“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes by resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and that didn’t raise any suspicions to be getting another one from them.

But by mid-morning the next day, still yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out, I set up an alert with UPS to send a notice to a separate e-mail account anytime a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up just to see if the hack worked.  If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.
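The three persistence settings described above (account-wide e-mail forwarding, untitled filter rules that forward and hide mail from particular senders, and selective call forwarding of particular numbers) are all things an account owner can audit. The following Python script is an added example, not code from the original post and not any provider’s tooling: it runs over a constructed, hand-built representation of a mailbox’s settings (the FilterRule and MailboxSettings classes, the attacker.example and cardissuer.example addresses, and the 555 phone numbers are all assumptions) and flags the indicators the post found.

```python
"""Audit mailbox and phone-line settings for account-takeover indicators:
account-level e-mail forwarding to an outside address, unnamed filter rules
that forward (and hide) mail from specific senders, and selective call
forwarding to a number the owner does not recognize.

All sample data below is constructed for illustration; the data classes and
the attacker.example address are assumptions, not any provider's real format.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class FilterRule:
    name: str                   # rules set up by an intruder often have no title
    match_from: str             # sender address or domain the rule matches on
    forward_to: Optional[str]   # where a matching message is copied, if anywhere
    delete_after: bool = False  # whether the message is removed from the inbox


@dataclass
class MailboxSettings:
    owner: str                     # the legitimate account address
    account_forwarding: List[str]  # account-wide "copy every message to" targets
    rules: List[FilterRule]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_mailbox(settings: MailboxSettings,
                  trusted_domains: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for settings that look like persistence."""
    trusted = {domain_of(settings.owner)} | {d.lower() for d in (trusted_domains or set())}
    findings = []
    # 1. Account-wide forwarding to any domain the owner does not control.
    for target in settings.account_forwarding:
        if domain_of(target) not in trusted:
            findings.append(("account_forwarding_external", target))
    # 2. Filter rules: untitled rules, rules forwarding outside, rules hiding mail.
    for rule in settings.rules:
        label = rule.match_from or "<any sender>"
        if not rule.name.strip():
            findings.append(("unnamed_rule", label))
        if rule.forward_to and domain_of(rule.forward_to) not in trusted:
            findings.append(("rule_forwards_external", f"{label} -> {rule.forward_to}"))
        if rule.delete_after:
            findings.append(("rule_hides_mail", label))
    return findings


def audit_call_forwarding(entries: List[Tuple[str, str]],
                          owner_numbers: Set[str]) -> List[Tuple[str, str]]:
    """Flag selective-call-forwarding entries whose destination is not an owner phone.

    Each entry is (caller_number, destination_number)."""
    return [("call_forwarding_unknown_destination", f"{caller} -> {dest}")
            for caller, dest in entries if dest not in owner_numbers]


# Constructed sample: a compromised account after the intruder added forwarding,
# two untitled filters and one call-forwarding entry.
SAMPLE_MAILBOX = MailboxSettings(
    owner="family@example.com",
    account_forwarding=["family@example.com", "copy@attacker.example"],
    rules=[
        FilterRule("", "amazon.com", "copy@attacker.example", delete_after=True),
        FilterRule("", "cardissuer.example", "copy@attacker.example"),
        FilterRule("Newsletters", "news.example", None),
        FilterRule("Archive copy", "", "family@example.com"),
    ],
)
# (caller, destination) pairs; 555-01xx numbers are fictional.
SAMPLE_CALL_FORWARDING = [("800-555-0100", "860-555-0199")]
OWNER_PHONES = {"860-555-0123"}


def audit_sample() -> List[Tuple[str, str]]:
    """Run both audits over the constructed sample and return all findings."""
    return (audit_mailbox(SAMPLE_MAILBOX)
            + audit_call_forwarding(SAMPLE_CALL_FORWARDING, OWNER_PHONES))


if __name__ == "__main__":
    for indicator, detail in audit_sample():
        print(f"{indicator:38} {detail}")
```

Run as-is, the sample produces seven findings: one external account-wide forward, two untitled rules, two rules forwarding outside the owner’s domain, one rule that deletes the original, and one call-forwarding destination the owner does not own. The titled “Archive copy” rule that forwards to the owner’s own domain is deliberately not flagged, which is the distinction a periodic self-audit of these settings needs to make.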

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not offer workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

With the new year upon us, cyberthieves are once again attempting to prey on unwitting HR professionals, as my colleague William Roberts explained in an article last week for SHRM on phishing.

The scam goes like this. As an HR professional, you get an e-mail from your boss (or your boss’s boss) that seems legitimate…and urgent. Something like this:

I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan

It’s happened before.  Indeed, as Bill explained in the article:

“Alan was the chief financial officer,” said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn’t Alan who was sending the e-mail. Despite the company’s policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief’s e-mail address.

That’s more than just an “Oops” moment.

Although the IRS is taking steps to help reduce this, the best defense is for HR professionals to be aware of this scam.  I previously discussed this back in March 2016 with a quick post but it’s worth looking at some of the tips presented in the SHRM article including:

  • Train employees on cybersecurity awareness. Many companies do not.
  • Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise….
  • If you receive an e-mail from upper management, verify the request….

My colleague Marc Herman returns today to bring back the story of wellness programs and whether they will continue to pass legal muster. In the first post of a two-parter, Marc updates us on some litigation. Read on.

Here’s one for you:  Did you hear the one about the employee who turned down the opportunity to have his annual health insurance premiums waived?   Not a joke, unfortunately.  And there’s not much of a punch line either.

Way back in 2014 –– a time when Donald Trump’s entry into politics was confined to an episode of the Simpsons –– the EEOC embarked on a relentless, and unexpected, crusade against wellness programs.

“Why!?” I hear you cry.  Let me remind you.

The EEOC took issue with various employer-sponsored wellness programs because, according to the EEOC, many such programs violated the Americans with Disabilities Act (the “ADA”).  [Enter smoke, stage left].

Among those employers side-swiped by the EEOC was Orion Energy Systems, Inc. – a Wisconsin-based manufacturer that employs around 250 people.

According to the EEOC, Orion’s incentive-based wellness program violated the ADA by unlawfully subjecting employees to involuntary medical examinations.

What are those? Well, in plain English, involuntary medical examinations are a big no-no under the ADA — consider it the No Exam Rule.  Remember this.  It is important.

Orion had told its employees that if they participated in a wellness program, they would have their annual health insurance premiums waived (a saving of over $400).

Hallelujah!

Wait, not so fast.

Participation in the wellness program also obligated employees to undergo something called a “Health Risk Assessment”  – a fancy name for a medical exam.

Ah, now enter from Stage Right — the No Exam Rule.

You might say – “What’s the big deal!?” “The employees had a choice!”  “How is this involuntary!?”

Well, yes, in a technical sense, the employees had a choice.  They could decline participation if they so wished.  But that’s not the way the EEOC viewed it.

The EEOC said:  Whoa!  No sane employee would choose to forego a waiver of their annual health insurance premium.  Put another way, no employee would voluntarily choose to pay the annual health insurance premium (i.e., opt-out of the wellness program).

The EEOC reasoned that employees have no meaningful choice to opt-out of the program.  Participation would be coerced.  The Health Risk Assessment would be involuntary.

So who’s right?

Well, last week, we finally got through round one: a federal court sided with the employer, Orion.

The court explained that while there “may be strong reasons to comply with an employer’s wellness initiative,” the employee still has a choice.

Orion’s wellness program did not subject employees to involuntary medical examinations.  It was lawful.

Now, before we crack open the cigars and champagne, let us pause.  The decision, while helpful, ought to be put in context.

In May, 2016, the EEOC published its long-awaited regulation regarding wellness programs.  The regulation defines exactly what a voluntary wellness program is.  However, it only applies to wellness programs commencing on or after January 1, 2017.  This means that the new regulation did not apply to Orion’s.  The decision should, as they say, be taken with a heavy pinch of salt.

I shall return with part 2 to further explore the new regulation.  Stay tuned.

My colleagues, Ashley Mendoza and Alfredo Fernandez, return today for a guest post that shows that employment law issues can sometimes present themselves in different formats.  My thanks to the both of them for presenting a fairly advanced topic in a form that will hopefully be of interest to a few of you out there.

Imagine your company has employed a research scientist to support your technology programs.  The scientist is a citizen of the People’s Republic of China and holds an H-1B visa, but is not authorized to view certain export-controlled technical data.  Unclear of the restrictions in place, other company employees provide the foreign scientist with technical data related to a military program in the course of his job duties.  This real life scenario recently resulted in a $100,000 settlement penalty with the U.S. State Department this summer.

It appears that a company policy to screen out foreign candidates for job openings of this sensitive nature would have prevented this violation and penalty, but a company also faces the challenge of avoiding discrimination in its hiring practices.  Is this a lose-lose scenario?  Not quite, but companies must pay close attention to recent guidance and regulatory revisions to understand their compliance obligations.

The Tricky Intersection of Legal Obligations

On March 31, 2016, the U.S. Department of Justice Office of Special Counsel for Immigration-Related Unfair Employment Practices (the “OSC”) released its most recent guidance to employers to aid them in navigating the murky waters where export regulations meet immigration antidiscrimination regulations.

These two regulated areas may contradict each other when it comes to the hiring practices of U.S. companies soliciting candidates for a position where the job duties impose compliance with export control laws. Unfortunately, the limited governmental guidance confounds some employers when it comes to complying with both sets of regulations in certain scenarios.   The OSC’s recent guidance and upcoming definitional changes within the export control laws do provide some general direction for employers; however, several ambiguous issues remain unresolved.

What We Know About the Export Regulations in this Context

Exports are commonly associated with the shipment of a tangible item to a foreign country, but the U.S. export regulations have a much broader application.  An export also includes the transfer of controlled technical data or technology to foreign persons, even when the transfer takes place within the geographic territory of the United States.  Such a transfer is “deemed” to be an export to the country of the foreign person and is referred to as a “deemed export.”

Although not the only federal agencies administering export control laws, the U.S. State and Commerce Departments manage the two broadest export control systems.  The U.S. State Department’s Directorate of Defense Trade Controls administers the International Traffic in Arms Regulations (“ITAR”), found at 22 C.F.R. §§ 120-130, which control defense articles and services.  The U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) administers the Export Administration Regulations (“EAR”), found at 15 C.F.R. §§ 730-774, which control commercial and dual-use items,  as well as limited low-sensitivity military items.  Generally speaking, all articles controlled under the ITAR and many articles controlled under the EAR require an export license before the export, including a deemed export, occurs.

Each set of regulations accounts for deemed exports but have slightly different definitions of key terms.  In fact, new and revised definitions under both regulations become effective September 1, 2016.  One primary intention of the definitional changes is to better harmonize the analogous definitions in both systems. Under both regulations, the deemed export rule applies only to foreign persons and, by definition, does not apply to U.S. citizens, persons lawfully admitted for permanent residence in the United States (e.g., green card holders) or to persons who are protected individuals under the Immigration and Nationality Act (“INA”)(e.g., certain refugees and asylees).

The below table showcases a few of the new definitions, including the improved harmonization for key terms such as export and release.

Last week, I had the opportunity to speak to the Corporate Compliance Forum for the Connecticut Community Providers Association. My thanks to Gayle Wintjen, General Counsel of Oak Hill, for the invitation to speak.

The topic was a familiar one to this blog — Data Privacy.  In the session, we tackled the new Connecticut law that should be keeping at least some employers up all night figuring things out.

As I said in my talk, employers that have had to adopt HIPAA compliance rules should be in good shape to get into compliance with Connecticut law. Things like two-factor authentication aren’t nearly as intimidating when you’ve already adopted it for other areas.

Now, the rules don’t need to be adopted by everyone. But those employers who do business with the state of Connecticut are typically covered.

The Privacy and Data Protection Group of my firm put together a FAQ to inform current and potential state contractors of Connecticut’s data privacy and security requirements and to answer the most commonly asked questions about applicable Connecticut law and compliance with it. This article also includes our recommendations for analyzing compliance under applicable Connecticut law and, if necessary, developing a plan to satisfy the pertinent legal requirements.

You can download it free here.

For human resources, I think this is one of the more complicated times to be in HR. Between privacy, discrimination laws, wage & hour laws alone, there are many issues to keep on top of. Make sure data privacy is on your list of things to pay attention to for this year.

And stay tuned for more information on an upcoming program in November.

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

On June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed to do business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.

As I said before, the notion that this might be a quiet year for employment law legislation at the Connecticut General Assembly has long since left the train station.

Indeed, we appear to be swinging completely in the opposite direction. Anything and everything appears up for discussion and possible passage this year — including items that really stood no chance in prior years.

I’ll leave it for the political pundits to analyze the why and the politics of it all. But for employers, some of these proposals are going to be very challenging, at best, if passed.

One such bill, which appeared this week on the “GO” list (meaning it’s ready for consideration by both houses) is House Bill 6850, titled “An Act on Pay Equity and Fairness”.  Of course, you won’t find those words in the bill itself, which is odd.  There is nothing about pay equity in the bill; indeed, it is much, much broader than that.

It stands in contrast to, say, the Lilly Ledbetter Fair Pay Act, which tried to tackle gender discrimination in pay directly.

This bill would make it illegal for employers to do three things. If passed, no employer (no matter how big or small) could:

  • Prohibit an employee from disclosing, inquiring about or discussing the amount of his or her wages or the wages of another employee;
  • Require an employee to sign a waiver or other document that purports to deny the employee his or her right to disclose, inquire about or discuss the amount of his or her wages or the wages of another employee; or
  • Discharge, discipline, discriminate against, retaliate against or otherwise penalize any employee who discloses, inquires about or discusses the amount of his or her wages or the wages of another employee.

You might be wondering: Isn’t this first bill duplicative of federal law? And the answer is yes, and then it goes beyond it.  Federal labor law (the National Labor Relations Act) already protects two or more employees discussing improving their pay as a “protected concerted activity”.  It’s been on the books for nearly 80 years. So, as noted in an NPR article:

Under a nearly 80-year-old federal labor law, employees already can talk about their salaries at work, and employers are generally prohibited from imposing “pay secrecy” policies, whether or not they do business with the federal government.

This provision goes beyond that by making it improper for an employer to prohibit an employee from even disclosing another employee’s pay.


Last Thursday, I had the opportunity to speak at the Tri-State SHRM Conference held at Foxwoods Resort Casino.  The session was led by Marc Kroll of Comp360 and I thank him publicly for both the invitation and the coordination. But a post about the great work that HR consultants like Marc do is a topic for another post.

If there was a phrase that I’m sure HR personnel never thought they’d hear discussed at a Human Resources conference it would’ve been “data privacy”.  After all, shouldn’t that be something for an Information Technology summit?

But in presenting the topic “Pirates of the Data Stream: HR’s Role In Securing Corporate Information” to a full room, it confirmed what I had been seeing anecdotally — that HR personnel have an increasing role in making sure company data remains private.  I was approached afterwards by several people who appreciated the focus on the topic.

There were several suggestions we talked about in detail at the conference.  I’ll highlight just a few things we discussed:

  • Have a policy. Yes, it’s a cliche. But you still need one.  And make sure it’s workable.   Your policy is no good if no one follows it.
  • Train and educate your workforce (with particular emphasis on your senior executives) on the need to take reasonable steps to protect confidential company data.  This can’t just be for new employees, but needs to be an ongoing effort.
  • Audit yourself to determine where your data leakage is coming from. And don’t just focus on the electronic data; your personnel files in paper format still need to be secured as well.  Consider hiring a third-party to help find the holes in your data storage.
  • Use agreements with restrictive covenants that prohibit employee use of confidential data not only when the employee is working for you, but also when the employee leaves.

And lest you think that this is mere scaremongering, the headlines from this morning illustrate that this issue is continuing to move to the mainstream: Target’s CEO stepped down because of a massive data breach last fall.

Human Resources has a significant role to play in preserving company and employee data.  It’s time to begin the discussion at your company if you haven’t already.   If you need assistance in that endeavor, consult your lawyer or your favorite HR consultant.

The snow may have stalled work in the state for a few days, but the Connecticut General Assembly is now in full swing with bills now being discussed and debated.

So far, the list of bills filed before the Labor & Public Employee Committee is small but that is expected to grow soon with bills on “Employee Privacy” for example, on the horizon.

Many of these bills will have a public hearing on Tuesday, February 18th, so if you have any objections, now is a good time to make them known to your local legislator.

And this is just in the first week.  The legislative session — in an election year, no less — is starting to move quickly and with purpose.  If employers aren’t paying attention yet, now would be a good time to do so.