The Tax Scams Cometh

Posted by on Jan 25, 2017 in Data Security, Employment and Labor

Tax season is miserable for many because it means having to cut a check to the IRS.  But it’s not just Uncle Sam who’s interested in your money.  Scammers are also looking to get paid, and they’ll do it by stealing personal information.  Employees tasked with preparing tax forms, like human resources (HR) professionals, are prime targets of scams.  Using various forms of subterfuge, scammers convince HR to hand over private information about an employee, which they’ll then use to file false tax refund claims.  The surge in tax scams has prompted the IRS to issue multiple alerts and host National Tax Security Awareness Week last December to educate the public about tax-related cybercriminal activity.

What’s the scam?

Scammers impersonate people whom the victim is likely to trust, like a well-known service provider (e.g., FedEx) or a person with a legitimate need for access to sensitive information (e.g., an IRS agent).  This is known as “spoofing.”  Sometimes a “spoofed” email tries to get the recipient to open an attachment containing a virus or click on a link to a malicious site (which might look legitimate).  A specific type of spoofing attack known as “phishing” aims to convince the victim to divulge personal or financial information.  For example, a phisher posing as an employee might email the HR department for a copy of his W-2 form.  Even more targeted is a “spear phishing” attack aimed at a specific individual.  The IRS has warned of spear phishing schemes involving emails to an HR professional sent from the spoofed email address of a C-suite executive.  The email will ask the HR professional to send a tax form or to provide information about an employee, supposedly for a tax filing.  Once the scammer has the information, he or she will file a tax refund claim under the employee’s name.

Protective measures

The best way to avoid being a victim of a phishing attack is to raise awareness.  Employees should be regularly trained to practice the following defensive measures:

  • Be suspicious of all email requests for confidential information, even if they come from high-level personnel within the company. Tell-tale signs are spelling or grammatical errors or language that the sender doesn’t typically use.
  • Confirm requests for confidential information by calling the requester.
  • Avoid sending confidential information electronically. Hand deliver the information or send it by mail to a verified address.
  • If confidential information has to be transmitted electronically, encrypt it before sending.
  • Never send confidential information by hitting the “reply” button. If an email is spoofed, the reply email will go to the imposter.  Instead, compose a new email and manually type in the email address of the recipient.
  • Apply extreme caution when opening attachments. Never open an attachment with the .exe extension.  Note that an attachment might be altered to look like an ordinary word processing document, spreadsheet, or PDF.  When in doubt, send your IT department a screenshot of the email and consult with them on what to do next.
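
The reply-button and attachment checks above can also be automated at the mail gateway. The following is an added example, not part of the original post: it flags a message whose Reply-To domain differs from the visible From domain (one common way a reply ends up with the imposter) and any attachment whose real extension is .exe. The addresses, domains and file names are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr


def domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def review(raw):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    # Hitting "reply" sends to Reply-To when present, not to the From address.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        warnings.append(f"reply goes to {reply_addr}, not {from_addr}")
    # The last extension decides how the file runs, so "x.pdf.exe" is caught.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            warnings.append(f"executable attachment: {name}")
    return warnings


def sample(reply_to=None, attachment=None):
    """Build a constructed test message (all values are made up)."""
    m = EmailMessage()
    m["From"] = "Pat Chief <ceo@example.com>"
    m["To"] = "hr@example.com"
    m["Subject"] = "Need all W-2 forms today"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please send the W-2s for a tax filing.")
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    for raw in (sample(),
                sample(reply_to="ceo@examp1e-mail.test"),
                sample(attachment="W-2_summary.pdf.exe")):
        print(review(raw) or "no warnings")
```

A clean result does not replace confirming the request by phone: a message sent from a compromised or look-alike account passes both checks.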

Responding to a security breach

In the unfortunate event that a company falls victim to a phishing attack, it should immediately gather facts about the incident including the number of employees involved, where the affected employees are located, what information was stolen, and whether the stolen information has been put to use.  Consult with a lawyer to determine next steps.  In Hawaii (as in many states), a business is legally obligated to provide notice to victims of a security breach.  Experienced counsel can navigate the company through data breach notification laws and advise on liability and remedial measures to take.


Police officer suspended for controversial Facebook posts allowed to go to trial on First Amendment retaliation claim

Posted by on Oct 26, 2016 in Employment and Labor, First Amendment, Social Media

It’s generally a good practice to set standards of online employee conduct to prevent the social media activity of employees from disrupting the workplace or tarnishing your organization’s reputation.  But the mere fact that an employee comments on controversial subjects on social media doesn’t necessarily justify disciplinary action.  That’s especially true in the case of a public employer.  Disciplining a government employee for posting social media messages about a topic of public concern could violate the First Amendment, as illustrated by a recent Ohio decision.  Hamm v. Williams, Case No. 1:15CV273 (N.D. Ohio, Sept. 29, 2016).

Hamm centered around the controversy over the fatal police shooting of two unarmed African-Americans following a high-speed car chase.  The incident — sometimes known as the “137 shots” in reference to the number of bullets that were fired at the couple — was highly publicized and the target of protests by the Black Lives Matter movement.  Seven Cleveland police officers were indicted as a result.  While off-duty, a Cleveland police officer (Hamm) used his home computer to post Facebook comments criticizing the indictments and showing support for his colleagues.  Approximately one week later, Hamm wrote on Facebook that an unidentified individual found his original comments offensive and had reported the first post to his supervisors.

After conducting an investigation, the supervisors determined that Hamm had breached department rules against using social media to discuss a criminal investigation involving the department or posting material that would “tend to diminish” public esteem for the department.  The department suspended Hamm for 10 days.  Hamm sued the city for retaliating against him for exercising his First Amendment right to free expression.

Under U.S. Supreme Court precedent, government employees have a First Amendment right to speak as private citizens on matters of public concern.  However, an employee’s constitutionally protected right to free expression must be balanced against a public employer’s interest in efficient delivery of public services.

The court determined that Hamm was speaking as a private citizen, as he had posted the Facebook comments while he was off-duty using his home computer.  The subject of his comments – a highly publicized police shooting and the aftermath – was a matter of “political, social or other concern to the community” and not just a “quintessential employee beef.”

The city argued that a police department, as a paramilitary organization charged with maintaining public safety and order, had a greater interest in regulating the speech of its employees than an ordinary public employer.  The city contended that it was justified in ensuring that officers are not publicly criticizing an investigation or placing a stigma on the criminal justice system or internal police operations.

The court rejected the city’s arguments because it found no evidence that Hamm’s posts actually resulted in work stoppages or that any officers declined to fulfill their duties because of Hamm’s posts.  The court therefore allowed Hamm to proceed to trial on his First Amendment retaliation claim.

Hamm is a good reminder that discipline should not be a knee-jerk reaction to controversial social media posts of an employee.  Conduct an investigation and collect evidence of the actual or potential disruptive impact of the comments before taking disciplinary action.  If you’re a public employer, the First Amendment adds an extra layer of protection for employees.  Consult experienced counsel to help you analyze the impact of constitutional protections for online employee speech.


Six Years Later, NLRB’s Social Media Guidelines Still Confound

Posted by on Sep 21, 2016 in Employment and Labor, Social Media

Six years ago, the National Labor Relations Board (NLRB) became one of the first governmental agencies to regulate social media use in the workplace.  In 2010 and 2011, the NLRB issued a series of guidance memos and decisions sketching the contours of acceptable limitations on social media conduct of employees.  Largely aimed at protecting the right of employees to act together to improve their working conditions and terms of employment – what Section 7 of the National Labor Relations Act (NLRA) calls “protected concerted activity” – the NLRB’s social media guidelines can be downright frustrating for employers.  Conduct that might seem proper to ban, like making defamatory comments about management personnel or discussing confidential company information online, could be protected under Section 7, according to the NLRB.

Little has changed after six years.  Three recent cases show that the NLRB is still as confounding as ever when it comes to regulating social media work rules.

  • In Chipotle Services LLC d/b/a Chipotle Mexican Grill, Case No. 04-CA-147314 (Aug. 18, 2016) the NLRA struck down parts of Chipotle’s “Social Media Code of Conduct” that prohibited employees from posting “incomplete, confidential or inaccurate information” and making “disparaging, false, or misleading statements” about Chipotle, other employees, suppliers, customers, competitors, or investors. Chipotle fired an employee for violating this rule by posting tweets that criticized Chipotle’s hourly wage.  The NLRA concluded that the rule was unlawful because it could reasonably chill employees in the exercise of their Section 7 rights.
  • In G4S Secure Solutions (USA) Inc., 364 NLRB No. 92 (Aug. 26, 2016), the NLRB ruled that a private security company’s policies concerning confidentiality and social media postings violated Section 7 rights of employees.  The confidentiality policy prohibited employees from making “public statements about the activities or policies of the company[.]”  The NLRB found this rule overbroad because it could be understood to prohibit discussion of rules concerning employee conduct, which is a term and condition of employment.  Also unlawful was a social media policy banning social media postings of pictures of employees dressed in their security guard uniforms.  The NLRB rejected the company’s argument that the policy protected a legitimate privacy interest.
  • In Laborers’ International Union of North America and Mantell, Case No. 03-CB-136940 (NLRB Sept. 7, 2016), the NLRB found that a union violated Section 7 of the NLRA by disciplining a union member who criticized union leadership for giving a journeyman’s book to a mayoral candidate who had not gone through the union’s 5-year apprenticeship program.  The comments were posted on a Facebook page accessible to approximately 4,000 people, some of whom were union members.  Even though certain aspects of his comments were false, they did not lose protection because they were not “knowingly and maliciously untrue.”

Does your organization have similar social media rules concerning anti-disparagement, confidentiality, or privacy?  If so, it might be time to freshen up your social media policy with the help of experienced counsel.


Clicking Your Way to Enforceability – Court Enforces “Clickwrap” Non-Compete Agreement

Posted by on Jul 11, 2016 in Employment and Labor, Miscellaneous

You’ve heard the buzz about Pokemon GO and decide to give it a try.  After installing the game on your phone and moving past the initial splash screen, you’re presented with the game’s Terms of Service, which you may “Accept” or “Decline.”  Just a single click stands between you and Pokemon-hunting goodness!

If you clicked the “Accept” button, you just entered into a “clickwrap” agreement.  Does that mean you’re now bound by everything stated in the Terms of Service?  The answer to that question is important from an HR perspective because work forms are increasingly being digitally executed by current and prospective employees over a computer network.  Thankfully, the answer is yes, as a recent New Jersey decision confirmed.

In ADP, LLC v. Lynch (D.N.J. June 30, 2016), a business outsourcing company (ADP) sued two former employees to enforce non-compete, non-disclosure, and non-solicitation provisions in a restrictive covenant agreement.  The defendants had enrolled in ADP’s stock award program electronically.  In order to receive awards in the program, they were required to click an “Accept Grant” button.  The option to click this button was unavailable until they affirmatively checked a box acknowledging that they had read a collection of documents, including the restrictive covenant agreement.  The defendants had checked the box and clicked on the “Accept Grant” button.

The significance of this fact became apparent when the defendants, who were not residents of New Jersey, argued that the New Jersey court lacked personal jurisdiction over them.  The court noted that defendants had consented to the personal jurisdiction of New Jersey courts in the restrictive agreements.  The defendants argued that the forum selection clause in the restrictive covenant agreement was unenforceable because they did not receive adequate notice of the clause.  The court rejected this argument as well, noting other cases in which clickwrap agreements incorporating additional terms by reference were regarded as providing reasonable notice that additional terms apply.  Some courts have even enforced clickwrap agreements that do not require affirmative confirmation that the signatory reviewed the terms before agreeing to them.  ADP was therefore allowed to pursue its lawsuit.

ADP confirms that electronic consent to agreements incorporated by reference into a clickwrap agreement is legally valid, assuming the agreements are supported by adequate consideration.  To build an even better case for enforceability, employees should be required to confirm their agreement with (not just acknowledgment of) the incorporated documents.  But beware of the clickwrap agreement’s close cousin—the “browsewrap” agreement, which states that continued action (like browsing the contents of a web page) constitutes agreement with certain terms.  Courts routinely refuse to enforce browsewrap agreements.   Requiring employees to manifest their agreement through affirmative conduct – like clicking on a button – is essential.


Website Accessibility Issues Mean ADA Liability Might Be Just a Click Away

Posted by on Apr 28, 2016 in Employment and Labor, Litigation

Since the Americans with Disabilities Act (ADA) was passed in 1990, businesses have been vulnerable to “drive-by lawsuits” alleging that their facilities are physically inaccessible to disabled customers or guests.  The new trend in ADA litigation is the “surf-by” lawsuit—disabled individuals who sue under the ADA because a business website they visited was allegedly inaccessible to them.  The U.S. Department of Justice also has been aggressively enforcing website inaccessibility violations even though it won’t issue regulations until 2018.

If you’re still not convinced that the threat of website accessibility lawsuits is real, consider that in March, a California trial court became the first in the nation to rule on summary judgment that a retailer’s website violated the ADA and California’s anti-discrimination law (the Unruh Act).  The court determined that the website was inaccessible to visually impaired individuals.  The judge slapped the retailer with $4,000 in statutory damages under the Unruh Act, ordered it to either modify or remove the website, and awarded the plaintiff its attorneys’ fees, which are estimated to be in the six-figure range.

What can business owners do to prevent being sued for website accessibility violations?  Start with these steps:

  1. Determine if the ADA applies to you. Title I of the ADA applies to private employers with 15+ employees.  Covered employers may not discriminate against employees with disabilities and must make reasonable accommodations for them.  In addition, accessibility may be an issue for business websites that allow job applicants to apply online.  Title II applies to State and local governments.  Under Title III, the website of an organization that qualifies as a “public accommodation” must be accessible to individuals with disabilities.  Courts are split on whether “pure Internet” organizations (i.e., those without a bricks-and-mortar presence) are subject to website accessibility requirements.
  2. Identify accessibility issues. If the ADA applies to you, determine if your website poses accessibility problems to disabled individuals.  The DOJ has not yet officially adopted rules for website accessibility, but is considering two sets of standards – the Web Content Accessibility Guidelines (WCAG) 2.0 created by the World Wide Web Consortium and the Electronic and Information Technology Accessible Standards published by the U.S. Access Board for compliance with Section 508 of the Rehabilitation Act.  Common accessibility barriers include lack of closed-captioning for audio and video content, a site navigation structure unfriendly to keyboard-only users, and failure to provide descriptive text for images and non-text content.
  3. Get expert help. Web accessibility standards are highly technical.  Consider consulting an IT expert with web accessibility experience to help you identify accessibility problems and solutions.  You should also consult a lawyer with ADA experience to help you evaluate and mitigate legal risk, or to devise a defense strategy if you’ve already received a demand letter threatening litigation.