Tax season is miserable for many because it means having to cut a check to the IRS. But it’s not just Uncle Sam who’s interested in your money. Scammers are also looking to get paid, and they’ll do it by stealing personal information. Employees tasked with preparing tax forms, like human resources (HR) professionals, are prime targets of scams. Using various forms of subterfuge, scammers convince HR to hand over private information about an employee, which they’ll then use to file false tax refund claims. The surge in tax scams has prompted the IRS to issue multiple alerts and host National Tax Security Awareness Week last December to educate the public about tax-related cybercriminal activity.
What’s the scam?
Scammers impersonate people whom the victim is likely to trust, like a well-known service provider (e.g., FedEx) or a person with a legitimate need for access to sensitive information (e.g., an IRS agent). This is known as “spoofing.” Sometimes a “spoofed” email tries to get the recipient to open an attachment containing a virus or click on a link to a malicious site (which might look legitimate). A specific type of spoofing attack known as “phishing” aims to convince the victim to divulge personal or financial information. For example, a phisher posing as an employee might email the HR department for a copy of his W-2 form. Even more targeted is a “spear phishing” attack aimed at a specific individual. The IRS has warned of spear phishing schemes involving emails to an HR professional sent from the spoofed email address of a C-suite executive. The email will ask the HR professional to send a tax form or to provide information about an employee supposedly for a tax filing. Once the scammer has the information, he or she will file a tax refund under the employee’s name.
The best way to avoid being a victim of a phishing attack is to raise awareness. Employees should be regularly trained to practice the following defensive measures:
- Be suspicious of all email requests for confidential information, even if they come from high-level personnel within the company. Tell-tale signs are spelling or grammatical errors or language that the sender doesn’t typically use.
- Confirm requests for confidential information by calling the requester.
- Avoid sending confidential information electronically. Hand deliver the information or send it by mail to a verified address.
- If confidential information has to be transmitted electronically, encrypt it before sending.
- Never send confidential information by hitting the “reply” button. If an email is spoofed, the reply email will go to the imposter. Instead, compose a new email and manually type in the email addresses of the recipient.
- Apply extreme caution when opening attachments. Never open an attachment with the .exe extension. Note that an attachment might be altered to look like an ordinary word processing document, spreadsheet, or PDF. When in doubt, send your IT department a screenshot of the email and consult with them on what to do next.
Responding to a security breach
In the unfortunate event that a company falls victim to a phishing attack, it should immediately gather facts about the incident including the number of employees involved, where the affected employees are located, what information was stolen, and whether the stolen information has been put to use. Consult with a lawyer to determine next steps. In Hawaii (as in many states), a business is legally obligated to provide notice to victims of a security breach. Experienced counsel can navigate the company through data breach notification laws and advise on liability and remedial measures to take.
Whether it’s the secret recipe for your gourmet cupcakes or a unique process for manufacturing your best-selling product, trade secrets are valuable company assets. When an employee leaves, there’s a risk they will take your trade secrets with them to a competitor or to start their own business. So what relief is available if you’re a victim of trade secret theft? Hawai‘i companies already can seek relief from the Hawaii Uniform Trade Secrets Act, but now there’s another tool to combat trade secret theft. On May 11, 2016, President Obama signed the Defend Trade Secrets Act (DTSA) into law, which adds a federal layer of protection for trade secrets.
Here are the highlights of the new law:
What does DTSA do? The DTSA creates a new federal remedy for trade secret misappropriation. Prior federal trade secrets law only criminalized certain misappropriations of trade secrets. The DTSA allows victims of trade secret misappropriation to sue in federal court.
Is the DTSA my exclusive remedy? No. The DTSA creates a national standard of trade secret law and gives you more options for seeking relief, but it doesn’t pre-empt state law. You may still take advantage of trade secret protections under state laws like the Hawaii Uniform Trade Secrets Act.
What’s so special about the DTSA? One feature of the DTSA is that it allows a court to grant an “ex parte seizure order.” This new remedy lets trade secret owners seek a court order to seize allegedly stolen trade secret items in the accused wrongdoer’s possession without first giving them notice. Seizure orders are granted only in “extraordinary circumstances.” To safeguard against abuse of seizure orders, the DTSA entitles victims of wrongful seizure to damages, punitive damages in cases of bad faith, and attorneys’ fees. It remains to be seen how courts will apply the ex parte seizure provisions of the DTSA and how often the remedy will be used.
