As of 2022, 83% of organizations have had more than one data breach, costing those organizations millions of dollars in damages. In today’s cyber-landscape, companies are no longer wondering if they will ever experience a breach but when a breach will occur.

Developing an Incident Response Plan is imperative for the moment an organization suspects it has experienced a data security breach or other security incident. One of the most important aspects of incident response is the collection and evaluation of evidence. The fact that a laptop seems to be missing, for example, is not conclusive evidence that the organization has actually suffered a data security breach. So when an organization believes it has experienced a security incident, the incident must be carefully evaluated, following a professional, disciplined approach to gathering, preserving (with a documented chain of custody), and evaluating evidence, in order to conclude whether or not a breach has occurred.

It’s often wise to ensure that all of the details of any investigation into a possible data breach are kept confidential. Keep in mind that a legal adversary, such as a class action plaintiff’s lawyer or a government regulator, may disagree with your own evaluation of the security incident and the evidence. So when an organization carries out its incident response plan, it should ensure that all investigators have signed an appropriate non-disclosure agreement and that legal counsel is engaged in the investigation. If counsel is substantially involved in directing the investigation, the investigation and its results can often be cloaked as attorney work product. This is very similar to attorney-client privilege: a form of confidentiality that is enforced in law.

Once you have carried out your incident response plan and gathered and evaluated the necessary evidence, you can determine whether a breach has actually occurred, whether notice is required, and the appropriate next steps for responding to the incident.

To learn how KirkpatrickPrice can help you with your compliance objectives, contact us today!

What is an Incident Response Plan?

An important part of the incident response when an organization thinks it might have a data security breach is the collection and evaluation of evidence. Just because a laptop computer can’t be found, for example, doesn’t necessarily mean that the organization has conclusive evidence that it has in fact suffered a data security breach for which it must give notice under different kinds of laws. Therefore, as an organization sees that it has an incident that needs to be evaluated more carefully, the organization is wise to follow a professional, disciplined approach to gathering evidence and then evaluating that evidence to conclude whether in fact a breach has occurred for which your organization needs to give notice.

An important factor to bear in mind as your organization conducts an incident response is that the legal adversary of the organization may disagree with the organization’s own evaluation of the incident and the evaluation of the evidence. For example, a legal adversary could be a class action plaintiff’s lawyer or it could be a government regulator. These adversaries, if they were able to gain access to the organization’s full investigative details, might say, “Wait, you had all of this information that shows that you had a breach and that you should’ve given notice, therefore, you’re bad and we should sue you or punish you.” On the other hand, from the point of view of the organization, the organization may actually review the same evidence and conclude, “No, there was not a breach under the law, therefore we should not have given notice.”

So, here’s the point: when an organization is conducting an incident response, it’s often wise to ensure that all the details of that investigation are maintained as confidential. Ways to maintain confidentiality would be 1) ensure that all of the investigators have signed an appropriate nondisclosure agreement and 2) your organization may be wise to actually reach out to legal counsel and have legal counsel engaged in the investigation. Oftentimes, if counsel is involved in the investigation, then counsel can cloak the investigation into something that’s known as an attorney work product. An attorney work product is very similar to an attorney-client privilege. It’s a form of confidentiality that can be enforced in law, so if an attorney is substantially involved in incident response and evidence is collected, and the organization doesn’t want the results of the investigation’s evidence to go to legal adversaries, the attorney work product doctrine will help the organization achieve that goal.

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) is a law that requires all financial institutions in the United States to safeguard their consumers’ sensitive data. GLBA’s definition of a financial institution is broad: it covers not only banks but also organizations that offer financial or investment advice, provide consumer loans (such as pawn shops), or process consumer financial information.

Regardless of the type of institution, GLBA requires financial institutions to protect the security of consumers’ personally identifiable information (PII), and those expectations are implemented through the Safeguards Rule. Each sector of the financial industry has its own regulator, such as the Office of the Comptroller of the Currency (OCC) for banks and the Federal Trade Commission (FTC) for pawn shops and other non-bank financial institutions, and each regulator publishes and enforces its own version of the rule. For example, a pawn shop would comply with the version of the Safeguards Rule published by the FTC, whereas a bank would use the version published by the OCC.

What is Included in the Safeguards Rule?

