actually because the more I think about it, there's not one silver bullet when it comes to preparing data for an information governance strategy. IG is essentially a multidisciplinary type of approach where you're essentially gathering the best minds around your organization to make decisions about data that are not in a vacuum so that they'll be longstanding and support longterm strategy. But even if you check all the boxes on CCPA, Megan, it's still not going to prepare you for the overall needs that you'll still be subject to for so many of the other laws, including HIPAA and Sarbanes-Oxley and so many, so I put together a list of initiatives where you can have some quick wins.
I would say definitely learn how to automate your records retention schedules. There are thousands of records subject to thousands of different statutes and regulations. It's not enough to get a cookie cutter or a templated retention schedule. Really need to look into what types of records you have and then see how best you can automate that with research that feeds into you and tells you if the laws have changed rather than periodically making those reviews, which can be quite cumbersome and expensive, especially if you're hiring outside counsel.
The second tip I would mention is I call it covering your assets, but really it's getting ahold of your enterprise architecture landscape, and in many cases, companies already have a lot of these resources at their fingertips so it's a matter of getting the right people in the room, in this case, taking your retention or records management people and introducing them to your enterprise architects and your IT groups so that you can really get on the same page around retention and assets and know how to protect the paper as well as the digital information. There's a lot of great tools out there now that can be leveraged for both of these cases, especially with CCPA or GDPR. It's not enough to know where this information is. You need to know how it flows upstream and downstream in particular when you're deleting data that may have unintended consequences on some of the systems that you're working with. That's that second piece.
I also would say that companies need to be careful and methodical around their legal holds because as they're destroying or cleaning up data, they could run afoul of litigation or court orders and then end up with an adverse inference ruling or an accusation of spoliation, and that can of course lead to terrible reputational damage.
Then there's some other tips, too. You can find them in the article. One being activating file analysis tools. Companies just don't realize they're just junking up their environments and their shared drives and their SharePoint and their Boxes and their Dropboxes with a whole lot of material that doesn't need to be there, but it's almost impossible to tackle it with a manual effort. There's amazing tools out there right now that do the file analysis for you, and while you're getting rid of the junk, you can also identify personally identifiable information or other vulnerabilities. Just kind of taken all together, it's more of a holistic way of looking at the data in your organization and making a commitment to really having a more holistic and healthy approach to the stewardship there.
And then finally, the best practices piece in terms of policy. I mean, policy management is the backbone of good information keeping, record keeping, and records management. It's policy that ultimately governs and guides all the practices that our companies do in which they will ultimately be judged and regulated on. The regulators almost always go immediately to the policy to see if the company is putting its best foot forward in executing on what it says, and so I think good policy management systems are critical to that effort.
MP: Thanks, Rafael. Where can the listeners read more about not only this article for data preparation and a new regulatory climate, but also, I know you have a book called Tomorrow's Jobs Today, which is advice and insights from thought leaders around a variety of things including privacy. Where could folks learn more about this?
RM: Folks can come straight to my website, which is just my name, rafaelmoscatel.com. There's links to a lot of this content and my company Compliance and Privacy Partners, as well as the book, which comes out next year in probably January or February, which is a set of interviews actually with thought leaders in privacy and policy, Internet of Things, AI, and those types of subjects. If they visit that, they'll definitely be able to find all the links to the resources I mentioned.
MP: Fantastic. Along with a passion for privacy and compliance, you have another interesting interest, which is filmmaking. I could be stepping out of turns here but Rafael, were you a theater kid growing up? Did you participate in front of the camera before you took an act into filmmaking?
RM: I had a couple little dalliances with that prior to one film that I made a last a few years ago. My father was close with an actor many years ago. His name was Michael Landon, and so I ended up being a child actor for a very, very brief time on Little House on the Prairie. After that, some years later when I learned about all of this adoption, I discovered that my biological parents were entertainers. The only problem was with that was my grandmother never received an obituary, and so I felt very strongly that she should have some type of honor or memorial. So my wife and I set out to make a film about her. At the time I was working for Paramount Pictures, and the VP of intellectual property there told me I had to proceed very carefully because there was so much copyrighted material, it would be difficult to make a story about our life.
RM: So he connected me with Stanford's Internet Society and I received a grant from them to do all of the legal and fair use work, which made this film possible, which I made, which was called The Little Girl with the Big Voice. It's the story of a radio star from the 1930s and '40s who kind of hit it really big and then drifted into obscurity as the years went on and kind of exactly how that happened. That was my foray into that, and I ... it was kind of fun because I got to use my knowledge of archives and records management to kind of support the film.
MP: Where could the listeners check it out?
RM: It'll be on iTunes likely this Christmas as well as YouTube, Vimeo, and probably in a hotel room somewhere.
MP: Well, fantastic. Rafael Moscatel, thank you so much for joining us today on GRC & Me.
RM: It was a pleasure, Megan. Thank you for having me.
MP: And thank you all for listening today. If you're interested in learning more about how LogicGate can operationalize your GRC and privacy program, visit our site at logicgate.com. And until next time, this is Megan Phee with GRC & Me.
Different analysis methods are better suited at each phase, with the greatest concentration of quantification tools needed during…
We sat down with Shannon Harrison, LogicGate’s Senior Director of User Experience, to learn why we’re making accessibility…
On this episode of GRC & Me, we explore business resilience and the differences between proactive, reactive, and…
Build a Centralized View of Assets, Risks & Cyber Controls
Find out how to take a proactive, connected approach to your cybersecurity risk management processes.