Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR. I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keeps reporting major data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice. And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access? Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program; and develop the teams of people that will respond in the event of a data breach.
  4. Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training.
  5. Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact.
  6. Inform – When (not if) you have a data breach, inform those affected and gov’t officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy, and the need for companies to view it as a key part of their culture, should be an integral part of your employee onboarding and training. My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

With the new year upon us, cyberthieves are once again attempting to prey on unwitting HR professionals, as my colleague William Roberts explained in an article last week for SHRM on phishing.

The scam goes like this. As an HR professional, you get an e-mail from your boss (or your boss’s boss) that seems legitimate…and urgent. Something like this:

I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan

It’s happened before.  Indeed, as Bill explained in the article:

“Alan was the chief financial officer,” said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn’t Alan who was sending the e-mail. Despite the company’s policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief’s e-mail address.

That’s more than just an “Oops” moment.

Although the IRS is taking steps to help reduce this, the best defense is for HR professionals to be aware of this scam.  I previously discussed this back in March 2016 with a quick post but it’s worth looking at some of the tips presented in the SHRM article including:

  • Train employees on cybersecurity awareness. Many companies do not.
  • Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise….
  • If you receive an e-mail from upper management, verify the request….

In yesterday’s post, I talked about some of the reasons why an employee’s lawsuit against his or her employer was destined for failure.

But employers, I’m afraid you’re not off the hook that easily. This post is for any employer that just got sued or threatened with suit.

Maybe that lawsuit isn’t so frivolous after all.

“Wait a second! You said yesterday that ‘Odds are, you probably weren’t discriminated against’!”

Ah, but isn’t that the rub? Odds. Statistics. Yes, some (many?) lawsuits brought by employees are losing propositions. But some are not.

Here are some things I tell clients or prospective clients when I see a lawsuit filed or threatened as to why they should take the lawsuit seriously.

1. That frivolous lawsuit is still going to cost you thousands (if not tens of thousands) to defend. But I thought you said this post was about non-frivolous lawsuits? True. But for my first point, that’s beside the point entirely. Whether a lawsuit is frivolous or not, the system of justice through our courts and administrative agencies moves slowly and with some cautiousness. Even the frivolous ones need to be defended. Court filings need to be, well, filed. And court conferences need to be attended. So the first point is always to recognize that all employment law cases have a cost associated with them.

And as such, all cases have what we call a “nuisance” value as well.  That is — you are going to spend X amount of dollars defending the lawsuit.  It may be cheaper to just pay a certain amount to avoid the cost of defense.  Now, there are business reasons why you won’t want to do so in all or even many cases, but the employer who fails to recognize the nuisance value of the case is destined to be disappointed in the long run.

It’s a bit of hyperbole to say that any person can sue anyone at any time for any reason. But not that much. Lawsuits are a part of doing business. Frivolous or not, you will still have to spend money to defend your decision. Be prepared for this eventuality when making your employment decisions and deciding whether or not to offer severance in exchange for a release.

2. “At Will” Employment Is a Misnomer. In Connecticut, the default employment relationship between an employer and employee is “at-will”. As many offer letters suggest, that means either the employer or employee can terminate the employment relationship at any time for any reason or no reason at all. And so, I sometimes hear employers exclaiming “Connecticut is at-will! We should be able to just fire them for any reason! How can they still sue?”


Earlier this month, The New York Times ran another column in its Workalogist series that asked the following question:

Are conversations with a human resources department confidential? I’m contemplating retirement in about three years and would like to gather benefit information from human resources now — but I do not want my supervisor to know. Once I decide, I would like to give three weeks’ notice.

In responding, the Workalogist quotes one SHRM professional as saying that, “An H.R. professional should maintain the employee’s confidentiality to the extent possible.”  But note the caveat: HR is at the “razor’s edge of balancing confidentiality with the overall needs of the business.”  He notes that many workers assume some confidentiality even where it doesn’t exist:

Workers often assume there’s some sort of H.R. parallel to the confidentiality they’d expect from a doctor or a lawyer. That’s not the case, says Debi F. Debiak, a lawyer and labor and employment consultant in Montclair, N.J. Barring circumstances involving, for instance, a medical condition, “there is no legal obligation to maintain confidentiality” about a retirement discussion, she says.

