Surveillance camera hanging from the top of a building.

Can US Employers Monitor Their Employees at Work?

Image by Peggy und Marco Lachmann-Anke from Pixabay.

With the ongoing events that began in 2020 (the COVID-19 pandemic and ensuing quarantine), many U.S. employers transitioned to remote work arrangements to accommodate local or state stay-at-home mandates. During this time, some employers engaged in certain types of remote workplace monitoring, such as the use of mobile device management (MDM) or productivity monitoring software.

There are many legitimate reasons why employers may monitor their employees in the U.S.

  • Customer-imposed contractual security requirements might require video surveillance on premises or implement data loss prevention (DLP) technology to prevent the unauthorized access or deletion of confidential data.
  • New privacy and security laws require employers to protect the confidentiality and privacy of consumer data, which requires monitoring of access to personal information.
  • Employers are required to protect access to proprietary information, or it may lose trade secret status if disclosed too broadly.
  • Employers can also generally monitor to improve the quality of their services and workforce productivity and satisfaction, such as through call monitoring or review of employee internet use.
  • Finally, employers have an overwhelming legitimate interest in preventing workplace harassment and criminal actions, which may require investigation and review of employees.

E-mails and Company Equipment (Computers, Phones)

U.S. employers generally have the right to monitor employees on company computers, phones, and other devices when (i) monitoring is done in the ordinary course of business, and (ii) employees are notified of the monitoring. In this situation, courts usually find that employees do not have an expectation of privacy regarding their communications and other activities on these devices.

Continue Reading Can US Employers Monitor Their Employees at Work?
cybersecurity attorney

Why Every CIO Should Have a Cybersecurity Attorney

Every day, the digital world expands by leaps and bounds, and someone could be taking advantage of your company’s information to commit illegal or unethical actions. Today, many crooks are using the Internet to disguise their identity. It can be challenging to protect your company from outside attacks. A high-quality cyber lawyer has the experience to advise businesses as to the reasonable steps to take to avoid becoming a victim and to be protected from within.

Differentiating technical specialists from those responsible for legal responsibilities and hazards enables businesses to create more effective breach response strategies. Understanding the function of a third-party cybersecurity company can aid in this process.

Cybersecurity has always been one of the primary concerns of chief information officers (CIOs). Since the number of high-profile hacks seems to increase month after month, security is plaguing Information Technology (IT) executives throughout the workday.

What is a CIO?

The Chief Information Officer, known as the CIO, holds the top technical position within a given organization. A CIO is responsible for managing, implementing, and using information and computer technologies. Because technology is increasing and reshaping industries globally, the role of the CIO has increased in popularity and importance.

The CIO analyzes how various technologies benefit the company or improve an existing business process and then integrates a system to realize that benefit or improvement.

This person makes crucial business decisions concerning the organization’s technological strategy and interfaces with other C-level executives to communicate needs, processes, and progress. One role of the CIO is to provide an executive-level interface between the technology department and the rest of the business.

What is a Cyber Security Attorney?

Cybersecurity attorneys typically advise on implementing strategies to meet state, federal, and international legal requirements. They may also represent clients before regulatory bodies and serve as the quarterback and crisis manager during incident response to mitigate loss and guide toward  compliance with the law.

A cybersecurity attorney must be knowledgeable with fundamental cybersecurity laws. It is for them to contribute effectively to the company’s operations. These laws include:

  • Electronic Communications Privacy Act 
  • Homeland Security Act
  • Cybersecurity Information Sharing Act of 2015, 
  • Federal Trade Commission Act, 
  • laws on data breach notification,
  • applicable sector-specific state and federal laws

Additionally, the cybersecurity attorney must have a firm grasp of privacy legislation. They must, at the very least, be familiar with privacy legislation. Privacy regimes set obligations to enhance data security since security is necessary for data to stay private.

