Archive for the ‘Employment’ Category

Employment Hiring Practices: Simple Mistakes, Costly To Fix

Monday, April 15th, 2013

The consequences of failing to develop employment-hiring materials can be devastating. So why do many employers fail to develop a basic set of documents governing the employment relationship with new hires?

Howard Matalon notes that although employment documents can be developed in a very cost-effective manner, many employers fail to give consideration to such documents until it is too late.  and no employer can afford to build a business without them. “Employers must reprioritize the importance of employment hiring practices and make them an actual part of their business model,” says Matalon.   Compliance as an afterthought has become an extremely expensive prospect for the unfortunate employers who ignore their human resource obligations.”

For these reasons, all employers must take a methodical approach to their hiring practices and procedures and treat these processes as seriously as they would every other critical aspect of their business. Read the full article regarding employment hiring practices.

Tags: , , , ,
Posted in Business, Data Privacy & Information Security, Employment, Intellectual Property, Litigation | No Comments »

Protecting Against Employee Lawsuits

Tuesday, February 26th, 2013

What is the best way to protect against employee lawsuits?

We recently received an inquiry about the best ways for businesses to protect against employee lawsuits. We’ve found that most employee lawsuits occur due to low morale, unaddressed personality conflicts, disparate productivity between employees and/or failure to give effective performance reviews. Of course, it is always important to have effective, well-drafted legal documents and policies that clearly delineate employee rights and obligations from the outset, which will help your business win lawsuits . However, the easiest way to protect your business from lawsuits is by preventing them in the first place. This means ensuring a good working environment, keeping employees happy, and giving employees recourse to deal with the issues that come up in the workplace, ideally through a dedicated and effective HR representative.

Tags: , , , , ,
Posted in Business, Data Privacy & Information Security, Employment, Litigation | No Comments »

Employee Who Read and Printed Coworker’s Emails Found Not Guilty of Violating the Stored Communications Act

Thursday, July 5th, 2012

Login / LogoutA New Jersey court recently held that a teacher who accessed and printed a co-worker’s personal email after the coworker left the computer  without signing out of her account was not guilty of a crime.

By Alice Cheng

In Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012), a New Jersey court held that a defendant was not in violation of any laws when he snooped through the emails of a coworker who had forgotten to sign out of a shared computer.

The defendant, a teacher who was involved in a salary dispute with the school district he worked for, sat down to use a computer in the school’s computer room when he accidentally bumped the mouse of the computer next to him. The screen of the adjacent computer came alive to show the Yahoo! email inbox of a member of the education association he was in dispute with, which included two emails that clearly mentioned him. He then clicked on the emails, printed them out, and used them at a meeting with the education association as evidence that they had not bargained in good faith.

The individuals who were  copied on the email conversations filed suit, claiming that the defendant had violated New Jersey’s version of the Stored Communications Act (N.J.S.A. 2A:156A-27), which reads in pertinent part:

A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.

The court found that the defendant did not “knowingly access [the facility] without authorization” as it was the previous user who had logged into the account. The judge then let the jury decide whether or not he “exceed[ed] an authorization to access that facility” when she failed to close her inbox and log out of her account. The jury found that did not, as he had “tacit authorization” to access the account. On appeal, the court affirmed.

While there is no clear answer to the question of whether snooping emails is illegal (as always, it depends), always remember to log out of public computers. Similarly, all mobile devices, such as smartphones or laptops, should be password protected. As for the email snoopers, be forewarned that snooping may nevertheless carry major consequences, if hacking or unauthorized access is found.

Tags: , , , ,
Posted in Data Privacy & Information Security, Employment, Intellectual Property, Technology | No Comments »

Social Media and the Workplace

Thursday, June 14th, 2012

Employment/Workplace Social Media Policies

No one wants to lose his or her job over a Facebook post. However, most employees also do not think twice before griping about a boss in a status update, or posting a picture from last Friday night on a coworker’s wall. While free speech has historically been protected in the United States, there can also be negative repercussions for exercising that right.

By Alice Cheng

Does it violate the law to fire someone over social media activity? Possibly, depending on whether the post is determined to be a “protected concerted activity” or not. Generally, the National Labor Relations Board (NLRB) has determined that Section 7 of the National Labor Relations Act permits “concerted activity,” which involves employees talking jointly about terms or conditions of employment (i.e., coworkers discussing a disliked supervisor on Facebook), and is permissible in order to protect employees against employer retaliation. Section 8(a)(1) is related and prohibits interfering with employees rights under Section 7.

