The payroll office – which combines the most sensitive employee information and the ability to cause money transfers – is where the “rubber hits the road” for both cyber security and its close cousin, privacy. Managing security and privacy risk – and interfacing with information security experts – is (and should be) increasingly part of the payroll professional’s job duties. In short: payroll professionals should be a part of the cybersecurity planning process.
Here is the presentation that I recently presented at the annual meeting of the NY Metro Area chapter of the American Payroll Association.
The new Defend Trade Secrets Act (DTSA) is designed to create a federal standard for trade secret protection – and includes remedies that permit federal judicial seizure of stolen trade secrets. DTSA fills an important gap in the statutory framework that employers have available to them to retrieve trade secrets stolen by departing employees, such as the CFAA (.pdf), the Economic Espionage Act and the patchwork of state trade secret laws (.pdf).
Here is what employment lawyers need to know and do now:
Continue reading “The New Defend Trade Secrets Act (DTSA): An Employer’s Guide”
As mentioned, I am a panelist at today’s “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami. I will be “live blogging” the key lessons from today’s workshop. My co-panelists, Meg Strickler, Jon Neiditz and Mark Mermelstein, will have the chance to review this content, but until they do, I am solely responsible for its content. Here goes:
Continue reading ““Live Blog”: Data Breach War Room / Breach Preparation”
Uniquely exposed and privy to the most sensitive information, executives should be a key focus of technologically-savvy employment lawyers. They are at risk on the road, targeted by adversaries at home, subject to the most vile forms of retaliation, are the victims of concerted spear-phishing and are required to act as if their emails are, in fact, public.
The world of managing cyber risk demands nothing less than a sharp focus on execs, including recognizing that every denizen of the c-suite should be carefully subject to the principle of least privilege and that executive agreements require careful drafting to include technology and data both during work and after termination. Here are a number of pieces on the subject, with many more to follow.
Attacks against employees (and by extension, against your company) can extend to their homes (see here on doxing and swatting executives).
One concern is home Wi-Fi systems – which can present an open threat vector when an employee links corporate assets to it. Some thoughts on ensuring that home networks do not become a major cyber threat:
Continue reading “Home Networks & the Corporate Computing Environment”
This month’s Wired Magazine has an interesting sidebar about preventing doxing (sometimes, doxxing), which, acccording to authors Laura Hudson and Anita Sarkeesiana,occurs when:
[p]erpetrators publish your address or other info online, exposing you to escalating abuse, even physical violence.
Doxing is related, in a way, to Swatting, during which a caller convinces law enforcement that there is an emergency (such as a hostage situation) at the address of the victim of the hoax – thereby triggering a massive police response.
Both depend on the availability of information about the victim in the online environment.
Two well-known doxing attacks – the Sony hack of late last year and the Ashley Madison attack – make it clear that this is a serious problem. As The Atlantic puts it, ‘[w]elcome to the age of organizational doxxing.” Other, lesser known attacks, show that the problem is increasing against celebrities and executives.
Unfortunately, this is relevant to readers of this blog – employers and their lawyers — because employees will increasingly become victims of these kinds of attacks, especially if the employee is high profile or otherwise controversial.
In addition to those set out by Wired, defenses include:
- Excellent corporate cyber-security, including elevating human resources systems to the highest level of protection.
- Excellent personal cyber-security, including using two-factor authentication on every service – and not using those that do not have it.
- Excellent privacy policies in HR, to ensure that information is shared only according to protocol
- Good address protection. Executives who may be subject to any of these kinds of should sit with their lawyers to work on this problem.
- Use opt-out tools from data brokers. See Ken Gagne’s excellent guidance, here.
- Recognition that the cyber and physical security of executives – and the services provided by those departments – may extend well beyond the walls of the enterprise. Comprehensive assessing, planning and testing by all security professionals is essential. Note that some security work may end up being a taxable fringe benefit if not done properly.
Employees who travel, especially internationally, are subject to unique cybersecurity and privacy risks – and risk of legal trouble if they carry the wrong kinds of data. Employers ought to develop comprehensive travel policies to protect their data.
The following is a checklist, with some explanations, of what such a policy ought to contain.
Continue reading “Cybersecurity On the Road”