Essential Technology Contract Elements

Managing a company’s technology contracts is more difficult than ever, with agreements now governing thousands of corporate tasks completed using hundreds of device types. Complicating the picture, provisions from traditional IT product licenses cannot be shoehorned into the service contracts needed for cloud computing. This checklist, derived from our in-depth articles on the subject, offers a convenient summary of some of the latest tech contract terms. It is intended to help companies navigate negotiations and contract renewals as they scramble to access the latest tech products and services. See “Negotiating Reps, Warranties and Remedies in Technology Contracts” (May 19, 2021).

Post-Pandemic Workplace Vaccines and Testing Policy Checklist

As companies plan to welcome employees back to the physical workplace, uncertainty surrounds what employers can ask employees, how the information should be handled internally, how to manage access to information and whether the information can be disclosed externally. This checklist, derived from our in-depth article series, is designed to help employers take an approach that balances equal employment, safety and privacy concerns. See also our three-part series on how to facilitate a safe and privacy compliant return to work: “Laws and Guidance” (May 13, 2020); “Policies and Protocols” (May 20, 2020); “Contact Tracing” (May 27, 2020).

Checklist for IoT Security Audits

Though still in their infancy, IoT security audits can be a useful tool in managing the security challenges that may arise from the use of unmanaged connected devices such as printers, security cameras, conference room tablets and remote property sensors. These devices, rife with risk, now comprise 30 percent of businesses’ network endpoints. This checklist, which stems from our in-depth article on how to address enterprise IoT risks, can serve as a guide when conducting an IoT audit. See “How to Address Intensifying Enterprise IoT Security Risks” (Oct. 14, 2020).

Action Steps to Respond to Ransomware Attacks

Businesses are facing a surge of ransomware attacks during the COVID-19 pandemic as cybercriminals exploit employee distraction and the increased attack surface created by widespread remote working. Even before the pandemic, ransomware was transforming into a double-damage attack, as several criminal groups began adding theft of sensitive data to the crippling of computer systems. Maze-style attacks, named after the pioneering Maze Group gang, also often include threats to publicize the hack. This checklist offers direction for companies to prepare for and respond to these complicated cyberattacks and includes considerations for developing a ransomware plan and a corporate ransomware payment policy, as well as ten immediate communication steps to take after an attack. See also “Managing Ransomware’s Mutation Into a Public Data Breach” (May 6, 2020).

Privacy Compliant Return-to-Work Checklist

Our return-to-work checklist is designed to help balance health and safety concerns with privacy and other legal considerations, which can be overwhelming when implementing plans to get employees back into a physical workplace. See our three-part series on how to facilitate a safe and privacy compliant return to work: “Laws and Guidance” (May 13, 2020); “Policies and Protocols” (May 20, 2020); “Contact Tracing” (May 27, 2020).

Eleven Key Components of an Effective Privacy Program

This article lists 11 essential elements companies should include in their privacy programs – and tailor to their risks and needs – and provides references to Cybersecurity Law Report content that contains more in-depth tips and operational advice on how to develop and implement these components. See also “How GoDaddy Built an Effective Privacy Program” (Nov. 7, 2018).

30 Creative Ideas for Compliance Messaging

Communicating compliance messages to the right people in the right format outside of formal training sessions is a perennial challenge. Using concepts from behavioral science, along with creativity and a sense of fun, the compliance professionals we have spoken with have come up with some surprising ways of getting their compliance messages across. Here we have compiled 30 real-life examples from over a dozen multinational companies to use as a jumping-off point for companies looking to take a fresh approach to their compliance messaging. See “How the World’s Most Ethical Companies Are Aligning Corporate Culture and Strategy” (May 15, 2019).

Dos and Don’ts of Choosing a Cyber Insurance Broker and Navigating the Application Process

Cyber liability insurance should be part of a company’s plan to combat the inevitable damage and business loss caused by a cyber attack. Complex insurance decisions require expertise and know-how, and to make it through the maze of cyber liability insurance options, many companies opt to work with qualified cyber liability insurance brokers. This guide outlines some dos and don’ts when selecting a broker and navigating the application process. See our three-part series on using cyber insurance to mitigate risk: “From Assessing the Need to Managing Existing Policies” (Oct. 3, 2018); “Getting Savvy About Cost and Policy Terms” (Oct. 10, 2018); and “Policy Management and Breach Response” (Oct. 17, 2018). See also “Guidelines for Securing Effective Cyber Insurance Policy Terms” (Apr. 17, 2019).