For example, merely “venting” on a social network about a workplace condition is generally not enough to constitute protected concerted activity. Protected posts usually must involve, at a minimum, initiating or inducing coworkers to action (i.e., generating discussion among coworkers on Facebook).

Last month, the Acting General Counsel of the NLRB issued his third report on social media, including an analysis of seven recent social media cases, focusing on employers’ social media policies and rules. The report mentions that rules explicitly restricting Section 7 activity would be clearly unlawful. If the rule does not explicitly do so, it may still be unlawful under Section 8(a)(1) upon a showing that: “(1) employees would reasonably construe the language to prohibit Section 7 activity; (2) the rule was promulgated in response to union activity; or (3) the rule has been applied to restrict the exercise of Section 7 rights.” Although the cases within the report do not represent “the law,” they still provide helpful general guidance for employers seeking to design appropriate policies.

Avoid broad and ambiguous language. Policies which tell employees to not use “offensive” or “demeaning” comments should be backed with a specific example (such as offensive posts meant to discriminate based on race, sex, religion, or national origin) so that reasonable employers would not construe such language to cover protected activities. The Board has also long held that any rule requiring an employee to obtain the employer’s permission prior to engaging in protected activity is blatantly unlawful. Similarly, policies cannot require posts to be “completely accurate and not misleading” and should not limit discussions of work so that any discussion would be virtually impossible.

Rules requiring employees to maintain the confidentiality of trade secrets and private and confidential information are permissible, as employees have no protected right to discuss these matters. Generally speaking, employees have few rights to workplace privacy. However, there are limits on an employer’s ability to limit the use of the employer’s logos and trademarks.  For example, an employer cannot prohibit the use of picket signs containing the logos or trademarks.

Savings clauses have no real effect. These clauses generally state that the policy will be administered in compliance with relevant laws.  The NLRB has dismissed these as not curing any ambiguities in the overbroad policies.

It is also helpful for employers to place policies in context.  The policies should acknowledge the usefulness and appeal of social media, but also remind employees that they are responsible for what they write, to know their audience, and to use their best judgment. The purpose of a social media policy should clearly be to avoid use that would adversely affect job performance or business interests (including harming clients or customers), rather than for the sake of surveillance and retaliation.

Employers should also stay updated on recent developments pertaining to the disclosure of social media passwords. Recently a number of states have considered or implemented bans on “shoulder surfing” or mandatory disclosure of private accounts.

Tags: , , , , , , , ,
Posted in Data Privacy & Information Security, Employment, Technology | Comments Off

New Jersey Considers Prohibition on Requiring Disclosure Of Personal Account Passwords

Monday, June 4th, 2012

The proposed bill prohibits an employer from requiring a current or prospective employee to provide access to a personal account or even asking if they have an account or profile on a social networking website.

By Alice Cheng

Last month, a New Jersey Assembly committee approved a measure that would prohibit an employer from requiring a current or prospective employee to disclose user name or passwords to allow access to personal accounts. The employer is prohibited from asking a current or prospective employee whether she has an account or profile on a social networking website. Additionally, an employer may not retaliate or discriminate against an individual who accordingly exercises her rights under the bill.

This bill came in light of the multitude of stories of employers and schools requesting such information, or performing “shoulder surfing,” during interviews and at school/work. Although this may be only an urban legend at best, the ACLU and Facebook itself have demanded that the privacy-violating practice come to an end, and legislators across the nation have nevertheless responded promptly. For example, Maryland, California, and even the U.S. Senate have all proposed similar legislation banning such password requests to protect employee privacy.

Not only are password requests problematic for employees, but it also may land employers in legal hot water. Social media profiles may contain information that employers legally cannot ask (such as race or religion), and may potentially open employers up to discrimination suits.

Under the New Jersey bill, civil penalties are available in an amount not to exceed $1,000 for the first violation, or $2,500 for each subsequent violation.

Recently, in Ehling v. Monmouth Ocean Hospital Service Cop., 11-cv-3305 (WJM) (D.N.J.; May 30, 2012), a New Jersey court found that accessing an employee’s Facebook posts by “shoulder surfing” a coworker’s page states a privacy claim. See Venkat Balasubramani’s excellent writeup at the Technology & Marketing Law Blog.

