The explosive growth of the Internet has dramatically changed the demands of reputation management. The manipulation of search engine results—what used to be considered the central activity of ORM firms—has lost its utility as search engine algorithms have grown more sophisticated.
The National Cybersecurity Institute Journal has published my new paper addressing this topic. “The New Demands of Online Reputation Management” provides an overview of the leading online reputational threats faced by companies in the United States, as well as an explanation of how such events unfold, the motivations behind them, and how they can be protected against and resolved.
OUCH!, the security awareness newsletter from the SANS Institute, covers the basics of encryption in its August edition. OUCH! is the world’s leading, free security awareness newsletter designed for the common computer user. It is available in multiple languages.
Check prior editions for information on email security, malware, safe social networking, and many other topics relevant to professionals and Internet users.
SANS is one of the world’s leading sources for information security training and security certification. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center. Other free SANS resources include the weekly news digest (NewsBites), the weekly vulnerability digest (@RISK), and more than 1,200 award-winning, original information security research papers.
More and more often, a fresh batch of compromising emails threatens to torpedo a reputation, whether it’s Chris Christie staffers coordinating political retaliation, the swirl of exchanges that sparked the Petraeus scandal, or the embarrassing and costly boasting of former Goldman Sachs trader Fabrice “Fabulous Fab” Tourre.
These are some of the most egregious examples of the havoc that can ensue, but the risks of errant mails aren’t limited to top government offices and Wall Street skyscrapers. Nor are the dangers they pose anything new. Half of computer users “have accidentally sent a sensitive email to the wrong person” and “70 percent of businesses are concerned about sensitive material falling into the wrong hands as a result of data leakage via email.” Before you click that send button again, let’s take a look at what we’re up against, as well as some ways we can protect ourselves.
Data Leaks
One of the first things to keep in mind is that email isn’t as private as you might think, especially at work. “Even if your employer doesn’t have an email policy, it still probably has the legal right to read employee email messages sent using its equipment and network,” says attorney and author Lisa Guerin. Emails are often exposed in the course of investigations and trials. They can also be stolen by hackers, such as the recently jailed Guccifer, whose exploits included posting paintings by George W. Bush, or Christopher Chaney, who’s serving time for hacking the email accounts of stars like Scarlett Johansson and Christina Aguilera. Then there are the major email providers, which often reserve the right to snoop on you in their privacy policies, and the NSA, which can probably intercept your messages.
Gone But Not Necessarily Completely
It’s also important to remember that, even though an email may be long gone from your inbox, that doesn’t mean it’s vanished completely. Those who’ve had their private messages go viral can attest to that. “E-mail, Twitter, texting and the rest all intuitively feel like short fuse ephemeral communications—a quick word in passing, if you will,” explains former British intelligence officer John Bassett in an article on India’s NDTV.com. “Yet as soon as we push the send button, these communications take on an enduring digital permanence that means that in effect they never quite go away.”
Generally, what are the considerations to keep in mind when drafting a “bring your own device” (BYOD) policy for the work environment?
– What is BYOD? BYOD programs allow employees to use personally owned devices to connect and interact with their employers’ business networks for work-related matters.
– What are the benefits? Increased workforce productivity and lower costs of administration.
– Why does BYOD matter? The BYOD movement is here to stay. A recent survey revealed that 71 million BYOD devices are currently in use in the United States, and this number is expected to grow to 108 million by 2016.
Sources: CIO.com, Cisco Internet Business Solutions Group
BYOD programs create potential legal issues for employers:
– Protecting Confidential Information: BYOD programs may lead to misappropriation of proprietary company information, disclosure of trade secrets, and other security risks.
– Employee Privacy Issues: An employer may inadvertently access an employee’s private data in violation of federal and state laws.
– e-Discovery and Litigation Issues: An employer has an obligation to retain documents in the event of litigation – this includes documents that are stored in an employee’s personal device.
– Off-The-Clock Work: Because a BYOD program allows an employee to work after hours, it may trigger overtime and other wage and hour liability under the Fair Labor Standards Act and similar state laws.
Recommendations: Have a BYOD strategy in place.
– Some workplaces are more conducive to BYOD programs than others.
– Assess the risks and determine whether a BYOD program is right for you.
• For example, if preserving the security/confidentiality of internal communications is a material priority, then a BYOD program may not be appropriate.
– Not having a BYOD strategy may prove costly.
• In Brooks v. AM Resorts, LLC, 954 F. Supp. 2d 331 (E.D. Pa. 2013), an employee allowed his employer to “remotely access and control” his personal computer through a computer program.
• After the employee’s termination, the employee planned on suing the employer, and the employee accused the employer of using the remote access program to access his attorney-client privileged emails.
• The Court denied the employer’s motion for summary judgment and held that there was a “genuine dispute of material fact” as to whether the employer improperly accessed the employee’s personal emails in violation of the Stored Communications Act.
Recommendations: Considerations in creating a BYOD policy.
– Communicate expectations on how the device will be used/maintained (e.g., procedures on the use of passwords, encryption, and reporting lost/stolen devices).
– Provide specific procedures on security, retention, and protection of company data.
– The employer should have reasonable access to the device for legitimate business purposes whenever needed (e.g., to retrieve work-related emails or documents for e-discovery).
– Include reasonable protections for employees’ private data (e.g., the employer will make reasonable efforts to protect personal information) but disclaim the risk of data loss in the event of a security issue.
– Consider having “routine” security and maintenance inspections.
– Have a “security or remote wipe” provision that allows the employer to delete company data from the employee’s device at any time (e.g., upon termination).
– Secure the employee’s consent to the policy and maintain a record of this consent.
– The policy should be clear, complete, and readily available to employees.
– Apply and enforce the policy consistently.
Recommendations: Supplement the policy with BYOD training.
– Promote cooperation between the employee and the employer regarding the use, maintenance, and security of the employee’s device.
– Identify potential problems and educate employees on workable solutions to these problems during training (e.g., procedures for lost/stolen devices and document retention in the event of litigation).
– Have a framework in place to monitor employees’ adherence to the BYOD policy, and respond to questions or concerns as they occur.
Recommendation: A well-crafted policy and training program can prevent BYOD issues.
– See, e.g., Sitton v. Print Direction, Inc., 718 S.E.2d 532 (Ga. App. 2011) (holding that the employer was not liable to a discharged employee for viewing and printing the employee’s personal emails from the employee’s personally owned laptop computer where, at the time of the access, the computer was linked to the employer’s network and the company had a published and well-crafted computer usage policy that authorized the employer’s access under the circumstances presented).
Scott L. Vernick is a partner at Fox Rothschild LLP and a nationally ranked trial lawyer. He represents Fortune 500 companies in commercial litigation matters that focus on technology, intellectual property, health care, privacy and data security.
Cyber experts aren’t surprised that digital footprints enabled FBI investigators to identify Paula Broadwell as the writer of anonymous emails that ignited the General Petraeus crisis.
“Every year careless hackers, cyberstalkers and others are undone by the digital trails they leave behind for law enforcement to collect and trace back to them,” she writes. “But who would have thought the nation’s top spy chief would be undone so easily by digital footprints left behind in e-mail?”
In recent years there have been numerous cases where well-educated, white-collar professionals have been identified as anonymous emailers and posters in a range of Internet situations. Law enforcement officials and the cyber experts who help solve such cases are full of such stories, which often remain out of the news.
IP addresses and other digital footprints make online anonymity harder to attain than it appears, especially when public email services such as Google and Yahoo are used. Such sites are easy to hack, which is why leaving emails on the server instead of deleting them is a mistake.