How to Build a Privacy and Cyber Security Program (Nonprofit Edition)


While many in the nonprofit community believe that a privacy and cybersecurity program is beyond their means, the fact is there are many ways to tackle this problem—many of which are low or no cost—and most of which are low-tech. And the cost of doing nothing is very high. In the highly competitive world of nonprofit reputation management, the consequences of a breach can be absolutely devastating.

I enjoyed presenting on this subject to a lively and engaged crowd at the NTEN Nonprofit Technology Conference with my colleague Raf Portnoy.

  • Session details here
  • Slides here
  • Participant’s notes from our presentation are here.

Privacy + Security Forum

Update (10/29/16): Here is the slide deck Bret and I presented.

I am pleased to be speaking at the Privacy + Security Forum this week.  The agenda is packed with great topics — and it is clear that the employment relationship will be discussed throughout.  At the same time, only two sessions deal exclusively with the employment relationship:  one discussing pre- and post-employment background checks (Combating the Insider Threat:  Background Screening and Monitoring) and the one I am leading, Privacy and Security in the Employment Relationship.  This tells me that the centrality of the employment relationship to the security and privacy realm is not yet fully understood by practitioners.

I am grateful to Professor Solove for the opportunity to share my views on the topic – and I look forward to being joined by my co-presenter, Bret Cohen at Hogan and Lovells!

The EU GDPR for US Employers: Practice Tips

The new EU GDPR will be a game changer for a number of multinational employers.  Here are a few practice pointers for US-based enterprises with European HR data:


“Live Blog”: Data Breach War Room / Breach Preparation

As mentioned, I am a panelist at today’s “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.  I will be “live blogging” the key lessons from today’s workshop.  My co-panelists, Meg Strickler, Jon Neiditz and Mark Mermelstein, will have the chance to review this content, but until they do, I am solely responsible for its content.   Here goes:


Data Breach War Room / Breach Preparation

Excited to be joining a distinguished group of lawyers to present a highly-interactive workshop called “Data Breach War Room / Breach Preparation” at iTechLaw’s 2016 World Technology Conference in Miami.

As readers of this blog know, I often write about planning for a breach. One key element of planning is practice: testing your plan.  You can test a plan in different ways, including under the real pressure of an actual incident (a bad idea), through a table-top exercise, and through routine scenario-testing hypotheticals.  Real-world testing is bad for obvious reasons: you may find yourself without a workable plan at all.  Table-top exercises involve a formal, sit-down walk-through* where your plans are pressure-tested against an evolving (fictitious) scenario.  In the best case, all of the “actual” players are there and the scenario is spun by an outsider with little connection to the politics of the organization. Routine scenario testing involves building a cultural norm of asking “what if” questions — and answering them within the framework of your plan.

Regardless of how your plan is tested, it is essential that your plan have a feedback mechanism to receive, record and consider the honest results of the test.


*- I say “walk-through” because it is essential that folks not only drill on the plan, but that they know the physical spaces they are using to execute the plan.  Perhaps your “war room” needs to have a non-VOIP phone.  …or be larger…or be closer to the CEO’s office…or closer to a bathroom.  It is often quite interesting to see what comes to light when you actually move through the spaces you plan to use!

Building a Privacy Program, Part 2

Earlier this month, I wrote Building a Privacy Program; today I appeared in Epstein Becker Green’s Employment Law This Week to discuss the topic:


The full video can be found here (and the Tip of the Week starts here).


Building a Privacy Compliance Program

I take the (perhaps uncontroversial) view that privacy and security are intertwined.  While easier said than done, here are some steps for establishing a privacy compliance program.


NLRB’S Roadmap for Tech & Comms

The NLRB has banned employer rules that “unqualifiedly prohibit all workplace recording.”  This opinion explicitly makes the NLRB’s position on workplace recordings consistent with its hostility to policies that purport to limit employees’ use of social media (something I suggested in 2014 would happen).


Doxing Execs

This month’s Wired Magazine has an interesting sidebar about preventing doxing (sometimes, doxxing), which, according to authors Laura Hudson and Anita Sarkeesian, occurs when:

[p]erpetrators publish your address or other info online, exposing you to escalating abuse, even physical violence.

Doxing is related, in a way, to Swatting, during which a caller convinces law enforcement that there is an emergency (such as a hostage situation) at the address of the victim of the hoax – thereby triggering a massive police response.

Both depend on the availability of information about the victim in the online environment.

Two well-known doxing attacks – the Sony hack of late last year and the Ashley Madison attack – make it clear that this is a serious problem.  As The Atlantic puts it, “[w]elcome to the age of organizational doxxing.” Other, lesser-known attacks show that the problem is increasing against celebrities and executives.

Unfortunately, this is relevant to readers of this blog – employers and their lawyers — because employees will increasingly become victims of these kinds of attacks, especially if the employee is high profile or otherwise controversial.

In addition to those set out by Wired, defenses include:

  1. Excellent corporate cyber-security, including elevating human resources systems to the highest level of protection.
  2. Excellent personal cyber-security, including using two-factor authentication on every service – and not using those that do not have it.
  3. Excellent privacy policies in HR, to ensure that information is shared only according to protocol.
  4. Good address protection. Executives who may be subject to any of these kinds of attacks should sit with their lawyers to work on this problem.
  5. Use opt-out tools from data brokers. See Ken Gagne’s excellent guidance, here.
  6. Recognition that the cyber and physical security of executives – and the services provided by those departments – may extend well beyond the walls of the enterprise. Comprehensive assessing, planning and testing by all security professionals is essential.  Note that some security work may end up being a taxable fringe benefit if not done properly.