Though the versions of the Safeguards Rule vary by regulator, the rule has typically required that these five points be included in a financial institution’s security program. Note that the FTC amended its version of the rule in 2021, adding more prescriptive requirements such as a written risk assessment, encryption of customer information, and multi-factor authentication, so check the current text of the version that applies to you:

  1. Designate a Coordinator: The coordinator should be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data.
  2. Conduct a Risk Assessment: The risk assessment should identify and evaluate the risks that a breach could compromise the privacy of PII.
  3. Implement Logical Controls Based on the Risk Assessment: The controls implemented should be logical and proportional to the risks that have been identified. Controls will vary based on the type of institution, though. For example, the risks a pawn shop faces are generally much different than the risks that a bank would face.
  4. Ensure Appropriate Vendor Controls are in Place: The organizations that process data on your behalf should be carefully vetted. Do you have an appropriate contract with your vendors? Do you have an audit of your vendors? Are you aware of any security incidents or breaches that your vendors have suffered?
  5. Maintain an Ongoing Process for Reviewing and Updating Security Controls: The security program that’s in place should be constantly under review. GLBA requires that organizations are always reviewing and ensuring that they are secure and that their vendors have appropriate security for PII.

For more tips on GLBA and how it’s used to secure PII, follow @BenjaminWright on Twitter or contact us today!

In the financial industry, an important law related to privacy and data security is Gramm-Leach-Bliley. Gramm-Leach-Bliley applies to all financial institutions in the United States, which is a broadly defined concept. Financial institutions include not only banks and credit institutions, but other organizations, such as a pawn shop that provides consumer loans. It also includes organizations that process consumer financial information.

Gramm-Leach-Bliley provides four techniques that all of these financial institutions need to follow in order to secure consumer personally identifiable information. These expectations for security are generally incorporated into something that is known as the Safeguards Rule. The Safeguards Rule has been adopted by the various regulators that would apply within your part of the financial industry. For example, if you are a bank, you would look to the Office of the Comptroller of the Currency for the particular version of the Safeguards Rule that applies to you. If you are a pawn shop, you would look to the version of the Safeguards Rule that is published by the Federal Trade Commission.

Broadly speaking, the Safeguards Rule has five major points that it expects a financial institution to cover in its security program. The first point is to designate a coordinator. A coordinator would be an official within your organization who has the authority to implement and review controls and ensure that the controls are actually in place for securing data. The second point is that the financial institution needs to have a risk assessment. A risk assessment evaluates the risks that some breach of security could compromise the privacy of personally identifiable information. Based on that risk assessment, the organization needs to have, what I call, the third major point of the Safeguards Rule: logical controls that are based on the risk assessment. So, the risk assessment for a pawn shop is going to be different from the risk assessment that applies to a large bank. In each case, though, the bank and the pawn shop need to implement logical, proportional controls that respond to the risks that have been identified in the risk assessment. The fourth point in the Safeguards Rule is that the financial institution needs to ensure that it has appropriate controls with its vendors – those organizations who process data on behalf of the financial institution. The way to achieve those controls would be to have an appropriate contract with the vendor, have an audit of the vendor, have certifications from the vendor to confirm that the vendor is implementing the appropriate types of controls, and maybe reporting any security incidents or breaches that the vendor suffers. Finally, the fifth point in the Safeguards Rule is that the financial institution needs to maintain an ongoing process for reviewing and updating its security controls.

Thus, Gramm-Leach-Bliley is not a snapshot requirement. It’s not the requirement to go, “Snap! I’m looking at my security. I’ve confirmed my security is good. I’m done.” Instead, Gramm-Leach-Bliley emphasizes through the Safeguards Rule that organizations have a never-ending requirement to be reviewing their controls and ensuring that they are secure and that their vendors have appropriate security for personally identifiable information.

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

How Should I Make Legal Agreements via Electronic Communication?

Electronic communications have become an integral component of conducting business in today’s society. Agreements and contracts are formed over email, text messages, and various other collaborative platforms such as Office 365 or Google Drive. Though hard copy paper contracts still exist, digital contracts offer more accessibility, the ability to track changes, and a way to collaborate via electronic communication.

A contract, once signed, can be affected by the electronic communications that follow between an organization and its vendors or customers as time goes by. When the parties communicate by email, text message, or some other electronic mode about performance under the contract, the final terms of the agreement can be affected. For example, a communication might identify a need to modify a certain aspect of the agreement, a party might directly amend a clause of the agreement, or the parties’ interpretation of the agreement might change.

For organizations who enter into legal agreements via electronic communication, we suggest following these three key steps:

  1. Read all of the electronic communications that relate to the business contract. Electronic communications might be more legally binding than you think.
  2. Document and keep copies of all electronic communications (emails, text messages, etc.) with your vendors/customers. In the event that a legal dispute arises, you can refer back to those communications.
  3. Understand that informal electronic communications, such as texting, can be a useful tool to help tilt a contractual relationship more in favor of what you want. Over time, when you communicate with vendors/customers to document your up-to-date interpretation of an agreement, it can be persuasive in court or negotiations if a dispute arises.