What do employers need to know about the DTSA? Injunctive relief granted under the DTSA may not “prevent a person from entering into an employment relationship” and must be consistent with state law “prohibiting restraints on the practice of a lawful profession, trade, or business.” In other words, the DTSA does not override state law governing non-compete covenants. Claims under state law may need to be included in the lawsuit to enforce non-compete provisions in an employment agreement.
The DTSA also provides immunity for whistleblower employees (which the DTSA defines broadly to include independent contractors and consultants) who disclose trade secrets to any government official solely for the purpose of reporting or investigating a suspected violation of law or in a court filing made under seal. Notice of the whistleblower immunity provisions must be given in every agreement entered into after May 11, 2016 that restricts the employee’s use of a trade secret or other confidential information. The notice requirement may be satisfied by referencing the immunity provisions in a policy document (like an employee manual) rather than inserting the provisions into each employment agreement.
For more specific information on how the DTSA affects you, consult experienced legal counsel.
Your employees may return to the office after the holidays with new gadgets strapped to their wrist. Wearable devices like the Apple Watch, Android Wear smart watch, and FitBit are some of the hottest holiday gifts of 2015. Or maybe your company gave wearable devices as gifts to its employees. Either way, wearables are showing up more and more in the office. With that trend come a slew of legal concerns. Here are some of the legal issues created by wearables to be aware of:
Wearable devices make it easier to violate privacy rights. If the wearable device is employer-issued, it could be used to track and monitor employees. Be sure to give notice to employees before doing that, and obtain their written consent to having their activity monitored. Employees should be told what information the company collects and how it will be used. If your workforce is unionized, use of wearables for monitoring purposes may be a point for collective bargaining.
Then there’s the privacy of co-workers. Some wearables can record audio and video, but they’re generally less detectable than smartphones and cameras. An employees’ ability to record interactions with co-workers and customers without their knowledge raises a variety of legal challenges. Workplace policies should explain the circumstances under which certain categories may or may not be used and describe the kind of notice employees who use wearables in the workplace must give to co-workers and customers.
If a wearable device is allowed access to the company network, it should be subject to BYOD policies like use of encryption, strong password requirements, device locks, etc. Don’t let wearables be an undetected hole in your network’s security. Also be sure to preserve the right to collect work-related information stored on your employees’ wearable devices, as such access might be necessary to comply with information requests in an investigation or litigation.
Smartphones and web browsers already give employees plenty of opportunities to engage in distractions that kill productivity, and wearables make that problem even more challenging. Consider modifying your workplace policies to address the use of company resources and company time to engage in personal activity using wearables.
The National Labor Relations Board (NLRB) recently took the unprecedented position that an employer violated federal law by failing to engage its employees’ union in collective bargaining regarding its response to a data breach. The U.S. Postal Service (USPS) was the target of a 2014 data breach affecting over 800,000 of its current and former employees. The NLRB filed complaints against the USPS claiming that it executed its response to the breach without engaging in collective bargaining with the union. That’s a violation of National Labor Relations Act (NLRA) provisions mandating collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment,” the NLRA alleged.
The NLRB complaints specifically allege that the USPS violated the NLRA by failing to collectively bargain with the union about the impact of the breach on union members. The USPS also allegedly violated the NLRA by unilaterally providing a remedy for the breach (one year of credit monitoring services and fraud insurance at no cost to employees) without giving prior notice to the union and providing it with an opportunity to negotiate the remedy. The NLRB complaints arose from charges filed by the American Postal Workers Union and the National Rural Letter Carriers’ Association regarding the manner in which the USPS handled the breach.
This marks the first time the NLRB has suggested that data breach response and notification measures affecting employees relate “to the wages, hours, and other terms and conditions of employment” under the NLRA. If the NLRB’s position is found to have merit, that potentially makes the breach response process more complicated and costly for unionized organizations. Union negotiations would need to be conducted at the same time the organization is dealing with fallout from the data breach, such as repairing damage to internal systems, investigating the breach, and complying with breach notification laws. Union negotiations could put tremendous pressure on organizations trying to comply with data breach laws that require notification within a short time period after discovery of the breach. There is also a heightened risk of leaks to the press if organizations must notify unions before giving formal notification as required by law.
The NLRB’s complaints against the USPS reinforce the urgency of developing well-crafted breach response plans. Union organizations might wish to add items to their response plans that engage employee unions in the response process. Another precautionary measure is to solicit the input of the union in developing acceptable breach response protocols before a breach occurs rather than in the midst of a crisis situation.
The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.