Our colleagues over at the Privacy & Security Matters blog wrote a really good piece entitled “It’s Tax Time – Don’t be Phished,” which guides employers on how to avoid phishing scams during this tax season. It’s a must-read because the targets of these scams are HR and payroll departments, and employer awareness is necessary not only to protect employees, but also because responding to one of these scam emails constitutes a reportable data breach under state laws. Employers could have significant liability for failure to provide notice to employees and/or state regulators (where required).

From:     Ned Help

To:          Carrie Counselor

Date:      June 1, 2016

Subject:  Lost laptop containing European customer information

Carrie,

A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities.   The employee was Abbie Absent-Minded.  Well, we hit a snag pretty quickly.  Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found.  It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it.  Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product.  She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.

I assume that we should tell our prospective client that the laptop with their customer data was lost.  What else do we need to think about?

Thanks,
Ned

Continue Reading Innocents Abroad: My Employee Lost a Laptop With Customer Data

From:             Carrie Counselor

To:                  Ned Help

Date:              May 19, 2016

Subject:         RE: Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging in a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy. Great question! This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Continue Reading Innocents Abroad: Privacy considerations for employees working abroad

Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hardworking class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”

But real life is rarely like the movies, even when it involves the movies.  Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”).  The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un.  And class action litigation predictably followed.  But the evil wrongdoers who faced the wrath of class counsel?  Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime.  So SPE, the studio victimized by the hack, would have to do.

And the result of this drama?

Continue Reading It’s A Wrap! Sony Pictures Data Breach Case Settles Without A Hollywood Ending For The Plaintiff Class

My colleague Mitch Danzig was quoted in a SHRM article entitled “Keep Employees on the Ball During March Madness,” in which he provides strategies for employers to avoid legal claims when monitoring employees’ computer use. The article outlines ways employers can both manage “cyberslacking” and boost morale in the workplace during March Madness.

My colleague, Sue Foster, is out with a quick but important post on our sister blog, Privacy and Security Matters, about a European Court of Human Rights decision that approved employer access to personal employee communications under limited circumstances. You can read it here. As Sue notes, the decision serves as a reminder that employers should consult local counsel before monitoring employee communications.

In a sign of the growing trend of states enacting statutes protecting employee privacy, Maine became the latest state to prohibit employers from requiring employees and job applicants to provide passwords to their personal Facebook and other social media accounts.  Since 2012, nearly half of the states have passed such laws.  Indeed, since February alone, when we discussed this issue in our employment privacy webinar, three states enacted social media privacy laws, including Connecticut.  We briefly outline Maine’s new law below.

Continue Reading Maine Social Media Employee Privacy Law Goes Into Effect October 15, 2015

The NLRB continued its assault on employee handbooks and policies, as an administrative law judge recently found several provisions in the Macy’s handbook, including the confidential information policy, to be unlawful, as employees would reasonably read them to restrict protected concerted activity.  Specifically, the judge ruled: “The Respondent violated Section 8(a)(1) of the Act by unlawfully restricting its employees’ use of information regarding their fellow employees and the Respondent’s customers, the use of the Respondent’s logo, and requiring the employees to notify Respondent’s Human Resources representative prior to providing information for a government investigation.”

Continue Reading No Parade for Employers: NLRB Judge Invalidates Several Policies in Macy’s Handbook

These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information.  But, what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?

Continue Reading More Than Employers Bargained For: Do Union Employees Have a Right to Bargain Over Company Data Breaches?

By George Patterson

In the past few years the National Labor Relations Board (“NLRB”) has taken an increased interest in whether workplace policies prohibiting employees from discussing the terms and conditions of their employment on social media such as Facebook and Twitter violate the National Labor Relations Act (“NLRA”) by interfering with workers’ rights to engage in concerted activity.  Federal law prohibits an employer from interfering with employees who come together to discuss work-related issues for the purpose of collective bargaining or other mutual aid or protection, and the NLRB has (correctly) noted that social media has become one of the primary avenues through which employees engage in such activity.  A spate of recent decisions makes clear that the NLRB has intensified (and will likely continue to intensify) its scrutiny of employer social media policies and this scrutiny extends no less to non-unionized employers.

Continue Reading NLRB Continues Aggressive Crackdown on Social Media Policies