PRIVACY + SECURITY BLOG

News, Developments, and Insights


The Deal with Data Rights: An Interview with Heather Federman

Numerous privacy laws are requiring that companies provide individuals with data rights — rights to access their data, correct their data, learn about uses of their data, delete their data, and more. Administering these rights can be quite complicated for organizations. […]


The Mail Machine Ate My Thumb Drive


In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail. The file contained Social Security information and other financial data. Seriously? The envelope arrived without the USB drive. The firm contacted the post office. […]


GDPR Training, Writings, and Resources: Roundup from the Past Year

General Data Protection Regulation - GDPR - Training Resources by Prof. Daniel Solove

The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.

GDPR Whiteboard: 200+ pages of […]


Law Firm Cybersecurity: An Industry at Serious Risk

Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015. […]


Attorney Confidentiality, Cybersecurity, and the Cloud


There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations. This issue is especially acute when it comes to using the cloud to store privileged documents. A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality. In other instances, many attorneys […]


New Resource Page: How to Make Security Training Effective


I recently created a new resource page — How to Make Security Training Effective. The page contains my advice for how to make security training memorable and effective in changing behavior. Training the workforce is an essential way to protect data security, but not all training endeavors are successful. Poor training is akin to shouting […]


New Resource Page: Security Awareness Training FAQ


What laws require security awareness training? What topics do the laws require to be covered? What should be covered? How frequently should training be given? I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more. I discuss various legal and industry requirements for security awareness […]


Blogging Highlights 2015: Cybersecurity Issues


I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts about security:

The Worst Password Ever Created
Should the FTC Kill the Password? The Case for Better Authentication
[…]


Phishing Your Employees: 3 Essential Tips


A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce. Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data […]


PCI Training: Reducing the Risk of Phishing Attacks


The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards must follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, […]
