Resources

Client Alerts, News Articles, Blog Posts, & Multimedia

Everything you need to know about BMD and the industry.

Five Things That Owners and Boards Need to Know About Privacy and Cybersecurity Compliance

Client Alert
August 21, 2020

Do you serve on a Board of Directors or serve in a similar advisory capacity for a company or organization? Do you own your own business? Here are five things you should know about privacy and cybersecurity compliance.

  1. Upholding Your Fiduciary Duties

As a fiduciary of an organization, you may already know that you have a duty of loyalty and duty of care, including the duty to keep investors and owners informed of the cybersecurity risks of the organization. You also have the duty to protect the organization from undue risk, balancing the organization’s ability to conduct its operations with appropriate levels of risk mitigation strategies.

  1. Basic Knowledge of Privacy and Cybersecurity Issues

To properly fulfill your fiduciary duties, you need to obtain and maintain a basic knowledge of cybersecurity and privacy issues and risks facing the organization. Lack of understanding is not an excuse, and it is expected that Boards familiarize themselves with the cybersecurity efforts in the organization, champion and drive the organization’s commitment to ensure adequate cybersecurity protections are established and maintained. Board members and owners are also strongly encouraged to engage in the organization’s training and awareness campaigns and gain additional awareness as it relates to advising organizations effectively.

  1. Maintain the Company’s Reputation and Public Perception

Privacy and cybersecurity compliance builds the foundation of trust and reinforces an organization’s reputation for honoring the privacy expectations of both customers and business partners. A company’s character and brand are driven by industry expectations, treatment of customer data, legal requirements and product development. Mishandling a security breach can have devastating effects on the organization’s reputation, financial, operational and other aspects of the business. Many companies do not recover from a data breach due to the lack of proper advance planning and proper oversight.

  1. Watchdogs

In the United States alone, there are several different government authorities that maintain varying levels and scopes of authority over organizations with respect to privacy and cybersecurity issues, including the Securities and Exchange Commission, Federal Trade Commission, Department of Justice, Federal Sentencing Commission, and State Attorneys General, to name a few. There are also non-governmental watchdogs, from privacy advocacy groups who lobby for stricter laws and regulations and plaintiffs’ attorneys who bring actions against organizations that fail to comply with laws and regulations as well as organizations’ own stated privacy practices.

  1. Board Personal Liability

Breaches of fiduciary duties can be a slippery slope: subjecting board members to personal liability if the failure to exercise a minimum level of care, such as ignoring cybersecurity risks of the organizations, delegating responsibility without oversight, and lack of proper skill or training to properly advise the organization in these matters. Penalties can range from debarment from eligibility to bid on future federal contracts, large fines and jail time for individuals.

What Owners and Board Members can Do Today:

  • Call your insurance provider:
    • Do you have a cyber insurance policy?
    • Understand what is covered and make sure that the coverage is appropriate for your business risks.
  • Meet with your technology experts to talk about current protections and risks that they are aware of. Understand where there may be gaps in current protections from a technology perspective and what recommendations the technology experts have to fill those gaps.
  • Consult with legal counsel to identify the laws and regulations that apply to your business related to privacy and cybersecurity compliance.
  • Assemble a cross-functional team of internal and external subject matter experts and professionals who handle critical data of the company to form a privacy steering committee. The Committee’s core responsible should be implementing and maintaining a compliance program that addresses the company’s privacy and cybersecurity risks.

Need conversation starters about privacy and cybersecurity for your board or organization? Contact Partner Allison Cole at aecole@bmdllc.com to discuss ways to address this important topic for your business.

CybersecurityPrivacy RuleComplianceCompliance ProgramCompliance Plancompliance plan guidanceownersboardsAllison Cole
Client Alert

First-of-Its-Kind Federal Ruling Finds Use of Consumer AI Tool May Destroy Attorney-Client Privilege

February 17, 2026On February 10, 2026, Judge Jed Rakoff of the U.S. District Court for the Southern District of New York issued a first-of-its-kind ruling finding that documents generated by a criminal defendant using a consumer AI platform were not protected by attorney-client privilege after being shared with counsel. The court treated the AI tool as a third party, concluding that entering sensitive information into a publicly available platform may waive confidentiality. The ruling also suggests that the work product doctrine may not apply where AI-generated materials are created independently by a client rather than at counsel’s direction. The decision signals that parties should exercise caution when using consumer AI tools in connection with legal matters.Client Alert

Your Golden Chance for H-1B Lottery Registration - March 2026

February 16, 2026USCIS H-1B registration opens March 4–19, 2026. U.S.-based employees on valid nonimmigrant status are exempt from the $100,000 fee for change of status petitions. The new weighted lottery favors higher-skilled and higher-paid employees, improving odds for advanced degree holders and Wage Level 3 or 4 workers.Client Alert

Invisible Algorithms: The Hidden Role of Artificial Intelligence in USCIS Immigration Processing

February 10, 2026The Department of Homeland Security has confirmed that artificial intelligence and machine learning tools are now integrated into numerous operational functions within U.S. Citizenship and Immigration Services (USCIS). These tools are described as mechanisms to improve efficiency, reduce backlogs, and assist officers in managing an unprecedented volume of applications. DHS emphasizes that human adjudicators retain decision-making authority and that AI systems do not independently grant or deny immigration benefits. Find out how AI affects the U.S. immigration process.Client Alert

OAAPN | Year In Review: 2026 Ohio Board of Nursing and Ohio Law Rules

February 9, 2026Find out key changes to Ohio law and the Ohio Board of Nursing rules that have directly impacted APRN practice over the past year, including Psychiatric Inpatient Documents, Intimate Examinations, Signature Authority, Duties Related to Fetal Death, Retail IV Therapy Clinics, Release from Permanent Restrictions, Disciplinary Action, Course on Drugs and Prescriptive Authority, Overdose Reversal Drugs, Office Based Opioid Treatment, Withdrawal Management for Substance Use Disorder, Safe Haven Program, and more.Client Alert

Ohio House Bill 537: Proposed Regulations for Midwives and Birthing Centers

January 28, 2026House Bill 537, introduced in the Ohio House of Representatives, proposes a comprehensive regulatory framework for certified nurse-midwives, certified midwives, licensed midwives, and traditional midwives. The legislation would clarify scope of practice, establish licensure standards, and impose new requirements for freestanding birthing centers and home births. Healthcare providers and facilities should be aware of the proposed changes and their potential operational impact.
Older posts