The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Employment

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Benchmarking Employee Monitoring Policies for Practical Approaches

    Keeping current with evolving multi-jurisdictional legal requirements, technological advances and best practices in the employee-monitoring realm can seem like a constant scurry. It's not long after one policy is finalized and promulgated and its attendant training developed and administered that something often happens to raise doubts. It can help to know what some competitors are doing, what their experiences have been and the reasoning behind what they do. Panelists at a recent cyberSecure conference discussed how to keep employee monitoring policies up-to-date. In this article, we cover the key takeaways from the panel, including regulatory realities, employee pushback and cultural inhibitors that prevent maximum monitoring, as well as examples of where circumventing an on-the-job virtual Big Brother is desired and doable. See also “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Creating Tomorrow’s Code, Today: Designing an Effective Mobile-First Code of Conduct

    Over the past decade, companies have had to adapt to significant legal, regulatory and cultural changes driven by corporate scandal, technological innovation and the coming of age of a new generation. In order to meet changing corporate governance standards and stay relevant and engaged with employees, front-runners in the compliance arena have put increased importance on implementing, updating and mobilizing their codes of conduct. This guest article by Michael Lane and Bianca Carbonara of Designory covers the societal changes that have spawned the need for a mobile-first code of conduct and then provides guidance on how companies can begin the effort of adapting their codes to be effectively mobile-first. See “Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)” (Feb. 3, 2016); Part Two (Feb. 17, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    New Criteria for Employee Monitoring Practices in Light of ECHR Decision

    The Grand Chamber of the European Court of Human Rights has laid out new criteria for national courts to consider when evaluating whether companies have safeguarded employees’ right to privacy. The court sided with an employee who claimed his privacy rights were violated when his messages were recorded. In light of this decision, some companies operating in the 47 member states may want to revisit their policies on monitoring communications, experts told The Cybersecurity Law Report. We analyze the implications of the decision and how it aligns with other national laws. See “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    Effective and Compliant Employee Monitoring (Part Two of Two)

    Experts agree that network monitoring is a critical proactive cybersecurity measure. But complexities arise that require cross-department coordination and deep understanding of numerous privacy limitations and other legal requirements. The second installment of this two-part series provides operational guidance on implementing monitoring programs and navigating contrasting rules in Europe, as well as issues surrounding individual monitoring, monitoring for non-security purposes, and data controlled by third parties. The first part tackled the role of data monitoring, effective notice, legal considerations, and specific policy considerations. See also “Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements” (May 25, 2016).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Effective and Compliant Employee Monitoring (Part One of Two)

    When can companies “spy” on their employees? Monitoring data systems and employee digital activity is critical to reducing the significant cybersecurity risks that employees pose (either inadvertently or maliciously), but companies do need to make sure they comply with consent and other legal requirements when implementing surveillance programs. This first part of a two-part series on the topic addresses the role of data monitoring, effective notice, legal considerations, and specific policies regarding BYOD, termination and remote employees – including stories from the trenches. Part two will provide operational guidance on implementing effective and compliant monitoring programs, and discuss privacy concerns in different types of employee surveillance, including the contrasting rules and approaches in Europe. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    What It Takes to Establish Compliant Social Media Policies for the Workplace

    More than one billion people use Facebook every day. Another 313 million use Twitter each month, and 150 million use Snapchat daily. What’s more, many – if not most – employees use social media at work, on both personal and company-owned devices, raising a host of security, liability and privacy concerns for employers. Restricting access, however, is not always easy, desirable or even legal. The legal landscape is changing as quickly as the social media technology it covers, and during a recent PLI event, Kelly Ann Bird, Gibbons’ employment and labor law director, described that landscape and offered suggestions about the protections and policies employers should promulgate in the era of Facebook that not only facilitate compliance but also keep the business in mind. See also “The Regulators’ View of Best Practices for Social Media and Mobile Apps” (Apr. 13, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Ten Cybersecurity Priorities for 2017

    Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    Managing Data Privacy Challenges While Conducting Due Diligence and Investigations in China (Part Two of Two)

    For companies doing business in China, understanding data privacy and cybersecurity legal requirements under Chinese law is critical. But once a company is familiar with these basic legal contours, more practical concerns dominate the ability to successfully conduct internal operations and external transactions. In this article, the second in a two-part series on China’s data privacy and cybersecurity laws, we share insights from practitioners working in China on how companies can manage the actual challenges of running their businesses while staying on the right side of the law. The first article in the series explained the basic structure of the data compliance regime in China, including criminal law, civil law, industry regulations and the draft Cybersecurity Law. See also “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Procedures for Hedge Fund Managers to Safeguard Trade Secrets From Rogue Employees

    In an era when high-profile data theft cases have shaken some people’s faith in the security of personal information entrusted to fund managers, it is critically important for firms to take steps to detect, prevent and address such thefts by rogue employees. This is of particular urgency for hedge fund managers now that the SEC has stepped up its focus on cybersecurity. Data security and the measures that can help safeguard trade secrets and sensitive information were the focus of a recent Hedge Fund Association panel discussion featuring participants from the law firm Gibbons, the litigation consulting firm DOAR and the hedge fund Litespeed Partners. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    Using Data Analytics to Combat Internal Cyber Threats

    Insiders with authorized access and malicious intent to misappropriate company data present significant threats to the protection of valuable information. EY senior manager Paul Alvarez and executive director Alex Perry recently spoke with The Cybersecurity Law Report about strategies and specific tools companies can use to analyze available data – such as employee behavior (including behavior on social media) and audio information – to identify and protect against these threats. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015) and “Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program” Part One (Feb. 17, 2016); Part Two (Mar. 2, 2016); and Part Three (Mar. 16, 2016).

