In preparation for next week’s Free Law Talk on Cybersecurity, I have updated the handout from the continuing education course I teach on the same topic. Below are some key reminders regarding your privacy obligations. As I discuss in my course, it’s easy to get confused because the format of information has changed. What used to come in the postal mail on paper now comes electronically, through E-mail, facsimiles, text messages, social media (regardless of how many times you warn people that it’s not wise to use this channel), and secure client portals. But the data itself hasn’t changed much. We’re still collecting personal identification, financial, medical, and other confidential information that might be privileged and must be protected from disclosure. The challenge isn’t in what or how we are collecting. It arises from how we store and protect it.
You must maintain the privacy of information entrusted to you.
- a statement of any information that will be collected and the use of the information;
- the circumstances under which information, including personal information, collected may be disclosed;
- whether any information collected will be retained and, if so, the period of time that the information will be retained;
- the procedures by which a user may gain access to the collected information pertaining to that user;
- the means by which information is collected and whether the collection occurs actively or passively;
- whether the collection of information is voluntary or required and the consequences, if any, of a refusal to provide the required information; and
- the steps being taken to protect the confidentiality and integrity of the information.
You must maintain your property safely and in good working condition.
The good news is that computer use is not known to be highly toxic—at least at this stage of our use. It’s not likely to hurt or kill you. You are more likely to be concerned with security.
- Have strong passwords. Experts are now less resistant to password managers, such as LastPass, and encourage users to use passphrases rather than single-word passwords.
- Back up your data daily or at least weekly. Businesses are still losing critical work documents due to the lack of timely back-ups, even when there are automatic and inexpensive options both on external hard drives and in the cloud.
- Download the security patches. These often fix security vulnerabilities that professional hackers have already found and tested.
- Use comprehensive security software such as McAfee or Norton 360. It might slow your device's load times by a few seconds, but it will save you the hours of stress (and possibly thousands of dollars) that come with a security breach.
- Implement a cybersecurity policy and (at least) annual training. Ensure employees know to verify E-mail addresses before responding to messages and to avoid clicking links in messages from unidentified senders. Despite all the news stories and warnings, people still click the links!
- Disconnect devices from the Internet (cellular and Wi-Fi) if you become uncomfortable during a call. Scammers will try to gain your trust during calls so that you give them access to your computer—and everything on it. When in doubt, shut everything down and report suspicious calls.
You are responsible for your employees’ conduct.
A hot topic in our increasingly mobile workforce is what employers are calling “BYOD,” or bring your own device. This can clearly be a security threat if your employee, for example, brings a poorly maintained device to work and integrates it with your system. Some experts argue that employees are more likely to take better care of their own devices than of those issued by their employers, but you will need to look at this on a case-by-case basis. Some of your employees might be very tech-savvy and hyper-vigilant about protecting their devices. Others might be under-informed or even afraid to learn. They might take an “ignore it, maybe it will be okay” approach.
NOTE: This post is a general overview of cybersecurity and privacy obligations. It is not legal advice, and there is certainly no guarantee that any of the actions detailed above will generate a similar or specific result. Past success is never a guarantee of a future outcome. If you require information or advice applied to your unique situation, please make an appointment to discuss it with an attorney. Don’t rely solely on what you read on the Internet.
Nance L. Schick, Esq. is a New York City attorney and mediator who focuses on keeping people out of court and building their conflict resolution skills, especially in business and employment disputes. Her holistic, integrative approach to conflict resolution draws from her experience as a crime victim, human resources supervisor, minor league sports agent, and United Nations representative. She is a 2001 graduate of the State University of New York Buffalo Law School trained in Alternative Dispute Resolution (ADR) by the Equal Employment Opportunity Commission (EEOC), Financial Industry Regulatory Authority (FINRA), and International Center for Ethno-Religious Mediation (ICERM). She is also creator of the Third Ear Conflict Resolution process, author of DIY Conflict Resolution: Seven Choices and Five Actions of a Master, and an award-winning entrepreneur, who has been acknowledged by Super Lawyers (ADR, 2018), the New York Economic Development Corporation/B-Labs (Finalist, Best for NYC 2015 & 2016), U.S. Chamber of Commerce (2015 Blue Ribbon Small Business), Enterprising Women Magazine (Honorable Mention, 2014 Woman of the Year awards), and Urban Rebound NY/Count Me In (Finalist, 2013 Pitch Competition).