Hack attacks!

January 11, 2017 - by: Matt Gilley

Lately, the news has led with stories about the alleged Russian hacking of various American political organizations, ostensibly for the purpose of influencing the 2016 elections. U.S. law enforcement has surmised that the Russian government orchestrated a number of incursions into networks controlled by the major political parties and that they used or disclosed certain information. You’ll recall the leaks of major Democrat Party and Hillary Clinton campaign e-mails. Now, news reports claim that the investigation revealed the Russian government may have collected compromising information about President-elect Donald Trump.

As with any hacking story, we can’t be sure exactly what’s out there or what’s real. However, we can’t deny that hacking goes on beyond government and politics. Private organizations and businesses are just as enticing to data thieves, and are often softer targets. We have seen prominent data thefts from all industries:  Telecommunications, manufacturing, tech, and consulting are all targets.

Human Resources in any organization plays a critical role in firming up an organization’s data security and cyber defenses. Data security has to take account of both internal threats (from employees and other insiders) and external threats (from data thieves and other hackers who want your information for personal gain or for other reasons). In this regard, Human Resources should assess the following:

  • Do we have safeguards in place to protect against internal data thefts? At a minimum, your employees with access to competitive or proprietary data should have confidentiality agreements, and the organization should have a policy in place to allow for monitoring use of company systems and advise employees that their use will be monitored. Also, walk around your office and see how many people have their passwords stuck to their computer on a Post-It note–any example you find is a weakness just begging to be exploited.
  • Do your people know how to spot threats? Attacks can come from any number of directions. For example, employees need to report suspicious activity, like a fellow employee who shows an inordinate amount of interest in data not related to his or her job. Also, employees often download data onto external storage media like hard drives or USB drives. Is your company preventing or monitoring these kinds of activities?
  • Are your employees easy marks? Hackers today gain access through any number of inventive ways. You need to ensure that your employees are trained to spot and report suspicious behavior like phishing, social engineering, and attempts to introduce malware into your organization’s systems. If any of these terms is unfamiliar to you, you need to get moving!

Training your people is the first way to prevent these attacks, because data thieves see your people as the easiest way into your system.

#Fired: Post a tweet, lose your job

August 23, 2016 - by: Katie O'Shea

Many people enjoy spouting off what they view as 140-character tidbits of wisdom on the social media platform Twitter. But recently several individuals have found themselves in trouble with their employers (read: former employers) for their tweets or other social media posts.

One recent example was a loan officer from Michigan who crafted a racist tweet, not worth repeating here, following First Lady Michelle Obama’s speech at the Democratic National Convention. Twitter users saw the tweet and tracked down the home loan company the woman worked for. The result was a flood of tweets directed to the company’s Twitter profile calling their attention to the tweet and asking if the employee’s views represented the company’s values.

One individual tweeted to the company, “you can’t tell me someone who holds this view on the @FLOTUS is not abusing her powers on other minorities.” Others went straight to the point and asked the company, “Will you continue to employ someone who is racist?”

The company saw the tweets and immediately took action by issuing a statement in response on Twitter. The company denounced the woman’s reprehensible comments and stated she was no longer employed with the company. The company emphasized that they do not condone such comments, which were made on the employee’s personal account.

Similarly, a national bank employee lost her job earlier this summer after a Facebook rant filled with racist remarks. The employee’s profile listed that she was an employee of the bank, and social media users immediately began sending the bank thousands of comments about the post. The bank investigated the post and terminated the employee, issuing a statement that they were aware of the reprehensible post on Facebook and the employee had been terminated. In this instance, many customers even threatened to close their accounts with the bank.

The public appeared particularly attuned to this issue given that in 2013 the bank was ordered to pay more than 1,000 African American job applicants over $2 million in back wages and interest after a judge found one of the company’s offices had discriminated against them based on their race.

Even celebrities like Blake Shelton, a judge on the popular singing competition show The Voice, have been called out by the Twitter masses for their tweets. Just last week, the country singer tweeted what some have dubbed a “non-apology” for past racist and homophobic tweets. Some of the tweets in question stem as far back as 2008, proving once again that the Internet never forgets.