Suzanne Lucas, the Evil HR Lady (her name, not mine), has often touched on this subject in her blog and columns.  She was asked whether it was “illegal” or immoral for the HR representative to forward to the company’s COO an employee’s angry e-mail:

Well, it’s not illegal (she says in her non-lawyer, non-legal advice way). HR people are not required to keep a confidence as a doctor, priest or lawyer is. In fact, part of our job is to blab. Which means that I’m also going to suggest that it wasn’t necessarily immoral either.

Indeed, there may be times when such a referral is necessary to protect the company. Complaints of sexual harassment often need to be investigated, or reviewed.  In those instances, employers may not be able to honor a request to keep things “confidential”.

In short, those in human resources should realize that they shouldn’t make promises they can’t keep. Protecting the company and investigating harassment complaints are two common areas where HR should be speaking up — instead of keeping silent.

A few weeks back, one of the best bloggers you may not be reading — Robin Shea — posted about the scathing press that Amazon had been receiving about its workplace and posed this question: Can Employees Trust Human Resources?

It’s not a trick question.

As Robin deftly points out:

Part of the problem, I think, comes from the fact that HR really cannot be an “advocate” for the employee — not like the employee’s lawyer, or his mother, or his best friend. The HR rep works for the company and has to do what’s right for the company. I think this is where the “HR doesn’t care” perception comes from.

But Robin goes on to say that “just because HR isn’t an employee advocate doesn’t mean HR doesn’t care about employees.” Indeed, the HR person typically has to worry about compliance and recruitment — two areas that, if handled correctly, can be the “best way to stay out of legal trouble.”

Of course, other bloggers, like Suzanne Lucas, tackle this issue on a seemingly daily basis. After all, Suzanne’s moniker is the “Evil HR Lady”. Why?

All HR people are evil, it’s in our job description. Or at least, that seems to be the prevailing theory. In reality, there’s just more going on behind the scenes than most people know.

Now, before all the HR people reading this pat themselves on the back for a job well done — let’s not get too ahead of ourselves.  Human Resources doesn’t have to be evil, but that’s not to say that incompetence — or, more accurately, missteps — should be fostered either.

HR is under scrutiny all the time, and missteps can often lead to misunderstandings and mistrust too. Suppose, for example, an employee comes to HR with a “confidential” harassment complaint. The HR person fails to tell the employee that they have an obligation to report it and follow up; thus, when the HR person begins an investigation, the complaining employee may be surprised to find out that confidentiality is not something that can be promised.

Now let’s suppose that the HR person actually provides the caveat that confidentiality will be preserved where possible. But in the course of the investigation, the HR person divulges personal information to witnesses and is cavalier with the information. No matter how good the investigation is, it will still be perceived as being improper.

One issue that may come up is training. Some companies hire HR people with little experience figuring that “anyone” can do that job.  But the problem is that these people (to generalize) may not even know the questions to ask.  They have little familiarity with the law and therefore make decisions that may seem good in theory, but are just not allowed.  The intersection of the ADA, FMLA, Paid Sick Leave, and Workers Compensation is a huge issue that is difficult to get right.

In my experience, most of the HR people I’ve dealt with are bright, well-intentioned people who just want to “get it right”.  It can be a thankless job, made only tougher when the HR people are asked to take the lead on a layoff or termination.  I can tell you that no one takes pleasure in having to fire an employee. The conversations I’ve had with HR people in those instances start off clinical — just the facts — but many times, it’s the “personal” side of the decision that gets tough. The families that may be impacted or the other difficulties that the person has.

In those cases, HR plays a crucial role in ensuring decisions are handled with care and, if the situation warrants, compassion. HR can advocate for a severance package, or outplacement counseling, or other pieces to a separation. HR should — and oftentimes does — try to get decisions “right”.

And ultimately, HR should be trusted. But that trust is difficult to earn. To the HR people who read this, just keep plugging away.