A cybersecurity attorney should be bilingual in both legal and technological language. Oftentimes, a critical function of such an attorney is to convert legal requirements into design requirements and comprehend technical specifics. As a result, the attorney must grasp the fundamentals of technology or possess a genuine interest and desire to study.

Cyber Security Attorney as a Need

When you don’t have an experienced professional to help protect your company from an inside attack, you subject your operations to a higher level of risk. It’s better to hire a specialist today than at the moment you find out you’ve been compromised.

Many crooks rely on attacks from abroad to gain access to U.S. corporations. Law firms with a reputation for solid cybercrime protection have the upper hand when defending their clients. It is why every CIO should have a comprehensive cyber defense attorney to advise them. When it comes to demonstrating in court that a corporation’s security has been compromised despite implementing reasonable security controls, a professional cyber law firm is more likely to be able to fight back and win. If a cyber crimes attorney does not represent you, you may never know.

A skilled cybercrime attorney can help them get that understanding. They are more likely to know what to ask in court and potentially defeat the government’s case against the company. It can be an expensive process to fight a cyber case. However, the outcome could mean the difference between accepting a settlement or paying big money to defend against an action. Every CIO needs to make sure their law firm is fully staffed to handle cyber cases. The best ones will be located in cities with thriving cybercrime defense attorneys.

The Internet has created a world where criminals can create a fake Twitter account to impersonate a famous person. They can use burner accounts to send emails to spammers. There are even some who use false identity information to try to trick people into opening bank accounts or PayPal accounts under pretenses. An experienced law firm can make these and other cases stick. When cases do make it through the system, the attorney representing the company will know when they have a winning situation.

A good CIO will be aware of the need for an experienced lawyer who can work on cyber cases. Because cyber crimes often involve stealing information, the information may need to be presented as evidence in court. It may mean the company’s entire network should be checked, from top to bottom and back up. In this kind of scenario, an ounce of prevention is worth a pound of treatment. Any company that fails to put in the necessary time and resources to protect itself is putting itself at risk of getting sued.

For a cyber law firm to win its cases, it must also put its client’s interests on the same level as their own. Any information that is stolen or misused needs to be appropriately represented. That means the management must train every employee working to treat documents over the Internet and any company’s computer systems. A good lawyer will also work closely with the IT department to stop any unauthorized access to the company’s computers.

When a CEO realizes that they may be subjecting their companies to cyberattacks, the company’s CIO and cybersecurity attorney should help them out. Law firms should work hard to track down every instance of cybercrime they are liable for, not just the common ones. Every person should know how to prepare defenses in cyber cases. Every business should have an IT department that can track down any attacks when they do happen.

To know what you need for your cybersecurity attorney, contact Metaverse Law today and learn more.

GDPR for small businesses

GDPR For Small Business

In May 2018, the General Data Protection Regulation (GDPR) went into effect, strengthening the rights of EU residents regarding data privacy and protection. Essentially, these rights comprise two things:

  • Besides transparency, organizations must provide individuals with the ability to review, amend, or challenge the processing of their personal information.
  • To protect individual data, organizations should implement security measures and manage the liability for any breach or misuse of this information.

This article will discuss how GDPR may applyies to small businesses and some of the essential tasks these businesses need to determine whether the data privacy of their clients is being protected and whether they are GDPR compliant.

GDPR and Small Businesses

Small Businesses with 250-500 Employees

A small company is generally considered as one with fewer than 500 employees in the United States. It is a requirement under GDPR for companies to keep a record of all data processing operations, if they meet certain thresholds. If subject to GDPR, the GDPR’s record-keeping requirements apply to every business with 250-500 employees.

Whether a Data Protection Officer (DPO) is needed is not determined by the business’ size but by the scale and sensitivity of its core processing operations. DPOs are knowledgeable about data protection legislation and processes. A person in this position is also responsible for notifying the authorities of any data breaches.