To learn more about the intricacies of using electronic communication to make legal agreements, follow @BenjaminWright on Twitter. For additional information, contact us today!

In the business world today, we operate in a fascinating world of electronic contracting. When I say it’s fascinating, I mean that I’m a lawyer who’s been practicing law for a long time, and I remember the old days when all contracts for business were almost all written on pieces of paper. Today, we now live in this world of electronic mail, text messages, and Office 365 where our agreements with customers and vendors are negotiated, communicated, and recorded in many different media. So, yes, we still use paper documents for contracts, but a lot of times, we may just exchange a Word document through electronic mail.

After we’ve actually signed an agreement with a vendor or customer, time goes by and the relationship evolves. As it evolves, the two parties to the agreement communicate with each other in a very rich way – a way that we didn’t communicate in the 1980s, for example. Today, we’re able to and do use text messages, for example, to communicate about performance under the agreement. We might have some kind of an online environment, such as Office 365, where the vendor and the corporate customer exchange messages and comments. Comments can even be embedded in Word documents. All of these electronic communications can affect the final agreement, so you may have an original paper contract with your vendor, but then the years go by, and a rich collection of electronic records come to modify the agreement. They may amend the agreement in a direct sense, or they may amend the interpretation of the agreement.

It’s very important for organizations to fully recognize all the different ways that electronic records can impact the contract that they have with their trading partners. Therefore, organizations are wise to 1) read all of the electronic communications that relate to that business contract, because those electronic communications may be more legally binding than you might think; 2) try to make records of all of the relevant electronic communications, including emails and text messages, so that you know what the deal is and, if you end up in a dispute, you can refer back to that email; and 3) recognize that the informal types of communications that are available today, like text messages, can be a powerful way to help tilt a contractual relationship a little bit more in favor of what you want. As time goes by in a relationship, you can send text messages and emails that help to document your up-to-date interpretation of what that old paper contract actually means. This can help, ultimately, to be persuasive in court or negotiations in the future to make clear that the contract gives me the kinds of support and expectations that I really need.


Should Companies Monitor Employee Records and Communications?

When organizations supply their employees with company-owned electronic devices, such as laptops, cell phones, or tablets, they will often have a policy or contract that explains that the employer reserves the right to monitor employee records and communications while they’re using company-owned equipment. Although these devices end up being used for personal communication as well as for work, such policies exist to ensure that company-owned devices are not abused by employees for unauthorized activities. Even with policies or contracts in place, there is still the potential for an invasion of privacy, which makes such policies controversial.

When Should a Company Investigate an Employee’s Electronic Devices?

Just because an employer has the legal might to look at its employees’ emails or text messages does not mean that it is wise to exercise that right often. Remember: might does not make right. If an employer frequently goes through its employees’ text messages, emails, or other modes of electronic communication, employees may become unhappy with the company and feel that their personal privacy has been invaded.

Take, for example, the administration at Harvard University. Believing that someone was leaking information about a cheating scandal, the administration opened an investigation and determined that it had the right under policy to read the emails of 16 deans at Harvard. Without going through the appropriate channels to get authorization, the administration conducted a limited search of the deans’ emails, looking only at subject lines within a specific time period. While the administration was legally within its rights to investigate the deans’ emails, it was the wrong political decision. The deans were very unhappy about the investigation into their emails and complained vocally about it. Because of the public attention that the investigation received, the administration ultimately issued a public apology to the deans.

Ultimately, even though organizations might have statements in place that explain that they have the right to monitor employee records and communications, exercising that right is not always cut-and-dry. We suggest very carefully evaluating the reasons why you want to investigate or monitor your employees’ communications so that you can avoid potentially ruining the work environment.

To learn more about monitoring employee records and communications, follow @BenjaminWright on Twitter or contact us today!

It is common for an employer to have a policy or a contract with its employees stating that the employer reserves the right to monitor the communications and activities of employees while they’re using company-owned equipment. The reason for the employer to do this, of course, is to ensure that the employer is able to maintain a disciplined workplace where unauthorized activities are not happening. Unauthorized activities could be, for example, the exchange of pornography or the running of a side business while the employee is actually in the workplace and is supposed to be doing work.

However, these policies and contracts with employees can be controversial. Employees can be really unhappy when the employer, in fact, exercises its right and starts reading employees’ emails or looking at pictures that are on a company-owned device. Employees, naturally, may feel that even though they’ve signed an agreement saying that the employer has the right to look, they may still feel personally that they have some kind of a zone of privacy.

