Large-Scale Data Breaches and Executives

Executives are highly targeted for social engineering and other efforts to gain access to their information.   Whether the data is from the recent-Yahoo breach (or any other breach), there is an active market for information, including information from your employees and executives.   This information can be used to access accounts, build a spear-phishing profile, gather intelligence on execs or simply embarass them.  Some thoughts:

Continue reading

The EU GDPR for US Employers: Practice Tips

The new EU GDPR will be a game changer for a number of multinational employers.  Here are a few practice pointers for US-based enterprises with European HR data:

Continue reading

‘Unpacking the Complexities’ of Algorithmic Bias

I’ve argued in detail in this blog (here and here) that management-side employment lawyers must get deep under the hood of expert systems designed to perform evaluative functions on candidates and employees (such as expert HR systems).  At each step of development — arguably from the earliest design phase — lawyers must be equipped to understand the potential bias that might creep into algorithmic decision-making and help design systems that are as bias-free as possible.

Here are two important articles for readers on the subject (and why they are relevant):

Continue reading

Attacks Against Verification-Code-to-Cell Two-Factor Authentication

This blog has advocated for the use of two-factor authentication.  Recently, however, it was revealed that several high profile social media accounts were hacked, despite using two factor authentication.

What happened?

Update: See Wired’s new piece on the subject: So Hey You Should Stop Using Texts for     Two-Factor Authentication

Update:  See Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner at Paragraph 72, arguing that multiple iterations of the same factor is not multi-factor.

Continue reading

The New Defend Trade Secrets Act (DTSA): An Employer’s Guide

The new Defend Trade Secrets Act (DTSA)  is designed to create a federal standard for trade secret protection – and includes remedies that permit federal judicial seizure of stolen trade secrets.  DTSA fills an important gap in the statutory framework that employers have available to them to retrieve trade secrets stolen by departing employees, such as the  CFAA (.pdf), the Economic Espionage Act and the patchwork of state trade secret laws (.pdf).

Here is what employment lawyers need to know and do now:

Continue reading

“Live Blog”: Data Breach War Room / Breach Preparation

As mentioned, I am a panelist at today’s “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.  I will be “live blogging” the key lessons from today’s workshop.  My co-panelists, Meg Strickler, Jon Neiditz and Mark Mermelstein, will have the chance to review this content, but until they do, I am solely responsible for its content.   Here goes:

Continue reading

Data Breach War Room / Breach Preparation

Excited to be joining a distinguished group of lawyers to present a highly-interactive workshop called “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.

As readers of this blog know, I often write about planning for a breach. One key element of planning is practice: testing your plan.  You can test a plan in different ways, including under the real pressure of an actual incident (a bad idea), through a table-top exercise and by the use of routine scenario testing hypothetical.  Real world testing is bad for obvious reasons: you may find yourself without a workable plan at all.  Table-top exercises involve a formal, sit-down and walk-through*  where your plans are pressure-tested against an evolving (fictitious) scenario.  In the best case, all of the “actual” players are there and the scenario is spun by an outsider with little connection to the politics of the organization. Routine scenario testing involves building a cultural norm of asking “what if” questions — and answering them within the framework of your plan.

Regardless of how your plan is tested, it is essential that your plan have a feedback mechanism to receive, record and consider the honest results of the test.

 

*- I say “walk-through” because it is essential that folks not only drill on the plan, but that they know the physical spaces they are using to execute the plan.  Perhaps your “war room” needs to have a non-VOIP phone.  …or be larger…or be closer to the CEO’s office…or closer to a bathroom.  It is often quite interesting to see what comes to light when you actually move through the spaces you plan to use!