“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password hadn’t been changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes by resetting the password on my side (two can play that game, or so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and getting another one from them didn’t raise any suspicions.

But by mid-morning the next day, yet another e-mail arrived. Again from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out I set up an alert with UPS to send a notice to a separate e-mail account any time a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up, just to see if the hack worked.  If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.
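An added illustration, not the author’s code or anything from Comcast: a small audit that flags the pattern described above (untitled filters copying retailer and card-issuer mail to an outside address, plus an account-wide forward). The rule format, the domains and the sample rules are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumptions (constructed for this example, not values taken from the post):
OWN_DOMAINS = {"comcast.net"}                          # the account's own mail domains
WATCHED_SENDERS = ("amazon.com", "cardissuer.example")  # retailer + card-issuer placeholder


@dataclass
class MailRule:
    """One filter as a webmail UI would list it."""
    name: str                      # title; the rogue filters in the story showed up as ""
    sender_match: str              # substring matched against the From address
    forward_to: list = field(default_factory=list)  # copies go to these addresses
    delete_original: bool = False  # True hides the message from the mailbox owner


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str, own_domains=OWN_DOMAINS) -> bool:
    """An address is external when its domain is not one the account owns."""
    return _domain(address) not in {d.lower() for d in own_domains}


def audit_rules(rules, own_domains=OWN_DOMAINS):
    """Return one finding per rule that copies mail outside the account."""
    findings = []
    for idx, rule in enumerate(rules):
        leaks = [a for a in rule.forward_to if is_external(a, own_domains)]
        if not leaks:
            continue  # rules that stay inside the account are not the concern here
        reasons = ["forwards to an address outside the account's own domains"]
        if not rule.name.strip():
            reasons.append("filter has no title (easy to overlook in the UI)")
        if any(s in rule.sender_match.lower() for s in WATCHED_SENDERS):
            reasons.append("targets a retailer or card-issuer sender")
        if rule.delete_original:
            reasons.append("deletes the owner's copy")
        findings.append({
            "rule_index": idx,
            "severity": "high" if len(reasons) >= 3 else "medium",
            "external_targets": leaks,
            "reasons": reasons,
        })
    return findings


def audit_account(forward_all_to, rules, own_domains=OWN_DOMAINS):
    """Check the account-level 'copy every message' setting and the per-rule filters."""
    return {
        "forward_all_external": [a for a in forward_all_to if is_external(a, own_domains)],
        "rule_findings": audit_rules(rules, own_domains),
    }


# Constructed sample resembling the post: one legitimate rule, two untitled rules
# that siphon Amazon and card-issuer mail to an outside mailbox, one harmless rule.
SAMPLE_RULES = [
    MailRule("receipts", "@amazon.com", forward_to=["spouse@comcast.net"]),
    MailRule("", "@amazon.com", forward_to=["drop.x9k2@mail.example"]),
    MailRule("", "@cardissuer.example", forward_to=["drop.x9k2@mail.example"], delete_original=True),
    MailRule("news", "@news.example", delete_original=True),
]
SAMPLE_FORWARD_ALL = ["drop.x9k2@mail.example"]  # the account-wide forward from the story

if __name__ == "__main__":
    report = audit_account(SAMPLE_FORWARD_ALL, SAMPLE_RULES)
    print("account-wide forward to:", report["forward_all_external"])
    for f in report["rule_findings"]:
        print(f"rule #{f['rule_index']} [{f['severity']}]: " + "; ".join(f["reasons"]))
```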

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two-factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR.  I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keeps reporting major data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice.  And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access?  Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program, and develop the teams of people that will respond in the event of a data breach.
  4. Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training.
  5. Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact.
  6. Inform – When (not if) you have a data breach, inform those affected and government officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy and the need for companies to view it as a key part of your company’s culture should be an integral part of your employee onboarding and training.  My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

When the U.S. Supreme Court rules on an issue in a 9-0 fashion — with a decision penned by Justice Thomas, no less — you can fairly conclude that the issue is not all that difficult.

Indeed, the SCOTUSBlog summed up the employment law decision today pretty succinctly:

Workers who are required to stay after their normal hours on the job to undergo a security screening are not entitled to overtime pay while they wait for that process and then go through it, the Supreme Court ruled unanimously on Tuesday.

The case of Integrity Staffing Solutions v. Busk involved screenings of employees at Amazon.com warehouses after their shifts concluded.

The screenings, which could take up to 25 minutes, were deemed by the court to not be “integral” to the employee’s job.  Those screenings could have been eliminated and it would have had no impact on the employee’s ability to do the job itself.

Contrast that with the “Donning and Doffing” case of earlier this year, where the putting on of personal protective equipment could be seen as necessary for employees to do their jobs (but that some clothes might not be.)

In Connecticut, the decision should have minimal impact.

The Second Circuit has been pretty consistent in its reading (essentially in concurrence with the Supreme Court’s conclusion) and even the U.S. Department of Labor had said that the employee’s arguments were contrary to the established reading of the law.

It’s not very different from the case of employees who are required to take shuttle buses to parking lots after their shift. That is not compensable either.

Nevertheless, if you are an employer that requires your employees to come into work early or stay after and go through some type of screening or process, this is definitely a decision to review to make sure your practice falls within the applicable state and federal laws.

When we think about protecting customer and employee data, we often think that the biggest hazards are outside hackers.

But a recently publicized incident involving AT&T shows that the threats may also be from within. As The New York Times reported:

“[I]t serves as a cautionary tale about the types of information that employees at technology and communications companies can retrieve just by breaking the rules, no hacking required.”

What happened? According to the Times, “AT&T, the telecommunications provider, said on Monday that it had fired an employee who inappropriately gained access to customer information this year, possibly including Social Security and driver’s license numbers.”

While the breach was relatively small (1600 people affected), the company dealt with the breach by sending out letters to those affected and paying for credit monitoring services.

What else should you do in a breach? Well, next week, I’m heading up a major Data Privacy & Cybersecurity Summit where we will discuss exactly that topic — particularly as it applies to employee data. The summit is scheduled for October 16th in Cromwell.  Co-sponsored with the Connecticut chapter of SHRM, the program includes speakers from GE, ESPN and the Connecticut Attorney General’s office.  The cost is just $75 and includes breakfast, lunch and materials.  You can register here.

For more details, click here. 


Real hackers are more fearsome than this one.

Okay, okay.  I realize the headline is a bit misleading.  But it isn’t every day that you hear about a data breach at Home Depot in which 56 MILLION credit cards may have been hacked. To put that into perspective, that’s 16 million MORE than the infamous Target breach!

But this is an employment law blog, not a shopping one. So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.

It isn’t a matter of “if”. It’s a matter of when they will attempt to do so.

Don’t take my word for it. This comes from the head of the military’s cybersecurity division.  Admiral Mike Rogers has been preaching for months of the need for companies to take data privacy and cybersecurity seriously.  A recent news post reported on the importance Rogers has placed on this area for private businesses.

Corporations must successfully deal with cybersecurity threats, because such threats can have direct impacts on business and reputation, Rogers told the business audience. “You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct,” he said.

I have little doubt you’ll hear a lot more about this at an upcoming Data Privacy and Cybersecurity Summit that I’ve been helping to put together here at Shipman & Goodwin, in conjunction with CT SHRM.

It’s scheduled to be held on October 16, 2014 from 8a to 2p at the Crowne Plaza in Cromwell, CT.

The cost is just $75, which includes continental breakfast, coffee, buffet lunch, and the materials.  Full details as well as registration can be found here.

Speakers include myself, Shipman & Goodwin attorneys Scott Cowperthwait, Cathy Intravia and William Roberts as well as industry experts from Adnet Technologies, the Connecticut Attorney General’s office, ESPN, the FBI, FINEX North America, General Electric Company, JPD Forensic Accounting, Quinnipiac University, United Therapeutics Corporation, and United Technologies Corporation (UTC).

Hope to see you there. Register soon as spots have been filling up over the last week.

Today brings another chapter in the occasional series of interviews with interesting people in the HR and employment law areas. William J. Smith, President and CEO of Jennings Smith Investigations, Inc., takes a few minutes to answer some pressing questions in the security field.

Jennings Smith Investigations, Inc., is a fully licensed Connecticut investigative and security consulting firm which has provided quality investigative, security and forensic services to the corporate, industrial and governmental sectors for the past 25 years. 

Bill and his company have assisted several Fortune 500 companies in the investigation of issues of Workplace Safety and provided expertise to nullify threats of violence directed against senior management and/or facilities. 

His full bio can be accessed here.  My thanks to Bill for his time and responses. 

1) What is the first thing employers should consider when dealing with safety and security issues? 

The most important consideration is that every business with 11 or more employees is required to develop a site-specific Facility Emergency Action Plan (FEAP) to comply with OSHA Standards (29 CFR 1910.38) and NFPA 1600. These statutes clearly outline Safety, Security, Emergency Management and Business Continuity standards every employer must address to provide operational policies and procedures in the event of an emergency or crisis.

2) You’ve got years of experience in the investigative and security fields. What are the biggest changes you’ve seen?

Without question, the use of technologies in our Investigative units; DNA, Latent Fingerprint collection and identification, Trace evidence examination (hair, fiber, substance), and GPS Surveillance systems to name a few. On the Security side, biometric readers, retina scans, RFID Tracking, Facial Recognition software, covert camera systems are exceptionally effective and cost efficient tools to preclude or prevent loss and protect employees and property.

3) As the economy improves, I suspect that there is going to be more hiring. What are some best practices employers can use in hiring as they relate to your field? 

  • Conduct comprehensive background investigations on prospective employees to include Criminal Conviction history, Motor Vehicle Driving Records History (If driving a Company Vehicle), and Drug Screening.
  • Avoid service providers who provide ‘instant checks’ as they oftentimes use unreliable and outdated data sources. 
  • Check and verify all prior employment history. Our firm provides Live Scan Fingerprinting Services for companies in the Financial, Educational, Transportation and Medical sectors. Once obtained, they are forwarded electronically to the FBI for clearance, which typically takes less than 48 hours.

4) Suppose you’re an employer and you suspect an employee of theft. What should an employer do immediately?

First, contact your Attorney and advise him of the situation. Secure all pertinent information and documents to validate your suspicions and determine the scope of the loss. Do not play "detective"; rather, heed the advice of your Counsel, who will most probably call in a firm such as ours to conduct an investigation. Most importantly, do not directly accuse an employee of theft, as it could subject you and your company to litigation.

5) Are there any online resources that you can recommend if people have an interest in this area?

For information regarding OSHA Regulations, you can download a .pdf document at: http://www.americanbusinesssafety.com/american-business-safety-compliance-reviews.html

The National Fire Protection Association (NFPA) 1600 can be viewed online or purchased at: http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=1600


In light of the horrific workplace shootings in Connecticut earlier this month, I’ve heard people wonder about various steps an employer can take in anticipation of a termination meeting. One question raised is whether it is ever appropriate to have the police nearby or available during a termination meeting.  Or, alternatively, can you have security escort the fired employee from the premises. 

Interestingly enough, the Connecticut Supreme Court has chimed in on this subject in some cases before.

In 1997, the Court in Parsons v. United Technologies Corp., held that "it is not patently unreasonable for an employer to remove a discharged employee from its premises under a security escort."  In so ruling, the court rejected a negligent infliction of emotional distress claim by the employee that the termination was so unreasonable as to warrant a claim for damages.

Similarly, in 2000, the Court in Appleton v. Board of Education, found that being escorted out of the building by police (after being called by the employer) was also not enough to raise a claim against the employer.  

Both of those cases cite a notable District Court case out of South Carolina, Toth v. Square D. Co., which also rejected a claim by the employees for "outrage" when the employer escorted the terminated employee out of the building in front of his peers.

That’s not to say that termination meetings are exempt from possible claims. The Connecticut Supreme Court in 2002 (Perodeau v. Hartford) explicitly said that negligent infliction of emotional distress claims in the workplace can still arise out of a termination meeting. Thus, if the meeting is held in such a way as to be deemed "outrageous", it could subject the employer to liability.  But it is rare that a fired employee can actually make a legitimate claim.

What are the lessons to take away from these cases?

  • First, don’t overreact. Most cases do not warrant having security on the premises. 
  • But, in some rare circumstances, having a police officer present on the premises during a termination meeting may be warranted. (Most police departments will offer to have an officer sit in the parking lot if asked by the employer.) 
  • If the employer is truly concerned, it may also be allowable to have a security officer or even police nearby or outside the room ready to escort the employee out immediately upon termination.

These situations require a deft touch and particularized legal advice to ensure that the meetings don’t turn into a circus.