Tags: , , , , , , , ,
Posted in Business, Corporate, Data Privacy & Information Security, Employment, Technology | Comments Off

Concerns That Mobile Devices Present For Hedge Fund Managers (Part 2)

Thursday, April 19th, 2012

OlenderFeldman LLP’s Aaron Messing was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the second entry here.

Three Steps That Hedge Fund Managers Should Take before Crafting Mobile Device Policies and Procedures

As indicated, before putting pen to paper to draft mobile device policies and procedures, hedge fund managers should take at least the following three steps.  Managers that already have mobile device policies and procedures in place, or that have other policies and procedures that incidentally cover mobile devices, may take the following three steps in revising the other relevant policies and procedures.

First, Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, advised that hedge fund managers should ensure that technology professionals are integrally involved in developing mobile device policies and procedures.  Technology professionals are vital because they can understand the firm’s technological capabilities, and they can inform the compliance department about the technological solutions available to address compliance risks and to meet the firm’s goals.  Such technology professionals can be manager employees, outside professionals or a combination of both.  The key is that such professionals understand how technology can complement rather than conflict with the manager’s compliance and business goals.

Second, the firm should take inventory of its mobile device risks and resources before beginning to craft mobile device policies and procedures.  Among other things, hedge fund managers should consider access levels on the part of its employees; its existing technological capabilities; its budget for addressing the risks of using mobile devices; and the compliance personnel available to monitor compliance with such policies and procedures.  With respect to employee access, a manager should evaluate each employee’s responsibilities, access to sensitive information and historical and anticipated uses of mobile devices to determine the firm’s risk exposure.

With respect to technology, Messing cautioned that mobile device policies and procedures should be supportable by a hedge fund manager’s current technology infrastructure and team.  Alternatively, a manager should be prepared to invest in the required technology and team.  “You should be sure that what you are considering implementing can be supported by your information technology team,” Messing said.  With respect to budgeting, a hedge fund manager should evaluate how much it is willing to spend on technological solutions to address the various risks posed by mobile devices.  Any such evaluation should be informed by accurate pricing, assessment of a range of alternative solutions to address the same risk and a realistic sense of what is necessary in light of the firm’s business, employees and existing resources.  Finally, with respect to personnel, a manager should evaluate how much time the compliance department has available to monitor compliance with any contemplated mobile device policies and procedures.

Third, hedge fund managers should specifically identify their goals in adopting mobile device policies and procedures.  While the principal goal should be to protect the firm’s information and systems, hedge fund managers should also consider potentially competing goals, such as the satisfaction levels of their employees, as expressed through employee preferences and needs.  As Messing explained, “It is not that simple to dictate security policies because you have to take into account the end users.  Ideally, when you are creating a mobile device policy, you want something that will keep end users happy by giving them device freedom while at the same time keeping your data safe and secure.  One of the things that I emphasize the most is that you have to customize your solutions for the individual firm and the individual fund.  You cannot just take a one-size-fits-all policy because if you take a policy and you do not implement it, it can be worse than not having a policy at all.”  OCIE and Enforcement staff members have frequently echoed that last insight of Messing’s.

Aaron and Jennifer also discussed privacy concerns with the use of personal devices for work:

Firm-Provided Devices versus Personal Devices:

As an alternative, some firms have considered adopting policies that require employees to make their personal phones available for periodic and surprise examinations to ensure compliance with firm policies and procedures governing the use of personal phones in the workplace.  However, this solution may not necessarily be as effective as some managers might think because many mobile device functions and apps have been created to hide information from viewing, and a mobile device user intent on keeping information hidden may be able to take advantage of such functionality to deter a firm’s compliance department from detecting any wrongdoing.  Additionally, Messing explained that such examinations also raise employee privacy concerns.  Hedge fund managers should consider using software that can separate firm information from personal information to maximize the firm’s ability to protect its interests while simultaneously minimizing the invasion of an employee’s privacy.

Regardless of the policies and procedures that a firm wishes to adopt with respect to the use of personal mobile devices by firm personnel, hedge fund managers should clearly communicate to their employees the level of firm monitoring, access and control that is expected, especially if an employee decides that he or she wishes to use his or her personal mobile device for firm-related activities.