  • From Vol. 2 No.11 (May 25, 2016)

    Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements

    The growing number of individuals working remotely, telecommuting or traveling with increasing frequency has challenged the traditional business cybersecurity model. With the advent of new technologies that support remote working arrangements, the secure, clearly defined perimeter many organizations once enjoyed has become a bit less distinct. The Cybersecurity Law Report spoke to Heather Egan Sussman, a privacy and data security partner at Ropes & Gray, about the privacy and security implications for employees working remotely, both in the U.S. and abroad, and proactive measures companies can take to ensure proper protections are in place and that they are compliant with the relevant laws. See also “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies”: Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Mitigating the Risks of Using Social Media in the Workplace

    Both employees and employers continue to expand their use of social media, presenting a myriad of risks and spawning a spate of guidance and regulations. In a recent Practising Law Institute program, Christine Lyon, a partner at Morrison & Foerster, discussed recent developments related to social media in the workplace and detailed best practices for drafting a social media policy with the enforcement landscape in mind. See also “Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations” (Dec. 9, 2015).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Three of Three)

    An effective employee cybersecurity program does not start or end with a single training session. To combat evolving threats, companies need to establish ongoing communications with employees and continuously evaluate their training program. In this final article in our three-part series on the topic, outside counsel, consultants, and in-house experts provide actionable insight and recommendations on how companies should follow up after the initial training. They also address the challenges of establishing an employee cybersecurity training program and how to handle training when dealing with third-party vendors. Part one of the series discussed tailoring policies and training to the type of company and universe of employees, and part two highlighted ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)

    Cyber threats, commonly attributed to outside malfeasance, often originate from within – employees’ negligence or lack of awareness can open the door for cyber criminals. Establishing an effective employee cybersecurity training program can go a long way in combating that threat. The process can be distilled into three phases: (1) designing the relevant policies and planning the best training approach, considering the type of company and universe of employees; (2) ensuring the necessary topics are covered effectively during the actual training sessions; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively. In this second part, outside counsel, consultants, and in-house experts provide insight on ten important topics to cover during training, as well as strategies for engaging employees and getting the message across. Part one provided advice for developing the proper program based on the company’s industry and types of employees. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 2 No.4 (Feb. 17, 2016)

    Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part One of Three)

    While cyber threats are frequently attributed to outsiders, many breaches are caused, often inadvertently, by company employees. The effective training of employees to keep data secure and respond properly to breaches is a hallmark of any cybersecurity program. The development and implementation of a good training program can be broken down into three phases: (1) designing the training policies and planning the best training approach, considering the type of company and types of employees; (2) conducting the actual training sessions and ensuring the necessary topics are covered effectively; and (3) following up after the training, including certification and evaluating the efficacy of the training. This three-part series will cover each of those phases, respectively, with insight from outside counsel, consultants, and in-house experts. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations

    Social media can offer valuable information to companies conducting internal investigations. However, companies must be vigilant about employees’ privacy rights as well as the laws and restrictions in place to protect those rights. Lily Chinn, a partner at Katten Muchin Rosenman, spoke with The Cybersecurity Law Report about these privacy challenges and the proactive steps companies should take to avoid liability and complications, including how departments should coordinate and specific points that should be addressed in company policies. See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    How to Reduce Cybersecurity Risks of Bring Your Own Device Policies (Part Two of Two)

    The now-common practice of employees bringing their own devices into the office offers companies savings, but use of these devices comes with complex risks that must be addressed. Part one of our two-part series discussed these risks and recommended BYOD policies and training to mitigate the risks. This second article in the series explores how mobile device management programs and proper protocols for outgoing employees and lost devices can further reduce BYOD risks. It also explains how BYOD policies can impact litigation, and even result in significant sanctions.

  • From Vol. 1 No.14 (Oct. 14, 2015)

    How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies (Part One of Two)

    Many companies now allow employees to use their own devices for work email and other work-related functions. Allowing employees to “bring your own device,” or BYOD, provides companies with cost savings and employees with flexibility, but also presents serious cybersecurity challenges. This first article in our two-part series on designing cybersecure BYOD policies discusses BYOD risks and recommends strategies to reduce these risks, including employee training. Part two will discuss mobile device management tools and software as well as handling lost devices, outgoing employees and discovery. See “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Can an Employee Be Liable for Inadvertently Providing Security Details to a Fraudulent Caller?

    An investment management firm’s CFO allowed a fraudulent caller to obtain security details leading to the illegitimate transfer of nearly $1.16 million from the firm’s accounts and is liable for the damages, a new claim filed in the U.K. High Court of Justice alleges. The firm says that its CFO acted negligently and in breach of his contractual, tortious and fiduciary duties in failing to protect assets in corporate bank accounts. The CFO – who believed he was providing security details to a member of the anti-fraud team of the firm’s private bank – denies these allegations, asserting that he was acting honestly, in what he reasonably and genuinely believed to be the best interests of his employer. We examine the claim, the defense, and six issues the case raises relating to cybersecurity and employees. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two of Two, Vol. 1, No. 4 (May 20, 2015).