Small Businesses with Fewer Than 250 Employees

Generally speaking, Article 30 of the GDPR exempts small businesses with less than 250 workers from the need to maintain records of their processing operations, whether as a controller or processor. The size exemption does not apply, however, if the businesses are processing data in any of the following activities:

  • The data processing operations may jeopardize an individual’s rights and freedoms.
  • The information to be processed may involve an individual’s racial origin; political, religious, or philosophical opinions; union membership; genetic or biometric data; or the individual’s health or sexuality.
  • The personal data involved are related to criminal offender, conviction, or arrest-related.
  • The personal data is processed regularly.

As long as these minor requirements are met, small businesses should consider themselves equivalent to larger firms under GDPR for Article 30 compliance requirements.

Small businesses are generally understood to have fewer resources than large corporations. Thus, the Information Commissioner Office (ICO) will consider any smaller company’s challenges in complying with the new legislation. 

GDPR Compliance of Small Businesses

In most instances, your personal data, client information, and company connections will all have this kind of information in some manner. Therefore, let us examine the GDPR’s fundamental principles and how you will be required to comply with them.


privacy policy compliance

Prepare to add more check-the-boxes to your systems since enhanced consent demands getting permission for each use of a customer’s data. Suppose your business requests an email address and permission to deliver purchase information. In that case, it might need permission once more before utilizing that email for marketing reasons. Businesses should phrase all permission requests in a manner that is understandable to the company’s targeted customers.

Access and Control

Data owners should be given control over their information, including the right to delete, receive and reuse their data. It also includes the ability to move, copy, or transfer their data securely. As a business owner, you may need to provide a system for customers to control the use of their personal data, from data entry to data deletion.

Data Breach Reporting

Businesses may have to notify data owners if a security breach occurs. While this may conjure up visions of large-scale attacks, it also encompasses minor errors such as granting access to your data to a contractor or an employee losing a laptop. No matter how minor the breach is, the business might have to inform the data owner about it if it poses risks to the data owner.


After the data is provided, you’ll need security measures in place to preserve it. Merely said, you should see that data is appropriately protected. Thus, it would be best if you consider encrypting any database that holds your clients’ data rather than simply password protecting it.


You may need to provide proper surveillance to third-party applications and organizations that are involved in the data processing. When using online newsletter services, the use of mailing lists should be in GDPR compliance. 

Additional GDPR Compliance

The following factors may help illustrate the most critical actions that US small businesses will need to do to be GDPR compliant:

Audit the Data

Proper auditing of data for GDPR compliance is not a simple undertaking. Thus, businesses must make wise decisions. They may be required to do Data Protection Impact Assessments (DPIAs) before initiating any data processing. It proactively protects data and assesses potential risks to data subjects associated with any new data processing. Most European data protection authorities provide guidelines on their websites on DPIAs and when they should be conducted.

Audit the Service Providers

Auditing your service provider’s compliance is a chore that many US businesses struggle with and may be the source of your business’s most significant risk. Businesses need to evaluate and execute data processing agreements with third-party service providers that handle personal data on your behalf. GDPR requires the data controller to enter contracts, and the data processor may only act on the controller’s orders. A service provider that does not comply with GDPR may be subject to non-compliance and put the controller at risk.

What Happens To Non-Compliant Small Businesses?

Investing the effort to design a GDPR-compliant privacy policy may significantly assist small businesses in showing compliance. Those who have not done so may be deemed non-compliant. They may face reprimands, temporary or permanent data processing limits, data restriction or deletion orders, and suspension of data transfer to third countries from supervisory authorities.

Article 83 of the GDPR alerts enterprises to infractions and imposes discretionary fines. It incentivizes enterprises to handle personal data legally and responsibly. 

GDPR Compliance is Important for Small Businesses

GDPR compliance is crucial for both small and large businesses. Many businesses have hired a Data Protection Officer (DPO) to monitor GDPR compliance. 