Jennifer and Aaron also discussed controlling access to critical information and systems:

Limiting Access to and Control of Firm Information and Systems

As discussed in the previous article in this series, mobile devices raise many external and internal security threats.  For instance, if a mobile device is lost or stolen, the recovering party may be able to gain access to sensitive firm information.  Also, a firm should protect itself from unauthorized access to and use of firm information and networks by rogue employees.  A host of technology solutions, in combination with robust policies and procedures, can minimize the security risks raised by mobile devices.  The following discussion highlights five practices that can help hedge fund managers to appropriately limit access to and control of firm information and networks by mobile device users.

First, hedge fund managers should grant mobile device access only to such firm information and systems as are necessary for the mobile device user to perform his or her job functions effectively.  This limitation on access should reduce the risks associated with use of the mobile device, particularly risks related to unauthorized access to firm information or systems.

Second, hedge fund managers should consider strong encryption solutions to provide additional layers of security with respect to their information.  As Messing explained, “As a best practice, we always recommend firm information be protected with strong encryption.”

Third, a firm should consider solutions that will avoid providing direct access to the firm’s information on a mobile device.  For instance, a firm should consider putting its information on a cloud and requiring mobile device users to access such information through the cloud.  By introducing security measures to access the cloud, the firm can provide additional layers of protection over and above the security measures designed to deter unauthorized access to the mobile device.

Fourth, hedge fund managers should consider solutions that allow them to control the “business information and applications” available via a personal mobile device.  With today’s rapidly evolving technology, solutions are now available that allow hedge fund managers to control those functions that are critical to their businesses while minimizing the intrusion on the personal activities of the mobile device user.  For instance, there are applications that store e-mails and contacts in encrypted compartments that separate business data from personal data.  Messing explained, “Today, there is software to provide data encryption tools and compartmentalize business data, accounts and applications from the other aspects of the phone.  There are also programs that essentially provide an encryption sandbox that can be removed and controlled without wiping the entire device.  When you have that ability to segment off that sensitive information and are able to control that while leaving the rest of the mobile device uncontrolled, that really is the best option when allowing employees to use mobile devices to conduct business.  The solutions available are only limited by the firm’s own technology limitations and what is available for each specific device.”  This compartmentalization also makes it easier to wipe a personal mobile phone if an employee leaves the firm, with minimal intrusion to the employee.

Fifth, hedge fund managers should adopt solutions that prohibit or restrict the migration of their information to areas where they cannot control access to such information.  Data loss prevention (DLP) solutions can provide assistance in this area by offering network protection to detect movement of information across the network.  DLP software can also block data from being moved to local storage, encrypt data and allow the administrator to monitor and restrict use of mobile device storage.

Tags: , , , , , ,
Posted in Business, Data Privacy & Information Security, Employment, Intellectual Property, Litigation, Technology | Comments Off

Mobile Device Policies

Thursday, April 12th, 2012

Laptops, Smartphones, Mobile Computers, Mobile DevicesCompanies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources.

This “bring your own device” trend can present certain security and privacy risks for companies, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.

Most individuals now have personal mobile devices, and companies are finding it increasingly convenient to allow employees (and in certain situations, independent contractors) to access company data and networks through these personally owned devices. However, when an organization agrees to allow employees to use their own personal devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks with regards to the proprietary and confidential company information stored or accessible on those devices, which can lead to potential legal and liability risk. Similarly, when employees use the same device for both personal and professional use, determining the line between the two becomes difficult. If your company is considering letting its employees use their personal devices in the workplace, you should consult with an attorney to craft a policy that’s right for your business.

Tags: , , , , ,
Posted in Business, Data Privacy & Information Security, Employment, Technology | Comments Off

Entertainment Weekly Calls On OlenderFeldman For Comments

Tuesday, October 18th, 2011

On Tuesday, October 18th, a 40-something year old actress filed a law suit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.

Feldman, a partner at OlenderFeldman who is also not involved in the IMDb suit, believes “the most pivotal issue in the case” will be the clarity of IMDb’s Privacy Policy and Subscriber Agreement. According to Feldman, IMDb’s “mistake here is that neither the Privacy Policy nor the Subscriber Agreement are clear as to the purpose for obtaining credit card information, and how that information will be used.” Without that confusion, Feldman speculated that IMDb could have avoided this lawsuit altogether. Still, he agreed that Doe “has numerous hurdles to overcome,” primarily that she “appears to confuse promises made in those agreements concerning security of information provided to IMDb and the privacy rights afforded to subscribers of the website.”

Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.

To read more on this intriguing matter, click here.

