Search Results

  • Microsoft's Uncovering Hidden Risks - Episode 8 Features Randolph Kahn

    Listen to Randy Kahn, Erica Toelle, Senior Product Marketing Manager on the Microsoft Purview product team, and Natalie Noonan, Microsoft’s information governance expert, discuss information governance and industry trends that they are seeing in the space. Three Steps to Master Information Governance in Your Organization Check it out! #infogov #informationgovernance #recordsmanagement #microsoftpurview #microsoft #microsoft365

  • Insider Risk: Data Theft and Data Breach

    The risk of insiders stealing data or causing privacy breaches is a growing concern for many companies. Insider threats can come from current or former employees, contractors, or anyone accessing a company's systems and data. These threats can be intentional or unintentional and have significant consequences for the company, its customers, and its stakeholders. In this blog post, we'll explore some real-world examples of insider threats, the costs of these threats, and steps companies can take to mitigate the risk.

    Shocking Statistics

    Insider threats are rising, and companies must take them seriously. According to a study by IBM, human error is the main cause of 95% of cybersecurity breaches. Tenfold Security reports that 72% of departing employees admit to stealing company data, and 1 in 5 employees admit to using external cloud apps to share sensitive corporate. Insider threats can have significant costs for companies. According to the Ponemon Institute, the average cost of an insider threat is $11.45 million per incident. These costs include direct costs like investigation, remediation, and legal fees, as well as indirect costs like loss of productivity, reputational damage, and regulatory fines.

    Not All Are Intentional

    While some insider threats are intentional, such as a malicious employee who steals data or destroys systems, not all are intentional. For example, employees may inadvertently put company data at risk by falling prey to phishing or email compromise scams. Phishing is a fraudulent attempt to obtain sensitive information such as login credentials or financial data by disguising oneself as a trustworthy entity in an electronic communication. This attack often uses email as a delivery mechanism and can trick employees into disclosing their login credentials to an attacker. Similarly, email compromise involves an attacker sending a convincing email impersonating an executive or vendor and requesting the recipient to make a payment or share sensitive information. These insider threats are not always intentional but can have significant consequences for an organization, including data breaches, financial losses, and reputational damage. An IBM report (below chart) indicates that phishing attempts are costly and high in frequency. This data only reinforces why organizations need to implement adequate security awareness training programs to educate their employees about the risks of insider threats and how to avoid falling victim to them.

    Mitigate Risk

    In addition to the financial costs, insider threats can damage a company's reputation and erode customer trust. Companies need to take proactive steps to mitigate the risk. Here are five actions companies can take to reduce the risk of insider threats:

    1. Implement access controls: Companies should limit access to sensitive data and systems to only those who need it to do their jobs. This can include using role-based access controls, two-factor authentication, and monitoring user activity.
    2. Educate employees: Companies should provide regular training on security best practices and the risks of insider threats. This can help employees understand their role in protecting the company's data and systems. Such programs should educate employees on the potential consequences of mishandling sensitive information, highlight the importance of cybersecurity policies and procedures, and teach employees how to detect and report any suspicious activity. Training can also inform employees of the actions to identify exposure so they know you are watching them if they misbehave.
    3. Monitor user activity: Companies should monitor user activity for unusual or suspicious behavior. This can include monitoring network traffic, user logins, and file access.
    4. Conduct background checks: Companies should conduct thorough background checks on employees and contractors before granting them access to sensitive data or systems.
    5. Implement a data loss prevention (DLP) solution: DLP solutions can help companies identify and prevent data exfiltration by insiders. These solutions can monitor data flows and block unauthorized transfers of sensitive data.

    Conclusion

    Insider threats are a real and growing risk for companies, particularly in the age of remote work and virtual teams. Companies must take proactive steps to mitigate this risk, including implementing access controls, educating employees, monitoring user activity, conducting background checks, and using DLP solutions. By following the recommendations outlined above, companies can significantly reduce the likelihood of an insider threat causing a data breach, ultimately saving the company from potentially significant financial and reputational damage.

