Doxing Execs

This month’s Wired Magazine has an interesting sidebar about preventing doxing (sometimes, doxxing), which, according to authors Laura Hudson and Anita Sarkeesian, occurs when:

[p]erpetrators publish your address or other info online, exposing you to escalating abuse, even physical violence.

Doxing is related, in a way, to Swatting, during which a caller convinces law enforcement that there is an emergency (such as a hostage situation) at the address of the victim of the hoax – thereby triggering a massive police response.

Both depend on the availability of information about the victim in the online environment.

Two well-known doxing attacks – the Sony hack of late last year and the Ashley Madison attack – make it clear that this is a serious problem. As The Atlantic puts it, “[w]elcome to the age of organizational doxxing.” Other, lesser-known attacks show that the problem is increasing against celebrities and executives.

Unfortunately, this is relevant to readers of this blog – employers and their lawyers – because employees will increasingly become victims of these kinds of attacks, especially if the employee is high profile or otherwise controversial.

In addition to those set out by Wired, defenses include:

  1. Excellent corporate cyber-security, including elevating human resources systems to the highest level of protection.

  2. Excellent personal cyber-security, including using two-factor authentication on every service – and not using those that do not have it.

  3. Excellent privacy policies in HR, to ensure that information is shared only according to protocol.

  4. Good address protection. Executives who may be subject to any of these kinds of attacks should sit with their lawyers to work on this problem.

  5. Use opt-out tools from data brokers. See Ken Gagne’s excellent guidance, here.

  6. Recognition that the cyber and physical security of executives – and the services provided by those departments – may extend well beyond the walls of the enterprise. Comprehensive assessing, planning and testing by all security professionals is essential. Note that some security work may end up being a taxable fringe benefit if not done properly.

What Transatlantic Employers Need to Know About EU-US Data Transfers

  • Safe Harbor 2.0 will not be so useful because Schrems held that the EU Court of Justice lacks jurisdiction to enforce uniform standards.
  • Yesterday’s European Commission communication to the European Parliament confirms that Schrems is a serious problem for US employers with EU employees.
  • A key part of managing evolving privacy standards is the data governance practice of rigorously maintaining information provenance. Model contracts are in trouble but are the best bet today.

More on each below.

Continue reading “What Transatlantic Employers Need to Know About EU-US Data Transfers”

Cybersecurity On the Road

Employees who travel, especially internationally, are subject to unique cybersecurity and privacy risks – and risk of legal trouble if they carry the wrong kinds of data.  Employers ought to develop comprehensive travel policies to protect their data.

The following is a checklist, with some explanations, of what such a policy ought to contain.

Continue reading “Cybersecurity On the Road”

CIA Hack: Lessons for the C-Suite

Republishing core lessons from an earlier federal email breach.


“Never write if you can speak; never speak if you can nod; never nod if you can wink.”

Prescient advice for the age of data theft from gilded-age politician Martin Lomasney.


Preparing to be Hacked.

Very excited to be presenting “Preparing to be Hacked” at the Independent Sector Embark 2015 Conference.

The theme of my presentation will be familiar to readers of this blog: the path to cyber resiliency is not just implementing a set of technical fixes, it is implementing sound policies — especially sound employment policies. Organizations need tech-savvy lawyers and leaders to ensure that the entire organization is equipped to handle the cyber challenges that lay ahead.  Even the best CIO cannot (and should not) do this alone: smart leadership must emanate from all members of the C-Suite.

My two main slides:

[Images: Slide 2, Slide 3]

All of my slides can also be found here.

A Fatal Blow to Transferring Employee Data from the EU to the US?

Update 10/6/2015: Schrems is decided (here). US law has structural deficiencies that prevent the US from complying with safe harbor. See paragraphs 94-5. It’s hard to see how BCRs and Model Contracts are not in trouble, too. After all, these provisions can’t protect against the NSA and other law enforcement either. (To be clear: not commenting on the wisdom, politics, pragmatics or legality of NSA programs, just this decision.)

Original post:

Employers who wish to transfer employee data from the EU should take notice of the recent opinion by the European Court of Justice’s Advocate General, Yves Bot (Schrems v the Irish Data Protection Commissioner (Case C-362/14)). It is widely regarded as setting the Court up to deal a serious, if not fatal, blow to the EU-US Safe Harbor agreement, which allows data transfer between the two despite the US’s not being deemed an “adequate” data protector by the EU.

Even if an employer does not rely on safe harbor, it is very important to pay attention to this opinion because there will be serious damage to all forms of employee-data transfer to the US.

Continue reading “A Fatal Blow to Transferring Employee Data from the EU to the US?”

An Employment Lawyer Looks at FTC v. Wyndham Worldwide

The US Court of Appeals for the Third Circuit issued its ruling in FTC v. Wyndham Worldwide Corp. in which it found that the FTC has the authority to regulate in the area of cybersecurity.

While the opinion does not specifically address the employment relationship, it has very important implications for employment lawyers.

Continue reading “An Employment Lawyer Looks at FTC v. Wyndham Worldwide”

Why the CISO Should Not Work for IT: Normalized Deviance

There is an important debate about the role of the Chief Information Security Officer (CISO), or, more precisely, about where in the organization the CISO should report. According to a Wall Street Journal piece:

High-profile data breaches have ignited debates about whom the CISO should report to. Many CIOs say corporate IT is best secured when CISOs report to them. But some consultants say that CISOs should report to CEOs to avoid conflicts of interest that could hamper cybersecurity. For others, reporting structures are less important than maintaining secure business outcomes.

In my view, for reasons of independence and given the importance of cybersecurity, the CISO function ought to report to an independent office outside of IT, or to the CEO.

To get to the heart of this, let’s first dive into the role of the CISO.

Continue reading “Why the CISO Should Not Work for IT: Normalized Deviance”