Tags: , , , , , ,
Posted in Data Privacy & Information Security, Employment | Comments Off

FTC Settles Enforcement Actions Concerning Protection of Social Security Numbers

Thursday, May 5th, 2011

Yesterday, the Federal Trade Commission (FTC) announced two proposed settlements of complaints filed against Ceridian Corporation and Lookout Services, Inc.   Both proposed consent orders require the companies to implement security measures similar to other such settlements, including development and implementation of more robust information security programs, along with biennial security assessments and reporting by qualified personnel for 20 years.

Ceridian provided payroll services allowing input of sensitive employee information such as social security numbers.  Lookout provided a tool to allow employers to create and track immigration status information for employees which also allowed input and storage of employee sensitive personal information.

Both companies made security representations on their web-pages and/or through customer contracts creating the impression that the companies used industry standard secure technologies and security practices to safeguard their customers’ employee information.

Hackers breached Ceridian’s online perimeter defenses through SQL injection attack, resulting in compromise of the sensitive data.

An employee gained unauthorized access to Lookout’s database by using “predictable resource location” – essentially a brute force attack using educated guessing to reveal hidden files or functionality using common naming conventions in order to by-pass Lookout’s secure log-in page.  In addition, Lookout supposedly allowed a “test” environment to allow access to real data, again enabling the Lookout employee to access sensitive information through logging-in with a “test” username, along with other predictable measures.  Lookout allegedly did not use an intrusion detection system, and did not review logs in a timely manner.

Lookout allegedly made the following claims in marketing materials:

“Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access. Perimeter Defense – Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated software tools.”

Ceridian allegedly made the following representations on its web-page and in contracts with customers:

“Worry-free Safety & Reliability . . . When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.

Confidentiality and Privacy: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer].”

Although there are no admissions of liability in the settlements, the alleged liability in Lookout’s situation seems fairly clear.  As alleged, the interface simply did not protect the information, the company did not monitor its network, and sophisticated software tools were seemingly not in use.

The situation for Ceridian is somewhat more troubling.  Its claims and representations focused on the design of its security program, and using “reasonable care.”   The FTC alleged that Ceridian’s practices were not “reasonable.”  Specifically, the Commission alleged that Ceridian: “(1) stored personal information in clear, readable text; (2) created unnecessary risks to personal information by storing it indefinitely on its network without a business need; (3) did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks; (4) did not implement readily available, free or low-cost defenses to such attacks; and (5) failed to employ reasonable measures to detect and prevent unauthorized access to personal info! rmation.”

It’s pretty much a given that if a hacker is intent on accessing your network, no amount of security layering will necessarily prevent that unauthorized access.  However, certain things are clear from these cases: companies must assess the sensitivity of the information they hold, and design and implement security programs which correspond to the risk associated with that information.  Even if layers of defense are employed, if you handle sensitive data, assessments of the need for encryption, hashing, truncation, tokenization, limitation and minimization, application and network vulnerability testing, and monitoring of the network systems must be considered and implemented where appropriate.

It is also extremely important to use language that accurately reflects what is supported in policies (public facing and internal), as well as in contracts and privacy and security addenda.  This is not an area to gloss over as an additional exhibit to a master agreement.  The language of privacy and information security addenda or stand-alone contracts, as well as the promises made in marketing materials, SOWs, websites, etc., must be accurate, and should not downplay risks.  In certain cases, more specific contractual obligations are better than broader “reasonable” clauses.  These might clearly define the security requirements to be implemented, and what can be supported.   A corollary to this, particularly in the SaaS service provider context is accurately advising the business customers about disclosures and consents to be made to the users and data subjects whose info! rmation will be processed through the use of the system.

Additionally, merely advising about all risks and disclaiming responsibility for everything is not sufficient, because of the negative effects on business and marketing.  There is also no guarantee that even if there is a broad advice and disclaimer concerning security risk, that the FTC would not seek to use its “harm based” as opposed to “deception based” approach.  That is, “You handle sensitive information under circumstances where the harm may outweigh the benefit; therefore, you have a concomitant responsibility to protect that information.”

Service providers (and others) handling sensitive information must develop, document, manage, and train on their information security architecture.  The risks and obligations spread clearly beyond simple security mechanisms, but to the whole panoply of security layering and defense in depth.

Tags: , , , ,
Posted in Business, Corporate, Data Privacy & Information Security, Employment, Technology | Comments Off