
Cyber Law is (the new) Practical Business Law

Image courtesy of 89studio at FreeDigitalPhotos.net


I have had a thing for simplicity lately. A couple of months ago I was on stage speaking and something really hit me. I was watching the audience and the looks on their faces made me realize that, while what I was saying was technically accurate, to most of the people in the crowd, it sounded like gibberish — like when my mathematics-obsessed son tries to talk to me about Calculus. Or is it Trigonometry?

Who knows? And, I’ll bet that’s exactly what that audience walked out of there thinking. I vowed to do things differently. To simplify. More.

Cyber is the new reality. The business world is now fully immersed in the cyber world. Indeed, every business now has cyber issues unless it operates without a computer, data, or connection to the Internet. Can you think of any? Me either.

Since cyber is now a real-world issue that affects everyone, not just the uber-sophisticated techno-types but real-world people too, cyber law has likewise made its way into the mainstream.

The cyber world poses incalculable cyber risks for businesses and that means that cyber law is now practical business law.

That is the point of my recent article Practical Cyber Law: Yes, Even Your Clients May Face Cyber Risk Issues that was published in Volume 3: Winter 2015 Edition of Circuits, a publication of the Computer & Technology Section of the State Bar of Texas (full issue). Please give it a read and let me know your thoughts.

 

Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.


Private Investigators, You Are Not Immune From the Computer Hacking Laws

I have seen far too many cases where private investigators do things like install keyloggers on estranged spouses’ computers, install sniffer programs to find their login credentials, and do other nefarious activities to hack their way into computers. Why should it come as a surprise to anyone that a PI has now been busted for hiring a professional hacker to break into the email accounts of individuals he was investigating?

Good! It is about time this starts getting some attention. Maybe one day they’ll realize that all of these computer hacking laws that we’re always talking about actually apply to them too.

Here is a nice write-up of a recent case if you’d like to read more: Private Investigator Pleads Guilty to Hacking Email Accounts


Post Webinar Thoughts: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice

Here is a great post by Cordell on a few takeaways from our webinar on social media marketing for lawyers. Check it out and let us know what you think: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice | Cordell Parvin Blog.


Get Your Free Texas Business Guide: Identifying and Protecting Trade Secrets Under the (New) Uniform Trade Secrets Act

Trade secrets are the lifeblood of a company but it can be a difficult issue to understand.

Here is a free guide to help you identify and protect your company’s trade secrets.

DOWNLOAD: Texas Business Guide for Identifying and Protecting Trade Secrets

Yes, Your Business Has Trade Secrets

Whether they realize it or not, virtually every business has trade secrets, which can be as simple as something unique or remarkable about the way it makes a product or provides a service that sets it apart from the competition. This is something that gives the business a competitive advantage and is usually something it has spent significant time and resources to develop.

Unfortunately, in today’s business environment, honor and integrity are not always the rule and many businesses find their trade secrets are being taken and used to compete against them. This can come from as close as disloyal employees or local competitors to around the world from foreign state‐sponsored organizations engaging in industrial espionage.

Preparation is the Key to Successfully Protecting Your Business’s Trade Secrets

The first time many businesses ever give serious thought to their trade secrets is when they find that they have been taken. It is then that the business begins scrambling to identify its trade secrets and, assuming it can put together a comprehensive list, hopes and prays that it has satisfied the requirements for keeping that information protected under the law of trade secrets so that it can use the legal process to keep it from being used by the business’s competitors. To make matters worse, when the disclosure of trade secrets is being threatened and an injunction from a court is all that will stop it, time is precious and every minute can make the difference between winning and losing.

Here Is The Guide

Shawn Tuma has prepared a comprehensive Guide to help you understand how to identify and protect your business’s trade secrets. The Guide provides a step-by-step explanation of everything from what trade secrets are in general, to how to identify your own business’s trade secrets, to the most common threats against trade secrets, and how to protect against those threats.

You can download a free .pdf copy of the Guide by clicking on this link: Texas Business Guide for Identifying and Protecting Trade Secrets 

Once you have downloaded the Guide, you can be proactive in protecting your business’s trade secrets by using it to prepare for the problem before it ever arises and, in doing so, help reduce the chances that the problem will ever arise by:

  1. carefully evaluating what information it has that qualifies as trade secret information;
  2. implementing security measures, policies, and procedures to prevent the disclosure of that information and protect its trade secret status; and,
  3. in the event its trade secrets are ever compromised, being much better prepared to quickly and efficiently make its case in a court of law and successfully prevent others from using its trade secrets.

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at Scheef & Stone, L.L.P., a business law firm with offices in Dallas and Frisco, Texas, which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.


Executives & Board: The conversation security leaders need to have about Amy Pascal’s departure

This is an excellent article that covers a very important topic you need to consider. You — as in Executives and Board Members of Companies all around the world.

Stop, close your eyes, and ask yourself these three questions that are in this article:

  1. “What did you think of the announcement?” (i.e., put yourself in her position and envision that day)
  2. “Is there anything in your emails and files that, if exposed, would get you fired?” (this is self-explanatory, but see this related post for advice on this issue: #SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?)
  3. “In the event we experience a breach, what are our priorities?” (again, self-explanatory, but see this related post for advice on planning: Breach Response Planning)

Now check out the full article: The conversation security leaders need to have about Amy Pascal’s departure | CSO Online.

7 Ideas for Security Leaders – What Do You Think About My Suggestion?

Many thanks to CSO Online and Michael Santarcangelo (@catalyst) for including my suggestion as one of 7 inspiring ideas for small changes that lead to big improvements in both security posture and leadership within organizations.

The article is 7 Ideas for security leaders. Here is a teaser from my suggestion on slide 5 but please go check out all of the great tips in the article:

“One change for this year: reconsider and take contracts and policies that relate to the access and use of their computer networks and data seriously.”

Please go give a shout-out to Michael and re-share the article; more importantly, let us both know what you think about the suggestions and what more we could add!

Happy Data Privacy Day!

What are you doing to observe it?

Today is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated to cybersecurity education and awareness. According to the NCSA,

Data Privacy Day is an international effort to empower and educate people to protect their privacy and control their digital footprint.

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the January 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on January 28.

Data flows freely in today’s online world. Everyone – from home computer users to multinational corporations – needs to be aware of the personal data others have entrusted to them and remain vigilant and proactive about protecting it. Being a good online citizen means practicing conscientious data stewardship. Data Privacy Day is an effort to empower and educate people to protect their privacy, control their digital footprint, and make the protection of privacy and data a great priority in their lives.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (IAPP) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I cannot emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

Help is Only a Telephone Call Away

I have assisted many companies with data security issues from assessing their cybersecurity and data privacy strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. When it comes to cybersecurity and data privacy, I see the whole playing field. If you have questions about how you can help better prepare your company, please feel free to give me a call (214.472.2135) or email me (shawn.tuma@solidcounsel.com).