Guidelines for Securing Effective Cyber Insurance Policy Terms

With no end in sight to high-profile cyber attacks, more companies are taking out insurance against an incident. While insurance does not mitigate all of an organization’s cyber risk, it is one way to manage it. This guide outlines steps and considerations for securing the right policy terms and amount of coverage, and receiving the optimal payment and services from the insurance company after an incident. See our three-part series on using cyber insurance to mitigate risk: “From Assessing the Need to Managing Existing Policies” (Oct. 3, 2018); “Getting Savvy About Cost and Policy Terms” (Oct. 10, 2018); and “Policy Management and Breach Response” (Oct. 17, 2018).

A Quick-Start Guide to Creating a Compliance Champion Program

Many companies do not have the budget to station a dedicated compliance professional at every company outpost around the globe, but having no compliance presence at all can make it more difficult to engage local employees and spread the company’s compliance message. Selecting well-respected local employees to serve as part-time compliance liaisons – often called “compliance champions” – in addition to their regular jobs is one creative way to address this common resource issue. To help companies that are considering this approach, we have put together a quick-start guide to selecting, training and utilizing local employees as champions of the compliance program. See also “How to Make the Most of Limited Compliance Resources” (Jan. 31, 2018).

Essential M&A Cybersecurity Due Diligence Questions

Pre-acquisition cybersecurity due diligence is critical to determine whether the deal is worthwhile, what price or term adjustments may be needed and what future remediation should be anticipated. The Cybersecurity Law Report distills expert advice into this list of must-ask due diligence questions. See “The Arc of the Deal: Tips for Cybersecurity Due Diligence Advisors in Mergers & Acquisitions From Beginning to End” (Jun. 28, 2017); and “Cybersecurity Due Diligence in M&A Is No Longer Optional” (Aug. 24, 2016).

Ten Steps for Effective Crisis Communications

Following a cyber incident, companies face substantial reputational and financial harm, and poorly handled communication can magnify the problem. Controlling the message is essential not just for preserving the brand’s reputation, but also for properly handling the investigation, meeting regulatory obligations and responding to the breach as effectively as possible. The Cybersecurity Law Report has distilled valuable advice into ten specific actions to ensure effective communication. See also “Cyber Crisis Communication Plans: What Works and What to Avoid (Part One of Two)” (Jun. 14, 2017); Part Two (Jun. 28, 2017).

A Roadmap to Preparing for and Managing a Cyber Investigation

A successful cyber investigation starts before an incident occurs, with the creation of an effective incident response plan and the fostering of strong relationships between legal and information security teams, setting the foundation for tackling the challenges that arise once an investigation has begun. In this guide, we provide a roadmap to help companies take a successful approach to preparing for and managing a cyber investigation. See “Managing Cyber Investigations: A CISO and In-House Counsel Discuss Best Practices for Real-Life Scenarios” (Jun. 20, 2018) and “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

Fifteen Tips for an Effective Cybersecurity Board Presentation

Boards are becoming more engaged with cybersecurity issues as the risks have become more visible and the potential for director liability has risen. Directors want to be informed and are asking more detailed questions. For those providing the answers, an effective presentation is critical to obtain buy-in and budget in line with the company’s risk profile and tolerance. In addition, board presentations can be an opportunity to present cybersecurity efforts not as simply costing money, but also as creating business advantages. The Cybersecurity Law Report has compiled the following list to help with this task. See also “A CSO/GC Advises on How and When to Present Cybersecurity to the Board” (Feb. 22, 2017); and “How to Handle Rising Expectations for Board Cyber Education and Involvement” (Mar. 14, 2018).

Twenty Steps Toward Achieving an Effective Social Media Policy

Social media use is pervasive throughout the workplace for marketing and communication purposes, and given the complex security and privacy concerns it presents, crafting, enforcing and maintaining an effective policy is both challenging and important. The Cybersecurity Law Report has compiled a list of 20 considerations for an effective and up-to-date social media policy, whether a company is starting from scratch or looking to enhance its extant policy. See also “Crafting a Multinational Employer Social Media Policy After Cambridge Analytica” (May 16, 2018); “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017); and “Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media” (Apr. 5, 2017).

Checklist Approach to Effective Third-Party Vendor Oversight

Firms rely heavily on third-party vendors in their day-to-day operations, but these vendors can introduce significant risks. To mitigate that risk, companies should systematically and thoroughly oversee each relationship. Once a third-party contract is established, companies should assess the vendor relationship for ongoing risk and develop procedures to address issues and risks as they are identified. This guide details risk-assessment considerations and steps to address and mitigate ongoing risk and compliance issues. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).