  • Don’t Forget About Drones in Your Information Governance Programs

    The use of drones has witnessed a significant surge in recent years, and their use is not limited to military and recreational purposes anymore. Many businesses are now using drones to improve their operations and offer better services to their customers. The implementation of drones in business operations brings along potential data management and legal hurdles that organizations need to consider. Drones collect a vast amount of data, including images, videos, and other sensory data. This data is typically stored, analyzed, shared, or even sold in some situations. Managing this data can be challenging and expensive, as it requires advanced data management tools and can become a storage hog. Often the tools and data are not under management by information governance programs such as privacy and records management. Often when conducting inventories and assessments for information governance programs, the departments that are taking advantage of drones to improve business activities can be overlooked because it is a new type of data being generated. Today, drones are used to monitor inventory levels in warehouses, saving time and reducing the risk of injury to employees who would otherwise need to climb ladders to check inventory levels. Drones are used to perform inspections of solar panel installations, reducing the time and cost of manual inspections and improving safety. Companies are using drones to inspect their own facilities and infrastructure, such as power lines and wind turbines. Unless your company has a centralized process to acquire, inventory, and manage drones, it can be challenging to identify what departments may be using drones and what data they may be collecting. Traditional data generated by these business activities has been part of IG programs for decades, but the new images and videos generated by drones are routinely overlooked.
Privacy concerns have also been raised in relation to the use of drones, particularly when they are equipped with cameras or other sensors. Drones may collect sensitive information about individuals, such as their location, activities, and behavior. This data needs to be protected from unauthorized access and use, and businesses need to comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The data collected also needs to have a predictable end of life. Moreover, the data collected by drones may also be subject to litigation, as it can be used as evidence in legal proceedings. Businesses need to ensure that they have proper policies and procedures in place to manage the data from a legal perspective. As companies mature their Information Governance programs, such as Privacy, Security, and Records Management, they need to think about the technology that is now generating information, such as drones, IoT devices, AI, etc., and ensure they unearth all the uses in the company to identify the information the technology uses, generates, receives, shares, sells, etc. The use of drones in businesses is becoming more common, and while they offer many benefits, they also come with data management and legal challenges. Businesses need to be aware of these challenges and take steps to address them. Businesses should have proper policies and procedures in place to manage the data from a legal and business perspective.

  • Complimentary Mini-Assessment

    Kahn Consulting understands the importance of staying up-to-date with the latest laws and regulations that impact your organization's information governance programs. With over 25 years in the industry, we are dedicated to helping our clients navigate the complex information landscape. We invite you to assess your IG programs with a mini-assessment designed to help you determine if your current information governance policies and directives need updating. The survey is quick and easy to complete; you can take it privately without submitting it. However, if you choose to submit your responses to our experts, we will provide you with a complimentary personalized verbal consultation on the results. We will review your responses and advise on improving your information governance program. We aim to help companies mitigate risks, protect sensitive information, and ensure compliance with applicable laws and regulations. By taking this survey and engaging with our experts, you will gain valuable insights and actionable recommendations to enhance your organization's information governance program. If you would prefer not to submit your results but would like to take advantage of the complimentary personalized verbal consultation, please book an appointment with one of our experts, and we will walk through the survey together. If you take the assessment yourself and want to learn more about Kahn's Assessment service, check out this fact sheet and/or contact our Assessment Lead at (989) 763 - 6611 or awcollison@kahnconsultinginc.com.

  • CEP Magazine: Article by Randy Kahn and Jay Cohen (Part 2)

    Data and compliance: A guide to being an information herder This is the second article in our two-part series: “Data and compliance: A guide to being an information herder.” Part 1 of the article, published in the January 2023 issue of CEP, described the dangers of information hoarding, including the legal, compliance, and business issues affecting companies lacking adequate insights about the information assets they possess and how that information is being used, managed, protected, and retained. This installment provides practical steps and a high-level roadmap to help fix the sprawl of your company’s information footprint so you can transform from a collection of information hoarders to an organization of information herders. We have divided this second installment into two parts: General advice on developing a business profile assessment (BPA) that will enable you to better manage data and compliance. Tips to address some of the specific data management issues and concerns highlighted in Part 1. How to find and end information hoarding: The BPA As we explained in Part 1, you cannot transform from information hoarding to information herding without understanding what information your company has, what obligations exist with that information, how long the information needs to be retained for legal or business reasons, and who should have access to it. Answering these questions requires a foundational understanding of what you are doing today as a business. Invariably, when we help businesses with data and compliance, we learn that management generally understands what business activities the company is engaged in but does not comprehend all initiatives, relationships, contracts, projects, and potential sources of revenue and risks across their enterprise and how this affects their information ecosystem. #infogov #informationgovernance #security #privacy #recordsmanagement Continue Reading CEP Magazine

  • Centers for Medicare and Medicaid Services (CMS) Call Recording 10 Year Requirement

