Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for the ‘Data Breach’ Category

New species of data breach tort…

Posted by Johnny Lee on October 6, 2015

As predicted, a new tort-law creature may soon be born: “negligent data security.”

http://ow.ly/SLjMk


Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on New species of data breach tort…

CyberSecurity & the Audit Committee…

Posted by Johnny Lee on September 1, 2015

New thought leadership from Grant Thornton on the important role that the Audit Committee plays in a defensible, sustainable, long-term CyberSecurity strategy.

http://ow.ly/RlLHR

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on CyberSecurity & the Audit Committee…

Simplifying Cyber-Security Controls amid Abundant Laws…

Posted by Johnny Lee on August 3, 2015

Check out this solid piece from Joe Mont [ @josephmont ], staff writer for ComplianceWeek on “How to Simplify Cyber-Security Controls Amid Abundant Laws.” I enjoyed the interview, and kudos on turning out an insightful piece.

http://ow.ly/PKewj

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on Simplifying Cyber-Security Controls amid Abundant Laws…

CyberSecurity & the CFO…

Posted by Johnny Lee on July 16, 2015

An in-depth discussion of a joint study from FEI and Grant Thornton on the important role that CFOs play in a complete CyberSecurity initiative. Full details, including a replay of this 2015 webinar, can be found here: [http://ow.ly/PFhX3].

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on CyberSecurity & the CFO…

Good collection of advice on BYOD Security Best Practices…

Posted by Johnny Lee on June 4, 2015

Good collection of advice on BYOD Security via Digital Guardian: “Expert Tips on Policy, Risks & Breach Prevention”

http://ow.ly/NQkkW

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on Good collection of advice on BYOD Security Best Practices…

Research group publishes its findings on known NSA data-collection & monitoring programs…

Posted by Johnny Lee on May 18, 2015

Fascinating research group [NSA Observer] publishes its findings on known NSA data-collection & monitoring programs…

http://ow.ly/N0tCH

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on Research group publishes its findings on known NSA data-collection & monitoring programs…

@GrantThorntonUS #CyberSecurity Panel in New York on May 12th…

Posted by Johnny Lee on May 4, 2015

Topics include:

• Governance, Compliance & Privacy
• Security Architecture & Operations
• Cyber Liability Insurance coverage
• Incident Planning, Response & Management
• Third-party & Vendor Management

Panelists:
• John Kennedy, Partner, Wiggin & Dana
• Robert Parisi, Cyber & Technology Product Lead, Marsh & McLennan
• Michael Menapace, Counsel, Wiggin & Dana
• Johnny Lee, Managing Director, Forensic Technology Services, Grant Thornton
• Mark Lastner, Director, Business Advisory Services, GT
• Kevin Morgan (Moderator), Principal, Business Advisory Services, GT

Registration & logistics details: http://ow.ly/Mb2hx

Posted in CyberSecurity, Data Breach, eDiscovery | Comments Off on @GrantThorntonUS #CyberSecurity Panel in New York on May 12th…

White House Opens Door for Cybersecurity Sanctions…

Posted by Johnny Lee on April 2, 2015

White House Opens Door for Cybersecurity Sanctions

New Exec. Order allows 4 penalties against individual wrongdoers

http://ow.ly/L7Mh3

Posted in CyberSecurity, Data Breach, eDiscovery, Privacy | Comments Off on White House Opens Door for Cybersecurity Sanctions…

Data security: A field guide for Franchisors…

Posted by Johnny Lee on March 24, 2015

Data security: A field guide for Franchisors

Read the latest #CyberSecurity guidance from @GrantThorntonUS

http://ow.ly/KGlVx

Posted in CyberSecurity, Data Breach, eDiscovery, Privacy | Comments Off on Data security: A field guide for Franchisors…

Employers continue to wrestle with BYOD policies…

Posted by Johnny Lee on March 16, 2015

What follows is an excerpt from an article to which I was asked to contribute last fall. I hope that you find it of interest.

=-=-=-=-=-=-=-=-=-=-=-=-=-=

In your opinion, how much control should a company have over an employee-owned device?

Organizations are under increasing scrutiny to protect sensitive data of all kinds, regardless of the industry in which they operate. Some regulations provide for strict liability to the employer for actions taken (and/or disclosures made) by employees, regardless of whether such actions/disclosures originate from a personally owned device. Similarly, there are legal nuances to consider related to ownership, control, and consent — especially when obligations to preserve data in litigation arise. For these reasons, organizations should carefully review their risk profile with these legal and regulatory obligations in mind.

This risk profile should govern an organization’s exercise of control over employee-owned devices. Not all risk profiles are the same; to illustrate, a traditional manufacturing company that manufactures mechanical widgets will have a very different risk profile than an organization selling specialized securities or financial instruments.

Many of these devices include personal data, like photos and private email. Should the company be able to wipe out an employee’s personal data just because the owner broke IT policies?

This is a nuanced question, so I’ll answer that “it depends.” For some organizations, the risks attendant on employee-owned devices are quite onerous. Accordingly, those organizations might take the position that an employee’s access to company-owned assets (e.g., email, secure systems, etc.) grants the employer a broad measure of control over both the content involved with that access and the accessing device. I would also say that the justification for remote wiping would be highly fact-specific as well. In your question, you mention a violation of an IT policy; this leaves a lot to interpretation and could range from posting a sticky note with your password on your monitor to downloading the personal financial information of the organization’s entire customer database. The remedy an organization would take for the former violation might be vastly different from the remedy sought for the latter.

Obviously there should be some kind of policy in place regarding wiping data from personally owned devices. What do you think should be included in that policy?

I agree that an organization’s stance related to employee-owned devices should be memorialized in a clearly worded policy; this protects both the employer and the employee in the event that something later occurs that implicates these issues. Such companies are well advised to reinforce such policy stances through carefully crafted policies that are both monitored for compliance and enforced consistently over time. These policies should include clear statements related to ownership (of the device, the data, and the underlying systems involved), consent (to access, secure, and/or destroy data, as well as consent to cooperate when certain matters arise related to these data), and control (of the devices, data, and systems involved).

Any other thoughts on BYOD and when to wipe data?

I would add that there are certainly risks with an employer wiping data from an employee-owned device. These risks range from morale impacts to legal implications, and companies have been approaching this area in more circumspect ways in recent years. Increasingly, companies with high-risk profiles are either moving away from a BYOD policy outright or moving toward technologies that “compartmentalize” the organization’s data so that it is separately stored (and separately accessible) from the employee’s personal data. These technologies give the organization the ability both to secure and to remotely wipe the information that is self-evidently the organization’s, and they also allow the non-organizational data to persist (unmolested) when a remote-wiping context arises. This, in concert with a clearly worded policy, provides the employer with the protections it requires while not seeking to place any undue burden on the employee.

=-=-=-=-=-=-=-=-=-=-=-=-=-=

Please see the disclaimer associated with content published on (and associated with) this site.

Posted in CyberSecurity, Data Breach, Data Governance, ECM, eDiscovery, Information Security, Investigations, Litigation Hold, Privacy, Records Retention | Comments Off on Employers continue to wrestle with BYOD policies…