Remember: HR will typically get blamed for any workplace employee issues and not get credit for the successes.  That just comes with the territory.


With the headlines coming out seemingly daily about data breaches at companies, there’s a tendency to feel a bit overwhelmed with the problem.

And while a data breach regarding your employees is something that may not be as imminent as one involving credit cards, it still represents a major threat to your business.

This week, I have two presentations on the subject. But in case you can’t make it, here’s a sneak peek at four things you can do now before you have a data breach.

  • Establish and implement a written data breach response policy. This policy will be more blueprint than policy. The best ones I’ve seen are in a spreadsheet format and identify, in advance, the team of individuals who will respond to a data breach, with roles and responsibilities clearly defined. You should also have outside IT consultants and a legal team identified.
  • Conduct a review of your systems and data, and understand where your confidential information resides. You won’t know if you keep your data (particularly data regarding your employees) secure unless you figure out what you have and what protections are in place.
  • Conduct regular risk assessments for your company, your contractors & vendors and other business partners. Don’t just stop at figuring out where your data resides; understand where your data goes. If data is sent outside the company, is it encrypted when it is sent? For example, how is employee benefit information transmitted?
  • Establish frequent privacy and security awareness training as part of an ongoing program. Telling employees when they start about privacy policies isn’t good enough anymore. Regular training and follow-up is needed to ensure that your employees don’t provide an easy back door for your data to exit from.

If you’re interested in the subject, I would recommend attendance at one of the two programs I’ll be at.

On Wednesday, I’ll be at the National Retail Federation’s HR Executive Summit in Chicago speaking at “Protecting Your Digital Secret Sauce” at 10:15a along with representatives from Walgreens and McDonalds.  Moderated by Miller Canfield’s Adam Forman, the program description is as follows:

High profile credit card data breaches at several prominent retailers have recently made national headlines, impacting the retailers’ brand and shaking their customers’ confidence. Credit card data breaches, however, are only the tip of the iceberg. There are a whole host of related issues that are bubbling beneath the surface, many of which are within the direct control of your employees. This panel of industry experts will discuss these issues and identify practical steps to take should your organization data become compromised.

On Thursday, I’ll be at the joint program between Shipman & Goodwin and the Connecticut chapter of SHRM entitled “Raiders of the Data Ark: Data Privacy and Cybersecurity Summit.” There are still a few spots open for registration. Attendance is strong for this program, so please be sure to sign up today or tomorrow so we can lock in the space.

Six years ago, posts about layoffs were in vogue.  But it’s been a long while since we focused on posts about hiring.

With the economy generally stable (or shall we dare say improving?), it seems appropriate to talk about job interview questions.

There are lots of posts about the “best” job interview questions you can pose as an employer. (Where do you want to be in five years?)

So are there any questions that are off limits?

Yes, plenty of them. And I’m not talking about ridiculously hard ones like the ones posed by Google. Rather, the questions that have the potential to get you and your company into hot water. Are they always illegal? Not necessarily. But there are just better ways to frame your question.

But first, a caveat: These types of lists have been done before. It’s hard to be original because the so-called “banned” questions don’t really change over time. So I’m going to pick five that I think are among the trickiest but commend you to posts like this that have much more detail.

1) Do you belong to a club or social organization? OK, perhaps it isn’t fair to start with this one. After all, it’s a fairly innocuous question. However, ask yourself how the information you receive will be relevant to whether the applicant is qualified to do the job. It has the potential of revealing information that you shouldn’t be considering about a person’s religious affiliation or sexual orientation.

What can you ask instead? Are there any professional or trade association groups you belong to? 

2) Do you have or plan to have children? This falls into the “just trying to make conversation” trap.  Most of the time, it’s not done for nefarious reasons. But it could be viewed that way.  And so long as the applicant does the job, his or her family obligations should not be a consideration.  If overtime is a consideration, ask specifically about that. Or travel.

What can you ask instead? Can you work overtime? Have you worked overtime in the past? And if the job requires travel, are you comfortable with traveling several days a month for business? 

