A few weeks back, I did a post about having our personal data hacked.

What if the hacker was you?

Yes you — the attorney, the employer, or someone else who has confidential information.

I was recently reviewing the online court file of an employment case in federal court for a recent blog post.  It’s available for anyone to see.

(You might be asking, Why? Because it’s always interesting to see other filings and the way cases turn out. Ok, it’s always interesting TO ME at least….).

In looking over some of the court-filed documents, I came across the college transcript of the employee/plaintiff.  It was filed by the attorney as evidence in the case.

Some newer transcripts omit this kind of confidential information. But this college transcript was old school: It still contained the Social Security number of the employee AND his date of birth.

And just like that, the attorney has opened up the employee to hacking.

In case you are wondering, yes, there are rules in federal court about this. For example, Local Rule 5(e)8 requires that a party filing a document that will become publicly available shall redact Social Security numbers, financial account numbers, dates of birth and names of minor children.

Attorneys who represent employers should beware that the same rule applies to filings you submit as well.
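Before a document like that transcript goes out the door, someone should run a pre-filing check for exactly the identifiers the rule names. Here is a small one, added for this post and not part of any court's or firm's tooling. It scans text for Social Security numbers, dates of birth and account numbers and redacts them the way Fed. R. Civ. P. 5.2 allows (last four digits of an SSN, year of birth only, last four digits of an account). The sample filing text is constructed; the patterns are assumptions about how those fields usually appear in scanned paperwork and will not catch every layout.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the kind of transcript text that ends up in a public filing.
SAMPLE_FILING = (
    "Registrar's Office - Official Transcript\n"
    "Student: John Q. Sample   SSN: 123-45-6789   DOB: 04/12/1975\n"
    "Tuition paid by wire, Account No. 001234567890\n"
)

# SSN in the common NNN-NN-NNNN form; the lookaheads skip never-issued areas/groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Date of birth only when labelled as such, to avoid redacting every date on the page.
DOB_RE = re.compile(r"(?i)\b(?:DOB|date of birth|born)\s*[:\-]?\s*(\d{1,2})/(\d{1,2})/(\d{4})\b")
# Labelled account numbers of 8-17 digits (typical bank/card lengths; an assumption).
ACCT_RE = re.compile(r"(?i)\b(?:acct|account)\s*(?:no\.?|#|number)?\s*[:\-]?\s*(\d{8,17})\b")


@dataclass
class Finding:
    kind: str   # "ssn", "dob" or "account"
    start: int  # character offsets into the scanned text
    end: int
    text: str


def scan(text: str) -> List[Finding]:
    """Report every identifier that Rule 5.2 says must be redacted before filing."""
    findings = []
    for kind, rx in (("ssn", SSN_RE), ("dob", DOB_RE), ("account", ACCT_RE)):
        for m in rx.finditer(text):
            findings.append(Finding(kind, m.start(), m.end(), m.group(0)))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Apply the Rule 5.2 conventions: SSN last four, birth year, account last four."""
    def ssn_sub(m: "re.Match") -> str:
        return f"XXX-XX-{m.group(3)}"

    def dob_sub(m: "re.Match") -> str:
        label = m.group(0)[: m.start(1) - m.start(0)]  # keep "DOB: " etc.
        return label + m.group(3)                       # year only

    def acct_sub(m: "re.Match") -> str:
        label = m.group(0)[: m.start(1) - m.start(0)]
        digits = m.group(1)
        return label + "X" * (len(digits) - 4) + digits[-4:]

    text = SSN_RE.sub(ssn_sub, text)
    text = DOB_RE.sub(dob_sub, text)
    text = ACCT_RE.sub(acct_sub, text)
    return text


if __name__ == "__main__":
    for f in scan(SAMPLE_FILING):
        print(f"{f.kind:8} at {f.start:4}: {f.text}")
    print(redact(SAMPLE_FILING))
```

Run it over the extracted text of every exhibit before it is uploaded; if `scan` returns anything, the exhibit is not ready to file. The check is a safety net, not a substitute for reading the document, since an SSN typed without dashes or a birth date in an unusual format will slip past these patterns.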

Beyond court rules, employers have independent legal obligations to protect their employees' Social Security numbers as well.

And so, in this age of data, it’s up to us all — attorneys and employers — to take the responsibility of protecting data seriously.

You don’t want to hack your own client or employee.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes with resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and that didn’t raise any suspicions to be getting another one from them.

But by mid-morning the next day, yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out, I set up an alert with UPS to send a message to a separate e-mail account any time a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I opened it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up just to see if the hack worked.  If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.
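The three things Comcast found, plus the blank-titled filters, are the standard persistence kit for an account takeover: forward a copy of everything, silently divert the messages that would tip the owner off, and reroute the verification calls. Those settings are all visible in the account, so they can be audited. The script below is an added example written for this post, not anything Comcast or Amazon provides. It models the settings as plain data structures (an assumption; a real provider's export will look different) and flags the patterns described above: account-wide forwarding to an outside address, untitled filters, filters that forward and delete, and call-forwarding targets that are not the household's own numbers. The sample account, addresses and phone numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions for the example: the mail domain the account holder actually uses
# and the phone numbers the household owns. Anything else is "external".
OWNER_MAIL_DOMAINS = {"comcast.net"}
OWNER_PHONE_NUMBERS = {"+15550100002"}


@dataclass
class MailRule:
    name: str                       # filter title as shown in the webmail UI ("" if untitled)
    sender_contains: str            # condition: the From: address contains this text
    forward_to: Optional[str]       # address that receives a copy, or None
    delete_original: bool = False   # remove the message so the real owner never sees it
    enabled: bool = True


@dataclass
class AccountSettings:
    mail_rules: List[MailRule]
    forward_all_to: Optional[str]             # account-wide "send a copy of every e-mail to"
    call_forwarding: List[Tuple[str, str]]    # selective call forwarding: (caller, forward-to)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in OWNER_MAIL_DOMAINS


def audit(settings: AccountSettings) -> List[Tuple[str, str]]:
    """Return (severity, description) findings for takeover-style persistence."""
    findings: List[Tuple[str, str]] = []

    # 1. A copy of EVERY message going somewhere the owner does not control.
    if settings.forward_all_to and is_external(settings.forward_all_to):
        findings.append(("HIGH", f"account-level forwarding of every message to {settings.forward_all_to}"))

    # 2. Filters that divert or hide mail. Untitled filters are suspicious on their own.
    for rule in settings.mail_rules:
        if not rule.enabled:
            continue
        reasons = []
        if not rule.name.strip():
            reasons.append("untitled rule")
        external_forward = bool(rule.forward_to) and is_external(rule.forward_to)
        if external_forward:
            reasons.append(f"forwards to external address {rule.forward_to}")
        if rule.delete_original:
            reasons.append("deletes the original so the owner never sees it")
        if not reasons:
            continue
        severity = "HIGH" if external_forward else "MEDIUM"
        label = rule.name or '""'
        findings.append((severity, f"rule {label} matching From:*{rule.sender_contains}*: " + "; ".join(reasons)))

    # 3. Verification calls rerouted to a number the household does not own.
    for caller, target in settings.call_forwarding:
        if target not in OWNER_PHONE_NUMBERS:
            findings.append(("HIGH", f"calls from {caller} are forwarded to unknown number {target}"))

    return findings


# Constructed sample mirroring the settings found in the account above.
SAMPLE_ACCOUNT = AccountSettings(
    mail_rules=[
        MailRule(name="Newsletters", sender_contains="news@", forward_to=None),
        MailRule(name="", sender_contains="amazon.com", forward_to="dropbox4412@example.net", delete_original=True),
        MailRule(name="", sender_contains="card-issuer.example", forward_to="dropbox4412@example.net"),
    ],
    forward_all_to="dropbox4412@example.net",
    call_forwarding=[("+15550100777", "+15550199999")],   # retailer's verification line -> burner
)

if __name__ == "__main__":
    for severity, description in audit(SAMPLE_ACCOUNT):
        print(f"[{severity}] {description}")
```

The useful habit here is the checklist, not the code: after any password-reset alert, look at forwarding, filters (including the ones with no name) and call-forwarding settings before concluding that "nothing else is suspicious".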

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her Social Security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two-factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR.  I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keeps reporting major data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice.  And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access?  Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program, and develop the teams of people that will respond in the event of a data breach.
  4. Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training.
  5. Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact.
  6. Inform – When (not if) you have a data breach, inform those affected and government officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy and the need for companies to view it as a key part of your company’s culture should be an integral part of your employee onboarding and training.  My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

With the new year upon us, cyberthieves are once again attempting to prey on unwitting HR professionals, as my colleague William Roberts explained in an article last week for SHRM on phishing.

The scam goes like this. As an HR professional, you get an e-mail from your boss (or your boss’s boss) that seems legitimate…and urgent. Something like this:

I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan

It’s happened before.  Indeed, as Bill explained in the article:

“Alan was the chief financial officer,” said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn’t Alan who was sending the e-mail. Despite the company’s policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief’s e-mail address.

That’s more than just an “Oops” moment.

Although the IRS is taking steps to help reduce this, the best defense is for HR professionals to be aware of this scam.  I previously discussed this back in March 2016 with a quick post but it’s worth looking at some of the tips presented in the SHRM article including:

  • Train employees on cybersecurity awareness. Many companies do not.
  • Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise….
  • If you receive an e-mail from upper management, verify the request….
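"Verify the request" can be partly automated. What gives away a message like the one above is rarely the prose; it is the headers around it: a display name that matches an executive but an address that does not, a Reply-To that differs from the From, and an urgent ask for payroll data. The check below is an added example for this post, not something from SHRM or the IRS. It uses Python's standard `email` parser over three constructed messages (the body of the first two is the sample e-mail quoted above). The company domain and the executive directory are assumptions you would replace with your own.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.com"                       # assumption: your mail domain
EXECUTIVES = {"alan": "alan.cfo@example.com"}        # assumption: first name -> real address

URGENCY_WORDS = ("today", "urgent", "asap", "rush", "exception to normal protocol")
SENSITIVE_WORDS = ("w-2", "w2", "social security", "ssn", "payroll", "direct deposit")

# The scam message from the post, with constructed headers.
_SCAM_BODY = (
    "I'm in the middle of a negotiation so won't be available by cell or e-mail but I need "
    "you to send W-2s for the management team to our new accountants. You can e-mail them "
    "to [____________]. Needs to be done today. Sorry for the rush on this and please take "
    "this as an exception to normal protocol. Thanks. - Alan\n"
)
PHISH_LOOKALIKE_DOMAIN = (
    "From: Alan <alan.cfo@examp1e-corp.com>\nTo: hr@example.com\n"
    "Subject: W-2s needed today\n\n" + _SCAM_BODY
)
PHISH_SPOOFED_FROM = (
    "From: Alan <alan.cfo@example.com>\nReply-To: alan.cfo.mobile@mail-example.net\n"
    "To: hr@example.com\nSubject: W-2s needed today\n\n" + _SCAM_BODY
)
LEGITIMATE = (
    "From: Alan <alan.cfo@example.com>\nTo: hr@example.com\nSubject: Benefits renewal\n\n"
    "Can we meet Tuesday to review the benefits renewal numbers? Thanks. - Alan\n"
)


def assess(raw_message: str) -> List[str]:
    """Return the reasons a message looks like a W-2 / executive-impersonation phish."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons: List[str] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # Outside domain, including lookalikes such as examp1e-corp.com.
    if from_domain != COMPANY_DOMAIN:
        reasons.append(f"sender domain {from_domain} is not {COMPANY_DOMAIN}")

    # Display name of a known executive on an address that is not theirs.
    first_name = display_name.split()[0].lower() if display_name.strip() else ""
    if first_name in EXECUTIVES and from_addr != EXECUTIVES[first_name]:
        reasons.append(f"display name '{display_name}' but address {from_addr} is not {EXECUTIVES[first_name]}")

    # Replies silently routed somewhere else.
    reply_to_header = msg.get("Reply-To")
    reply_to = parseaddr(str(reply_to_header))[1].lower() if reply_to_header else ""
    if reply_to and reply_to != from_addr:
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # Urgency plus a request for sensitive payroll data is the scam's signature.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part is not None else ""
    urgency = [w for w in URGENCY_WORDS if w in body]
    if urgency:
        reasons.append("urgency language: " + ", ".join(urgency))
    sensitive = [w for w in SENSITIVE_WORDS if w in body]
    if sensitive:
        reasons.append("requests sensitive data: " + ", ".join(sensitive))
    return reasons


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent signals: stop and verify by phone before replying."""
    return len(assess(raw_message)) >= 2


if __name__ == "__main__":
    for label, raw in (("lookalike", PHISH_LOOKALIKE_DOMAIN), ("spoofed", PHISH_SPOOFED_FROM), ("legit", LEGITIMATE)):
        print(label, is_suspicious(raw), assess(raw))
```

None of these signals is proof on its own, and a determined attacker can clean up the headers; the point is that any message asking for W-2s should fail this check or be confirmed with a phone call to the executive's known number before a single file is sent.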

My colleague Gary Starr returns today with a story worth reading about the need for employers to secure confidential information.  Although it is based on Massachusetts, the concepts it covers may have some carryover to employers elsewhere as well.

Employers that maintain records of their employees and customers and allow employees to have access to confidential information have long needed policies that not only secure the information, but ensure that employees who have been granted access to such information are complying with the corporate policies and are trustworthy.

An insurance agency in Massachusetts thought it had done everything right, but was sued for negligence in its retention of an employee that it thought was trustworthy, but was not.

An employee used her computer to access confidential information that she then gave to her boyfriend about the identity of a witness to a car accident in which the boyfriend had been involved with her car.  The boyfriend used that information to contact and threaten the witness.  The witness reported the threat to the police and ultimately the boyfriend and the employee pleaded guilty to witness intimidation and conspiracy.  After the police visited the employer to obtain information about the threat, which was traced back to the employee, the employer fired the employee.

That, however, did not end the tale.

The witness then sued the employer for failing to safeguard personal information, and for negligent retention and negligent supervision.  While the trial court dismissed the case, the appellate court has determined that the facts alleged are sufficient to go to trial.

Where did the employer go wrong?  The company had adopted a data security plan and policy that prohibited employees from accessing or using personal information for personal purposes.  The computer software even required employees, who wished to access the data base with confidential information, to agree to use the information for one of four limited purposes, all of which were business related.

Those were positive steps.

The problem arose because the unrestricted access did not stop the employee from reviewing information that had an impact on her personally.  The second failure had to do with an inadequate investigation of the employee’s background and simply taking the employee’s word about a weapons arrest that occurred during her employment in another state.

The employee told her boss that the arrest was a misunderstanding, that she was clearing it up, and subsequently said it was resolved.  The employer simply took her word for it.

What the employer would have discovered with a very simple inquiry was that there were serious issues with her honesty and fitness for accessing other people’s personal information.  The company could have learned that she was traveling with her boyfriend when they were stopped for speeding and that she was arrested for having two semi-automatic guns concealed in her purse, one with the serial numbers filed off and the other stolen.  She also had a half-mask and a police scanner.  After her arrest, she told the company that there had been a misunderstanding as the weapons belonged to her boyfriend, that she didn’t know anything about them and that she was exonerated.

Her story was not true, but her account itself should have raised questions about her having access to personal information.

The court said that the company had a duty to protect the confidential information and that it was foreseeable that the employee could access information and use it for personal gain.  The company had an obligation to investigate the employee’s continuing fitness after the arrest.  The court said that a jury could decide that the failure to take action under these circumstances was unreasonable as the company knew about the weapons charge and could have learned of her lies and her willingness to commit a crime with her boyfriend.  The company did not take sufficient steps to limit the risk of harm to those whose personal information its employees could access.

There are steps to take to avoid this problem.  After an employee is hired, that does not end the need to be vigilant about their fitness for the job.  When information comes to light that may raise questions about the actions of an employee, an employer cannot simply take his/her word for what occurred.  It must take affirmative steps to explore what the underlying issue is, analyze the employee’s story, and assess the risk the employee poses if access to confidential information is abused or if other employees and the public may be put at risk.


With Opening Day of baseball season nearly upon us, it’s time again to bring back a “Quick Hits” segment to recap a few noteworthy (but not completely post-worthy) employment law items you might have missed recently.

  • The U.S. Department of Labor released the final version of new “persuader” rules which will become effective April 25, 2016.  The new rules revise the “advice” exemption and will require a larger universe of consultants, law firms, and employers to report their labor relations advice and services.  You can find many recaps of the new rule (here and here, for example).  For Connecticut employers, if you haven’t had to worry about “persuader” reporting before (and don’t know what it is), it’s not likely to change things much, though for law firms and consultants, it may have a more significant impact.
  • Not every U.S. Supreme Court case is a big one.  The latest example of that is the Tyson Foods, Inc. v. Bouaphakeo et al. case that was issued last week. In that case, the court ruled that employees could use representative evidence to establish liability and damages for class certification purposes in a donning and doffing case. As another blog post stated sufficiently, this decision allowed employees to rely on a “time study conducted on a sample of class members to calculate an average donning/doffing time, which is then extrapolated to each member of the class — even if the actual time spent on the activity in question varies dramatically among employees and even if some of the class members failed to prove damages at all based on that time study.”  For most employers, however, the decision will have limited utility. Donning and doffing cases are, for example, fairly rare.
  • An interesting case up for oral argument at the U.S. Supreme Court today looks at the limited circumstances in which an employer can recover attorneys’ fees as a “prevailing party” in a Title VII suit.  The SCOTUSBlog has more on this case here.
  • Tax season has renewed fears regarding the privacy of W-2 forms.  A spear-phishing e-mail scheme has been making the rounds of late, as this post reminds us.


I’m pleased to announce an upcoming program that my firm, Shipman & Goodwin, and the Connecticut State Council of SHRM are producing next month and that I’ve been planning for several months.

The program, entitled “Data Privacy & Human Resources” will be a unique endeavor for us.  First, we are planning on doing it in both our Hartford & Stamford offices at the same time.  Speakers will be in both locations (though obviously not the SAME speakers, for those grammar buffs).

On top of that, we will be broadcasting it live via a webinar.

What could go wrong?

Hopefully, nothing, because really, it should be very informative.  It’s scheduled for the morning of December 11, 2015.

The first hour will focus on the key things employers need to know about the revisions to the state’s new data privacy law. The second hour will talk about the very latest in human resources including the current status of the proposed overtime regulations and the state’s new social media privacy law.

It’s going to be fast-paced and informative. But space is definitely limited and within the first 48 hours of our e-mail alert, we’re already halfway to our in-person room capacity.

If you’re interested in attending, check out this link and register online. The cost is just $35, but this includes breakfast and the materials. (If you’re watching via webinar, breakfast is on your own — naturally.)

And if you’d like to see the flyer, you can download it here.

Last week, I had the opportunity to speak to the Corporate Compliance Forum for the Connecticut Community Providers Association. My thanks to Gayle Wintjen, General Counsel of Oak Hill, for the invitation to speak.

The topic was a familiar one to this blog — Data Privacy.  In the session, we tackled the new Connecticut law that should be keeping at least some employers up all night figuring things out.

As I said in my talk, employers that have had to adopt HIPAA compliance rules should be in a good shape to get into compliance with Connecticut law. Things like two-factor authentication aren’t nearly as intimidating when you’ve already adopted it for other areas.

Now, the rules don’t need to be adopted by everyone. But those employers who do business with the state of Connecticut are typically covered.

The Privacy and Data Protection Group of my firm put together a FAQ to inform current and potential state contractors of Connecticut’s data privacy and security requirements and to answer the most commonly asked questions about applicable Connecticut law and compliance with it. This article also includes our recommendations for analyzing compliance under applicable Connecticut law and, if necessary, developing a plan to satisfy the pertinent legal requirements.

You can download it free here.

For human resources, I think this is one of the more complicated times to be in HR. Between privacy, discrimination laws, wage & hour laws alone, there are many issues to keep on top of. Make sure data privacy is on your list of things to pay attention to for this year.

And stay tuned for more information on an upcoming program in November.

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

On June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed to do business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.