With social media, it’s possible for a tweet or post to go viral immediately, and companies must be attuned to their social mentions and quickly take action if problematic posts surface. As with the bank case, delaying an investigation and taking action could cost a company customers and create bad PR.

If a company is considering taking action against an employee for a problematic post on social media, HR should be sure to immediately save or print a copy of the post in question in case the employee attempts to delete it. Employers also should keep in mind that some states might limit an employer’s ability to investigate social media or take action against an applicant or employee based on off-duty conduct.

Of course, employers also must be cognizant of the National Labor Relations Act (NLRA) in analyzing employees’ social media posts. In recent cases, the National Labor Relations Board (NLRB) has found that certain employee posts, and even rants, were protected activity under the NLRA because they pertained to concerted activity and union activity. The NLRB has found that employers violated the NLRA by terminating employees for participation in protected conduct, and has awarded back pay.

In light of these recent tweets, it’s important for employers to evaluate their social media policies and consider how they might respond to an employee who makes a racist, sexist, or otherwise inappropriate remark on a personal social media page. Employers should be extremely careful when disciplining employees over social media posts, however, especially if the posts pertain to conditions of employment. Employers considering disciplinary action or termination based on an employee’s social media post should act swiftly but consult with counsel beforehand.

Deflategate: Tom Brady’s fumble provides valuable lesson about spoliation of evidence

August 03, 2015 - by: Marilyn Moran

Tom Brady is one of the best quarterbacks in NFL history, but he fumbled big time when he ordered the destruction of his cell phone before he was to be questioned about his involvement in the deflation of footballs during last season’s AFC championship game. Importantly, prior to the phone’s destruction, NFL investigators had asked Brady for text messages and other electronic information stored on his phone. Although he continues to deny any wrongdoing, the NFL upheld his four-game suspension, concluding that his destruction of the cell phone proved he wanted to hide incriminating evidence of his involvement in the scandal.

Destruction of evidence, often referred to as “spoliation of evidence,” refers to the destruction of documents, information, or other tangible items that are potentially relevant to a claim before the other side has had an opportunity to review the evidence. Spoliation of evidence can have dire consequences for offenders. As a result, employers should know the when, what, why, and how of preserving evidence to avoid liability and ensure a fair playing field.

When to preserve
In employment cases, the duty to preserve relevant records, documentation, and other evidence may arise when an employee files a discrimination charge or lawsuit against an employer. In certain instances, however, the duty to preserve arises even earlier if the employer has a reasonable basis to believe that the employee may pursue legal action against the employer. Thus, an employer should implement measures to preserve relevant evidence as soon as it reasonably anticipates that the employee may file a claim.

What to preserve
Generally, employers must preserve any evidence that is relevant, which means it tends to prove or disprove any material fact in dispute. In determining what may be relevant, employers should cast a wide net and preserve all information that may reasonably be related to the employee’s claim, including but not limited to the personnel file of the complaining employee, correspondence between the employee and employer (or co-workers), and the personnel records of any employees who are similarly situated to the complaining individual.

Of course, the duty to preserve evidence doesn’t just apply to official personnel records or paper documents kept in desks and filing cabinets. Relevant evidence also may be housed on network servers, laptop and desktop computers, smart phones, e-mails, text messages, voicemail, and other electronic devices.

Why to preserve
As shown in the case of Brady’s destroyed cell phone, spoliation of evidence may lead to an adverse inference of guilt. In other words, if a court concludes that a party has destroyed evidence, the judge may instruct the jury that the missing evidence would have been incriminating. Spoliation of evidence also may subject parties to financial penalties, exclusion of relevant evidence, and dismissal of defenses.

How to preserve
So now that you know the when, what, and why of preserving evidence, you will need to know how to do it. Usually the first step in the preservation process is to issue a litigation hold letter to those who may have custody of relevant information, which should include the employee’s supervisor and IT personnel. When asking custodians to preserve evidence, you should provide a broad description of the types of documents and other information that must be preserved and follow up as needed to ensure the appropriate measures have been taken. Based on the individual circumstances of your case, you also may want to collect electronic devices for safekeeping or have a virtual image made of a device’s hard drive to avoid the alteration or destruction of electronically stored information and its metadata.

In addition, you should instruct your business’s IT personnel (and the material witnesses) to suspend any automatic destruction policy and forego the routine purging of e-mails or other data. Although malicious spoliation of evidence is clearly wrong, even the negligent destruction of evidence may result in sanctions if the employer was on notice of a potential claim but failed to suspend its document-destruction policies. Therefore, if you are put on notice of a potential claim, you should immediately notify the appropriate personnel to suspend your business’s routine destruction protocols to avoid the inadvertent destruction of relevant evidence.

As Tom Brady can surely attest, spoliation of evidence may undermine your business’s ability to defend itself in a lawsuit and cast doubt on your credibility in the process. To protect yourself, at the first sign of a claim, immediately seek guidance from experienced employment law counsel. Working together, you can assess your business’s duty to preserve evidence and develop a winning game plan for identifying and preserving relevant information.

Some extra points about fantasy football and your workplace

September 15, 2014 - by: Andy Tanick

Although the actual games have been overshadowed lately by the off-the-field misbehavior of some of the players, the NFL season opened last week. And if you listened closely enough, you could almost hear HR managers and small business owners across the country yelling at their employees, “Get off your fantasy football website and get back to work!”

Like college basketball’s March Madness, fantasy football’s massive popularity arises in large part from the fact that it gives zealots and non-enthusiasts alike a chance to “get in on the action,” and not just enjoy a sporting event but also win bragging rights over all of their friends. Indeed, anyone who has ever participated in either endeavor is sure to have bitter memories of losing the NCAA pool to someone who picked teams based on uniform colors or mascot cuteness, or losing a fantasy football championship to someone who couldn’t pronounce Tim Biakabutuka’s name if his life depended on it. Let’s just say, there is a certain amount of luck involved (except when I win).

In any event, what does this have to do with workplaces, and in particular, YOUR workplace? A lot. Challenger, Gray & Christmas, a global employment consulting firm, recently estimated that employers worldwide suffer $13.4 billion per year in lost productivity due to fantasy football. In other words, employers these days no longer worry about their workplace becoming a modern-day “Peyton Place.” Instead, they worry about their employees wasting valuable work time trying to guess whether Peyton Manning will throw his customary three touchdown passes this week.

What can employers do about it? Some businesses block fantasy football websites from their employees’ computers, but with everyone carrying a smartphone in their pocket these days, that’s kind of like going for a field goal when you’re down by 28 points in the fourth quarter. Of course, employers can hardly ban their employees from participating in fantasy leagues altogether; not only is it impractical, but most employees do save their fantasy sports obsession for after work, and some states have statutes forbidding employers from taking adverse action against employees for engaging in lawful activities on their own time.

The answer is actually deceptively simple, like benching your quarterback when he’s playing on the road against the Seahawks. Just remind your employees about, and continue to enforce, your existing practices and policies about workers devoting their time and energy–during working hours–to their jobs. The issue is really no different from the employee who spends all day scanning Facebook or looking for deals on Craigslist. Or for that matter, playing solitaire on his computer or engaging in personal telephone calls. Any of this conduct, if it rises to an inappropriately high level, more than likely violates company policy and therefore warrants corrective action by the employer.

And don’t forget, distractions like NCAA office pools and fantasy football leagues, if handled appropriately, can actually be positive factors in the workplace. What better way for employees to get to know each other than talking trash about their teams and debating  age-old questions like “If I bench my kicker because he’s playing in a snowstorm in Lambeau Field, am I being incredibly clever, or am I over-thinking my way to the consolation bracket?” (From personal experience, I can tell you it’s the latter. Curse you, Mason Crosby, circa 2009.) Just be sure that the league doesn’t intentionally or inadvertently exclude certain employees, for example, along the lines of gender. “He got more face time with the boss because of the office fantasy football league, and therefore he got the promotion” could well show up in a discrimination lawsuit in your company’s future; it has already shown up in some cases across the country.

Bottom line, fantasy football leagues can be fun team-building events for your workplace, but like all things HR-related, they must be monitored closely. And when problems arise, don’t be afraid to call a time out or throw a penalty flag, or your employees’ fantasy may become your company’s worst nightmare.

Caught AND recorded in the act

September 10, 2014 - by: David Kim

E-mails, audio recordings, and video surveillance. This trifecta of evidentiary support was put front and center in two disturbing incidents from the sports world that made headlines in the past week.

Earlier this week, Atlanta Hawks controlling owner Bruce Levenson stepped down, stating his intention to sell the team, because of a 2012 e-mail that he had written and that was to (and eventually did) become public. In the e-mail, Levenson expresses his thoughts on attracting more white fans to the arena and marketing to white fans in general, including for example that there were “not enough affluent black fans to build a significant season ticket base” and that he wanted “some white cheerleaders” and “music familiar to a 40-year-old white guy.” Levenson, in stepping down, issued a statement apologizing for his e-mail and its “inflammatory nonsense.” Interestingly, Jason Whitlock, an African-American columnist for ESPN.com, and former NBA player Kareem Abdul-Jabbar have both written pieces that have defended Levenson and his e-mail, stating that the Hawks owner is not a racist, but a businessman asking reasonable questions about race and how to put customers in seats.

It has come to light that the existence of Levenson’s e-mail was actually uncovered as a result of an investigation due to a separate incident. In June, Atlanta Hawks General Manager Danny Ferry had a conference call with the various owners of the organization, which was recorded so notes could be made for the partners unable to participate live. In discussing player personnel issues, Ferry allegedly was reading off a report generated by team sources when he spoke about then-free agent Luol Deng (now signed with the Miami Heat) and stated “he has a little African in him. Not in a bad way, but he’s like a guy who would have a nice store out front but sell you counterfeit stuff out in the back” and further describing Deng as a two-faced liar and cheat. As a result of Ferry’s comments, a minority owner of the Atlanta Hawks spearheaded an investigation that eventually also led to the discovery of Levenson’s e-mail. Ferry has issued an apology but has refused to step down as GM despite outside pressure to do so.

And finally, the biggest news in the sports world this week involves the video of now former Baltimore Ravens running back Ray Rice punching his then fiancée and now wife, in a hotel elevator in Atlantic City, NJ. Although the incident occurred in February, the graphic video of the action inside of the elevator was just made public this week by TMZ. Previously, the only video made available to the public (and allegedly to the NFL and the Ravens) was video from outside the elevator that showed Rice pulling his apparently unconscious fiancée from the elevator. Until TMZ’s release of the second video, Rice had been suspended by the NFL for only two games, an amount universally decried and that Commissioner Roger Goodell later admitted was an egregious mistake, prompting him to institute more stringent domestic violence penalties. With the release of the second video and amidst a firestorm of people outraged by its contents, Rice has now been released by the Ravens and suspended indefinitely by the NFL. So many questions remain unanswered. Did the NFL and/or the Ravens have access to and view this new video prior to Rice’s two-game suspension? Did they ask for access to it? And on and on. About the only thing everyone seems to know for sure is that this video depicts a horrific and heinous act.

One question being debated is why does it take the existence of this video for Rice’s punishment to be increased – shouldn’t he have been punished this severely no matter what? While the moral answer is most decidedly yes, the reality is that seeing something this horrific has a much more visceral reaction than hearing about it.

And these days, the ability to record audio and video is as easy as ever. It’s not just grainy surveillance video, either. Mobile phones and other portable devices can record video or capture audio of anyone the user wishes. It used to be that the common warning was to watch what you put down in an e-mail. E-mails are preserved, and what’s in writing could harm a company down the road, whether it be in connection with employee complaints, actual litigation, or labor issues, to name a few. Still true, but these days you have to watch what you do period, because of the concern that your actions and statements will be captured in audio or video recordings. That is especially true since most states, not all, permit you to record a conversation you are a party to without informing the other party they are being recorded.

E-mail still comprises a large portion of discovery with respect to employment-related matters, so of course you should continue to ensure that e-mail is used appropriately and professionally. More and more often, however, audio and video recordings also are being uncovered and produced in employment-related matters and often are the key evidentiary element in the case. Sometimes they are favorable to an employer’s defense. Sometimes they form the basis for plaintiffs’ claims. The key is understanding that this form of evidence exists and can be obtained and that it’s only going to increase in usage with the advent of better technology. So be wary. If, as they say, a picture is worth a thousand words, then a video is worth about a million of them.

With pals like this, who needs enemies?

May 12, 2014 - by: Andy Tanick

For those entrepreneurs who have struck it rich thanks to the Internet, Al Gore’s invention has been a wonderful thing. But a news story last week illustrated that the Internet also can cause a lot of headaches–even for the same people whose children and grandchildren may never have to work a day in their lives because of the worldwide wealth created by the worldwide web.

This story comes to us courtesy of the Internet payment processing giant, Paypal. According to Paypal, the company’s former director of strategy, Rakesh “Rocky” Agrawal, responded to an offer to take on a new role at the company last week by “choosing to turn a career-defining moment into career-destroying infamy.” Specifically, “Rocky” responded to the offer by inexplicably posting a series of angry, profane, and bizarrely nonsensical tweets on Twitter. Those tweets that were actually comprehensible included suggestions that Paypal executives perform physically impossible feats that best not be described here. Those tweets that were less decipherable included messages such as, and we quote, “jjjjj 999 I’mk nokkkkkiikkknokkkkkiikkkkkkjjnmo88iok99okkoolooolo.” Rocky has since claimed that his tweets were meant to be private (oh, THAT explains it) and has apologized, but Paypal isn’t buying what he is selling–probably even if he offers to accept payment via Paypal.

The Paypal situation provides yet another example of the havoc that employees can wreak on their employers through social media. Gone forever are the days when employees limited their sexual harassment, defamation, and just plain old stupid behavior to old-fashioned media such as memos, letters, emails, and the spoken word (remember that one?). These days, men and women who are intent on behaving badly have so many more ways to do so. “Older” employees (i.e., those over 30) still use Facebook and Twitter, while the millennials have long since moved on to things like Snapchat, Instagram, and other social media that the author, being decidedly well beyond millennial status, doesn’t even know about.

What can an employer do to minimize its risks arising from employees’ social media use?  For starters, adopt a written social media policy that makes the following points:

  • Communications that would violate the company harassment policy are equally prohibited if posted on the Internet.
  • Confidentiality policies, including policies regarding client or patient confidentiality, apply with equal force to Internet posts.
  • Employees should state that any controversial (e.g., political) views expressed in their posts are personal and not those of the company.
  • Employees should not post statements, photos, or videos that reflect poorly on their employer, unless the post is legally protected (see below).

In addition, employers should revise their existing harassment, misconduct, and confidentiality policies, among others, to make sure they cover online conduct.

Of course, employers also need to avoid violating their employees’ rights with regard to social media. While there is no right to “free speech” in connection with private employment, the National Labor Relations Act (NLRA) provides both union and nonunion employees with certain protections that can apply to their use of social media. Specifically, the NLRA provides employees with a right to “engage in concerted activity for the purpose of collective bargaining or for other mutual aid and protection.”  To be protected, the activity must be undertaken by two or more employees, or by one employee with the authority of others, and it must relate to terms and conditions of employment. The NLRA also makes it illegal for an employer to interfere with employees in their right to engage in such protected activity, and forbids rules, policies, or actions that “reasonably tend to chill employees in the exercise” of these rights.

In addition to the NLRA, other laws can come into play when employers affirmatively seek out information about employees via social media. The Stored Communications Act (SCA) prohibits unauthorized access to or disclosure of stored communications, like emails or social media postings. The Computer Fraud and Abuse Act (CFAA) prohibits obtaining information via intentional unauthorized access to “protected computers” involved in interstate commerce. The Fair Credit Reporting Act (FCRA) may come into play when employers seek out certain background information about employees. And there’s always a basic claim for invasion of privacy.

So, what’s the lesson here? As Paypal recently learned, your employees’ use of social media, even on their own time, in their own homes, on their own computers, can still create headaches for you as their employer. A good social media policy can help reduce the risks, but tread lightly, because your employee’s post–no matter how irritating–could be legally protected.