3) Do you smoke? You may want a healthy workplace, but with limited exceptions, Connecticut law actually prohibits employers from discriminating against employees on the basis of their outside-the-workplace smoking habits.  If the concern is that it will interfere with a job or that employees have been violating company policies, be more specific. Ultimately, these types of questions probably won’t give you the answers you are seeking.

What can you ask instead? Have you ever been disciplined for violating employer policies on smoking in the workplace? 

4) Do you have a disability? Perhaps the applicant has a visible disability. Don’t get carried away by your curiosity. Focus on the job qualifications.

What can you ask instead? Can you perform the job and, based on what you know about the position, how would you do so?

5) How much longer do you plan to work before you retire? I understand why you would want to know this information: You’re trying to stay away from hiring an older worker who will want to leave in a few years.  But the law says you can’t do so.

What can you ask instead? What are your long-term career goals?


One final cautionary note: It should be obvious, but don’t ever give Word Association tests. A classic late-night skit demonstrates that point.

(Caution: Even though it’s just from Saturday Night Live the language is now generally considered NSFW in this clip.)


Okay, okay. I realize the headline is a bit misleading. But it isn’t every day that you hear about a data breach at Home Depot in which 56 MILLION credit cards may have been hacked. To put that into perspective, that’s 16 million MORE than the infamous Target breach!

But this is an employment law blog, not a shopping one. So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.

It isn’t a matter of “if”. It’s a matter of when they will attempt to do so.

Don’t take my word for it. This comes from the head of the military’s cybersecurity division.  Admiral Mike Rogers has been preaching for months of the need for companies to take data privacy and cybersecurity seriously.  A recent news post reported on the importance Rogers has placed on this area for private businesses.

Corporations must successfully deal with cybersecurity threats, because such threats can have direct impacts on business and reputation, Rogers told the business audience. “You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct,” he said.

I have little doubt you’ll hear a lot more about this at an upcoming Data Privacy and Cybersecurity Summit that I’ve been helping to put together here at Shipman & Goodwin, in conjunction with CT SHRM.

It’s scheduled to be held on October 16, 2014 from 8a to 2p at the Crowne Plaza in Cromwell, CT.

The cost is just $75, which includes continental breakfast, coffee, buffet lunch, and the materials.  Full details as well as registration can be found here.

Speakers include myself, Shipman & Goodwin attorneys Scott Cowperthwait, Cathy Intravia and William Roberts as well as industry experts from Adnet Technologies, the Connecticut Attorney General’s office, ESPN, the FBI, FINEX North America, General Electric Company, JPD Forensic Accounting, Quinnipiac University, United Therapeutics Corporation, and United Technologies Corporation (UTC).

Hope to see you there. Register soon as spots have been filling up over the last week.

First off, I should let you know that I am a poor substitute for Harrison Ford.

But, don’t let that dissuade you from saving October 16th as the date for a terrific conference that I’m helping to plan.  The title is “Raiders of the Data Ark” and the subject is “2014 Data Privacy & Cyber Security Summit: Practical Tips and Legal Risks for Connecticut Companies”.

It will be held at the Crowne Plaza in Cromwell from 8a-2p and will include breakfast, lunch, and several hours of notable speakers.

The conference, which is being run by both Shipman & Goodwin (my firm) and the Connecticut chapter of SHRM, is designed for operations personnel, in-house counsel, human resources personnel, general managers, finance managers and anyone else interested in solution-oriented approaches to the topic.

Registration will be up soon, so for now, just save the date and watch this space for more information!

Back in May, I talked about how data privacy was becoming a bigger issue for companies. Included in that is the notion that human resources will play a key role in protecting information.

Today comes word of a massive coordinated effort by Chinese hackers to seek personal information on tens of thousands of government workers. The New York Times lead article for today states:

Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The article goes on to note that private companies, particularly those in the defense industry, have continued to see an increase in cyber attacks on items such as personnel data.

In Connecticut, there are hundreds of government contractors and subcontractors who work on defense contracts.  But there are many more that remain a target as well.

There should be little doubt now that the personal information about your employees remains an at-risk area for companies.

I’ll have details soon on a symposium coming this fall on data privacy and workplace issues. For now, save the date of October 16th and watch this space for more information.