How to Build a Privacy and Cyber Security Program (Nonprofit Edition)


While many in the nonprofit community believe that a privacy and cybersecurity program is beyond their means, the fact is there are many ways to tackle this problem—many of which are low or no cost—and most of which are low-tech. And the cost of doing nothing is very high: in the highly competitive world of nonprofit reputation management, the consequences of a breach can be absolutely devastating.

I enjoyed presenting on this subject to a lively and engaged crowd at the NTEN Nonprofit Technology Conference with my colleague Raf Portnoy.

  • Session details here
  • Slides here 
  • Participant’s notes from our presentation are here.  

Don’t Ignore Payroll Pros

The payroll office – which combines the most sensitive employee information with the ability to initiate money transfers – is where the “rubber hits the road” for both cybersecurity and its close cousin, privacy. Managing security and privacy risk – and interfacing with information security experts – is (and should be) increasingly part of the payroll professional’s job duties. In short: payroll professionals should be part of the cybersecurity planning process.

Here is the presentation that I recently presented at the annual meeting of the NY Metro Area chapter of the American Payroll Association.

Privacy + Security Forum

Update  (10/29/16): Here is the slide deck Bret and I presented.

I am pleased to be speaking at the Privacy + Security Forum this week. The agenda is packed with great topics — and it is clear that the employment relationship will be discussed throughout. At the same time, only two sessions deal exclusively with the employment relationship: one discussing pre- and post-employment background checks (Combating the Insider Threat: Background Screening and Monitoring) and the one I am leading, Privacy and Security in the Employment Relationship. This tells me that the centrality of the employment relationship to the security and privacy realm is not yet fully understood by practitioners.

I am grateful to Professor Solove for the opportunity to share my views on the topic – and I look forward to being joined by my co-presenter, Bret Cohen at Hogan and Lovells!

Procuring IoT: Data Integrity and Security

Update (10/29/16): The Librarian of Congress has exercised his statutory authority to exempt bona fide security researchers from certain copyright requirements, including on consumer-oriented IoT products.

Update (10/26/16):  Important articles by the NY Times, Krebs on Security, Cloud Security Alliance, Wall Street Journal and Wired.

Repost of my original post below.


The Internet of Things (IoT) is undoubtedly going to play a major role in the workplace. Because an employer has a number of critical employee-related interests in securing IoT data, including protecting otherwise private employee and business information as well as protecting trade secrets, employment lawyers should be in the conversation with the technology acquisition and development teams as they develop an IoT acquisition policy. Here is how to create such a policy.


Attacks Against Verification-Code-to-Cell Two-Factor Authentication

This blog has advocated for the use of two-factor authentication. Recently, however, it was revealed that several high-profile social media accounts were hacked despite using two-factor authentication.

What happened?

Update: See Wired’s new piece on the subject: So Hey You Should Stop Using Texts for Two-Factor Authentication

Update: See the Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner at Paragraph 72, arguing that multiple iterations of the same factor are not multi-factor.


“Live Blog”: Data Breach War Room / Breach Preparation

As mentioned, I am a panelist at today’s “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami. I will be “live blogging” the key lessons from today’s workshop. My co-panelists, Meg Strickler, Jon Neiditz and Mark Mermelstein, will have the chance to review this content, but until they do, I am solely responsible for it. Here goes:


Data Breach War Room / Breach Preparation

Excited to be joining a distinguished group of lawyers to present a highly-interactive workshop called “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.

As readers of this blog know, I often write about planning for a breach. One key element of planning is practice: testing your plan. You can test a plan in different ways, including under the real pressure of an actual incident (a bad idea), through a table-top exercise, and through routine scenario-testing hypotheticals. Real-world testing is bad for obvious reasons: you may find yourself without a workable plan at all. Table-top exercises involve a formal, sit-down walk-through* where your plans are pressure-tested against an evolving (fictitious) scenario. In the best case, all of the “actual” players are there and the scenario is spun by an outsider with little connection to the politics of the organization. Routine scenario testing involves building a cultural norm of asking “what if” questions — and answering them within the framework of your plan.

Regardless of how your plan is tested, it is essential that your plan have a feedback mechanism to receive, record and consider the honest results of the test.


* I say “walk-through” because it is essential that folks not only drill on the plan, but also know the physical spaces they will use to execute it. Perhaps your “war room” needs a non-VoIP phone (so it still works if the network is down) …or needs to be larger…or closer to the CEO’s office…or closer to a bathroom. It is often quite interesting to see what comes to light when you actually move through the spaces you plan to use!

Protecting Executives

Uniquely exposed and privy to the most sensitive information, executives should be a key focus of technologically savvy employment lawyers. They are at risk on the road, targeted by adversaries at home, subject to the most vile forms of retaliation, the victims of concerted spear-phishing, and required to act as if their emails are, in fact, public.

The world of managing cyber risk demands nothing less than a sharp focus on execs, including recognizing that every denizen of the C-suite should be carefully subject to the principle of least privilege, and that executive agreements require careful drafting to cover technology and data both during employment and after termination. Here are a number of pieces on the subject, with many more to follow.

Home Networks & the Corporate Computing Environment

Attacks against employees (and by extension, against your company) can extend to their homes (see here on doxing and swatting executives).

One concern is home Wi-Fi – which can present an open threat vector when an employee connects corporate assets to it. Some thoughts on ensuring that home networks do not become a major cyber threat:
