“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it. But it said our password had been changed. When we tried to log in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeatedly that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes by resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and that didn’t raise any suspicions to be getting another one from them.

But by mid-morning the next day, still yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out, I set up an alert with UPS to send me an e-mail at a separate e-mail account anytime a package for our house is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time.)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up just to see if the hack worked. If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t supposed to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice on how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, every time I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not offer workarounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two-factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

My law partner, Gabe Jiran, talks today about whether it’s all that easy to change the terms of a collective bargaining agreement.  Is it just as easy as a vote? Or does it require something more? The answer has implications for all employers.  

With all of the talk about the financial difficulties faced by the government, I, and others in here, sometimes get the question of whether the State of Connecticut or other states might try to change the laws on collective bargaining or try to pass legislation to alter the terms of its existing collective bargaining agreements.

Other states have started down this road, but it is not that easy.

Recently, the Connecticut Attorney General was asked to opine on whether the General Assembly could statutorily change the contracts covering State employees to address the fiscal crisis.  A link to the opinion is here.

The short answer is that the State could do so, such as by passing a statute that wage increases be delayed or eliminated in State contracts.

However, the United States Constitution imposes a pretty heavy burden on the State to justify any such changes.

The relevant factors are:

  1. the severity of the fiscal crisis;
  2. the nature and duration of the contractual changes;
  3. the extent that the State has attempted to implement other alternatives in the past;
  4. the extent to which the State has studied and made findings about the feasibility of other alternatives;
  5. whether these alternatives would be a less dramatic option;
  6. the extent to which the fiscal crisis existed or was foreseeable when the State entered into the existing contract; and
  7. the State’s representations during negotiations for the existing contract.

Based on cases utilizing some or all of these factors, the State would face an uphill battle if it wanted to change an existing contract.

For example, a federal appeals court struck down the State of New York’s plan to delay wage increases for employees because New York had alternatives such as raising taxes or shifting money around in its budget.  In another New York case, the same court found that a $1 billion deficit was not a dire enough fiscal crisis to justify a delayed wage increase.

However, one case found that the City of Buffalo was able to impose a wage freeze when it was undeniable that Buffalo was in a fiscal emergency and that the wage freeze was a last resort after looking at other options.

In discussing the matters with others here, we expect that Connecticut and other states will continue to look for creative options to address their financial situations with employees.

However, it is doubtful that these options will involve changes to existing contracts without negotiation with the unions involved.  In addition, any State attempts to change contracts in the private sector would be almost certain to fail.

My colleague, Gabe Jiran, returns to the blog today with this quick post updating us on where things stand on the DOL’s proposed changes to the overtime rules (and providing me with an excuse to link to one of the few songs to mention “overtime” in the title.)

As you may recall from some of the prior posts here, employers scrambled to address the Department of Labor’s changes to the salary threshold for white collar exemptions under the Fair Labor Standards Act.  That change would have increased the salary threshold from $23,360 to $47,476 annually in December, 2016.

However, several states challenged this increase, resulting in a federal court in Texas issuing a nationwide injunction stalling the increase.  Of course, many employers had already made changes to address the increase, but the injunction still stands.

Then the election happened. Which changed everything.

Now, the DOL under the new Trump administration has indicated that it will not advocate for a specific salary level under its regulations, but will instead gather information about the appropriate salary levels.

The DOL has thus issued a request for information to get feedback, which can be accessed here.

What does this mean for employers? While this process will most likely result in an increase in the salary levels, it seems that the DOL will do so based on responses to its request for information rather than arbitrarily setting a salary level.

For now, employers should continue to follow the current regulations and the $23,360 salary level while, of course, also following the Connecticut guidelines where applicable too.

But stay tuned here: Developments in this area now seem on the way.

There haven’t been a lot of stories about what Donald Trump would do as President when it comes to employment law issues. In part, that was due to the polls. But it was also due in part to the lack of policy details that his campaign put out on his website. Back in September, I lamented the fact that we weren’t getting to hear any debate on those issues.

So, the news this morning that Donald Trump has been elected President is coming with a bit of scrambling.  What does it mean for employers in Connecticut? What’s going to happen with employment laws and enforcement?

The truth is that we really don’t know at this point.  The fact that the House, Senate and President will all be led by Republicans is something that is going to throw the whole system for a loop.

So, here are a few things to keep an eye on over the upcoming months when it comes to employment law issues:

  • As I noted last month, the new overtime regulations are set to be implemented on December 1, 2016. Will a lame-duck Congress try to block those rules from being implemented? And if they are still implemented, will a Trump administration seek to roll those back? That would be a challenge. Suffice to say for employers, this added uncertainty is a real headache. Until you hear otherwise, employers should continue to implement these changes.
  • One thing that seems clearer: The NLRB’s moves over the last few years will come to a screeching halt once the Board’s makeup is changed. The NLRB, for better or worse, always seems to change with each Presidency. A Trump Presidency will no doubt bring changes back; this may impact everything from graduate assistants being able to unionize to the quickie election rules. Everything is in play.
  • For those wondering, the Board has two seats open now; along with the existing Republican member, that would give the Trump presidency a pretty quick majority.
  • The EEOC’s strategic plans will now be called into question as well. In recent years, it has taken aggressive litigation approaches on sexual orientation and gender identity issues. Will those tactics be abandoned? Where will the enforcement priorities lead to? Again, don’t expect big changes overnight but over time, this is definitely something to watch.
  • And do not underestimate the impact that a Trump Presidency will have on the federal court system. He will now be appointing far different judges than we’ve seen over the last eight years — both at the U.S. Supreme Court and at lower court levels. This will have a long-term effect on employment discrimination cases which are often heard in the federal courts in Connecticut. As a result, we may continue to see more cases being brought in Connecticut state courts.
  • Let’s not forget that Trump also suggested a six-week paid maternity leave program.  Will we see Congress pick this issue up? Stay tuned too.  

For Connecticut employers, lost in the headlines of a Trump presidency is the fact that Republicans seem to have gained an unprecedented 18-18 split in the State Senate. This could potentially put the brakes on legislation the next two years on issues like non-competes or expanded paid leave.  It’s too early to tell but this is something we’ll be looking into as well.

But for all the uncertainty out there, remember this: Many of our federal laws are unlikely to change.  ADA, FMLA, Title VII are all fairly hearty laws that share widespread support.  The changes that may come are all things around the edges — things like enforcement approaches, guidances, etc.

For employers, it’s best to keep a close eye on the developments for employment law. It’s going to be an interesting couple of years.

Collins, left, addresses CBA; Shipman & Goodwin Partner Gabe Jiran, right, moderates.

At Monday’s Connecticut Legal Conference, CHRO Chair Gary Collins spoke for a bit about the developments at the oft-maligned agency since he’s come on board. (You can follow all the tweets from the conference on Twitter using #ctlegalconf as the hashtag.) While he joked that attendees could just read this blog to find out what was going on, he did highlight a few new developments at the agency that are worth sharing here.

  • First, he noted that Cheryl Sharp, a 21 year veteran of the agency, was just appointed Deputy Executive Director.  Sharp — who received her law degree from UConn Law — is fairly well regarded by both sides of the labor & employment law bar.  She is also credited with starting the Kids Speak and Kids Court outreach programs as well.
  • Next, he noted that Human Rights Referee Ellen Bromley submitted her resignation last month. No replacement has yet been named. One look at the public hearing calendar for the agency and it’s clear that in order to maintain some of the gains made in reducing the backlog, one will have to be named relatively soon.
  • Mr. Collins also noted that the agency is looking to make some tweaks to Public Act 11-237 — the law that made significant changes to how the CHRO processes discrimination complaints.  (For background on that law, see my prior posts starting here.)  He encouraged attorneys and other stakeholders to provide him feedback on how changes in the law can help improve the agency.
  • Notably, he said that the agency is now closing significantly more cases than a year ago.  He indicated that while the agency is still taking in more cases each year than it closes, he hopes that within the next year, that trend will be reversed. He cautioned that he wanted the agency to do so in the right way  — not just closing cases solely to meet certain “numbers” or benchmarks.