A common lesson for employers to bear in mind is what I call “Might Does Not Make Right.” What that means is just because the employer has the legal might to look at emails or text messages doesn’t necessarily mean that it is wise for the employer to actually exercise that right very often. A real good example comes from Harvard University. A few years ago, Harvard University was conducting an investigation where it believed that someone amongst the deans of the university was leaking important information out about a scandal related to students who had allegedly been cheating. The administration at Harvard decided that they needed to find out who was leaking the information and that they had the right under policy to actually read the emails of 22 deans at Harvard. The administration decided that it would conduct a limited search of emails of those deans by just searching not the content of emails, but the subject lines of emails within a specific time period.

Well, the deans at Harvard are very politically powerful people, and they were not happy about this. The deans complained very publicly and vocally about the administration exercising its right. Legally speaking, the administration was within its rights; however, politically speaking, the administration made a mistake and was embarrassed. Ultimately, the administration apologized to the deans publicly for looking at their subject lines without going through the appropriate channels, such as getting authority from the new faculty senate.

The larger message here for all kinds of employers is that you’re wise to have an appropriate statement with employees saying that you reserve the right to look at their communications, but actually exercising that right is a very delicate process that you need to evaluate very carefully to ensure that you’re not spooking your employees or poisoning the work environment with your workforce.


What are the Challenges of a Bring-Your-Own-Device Policy?

Given that personal electronics are so prevalent in today’s society, navigating how to implement and enforce workplace policies on the use of personal devices (such as cell phones, tablets, and computers) can be challenging. A frequent question is who has control over the records that are created and stored on such devices: the employee or the employer? Employees argue that they have the legal rights to the digital records since they are the ones who physically own and pay for the devices. Employers, on the other hand, maintain that because they pay their employees to create those records and the work product is created specifically for the organization’s use, they have the legal rights to the digital records.

Organizations that allow a bring-your-own-device (BYOD) arrangement are faced with establishing an appropriate legal relationship with their employees that explicitly makes clear who owns the digital records created on employees’ devices. The policy should also explain that the employer has the right to take control of a device, to confiscate it, and to conduct a full investigation of it. Because employees are likely to be more sensitive about having their personal property confiscated or investigated, it is paramount that employers make these policies as clear as possible to avoid later disputes with employees.

To avoid the challenges of a BYOD policy, organizations might instead opt to implement a program that supplies employees with company-owned devices. These programs, commonly referred to as company-owned, personally enabled (COPE), allow the employee to use the device for limited personal purposes. However, even with a COPE program in place, organizations should still establish policies clarifying the authorized uses of the device, the possibility of confiscation and/or investigation, and the legal rights to the digital records kept on the device.

For additional tips on BYOD policies in the workplace, follow @BenjaminWright on Twitter. To learn more, contact us today!

A controversial topic in the modern workplace is bringing your own device to work. Many employees today use their own smartphone or tablet in order to do work on behalf of their employer. Questions arise about who has control over the records that are created and stored through these devices. In a physical sense, the employee has control; however, the employer may maintain that they paid their employee a salary to write a spreadsheet or create a video, so they own that work product and need access to it. An employer may argue that if an employee doesn’t work for them in the future, they should have the legal right to take control of that work product.

A challenge today is having an appropriate legal relationship between the employee and the employer, expressing ownership rights with respect to the records that are created through bring-your-own-device (BYOD). Some organizations will have very stringent agreements with employees that make clear that the employer has the right to take control of a device, to confiscate a device, and to conduct a full investigation of the device. However, this is controversial in the sense that a lot of employees think, “That’s my personal phone. I pay for the service. I own that phone. I use that phone for family and personal matters. I don’t want my employer seizing my phone. I don’t want them digging around looking at pictures.” Therefore, for an employer to work out the appropriate type of agreement can be a very sensitive topic. What I see in the workplace is that many different employers have many different outcomes in what is actually stated in a BYOD policy or contract with employees.

As a result of this controversy, I see another option. I see some organizations decide that they are going to own the device. They buy and pay for the service, but they give it to the employee to use for limited personal purposes. That formula is called COPE: company-owned personal-enabled. If an organization decides to have a COPE relationship with employees, the organization is often wise to have an appropriate contract and/or policy. For example, the organization would want to make clear in a COPE agreement that the employee will not use the company-owned product in a way that would be offensive to the employer or other employees. You wouldn’t want the employer to find that the employee is using the company-owned equipment to create a hostile work environment where discriminatory messages and pictures and so on are exchanged in the workplace.
