The Electronic Wake Employees Leave Behind

Posted by on May 21, 2013 in Data Security, Employment and Labor

Employer sues ex-employee for not updating his LinkedIn profileJefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s  benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the amount of access to which former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow of erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.
Enhanced by Zemanta

Read More

LinkedIn Sued

Posted by on Jun 27, 2012 in Data Security, Privacy

LinkedIn announced on June 6 that it experienced a data breach compromising the passwords of some of its members.   Ten days later, LinkedIn got hit with a class action lawsuit.  The lawsuit was filed in a California federal district court.  You can read the complaint here.

A few key points about the lawsuit:

  • The plaintiffs consist of two classes — (1) anyone in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) anyone in class #1 who paid for a premium account.
  • The lawsuit alleges that LinkedIn did not comply with industry standard encryption protocols, contrary to its Privacy Policy.  Specifically, the plaintiffs contend that LinkedIn stored member passwords in “unsalted SHA1 hashed format.”
    • In simple terms, adding “salt” to a password means assigning random values to a password to make it more difficult to decipher.  For example, if the password were “JohnDoe,” you could salt it by adding the characters “5a6b7c,” giving you “JohnDoe5a6b7c.”
    • Hashing refers to the process of running a password into a cryptographic function to convert it into an unreadable and encrypted format.  The plaintiffs say that LinkedIn used an outdated hashing function that was first published by the NSA in 1995.
    • The plaintiffs say that LinkedIn should have at least salted the passwords before running them through the hash function.  Better yet, LinkedIn should have salted the passwords, input them into the hash function, salt the resulting hash value, and then run the hash value through a hash function.   Then, LinkedIn should have stored the fully encrypted password on a separate and secure server apart from all other user information.
  • The lawsuit brings claims based on California’s unfair competition law, California’s Consumers Legal Remedies Act, breach of contract, breach of implied covenant of good faith and fair dealing, breach of implied contract, and negligence.
  • The plaintiffs in the first class (all LinkedIn users) say they were in the form of loss of value in their personal information.  (Whether the court will accept that damage theory is questionable.)  Those in the second class (premium members who paid fees) say they were injured in the form of the fees they paid to LinkedIn for premium membership.
Read More
%d bloggers like this: