OCR Issues Cyberattack Response Checklist and Infographic

The United States Department of Health and Human Services’ Office for Civil Rights has just issued a checklist and infographic to aid healthcare organizations and their vendors in quickly responding to cyberattacks in compliance with HIPAA requirements.

Cybersecurity Legal Issues: What you really need to know (slides)

Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institue. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!

Continue reading “Cybersecurity Legal Issues: What you really need to know (slides)”

Cybersecurity Incident Response Checklist

Business leaders, when people like me tell you that having a cybersecurity incident in your company is like being in a building on fire, we are not exaggerating. Take a look at the following checklist (note, this is not an incident response plan!) while keeping in mind that over half of the items on that checklist should be performed almost simultaneously within hours of learning that your company has had a data breach.

While this is not an exhaustive list, these are the items that most often need to be performed in the cases in which I guide clients through the incident response and remediation process. Of course there will be exceptions, additions, and omissions — take this for what it is, a starting point. Finally, note that the picture below is an image of the checklist and is blurry — you can download the original here.

checklist-image

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

 

 

Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

4c00b10767cf8a5c15a4cde1b4c4f0a4_f120The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees.

A few weeks ago, I wrote 3 Important Points on Computer Policies in which I stressed (1) why your company must have them but (2) that such policy must comply with the NLRB’s Purple Communications case. The NLRB has struck again.

On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Ceasars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and stated that computer resources may not be used to do several things that were listed out and is standard in many similar policies. The NLRB decision (Decision) found that prohibitions against the following was illegal:

  • Share confidential information with the general public, including discussing the company, its financial results or prospects, or the performance or value of company stock by using an internet message board to post any message, in whole or in part, or by engaging in an internet or online chatroom
  • Convey or display anything fraudulent, pornographic, abusive, profane, offensive, libelous or slanderous
  • Send chain letters or other forms of non-business information
  • Solicit for personal gain or advancement of personal views
  • Violate rules or policies of the Company

The NLRB found that prohibiting the conduct mentioned above made the policy overbroad and could effectively limit employees’ use of their employer’s email system to engage in Section 7 communications during nonworking time. Because of that, it found the employer has engaged in an unfair labor practice prohibited by the National Labor Relations Act.

Welcome to Wonderland.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Managing Cybersecurity Risks for Boards of Directors

Ethical Boardroom Winter 2016In his latest Ethical Boardroom article, Shawn Tuma explains why it is important for board members to have an active role in their company’s cybersecurity preparation and tells them several key steps they can take to do so. Tuma also explains why cybersecurity is as much a legal issue and business issue as it is an IT issue. Continue reading “Managing Cybersecurity Risks for Boards of Directors”