The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: BYOD

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedure and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

    Read Full Article …
  • From Vol. 3 No.20 (Oct. 11, 2017)

    FTC Launches Stick With Security Series, Adding Detail and Guidance to Its Start With Security Guide (Part Two of Two)

    Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).  

    Read Full Article …
  • From Vol. 3 No.7 (Apr. 5, 2017)

    Effective and Compliant Employee Monitoring (Part One of Two) 

    When can companies “spy” on their employees? Monitoring data systems and employee digital activity is critical to reducing the significant cybersecurity risks that employees pose (either inadvertently or maliciously), but companies do need to make sure they comply with consent and other legal requirements when implementing surveillance programs. This first part of a two-part series on the topic addresses the role of data monitoring, effective notice, legal considerations, and specific policies regarding BYOD, termination and remote employees – including stories from the trenches. Part two will provide operational guidance on implementing effective and compliant monitoring programs, and discuss privacy concerns in different types of employee surveillance, including the contrasting rules and approaches in Europe. See also “Strategies for Preventing and Handling Cybersecurity Threats From Employees” (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Staying Cybersecure Without Mobile Device Management

    Control over employees’ devices can offer companies reassurance that they are protecting sensitive information. Many organizations, however, find they must proceed without mobile device management or enterprise mobility management due to cost or employee pushback over privacy concerns. At a recent Gartner webinar, Rob Smith, a research director at Gartner, examined factors organizations should consider as they decide whether to purchase and deploy MDM and EMM solutions. He also explained the pros and cons of other security approaches for organizations looking for alternatives. See also “Legal and Regulatory Expectations for Mobile Device Privacy and Security” Part One (Feb. 3, 2016); Part Two (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Avoiding Privacy Pitfalls While Using Social Media for Internal Investigations

    Social media can offer valuable information to companies conducting internal investigations.  However, companies must be vigilant about employees’ privacy rights as well as the laws and restrictions in place to protect those rights.  Lily Chinn, a partner at Katten Muchin Rosenman, spoke with The Cybersecurity Law Report about these privacy challenges and the proactive steps companies should take to avoid liability and complications, including how departments should coordinate and specific points that should be addressed in company policies.  See also “Examining Evolving Legal Ethics in the Age of the Cloud, Mobile Devices and Social Media (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015); Part Two, Vol. 1, No. 12 (Sep. 16, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    The Multifaceted Role of In-House Counsel in Cybersecurity 

    To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts.  A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology.  They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors.  The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group.  See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    How to Reduce Cybersecurity Risks of Bring Your Own Device Policies (Part Two of Two)

    The now-common practice of employees bringing their own devices into the office offers companies savings, but use of these devices comes with complex risks that must be addressed.  Part one of our two-part series discussed these risks and recommended BYOD policies and training to mitigate the risks.  This second article in the series explores how mobile device management programs and proper protocols for outgoing employees and lost devices can further reduce BYOD risks.  It also explains how BYOD policies can impact litigation, and even result in significant sanctions. 

    Read Full Article …
  • From Vol. 1 No.14 (Oct. 14, 2015)

    How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies (Part One of Two)

    Many companies now allow employees to use their own devices for work email and other work-related functions.  Allowing employees to “bring your own device,” or BYOD, provides companies with cost savings and employees with flexibility, but also presents serious cybersecurity challenges.  This first article in our two-part series on designing cybersecure BYOD policies discusses BYOD risks and recommends strategies to reduce these risks, including employee training.  Part two will discuss mobile device management tools and software as well as handling lost devices, outgoing employees and discovery.  See “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    Strategies for Preventing and Handling Cybersecurity Threats from Employees

    Not all data breaches stem from trained cybercriminals – in fact, many cybersecurity incidents come from the inside.  They are initiated by an employee’s inadvertent mistake or intentional act.  In this interview with The Cybersecurity Law Report, Holly Weiss, a partner in the Employment & Employee Benefits Group, and Robert Kiesel, a partner and chair of the Intellectual Property, Sourcing & Technology Group, at Schulte Roth & Zabel, discuss: the two categories of internal cybersecurity threats (inadvertent and intentional); specific ways to protect against those threats, including effective training methods and “bring your own device” policies; and the effect of relevant regulations.

    Read Full Article …