Inadequate comprehension is a poor excuse for GDPR non-compliance. Whether it is a sole proprietor or a global corporation, businesses should review how they handle personal data and verify that suitable processes and policies are in place. Systems for granting data access requests and systems for detecting and reporting data breaches may need to be in place. Businesses should also implement appropriate technical and organizational protections to oversee the safety and security of data.

To comply with the GDPR requirements, your business must work with experts in data privacy and protection. Contact Metaverse Law today and learn more.

Image of the United States Capitol Building at night.

Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028

Image Credit: Michael Jowen from Unsplash.

U.S. government agencies have a reputation for occasionally clinging on to outdated technology. Some illustrative examples include the U.S. Department of Defense (DoD) paying Microsoft $9 million to continue supporting the defunct Windows XP in 2015 and a U.S. Government Accountability Office (GAO) report from 2019 documenting multiple agencies using legacy systems with 8 to 50-year-old components. In its findings, the GAO unsurprisingly concluded that such legacy systems using outdated or unsupported software languages and hardware poses a cybersecurity risk.

In the wake of the SolarWinds, Microsoft Exchange, and Colonial Pipeline security incidents that impacted U.S. government agencies and/or U.S. critical infrastructure, President Biden issued Executive Order 14028 to update minimum cybersecurity standards for all software sold to the federal government and throughout the supply chain.

Existing Requirements under FedRAMP, DFARS, and CMMC

The new obligations arising out of Executive Order 14028 add to existing security regulations for certain government contractors and subcontractors.

The Federal Risk and Authorization Management Program (FedRAMP) oversees the safe provisioning of cloud products and services from a Cloud Service Provider (CSP) to any government agency. As part of the FedRAMP authorization process, an accredited Third-Party Assessment Organization (3PAO) assesses the CSP’s controls under NIST SP 800-53, a security framework for federal government information systems. The 3PAO also assesses additional controls above the NIST baseline that are unique to cloud computing.

Contractors who supply products or services specifically to the DoD are subject to the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS standards establish compliance with fourteen groups of cybersecurity requirements under NIST SP 800-171, meant to protect Controlled Unclassified Information (CUI).  

In November 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) framework, which builds upon DFARS. Contractors undergo an audit by a CMMC Third Party Assessment Organization (C3PAO), which issues a certification for the contractors’ assessed cybersecurity maturity level. The certification ranges from CMMC Level 1, indicating a low, ad-hoc maturity, to CMMC Level 5, indicating a high, optimized maturity. As contractors progress further up the DoD supply chain all the way to prime contractors—those working directly with the DoD—the DoD scale requirements for those contractors to meet higher certification levels. Meeting all DFARS controls and 110 controls in NIST SP 800-171 roughly correlates to CMMC level 3.

Cybersecurity Requirements of Executive Order 14028

Continue Reading Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028
Business Affected By GPDR?

GDPR and Its Impact on Business – Find Out Here!

Over the years, the internet has changed the way we communicate and how we handle day-to-day tasks. There are so many things that we can do via the internet, from sharing documents to paying our bills. All of these are convenient, but these tasks require us to enter personal details.

With so much information that we share online, how can you guarantee that your information will be kept safe? Have you ever wondered what happened to the information you share online, like your bank details, addresses, contacts, etc.

Companies say that they collect this information to serve you better to provide you with more targeted and relevant communication. In turn, you get better customer experience in the end.

The question is, what do they do with that data?

That’s where the GDPR comes in.

The General Data Protection Regulation (GDPR) took effect on May 25, 2018 and many companies have taken steps to comply with it; otherwise, they could face fines and other consequences. But what is GDPR and what are the companies that are strongly affected by this change? 

GDPR Compliance: What is it? 

GDPR is the set of rules designed for EU individuals that allow them to have more control over their data. The main goal of this regulation is to make the digital environment simple so that businesses and their customers in the EU can benefit from a digital economy, yet still protect individual privacy. 

The GDPR applies to all companies that sell to the EU, store personal information about EU residents, including EU B2B personal information collected from companies on other continents. 