While I won’t speak for other attendees, Mr. Collins’ outreach should be welcomed.  He is genuine in his concern to improve the agency.  To that end, here are a few minor suggestions that can be done easily to continue to increase the transparency and visibility of the agency.

The agency still has a lot of work to do to remain relevant and useful. While opinions about the agency are still down among practitioners anecdotally, with a new Executive Director last fall and Mr. Collins as its Chair, the agency is certainly far from out.

In the hours before the General Assembly’s 2014 session closed, there were a number of bills being watched by employers.  I’ll have an additional recap of the session in the days ahead, but one bill that passed on Wednesday night made a number of small, but important, changes to the state’s Paid Sick Leave law that employers should take note of.

For background on Paid Sick Leave, you can check out some of my prior posts here and here.

House Bill 5269 — which still requires the Governor’s signature — makes several changes that have long been sought.  (For a full recap, see the OLR Bill Analysis here.)  The changes become effective January 1, 2015, when the bill is signed.

First, the bill changes the method for figuring out if a non-manufacturing business employs 50 or more employees.   Under the bill, the company will determine if it satisfies the annual 50-employee threshold based on the number of employees on its payroll for the week containing October 1, rather than the quarterly formula presently used.

Next, the bill prohibits employers from firing, dismissing, or transferring an employee from one job site to another to come under the 50-employee threshold.   Any affected worker can file a complaint with the Labor Commissioner.

The bill also changes the timeframe for accruing paid sick leave and makes it more in line (though not exactly parallel) with the state FMLA law.  As noted by the OLR: “Under current law, employees accrue one hour of sick leave for every 40 hours worked per calendar year. Under the bill, they accrue one hour of paid sick leave for every 40 hours worked during whatever 365-day year the business uses to calculate employee benefits. This allows the employer to start the benefit year on any date, rather than only on January 1.”

And lastly the bill adds radiologic technologists to the list of job categories eligible to accrue and take paid sick leave.

Employers who have been close to the 50-employee cut-off should review these rules in particular, but all employers should take note of the changes to the accrual methods. That should make it easier, in the long run, for employers to track such time.

 

On Thursday morning, October 20th, the Connecticut Commission on Human Rights and Opportunities is having an informational session on Public Act 11-237 — the new law that changes the procedures before the CHRO.  The session will be held from 10 a.m. to 12 p.m. at the Old Judiciary Room at the State Capitol.   It’s open to the public.

The program should prove to be noteworthy because of a panel discussion that is planned.  Various attorneys who do work with the agency (including me) have been asked onto this panel to share our thoughts on the latest developments.

The agency is going through a difficult time now, as I’ve discussed in some prior posts.  An auditor’s report, for example, found that the agency was struggling to comply with statutory deadlines.

But the new law does hold some promise to streamline things there.  Anything that can shorten the timeframe for cases to be heard and that can resolve cases without fact-findings, is worth considering.

Come join the discussion on Thursday.  In the meantime, have any thoughts on the CHRO? Feel free to post them in the comments below.

 

Earlier this afternoon, President Obama signed the National Defense Authorization Act of 2010. By doing so, he approved of several changes to the FMLA. But before you rip up your existing FMLA policies, the provisions relate to the military-related leaves under the Act. (H/T Ohio Employer’s Law Blog) The changes as a whole expand the coverage and the availability of military family leave.

Carl Bosland at the FMLA Blog summarizes the details:

  • Eligible employees will be able to take military caregiver leave for veterans who served in the regular Armed Forces, the Reserves within 5 years of the date the veteran undergoes medical treatment, recuperation, or therapy. Currently, military caregiver leave is only available to care for current members of the Armed Forces, Guard, or Reserves.
  • Military caregiver leave is expanded to cover aggravation of existing or preexisting injuries incurred in the line of duty while on active duty. 
  • Qualifying exigency leave is expanded to cover members of the regular Armed Forces who are deployed to a foreign country.  Currently, qualifying exigency leave is only available for covered military members in the Reserves or Guard.

But of course, in Connecticut, this will only create another set of headaches. Connecticut just amended the state FMLA rules to be more consistent with the federal rules as they relate to military caregiver leave.  These new rules now create a significant difference between the state and federal rules.

Nevertheless, where the FMLA and the state FMLA conflict, employers in Connecticut must implement the more favorable of rules. Therefore, employers subject to FMLA in Connecticut

My office manager recently got married (congrats Kris!) and began discussing the difficulty of having to change one’s name both externally and internally. We both began to notice that there does not appear to be readily-accessible information for human resources personnel and employees on how to tackle this issue.

While a blog post certainly cannot cover everything, there are a few resources that I’ve seen that can help HR personnel deal with this issue and make it easier for their employees. Unfortunately, until the legislature and various agencies change the laws regarding name changes to make them less burdensome, employees will have to carry much of the burden. HR personnel can assist by pointing them in the right direction.

First and foremost, the employee must notify Social Security AND their employer.  Otherwise, the wages earned may not get posted correctly to the employee’s Social Security record and could delay the employee’s tax refund.

Here’s where it gets interesting: to change a name on your Social Security card, the SSA requires the employee to:

  • Complete an Application For A Social Security Card (Form SS-5);
  • Show them proof of:
    • U.S. citizenship (if you have not previously established your citizenship with us) or immigration status;
    • Legal name change; and
    • Identity.
  • All documents must be either originals or copies certified by the issuing agency. We cannot accept photocopies or notarized copies of documents.

To prove a legal name change, the employee must show either a marriage document or a court order for a name change.

To prove identity after marriage, the employee must provide a document that shows the employee’s old name, as well as other identifying information or a recent photograph. (They can accept an expired document as evidence of your old name.) A driver’s license should suffice.

In Connecticut, there is a "pathfinder" set up by the state to assist. For the more formal documents, this link will provide all the laws and history to make a name change. The Judicial Branch’s Law Library also has links to the necessary forms as well on a separate page that is much easier to understand.  Lastly, the state’s Infoline, also has a neat summary of the links and forms needed to change a name in Connecticut. 

In addition to the federal and state requirements, employers should obviously get updated information for their personnel files and benefit plans.  Most benefit providers have easy to use forms for the employees to fill out but a pro-active employer could provide those forms to the employees directly.  Employers should have their employees update their "emergency contact" cards. (It’s a good practice to have those contact cards updated on a yearly or bi-yearly basis to make sure the information the company has is accurate.)  A nice touch would also be to order new "name plates" or business cards for those employees too.

Weddings are stressful enough; but an employer can demonstrate its "human" side by making it easier for employees to deal with the ramifications of marriage.  Having plans to deal with employees who make name changes is one simple way to do so.  Feel free to post other useful resources for employers using the comments section below. 

For employers who are situated along the Connecticut-New York state line, keeping updated on the employment developments in both states is a challenging endeavor.  This is particularly true if the company’s sales force or business is dependent on servicing both areas.



Connecticut employers with New York employees, should be aware of a number of recent amendments to New York Labor and Executive Laws.  These include:

(1) the requirement of a written agreement with commissioned salespersons;

(2) a change in the wage threshold for certain exempt employees;

(3) increased monetary fines for meal and rest period violations;

(4) leave for blood donors; and,

(5) narrowed criminal conviction inquiry.

My fellow EBG colleagues have prepared an excellent summary of these changes in an alert posted yesterday. 

For many employers, the new law on commissioned employees will be the most significant. The provision applies to all salespersons whose earnings are based, in whole or in part, on commissions from merchandise, real estate, insurance, securities, and other products or services.  As my colleagues have stated, the new law now states:

  • The employer and the commission salesperson must enter into a written document describing the terms of employment.
  • The document must be signed by both the employer and the employee.
  • The written document must describe how the wages, salary, commissions, draw-against commissions, if any, and all other monies earned and payable are calculated.
  • The frequency of reconciliation should also be included, if the agreement provides for a recoverable draw.
  • The document must also describe how commissions are paid upon termination of employment.
  • The document must also be kept on file by the employer for at least three years. 

It is easy to confuse the differences between the two states’ laws. For human resources professionals, it’s best to keep a running list of the applicable laws that may apply for certain issues.