Software and Technology

Do you remember your first day at work?

I’m not just talking about a new job.

I mean your first day EVER at a workplace.

For my oldest daughter, today is that day.

She starts as an intern at a local manufacturer of “Highly Complex Machined Parts and Precision Cams for Aerospace, Medical and Commercial Applications” to help her focus on aerospace engineering.

This internship program started a few years ago from our town’s high school and gives students a chance to see the workplace from the inside, all under the supervision of an internship program.

When she came home earlier this week from an “interview” (which I think was more of a guided tour, truth be told), the excitement from her was palpable.

“The machines are so….cool!”

When asked to explain, she said, well, it was just “cool”.  She had a huge smile and couldn’t wait for today to come.   She loves engineering (we’re starting on college applications this fall!) and the chance to have her work at a place where engineering is at its core is pretty, well,  “cool”.

Of course, like any good father (who is also an employment lawyer), I talked to her about some workplace notions — she needed to be on time, to be helpful, and to work hard.

And I told her that she had a right to be treated fairly, to be free of harassment (not that I had any notions that is going to happen here), and that the internship program was intended as a learning tool (and thus ask questions).

Of course, I could’ve pointed her to prior blog posts on internships here, here and here but that would just be asking for the classic teenage eye roll.

I’m wise enough to know that someday she’ll have a tough day at a job.

But I hope she remembers the excitement of Day One.

Because it’s really “cool”.

Are you ready for blockchain’s impact in employment law?

This seems to be the new equivalent to the buzz a decade ago that social media was going to change the world (it kinda did).

Perhaps bigger.

At this point in the post, there are probably two reactions: 1) Tell me more!; and 2) What are you even TALKING about?

So, let’s start with the second question first — what is the “blockchain”? There are many discussions, but one recent ABA article had this to say:

Blockchain is commonly defined as a decentralized digital ledger in which transactions are recorded chronologically and publicly. In its infancy stages, blockchain was the mechanism that tracked cryptocurrencies such as Bitcoin. However, as the technology evolved, variations such as private, permissioned, and consortium blockchains have emerged. Ultimately, blockchain technology can facilitate many types of business transactions.

Another article by a lawyer described the hype as follows:

By design, blockchains are inherently resistant to modification of the data—once recorded, the data in a block cannot be altered retroactively without obviously corrupting later blocks, which depend on the original data from the earlier block as part of the hash. It can take enormous time and energy to go back and rehash subsequent blocks to try to hide the earlier alteration, and in the meantime new blocks are being added to the chain. This makes a blockchain extremely resistant to modification.

The applications of the blockchain are still in the infancy phase. (The hype cycle for blockchain is in the “peak of inflated expectations” period and it projects that we are still 5-10 years off from maturity.) And thus, any discussion regarding its implications in the employment law arena is necessarily speculative.

But let the speculation begin.

For example, one human resources expert suggested some uses for this technology as follows:

  • It may make the concept of a “self-sovereign identity” for employees a reality, making verification of past employment or certifications easier and more secure. (Or this breathless article about “Blockchain-based CVs Could Change Employment Forever”.)
  • Potentially, you could run payroll off the blockchain to make those transactions more secure.
  • It could also be used to help employers keep confidential health information and transmit it more easily.

It only takes some imagination to go beyond that as well.

  • “Smart” employment law contracts, in which transactions automatically happen, could be introduced into the workplace.
  • Or the blockchain could be used to secure IP rights to company products, thereby avoiding the confusion as to whether the employee or the employer “owns” such rights.

Blockchain is still very much developing and I wouldn’t be surprised if this article seemed a bit dated a few years from now.  After all, who would’ve thought you could order a car (Uber) inside a social messaging app (Facebook) just a decade ago?

But employers and their attorneys who stay up on technology should understand the potential implications for blockchain in the workplace and be ready to adapt once the technology becomes mature enough to use.  From my perspective, there’s still time to keep reading about this developing technology; the time for action is still yet to come.

With a weekend of football championships behind us, this post tackles the privacy developments that employers here in Connecticut need to run down.  Indeed, while I could just pass off two recent posts from my colleagues, it’s worth going through a progression of options.

One development is for the U.S. “patriots”, while another one lets you fly like an eagle to Europe to understand the implications that an EU regulation can have on US employers.

Since my beloved New York football giants were out of it since week one, I’m going to just quarterback what you need to know and, for the sake of everyone, put the football puns on the sideline for the rest of the post.

First up, the Connecticut Supreme Court last week recognized a private right of action that patients have against their doctors for unauthorized disclosure of confidential information obtained in the course of that relationship. My colleagues in the Health Law group have a detailed post here. As noted by my partners:

This case is significant because it provides yet another avenue by which physicians may be held liable for violating HIPAA. This is because the Court decided in 2014 that “HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records …” Thus, if physicians owe a duty of confidentiality to their patients and violating HIPAA is found to breach that duty, the Court held that patients now have the right to sue their physician for damages caused by a violation of HIPAA. Whether a patient will be successful in such a lawsuit remains to be seen.

The case serves as a reminder to health care professionals and, perhaps just as importantly, to their staff to protect confidential health information to comply with the law and avoid legal liability from patients.  If you do any work in the health care area, the decision and the tips flowing from the case are a must read.

On a broader scale, Connecticut employers that do business in Europe or do business with EU citizens should also take note of new regulations coming into effect in late May 2018. Again, my colleagues posted about this on the School Law blog, but it’s worth a look.

So what are we talking about? As my colleagues noted:

The requirements of the European Union (“EU”) General Data Protection Regulation (“GDPR”) come into effect on May 25, 2018.   These regulations promise to usher in sweeping changes to the way institutions, companies, and other organizations collect and handle the personal data of EU residents.

The GDPR is a holistic set of data privacy requirements that address the entire life cycle of collection, use, and disclosure of the “personal data” of EU residents. While we anticipate jurisdictional challenges that may someday limit the GDPR’s reach outside of the EU, the law as currently drafted purports to affect institutions of higher education, companies, and other organizations, such as boarding schools, worldwide. This means that the GDPR will affect not only institutions that do business with or operate inside of the EU, but will also affect institutions in the United States that process the personal data of persons residing in the EU.

For more on the subject, check out this comprehensive post from my fellow law partners.  

Privacy law has increasing implications for employers and employees.  Employers need to ensure proper training in these areas to ensure compliance.

This current wave of sexual harassment (and, in some cases, sexual assault) allegations that are making headlines every single day is downright astonishing to many employment lawyers that I know.

It is the tsunami that knows no end.

And right now, that makes me nervous.  But maybe not for the reason you might think.

It’s not that I am nervous for companies or the risk of lawsuits.

I think many companies are prepared to deal with claims of harassment that arise and will adapt quickly to the landscape where more employees are bringing such matters to their attention.

What makes me nervous is the potential rush to judgment that seems to increase with every case.

Think of Matt Lauer last week: A claim brought Monday evening and he was fired late Tuesday night. Quick.

Thorough? Perhaps. Correct? Probably (based on the media reports).  But still pretty quick.

This is not a defense of harassers or even of Matt Lauer.  If someone commits sexual harassment, companies ought to take prompt corrective action. Companies that ignore complaints do so at their own peril.

As a lawyer though, I think I’ve been trained to be wary of allegations. I went to law school in St. Louis, Missouri where they are proud of the slogan “Show Me”.

I have yet to see two identical sex harassment cases. Each matter brings a different set of people, a different set of circumstances, and a different set of facts.

Facts still matter.

I’m waiting for the potential (or inevitable?) backlash to come from the current wave.

It may just start with a Duke Lacrosse-type situation — allegations so outrageous that everyone will want to believe them true.  And then we’ll find out that the allegations aren’t true.

And I worry about the harm to the process as a result.  It will set back those with legitimate complaints as well.

So, deep breaths everyone.

See harassment allegations come your way? Investigate. Seek to get the truth. Or as close to it as possible.

Some complaints will be true; others may not be.  What is alleged to be harassment, may instead be a consensual relationship.

And most of all, be cautious. And avoid the rush to judgment.

Yesterday, I had the opportunity to speak to the IASA Northeastern Conference on a favorite topic of mine of late — Privacy and Data Breaches in the workplace.

Of course, that sounds kind of boring.

So my presentation is actually called the title of this post: “The Rise of Smartphone Fueled, Social Media Addicted Workplace Zombies.”

Much catchier right?

Speaking before the Insurance Accounting & Systems Association (IASA) Northeastern Chapter at their 54th Annual Regional Conference was great fun though.

In my talk, I highlighted items like Business E-mail Compromise scams, Ransomware, and yes, even workplace zombies.

What do I mean by that? Well, too many of us (including me at times) stare at our phones and sometimes respond to e-mails or click without thinking.  (Think Before You Click would make the name of a good book; fortunately, I wrote a chapter in that very book a while back.)

Protecting workplace data IS about thinking. It’s about protecting personnel files, or benefit information, or retirement plan data.  It’s about protecting trade secrets or just plain confidential information.

It’s about building a CULTURE of data privacy. Where employees buy in that protecting data is a core value and where employees are REWARDED for good data practices while enforcement (with a bit of punishment where needed) is encouraged by all.

It’s not the most exciting topic to be sure but everyone wants to be protected from the zombies, right?

I gave a similar talk early this summer as keynote lunch speaker for the ADNET Worksmart conference and it worked so well, word got around.  Maybe data privacy can be interesting after all.

My thanks to IASA for the invitation and opportunity to speak to the group yesterday.

A few weeks back, I did a post about having our personal data hacked.

What if the hacker was you?

Yes you — the attorney, the employer, or someone else who has confidential information.

I was recently reviewing the online court file of an employment case in federal court for a recent blog post.  It’s available for anyone to see.

(You might be asking, Why? Because it’s always interesting to see other filings and the way cases turn out. Ok, it’s always interesting TO ME at least….).

In looking over some of the court-filed documents, I came across the college transcript of the employee/plaintiff.  It was filed by the attorney as evidence in the case.

Some newer transcripts don’t have some confidential information. But this college transcript was old school: It still contained the Social Security number of the employee AND his date of birth.

And just like that, the attorney has opened up the employee to hacking.

In case you are wondering, yes, there are rules in federal court about this. For example, Local Rule 5(e)8 requires that a party filing a document that will become publicly available shall redact Social Security numbers, financial account numbers, dates of birth and names of minor children.

Attorneys who represent employers should beware that the same rule applies to filings you submit as well.

Beyond court rules, employers have an independent legal obligation to protect the Social Security numbers of their employees as well.

And so, in this age of data, it’s up to us all — attorneys and employers — to take the responsibility of protecting data seriously.

You don’t want to hack your own client or employee.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log-in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes with resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and it didn’t raise any suspicions to be getting another one from them.

But by mid-morning the next day, still yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out, I set up an alert with UPS to send a separate e-mail account a notice any time a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up just to see if the hack worked. If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.
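As an added illustration (not part of the original post), here is a small script that audits a mailbox’s rule list for the two settings described above: account-wide copy-forwarding to an outside address, and unnamed filters that divert mail from particular senders. The rule format, the sample rules and the list of domains the account holder controls are all constructed for this example; a real provider’s rules would be pulled from its own settings page or API and mapped onto this shape.

```python
# Added example: audit mailbox rules for the forwarding tricks described in the post.
# The MailRule shape, SAMPLE_RULES and OWN_DOMAINS are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MailRule:
    name: str                              # display name; attackers often leave it blank
    forward_to: Optional[str] = None       # address a copy is sent to, if any
    from_contains: List[str] = field(default_factory=list)  # sender match terms
    enabled: bool = True


# Constructed sample: what a compromised account's settings might look like.
SAMPLE_RULES = [
    MailRule(name="Newsletters", from_contains=["news@"], forward_to=None),
    MailRule(name="", from_contains=["amazon.com"], forward_to="drop@example.org"),
    MailRule(name="", from_contains=["cardverify.example.com"], forward_to="drop@example.org"),
    MailRule(name="Copy to spouse", forward_to="spouse@example.net"),
]

# Domains the account holder controls (assumed); forwarding elsewhere is external.
OWN_DOMAINS = {"example.net"}


def audit_rules(rules: List[MailRule], own_domains=OWN_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, reason) for every rule worth a second look."""
    findings = []
    for r in rules:
        if not r.enabled or not r.forward_to:
            continue  # no forwarding, nothing leaves the mailbox
        dest_domain = r.forward_to.rsplit("@", 1)[-1].lower()
        external = dest_domain not in own_domains
        blank = r.name.strip() == ""
        if external and blank and r.from_contains:
            # The pattern from the post: a nameless filter quietly diverting
            # mail from a retailer or card issuer to the attacker.
            findings.append(("high", r.name,
                             f"unnamed filter diverts mail matching {r.from_contains} to {r.forward_to}"))
        elif external and not r.from_contains:
            # Account-wide forwarding: every message is copied outside.
            findings.append(("high", r.name, f"all mail copied to external address {r.forward_to}"))
        elif external:
            findings.append(("medium", r.name, f"forwards to external address {r.forward_to}"))
        elif blank:
            findings.append(("low", r.name, "forwarding rule has no name"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule {name!r}: {reason}")
```

Running it against the constructed rules reports the two nameless filters as high severity and stays silent on the named forward to a domain the account holder controls.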

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not offer workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.