Which Companies are Affected by GPDR?

As mentioned, companies that sell to the EU, store personal information about EU residents, and have customers in the EU are affected by this.

In addition, GDPR applies to all companies established in the EU, regardless of where their data processing takes place. In fact, even non-EU established companies will be subject to GDPR, as long as the business offers goods and/or services to EU citizens. Therefore, this puts consumers from the EU in the driver’s seat, and businesses must comply with the regulation.

Here are some of the industries that are most hit by GDPR: 

Social Media

Ever since GDPR took effect, social media users have noticed changes in the privacy policies of social platforms they frequent, and they were notified of these changes via email. The reason behind these changes is the GDPR and other privacy laws. 

Companies in the social media marketing industry are one of the most affected by this new regulation. Therefore, social media marketers must disclose and ensure that users know how their data are being used

In addition to that, they need to request full consent from users to use their data outside of what is strictly necessary to provide the social media information society services. 

There are also other strict rules that GDPR expects social media companies to do, such as: 

  • Users have the right to be forgotten, which means that users now have the right to delete all their data. 
  • Companies that collect information directly from users must inform users within 72 hours after a data or security breach is detected. 
  • Plain language must be used in all privacy policies and explanations regarding users’ data. 

Despite this drastic change in the social media industry, users can highly benefit from this shift in data privacy rights. 

Online Retail

GDPR has become a challenge for online retail companies as it urges them to make changes that make many brands rethink their strategies. Due to GDPR restrictions, like limitations with the use of third-party information, or limitations on sharing of user information to third parties, it has become a challenge for online retailers to thrive. 

However, these changes have its advantages as well because it puts online retailers on better standing with consumers. This will help them build a more trustworthy relationship with consumers today, which is crucial in today’s digital environment. 

Digital Banking

Undeniably, the effects of GDPR to financial services are significant. GDPR has made the privacy of users their primary concern. The main principle of GPDR is “incorporating privacy and data protection” considerations into all sectors that use personal information, which is critical for the digital banking industry

Your Business Affected By GPDR

Although GPDR encourages best practice and data compliance, it comes with a side effect. Digital bank owners see the new regulation as costly and can affect their projects further. Therefore, many have their reservations that lead to them to be hesitant to invest because they fear they would get it all wrong. 

However, there are many benefits when digital banks comply with data privacy law. For one, it will provide them with more opportunities for innovation and investment because it’s more than regulatory compliances. In fact, it’s a profitable strategy in which bank owners can make bolder decisions and enter new territories due to the integration of data protection into core development strategies. 

Secondly, GPDR compliance allows digital bank owners to more ethically handle data—a huge advantage in the industry. 

Finally, GPDR provides digital defense by considering internal and vendor security, and reinforcing good data handling processes that banks can follow should there be a security breach. 

Cloud Computing

Cloud computing companies are also affected by GPDR, due to the sensitivity of customers’ information in the cloud. Since cloud service providers host various types of data, they often deal with sensitive and classified information, which could fall under the wrong hands.

Another challenge is the externalization of privacy because businesses that get a cloud service expect privacy agreements and commitments that they shared with their customers and staff will still work. However, if the cloud service provider operates in various locations, the rights of data owners may be subject to different regulations and requirements. Therefore, it’s advisable to have a customized agreement with a cloud computing company when it comes to privacy commitments. 

In a Nutshell

It’s been years since GPDR came into effect. Today, it still remains as a rigorous compliance process. However, GPDR has brought many opportunities that can improve strategies and deliver more innovation in the market. 

Even if you’re not in any of the industries listed above, as long as you operate a business that sells products online to EU individuals, you need to consider GPDR -compliance; otherwise, you could risk facing hefty fines or lose customers.

So, if you’re unsure whether your company is GPDR compliant, contact someone with GDPR experience to assess your GDPR compliance.

1 2 3 4 5 13