See you at Hofstra Law!

Looking forward to speaking at Hofstra Law’s Labor & Employment Law Journal’s “Spring 2016 Symposium: Technology in the Workplace.” I am joining a very impressive panel on Cyber Security and Electronic Employment Records. I will talk about the need for employment lawyers to be active participants in cybersecurity-related discussions, and share some thoughts on how to do so.

The program is Friday, April 15, 2016, 9 a.m. to 3 p.m. Details follow.

Continue reading “See you at Hofstra Law!”

A short note on ransomware.

News of a new OS X ransomware has brought ransomware to the forefront.  Indeed, TrendMicro thinks ransomware attacks are one of the biggest threats this year.  Why?  Despite increasing sophistication in prevention, according to Security Magazine, “greater numbers of inexperienced cybercriminals will leverage ransomware-as-a-service offerings which could further accelerate the growth of ransomware.”

And one way these criminals will attack your enterprise is through your employees.

Continue reading “A short note on ransomware.”

Easier than Stealing a Base: Lessons From the MLB Hack

A Computer Fraud and Abuse Act case involving the Houston Astros and St. Louis Cardinals provides some key lessons for employers and their lawyers about cybersecurity.  While this case is getting press because it involves Major League Baseball, nothing in this matter is surprising and everything was avoidable.


Continue reading “Easier than Stealing a Base: Lessons From the MLB Hack”

Doxing Execs

This month’s Wired Magazine has an interesting sidebar about preventing doxing (sometimes, doxxing), which, according to authors Laura Hudson and Anita Sarkeesian, occurs when:

[p]erpetrators publish your address or other info online, exposing you to escalating abuse, even physical violence.

Doxing is related, in a way, to Swatting, during which a caller convinces law enforcement that there is an emergency (such as a hostage situation) at the address of the victim of the hoax – thereby triggering a massive police response.

Both depend on the availability of information about the victim in the online environment.

Two well-known doxing attacks, the Sony hack of late last year and the Ashley Madison attack, make it clear that this is a serious problem. As The Atlantic puts it, “[w]elcome to the age of organizational doxxing.” Other, lesser-known attacks show that the problem is growing for celebrities and executives.

Unfortunately, this is relevant to readers of this blog, employers and their lawyers, because employees will increasingly become victims of these kinds of attacks, especially if the employee is high-profile or otherwise controversial.

In addition to those set out by Wired, defenses include:

  1. Excellent corporate cyber-security, including elevating human resources systems to the highest level of protection.
  2. Excellent personal cyber-security, including using two-factor authentication on every service, and not using services that do not offer it.
  3. Excellent privacy policies in HR, to ensure that information is shared only according to protocol.
  4. Good address protection. Executives who may be subject to any of these kinds of attacks should sit with their lawyers to work on this problem.
  5. Use of opt-out tools from data brokers. See Ken Gagne’s excellent guidance, here.
  6. Recognition that the cyber and physical security of executives, and the services provided by those departments, may extend well beyond the walls of the enterprise. Comprehensive assessing, planning and testing by all security professionals is essential. Note that some security work may end up being a taxable fringe benefit if not done properly.

Cybersecurity On the Road

Employees who travel, especially internationally, are subject to unique cybersecurity and privacy risks – and risk of legal trouble if they carry the wrong kinds of data.  Employers ought to develop comprehensive travel policies to protect their data.

The following is a checklist, with some explanations, of what such a policy ought to contain.

Continue reading “Cybersecurity On the Road”

Preparing to be Hacked.

Very excited to be presenting “Preparing to be Hacked” at the Independent Sector Embark 2015 Conference.

The theme of my presentation will be familiar to readers of this blog: the path to cyber resiliency is not just implementing a set of technical fixes, it is implementing sound policies, especially sound employment policies. Organizations need tech-savvy lawyers and leaders to ensure that the entire organization is equipped to handle the cyber challenges that lie ahead. Even the best CIO cannot (and should not) do this alone: smart leadership must emanate from all members of the C-Suite.

My two main slides are Slide2 and Slide3; all of my slides can also be found here.

An Employment Lawyer Looks at FTC v. Wyndham Worldwide

The US Court of Appeals for the Third Circuit issued its ruling in FTC v. Wyndham Worldwide Corp., holding that the FTC has the authority, under the unfairness prong of Section 5 of the FTC Act, to regulate companies’ cybersecurity practices.

While the opinion does not specifically address the employment relationship, it has very important implications for employment lawyers.

Continue reading “An Employment Lawyer Looks at FTC v. Wyndham Worldwide”

Why the CISO Should Not Work for IT: Normalized Deviance

There is an important debate about the role of the Chief Information Security Officer (CISO), or, more precisely, about where in the organization the CISO should report.   According to a Wall Street Journal piece:

High-profile data breaches have ignited debates about whom the CISO should report to. Many CIOs say corporate IT is best secured when CISOs report to them. But some consultants say that CISOs should report to CEOs to avoid conflicts of interest that could hamper cybersecurity. For others, reporting structures are less important than maintaining secure business outcomes.

In my view, for reasons of independence and given the importance of cybersecurity, the CISO function ought to report to an independent office outside of IT, or to the CEO.

To get to the heart of this, let’s first dive into the role of the CISO.

Continue reading “Why the CISO Should Not Work for IT: Normalized Deviance”

FTC: Employment Law #Gamechanger?

The Federal Trade Commission is deeply involved in the intersection of emerging technology and the employer-employee relationship.  Two such areas merit a closer look: social media endorsements and cybersecurity.  (I have previously written about the FTC on the subjects of big data and IoT in the workplace).

Continue reading “FTC: Employment Law #Gamechanger?”