    As a Third-Party Marketing Organization (TPMO) with Medicare Advantage (MA) (Part C) and Prescription Drug Benefit (Part D) programs, it is important to ensure that your company is meeting the call recording retention requirements required by the Centers for Medicare and Medicaid Services (CMS). The retention of call recordings is crucial for quality assurance and training purposes, as well as to comply with CMS regulations. CMS issued clarity on Rule 87 FR 27704 regarding the retention of marketing and communications for Part C and Part D programs. The rules were developed to address an increase in complaints regarding inappropriate marketing practices. After reviewing call recordings from various marketing entities, including individual agents and brokers, CMS discovered that 80% of the calls reviewed did not provide accurate information to make an informed choice about coverage. To ensure compliance, here are some key points that CMS has clarified around call recordings: Recorded calls between beneficiaries and plans, including TPMOs, that pertain to the sales and enrollment processes must be retained for ten years. Zoom calls and conversations through virtual platforms must also be recorded. The requirement to record went into effect on October 1, 2022, and it applies to enrollments made for a January 1, 2023, effective date and beyond. Plans are responsible for ensuring that the calls between TPMOs and beneficiaries are recorded and retained for ten years. There are no exceptions to the call recording requirement if a beneficiary refuses to be recorded. The call must be ended, and the sale cannot be completed. It is crucial for companies to update their records retention policies to ensure compliance with regulations. When doing so, it is important to review any clarifying supplemental materials that may be published, such as the FAQs related to CMS call recordings. 
This is especially important in today's technologically advanced world, where supplemental materials can provide clarity related to newer technology that may create or manage records. If you have any questions or need help updating your records retention schedule, schedule some time with one of our team consultants. This post is only informational and is not intended to be legal advice.

  • Information Governance Assessment: Mitigate Risk

    In today's digital age, managing and protecting information can be a daunting task for any organization. With the unprecedented growth of data, including new types of data generated by advanced technologies like IoT, AIoT, and Artificial Intelligence, increased customer expectations, and the ever-evolving regulatory landscape, companies must take steps to ensure that their information ecosystem is properly managed and protected. Failure to do so can result in serious consequences for the company. Source: Gartner An Information Governance (IG) risk assessment can identify potential risks associated with new types of data and ensure that traditional data is being managed in accordance with ever-changing laws and regulations. By conducting an IG assessment, organizations can identify potential gaps in their information management policies and practices and take steps to address them. An IG assessment is an inexpensive way for companies to determine if they are managing one of their most important assets – information -- in compliance with laws, regulations, and public expectations. By taking this step, organizations can demonstrate their commitment to responsible information management and protect their reputation as trustworthy business partners. At Kahn Consulting, we offer an IG assessment that can help organizations identify potential risks and take proactive steps to address them. Our experienced team of professionals will work with you to assess your current information management practices and policies, identify areas of weakness or noncompliance, and provide actionable recommendations to improve your overall IG program. Learn more about the challenges companies are facing today with managing information. Contact us if you want to chat more about this topic. #infogov #informationgovernance #recordsmanagement #records #riskassessment

  • Insurance Companies Can Deny Claims When a Company Has Inadequate Policies and Procedures

    A large number of data privacy breaches have had a significant impact on insurance premiums for cyber insurance policies. The overall trend has been increased premiums as insurance providers have had to adjust their risk assessments and pricing models to account for the growing risk of data breaches and other cyber incidents. In the early days of cyber insurance, premiums were relatively low as there were relatively few data breaches and cyber incidents. However, as the frequency and severity of cyber incidents have increased, insurance providers have had to adjust their pricing models and requirements to reflect the increased risk. In addition to the increase in premiums, insurance providers have become more selective about the risks they are willing to cover. Some providers have stopped offering coverage for certain types of cyber incidents, such as ransomware attacks, while others have increased their underwriting standards to ensure that they are only covering risks that they consider to be manageable. Insurance policies typically have terms and conditions that define the circumstances under which coverage will be provided. Failure to comply with those terms and conditions can result in a denial of coverage. Adequate policies and procedures to protect information are a common requirement. Companies need to understand their insurance policy's requirements and comply with them if they want a claim paid in the future. Companies need to carefully review and comply with the terms and conditions of their insurance policies to ensure that they are not inadvertently giving up their coverage. #infogov #informationgovernance #cyberinsurance #privacy #recordsmanagement

  • Motion Data: Company Policies Often Neglect to Address

    Do Your Company's Information Governance Policies Address Motion Data? "Motion data" is a type of sensor data that captures information about movement, position, acceleration, and other physical attributes of objects or individuals (Gartner, n.d.). This data is typically captured using a variety of sensors, such as accelerometers, gyroscopes, and magnetometers, which are commonly found in smartphones, wearable devices, and other Internet of Things (IoT) devices. This data is becoming increasingly crucial for various applications, including logistics and transportation, fitness and health tracking, sports performance analysis, security, and surveillance. By capturing and analyzing motion data, companies and organizations can gain valuable insights into how people and objects move and interact with their environment. They can use this information to improve processes, enhance user experiences, and mitigate risks. However, managing motion data can be challenging, particularly from a data retention standpoint and in e-discovery. An example of the use of motion data is in logistics and transportation. Shipping and logistics companies use motion data to track the location and movement of goods and vehicles and to optimize delivery routes and schedules. For example, a delivery company can use motion data to monitor its trucks' location and movement and adjust delivery routes based on traffic and weather conditions. Motion data is typically collected in large volumes and at high frequencies, which can lead to storage and processing challenges. In addition, motion data is often linked to other types of personal data, such as location and biometric data, which can raise privacy and security concerns. From a policy and e-discovery standpoint, motion data can be challenging to identify, analyze, collect, and produce due to its complexity and volume.
Motion data must be part of your information governance programs, such as privacy, records, information management policies, retention schedules, security policies, etc. Companies that collect, buy, share, sell, or use motion data must ensure appropriate management and procedures and carefully consider the privacy and ethical implications of using this data in different contexts. #informationgovernance #infogov #recordsmanagement

  • Kahn Consulting Has a YouTube Channel!!

    Kahn Consulting, Inc. is excited to announce the launch of our YouTube channel! Stay up to date on the latest in information governance best practices, industry news, and expert insights from our team of seasoned professionals. Subscribe to join our community of information governance enthusiasts. Head over to our channel, hit the subscribe button, and stay tuned for our upcoming content, including our new Series: The Executive’s Guide to Navigating the Information Universe. YouTube Channel #newyoutubechannel #informationgovernance #infogov #excitingnews #subscribe #staytuned #engagingcontent #infogov #kahnconsultinginc #informationgovernance #newseriesalert #passionate #weloveourfollowers #recordsmanagement #recordsretention

  • Over Retention of Information Poem

    Information flows like a stream,
    In every organization, it's a common theme,
    From emails to files, we hold it tight,
    But over retention can pose a fright.

    The risk of loss, the risk of breach,
    The risk of damage, beyond our reach,
    Sensitive data, it's all around,
    And if it's not secure, it can bring us down.

    Our customers trust us with their data,
    And it's our responsibility to be its curator,
    To ensure it's safe, to ensure it's sound,
    And in doing so, we'll stand our ground.

    But when we hold onto information too long,
    We increase the risk of things going wrong,
    From hackers to accidents, to simple mistakes,
    Our organization's reputation, it all takes.

    So let us manage our data with care,
    And let us ensure it's not just sitting there,
    But is secure, and is protected,
    For in doing so, we'll be respected.

    For the risks of over retention are too great,
    And in the end, it's our customers who we cannot betray,
    So let us delete, let us archive,
    And ensure our organization continues to thrive.

    (generated by ChatGPT)

  • Don't Be Afraid of Machine Learning, Artificial Intelligence, or Auto Classification Technology

    There are several benefits to using machine learning and artificial intelligence for records management, policy compliance, personal information identification, and eDiscovery on unstructured content. Companies have tried using this technology for over a decade and often get frustrated in the setup and implementation process and end up abandoning the technology. Technology has significantly advanced in the last few years and should be reconsidered. This blog will remind you why this technology can add value to your organization.

    1. Compliance with policies: Machine Learning and AI technology can help organizations comply with records management policies, data privacy regulations, and other legal requirements by automatically classifying records, identifying personal information, and flagging potential compliance issues.
    2. Increased efficiency: Machine learning and AI can automate many time-consuming tasks associated with records management, such as identifying and classifying records and automating the disposition of records in accordance with policy. This can result in faster and more efficient processes and reduced employee manual labor.
    3. Identify Risk: Machine Learning and AI technology can analyze large volumes of unstructured content to find risks associated with personally identifiable information, trade secrets, intellectual property, etc.
    4. Improved accuracy: ML/AI systems can process large amounts of data quickly and often more accurately than humans. This can result in higher accuracy in classifying records, finding personal information, and identifying relevant information for eDiscovery.
    5. Cost savings: By automating many of the manual tasks associated with records management, privacy management, policy management, and eDiscovery, organizations can save time and resources, leading to cost savings. It can also reduce storage footprint and associated costs by reducing data that has met its useful life.
    6. Better decision-making: ML and AI can provide organizations with insights and analytics to help them make informed decisions about their records management processes and overall compliance posture.

    Machine Learning and AI can provide significant benefits for helping organizations reduce the burden associated with complying with laws and regulations and removing some of the burdens from employees. Even though technology has advanced significantly, organizations still need knowledgeable professionals to set up, implement, and oversee these technologies to ensure that they are used in a manner that is consistent with organizational policies and legal requirements. Kahn Consulting has been working with these technologies for over a decade and has developed a methodology to help organizations through the upfront work required to get the technology humming along. If you are interested in a small pilot to demonstrate the advances in the technology and get some accurate data on some demographics (outdated date, age of data, last accessed, Personal Identifiable Information (PII), etc.) of your unstructured data, please give us a call at (989) 763 – 6611. #artificialintelligence #machinelearning #informationgovernance #compliance #moderntechnology #ediscovery #recordsmanagement #privacy #policycompliance #personalidentifiableinformation
