Tuesday, December 31, 2013

Set Your “Target” on Data Security in 2014

Target Corp.’s data breach has been big news this holiday season, with as many as 40 million holiday shoppers across the nation exposed to potential credit and debit card fraud. According to the Identity Theft Resource Center, which tracks U.S. data breaches, the Target breach was one of over 600 data breaches in 2013. In our increasingly digital world, data breaches are a growing risk with many potential causes, including system failures, human error, employee misconduct, or outside theft. 

In the wake of the Target incident, many companies will be setting a 2014 New Year’s resolution to review and upgrade their data security measures and to adopt or update their data breach response plan. These types of data security efforts are often focused on a company’s customers, but companies should remember that they have human resources data security responsibilities as well. A number of federal and state laws require the safeguarding of sensitive employee information. For example, criminal and credit background check information is protected by the Fair Credit Reporting Act, employee medical data is protected by HIPAA and the Americans with Disabilities Act, and many states – including Minnesota – have laws requiring the safeguarding of employee social security numbers. In addition to laws about safeguarding data, at least 46 states have enacted data breach notification laws that require a company to promptly inform individuals of security breaches involving personal data that might expose the individual to identity theft or financial fraud.

In light of this legal landscape, protecting employee data, whether in hard copy or electronic form, should be an HR priority in 2014. Protecting customer data is also an important HR issue given that employee error or misconduct can lead to a data security breach. While any information security program and data breach response plan need to be customized to the particular company, the following are some steps that might be incorporated into a 2014 data security resolution:
  • Appoint an employee to be in charge of overseeing and coordinating the company’s information security efforts for sensitive employee and customer information stored in hard copy or electronic form.
  • Have each company department that handles sensitive employee or customer information work with the company’s information security coordinator to: (i) conduct and document an inventory of the type of sensitive information handled by that department; (ii) assess potential internal and external data security risks; (iii) develop and document information security safeguards for addressing these risks; and (iv) communicate and train department employees on these safeguards.
  • Limit access to sensitive employee or customer data to only those employees whose position requires access to the data and prohibit other employees from engaging in unauthorized access, use, or disclosure of the data.
  • Ensure that hard copy records are stored in secured, locked locations and that only authorized personnel have keys to the locked areas.
  • Ensure that the company has appropriate technology safeguards in place to secure electronic data from unauthorized access and to limit access to only authorized employees.
  • Consider encrypting data when it is transmitted electronically over networks or stored on-line.
  • Require employees to use unique, secure password-activated screensavers on computers and any personal devices used for work purposes and to regularly change passwords.
  • Ensure that the company has a method for carefully selecting and only hiring third party vendors/contractors capable of securing confidential data and that third party contracts contain language requiring the third party to safeguard the data.
  • Regularly train employees on information security measures and requirements.
  • Ensure that the company has an effective system in place for obtaining hard copy and electronic data back from departing employees or third party vendors/contractors when their relationship with the company ends.
  • Require employees and third party vendors/contractors to promptly report any potential data security breach to the company.
  • Adopt a data breach response plan in advance so that the company is prepared to promptly and appropriately address any data breach that does occur.
  • Conduct periodic tests and audits of security measures and make adjustments as appropriate.

Thursday, December 19, 2013

Week in Review

The holiday season is a time for reflection, including reflection on our technology habits. Many individuals are aiming to be truly home for the Christmas holiday by engaging in digital detox plans and setting their smartphones and other mobile devices aside to spend time with family and friends. Disconnecting from workplace technology during non-work hours is also becoming a trend at other times of the year, and many employers are encouraging this trend. Another take-away from this holiday season may be to reflect on what your shopping habits can teach you about hiring, including things like “making a list, checking it twice” and incorporating technology into the process. In addition, when you aren’t engaging in a digital detox, you might check out the holiday app links below.

We’re hopping on the “digital detox” bandwagon this year, and we won’t be posting next week. We wish everyone a very happy and peaceful holiday season, and we’ll be back posting again after the holiday!

Technology and the Workplace
3 Hiring Lessons From Your Holiday Shopping List (Mashable)
What Millennials And Older Workers Can Teach Each Other (Forbes)
Disconnecting From Work: A New Trend (MN Labor & Employment)
To Flex, or not to Flex - Top Issues Related to Flexible Workplace Arrangements (Employment Law Lookout)
Email is not always best (Tech for HR)

Technology and the Law
Judge: NSA domestic phone data-mining unconstitutional (CNN)
England and Wales Crack Down on Googling Jurors; U.S. Not So Much (WSJ)
2 Charged in UK for Twitter Threats (Mashable)
Mobile carriers and FCC reach deal to allow smartphone unlocking (LA Times)
Tech companies call for 'aggressive' NSA reforms at White House meeting (Guardian)

There's an App for That
Unplug for the Holidays With These 5 Digital Detox Plans (Mashable)
Top 10 apps to save Christmas (Telegraph)
Turn Smartphones and Tablets Into Helpful Elves (NY Times)
The top 10 tech gadgets of 2013 (LA Times)
Top Business Executives Name Their 10 Must-Have Mobile Apps (Forbes)

Tuesday, December 17, 2013

Sleeping with Siri: An FLSA Perspective

I sleep with Siri, and I’m not alone. According to a Pew Internet and American Life Project study, 44% of Americans sleep with their cell phone, many of which contain a work email account. Like that critical mass, I want to be connected and to be able to respond to a client if they email at 11:59 p.m. Because attorneys are “exempt” under wage and hour law, they don’t have to be paid extra above and beyond their salary for emailing in the wee hours. That’s not, however, the case with non-exempt employees. For employers that don’t have effective policies and policing of after-hours technology use by non-exempt employees, the wage and hour risks can be significant.

The federal wage and hour law (known as the FLSA) requires employers to pay all non-exempt employees at least minimum wage for all hours worked and one and one-half times the employee’s regular rate for all overtime hours above 40 hours in a work week. This requirement applies regardless of whether the employer directed the work or the employer simply “suffered or permitted” the employee to work. So, that 11:59 p.m. email that took me 15 minutes to write would be compensable if done by a non-exempt employee even if a supervisor didn’t direct or know about it.

On top of its pay requirements, the FLSA also requires employers to keep accurate records of all time worked by a non-exempt employee. This can get tricky when employees are, with the help of technology, able to work remotely at all hours of the day.

Failing to pay minimum wage and overtime or to keep accurate time records could land an employer in hot water. The remedies available under the FLSA include back wages, an additional amount equal to back wages as liquidated damages, and a winning party’s attorneys’ fees and costs. An employee can sue under the FLSA individually or on behalf of a class of similarly affected employees, or the Wage and Hour Division of the U.S. Department of Labor can initiate an investigation. None of this is pleasant or cheap.

The following tips, however, can help to avoid these risks:
  1. Give non-exempt employees clear, written instructions on when they should and should not work. Include direction about when emails and/or calls should be checked, taken, or returned. Enforce your instructions.
  2. Instruct employees to record all working time accurately, including all the time they work at or outside the office. Provide forms for employees to complete and sign to verify the time worked.
  3. As a general rule, you should always pay employees for all the time that they work, regardless of whether the work was authorized. If an employee does not follow policies on working time, use coaching and discipline up to termination of employment, not pay withholding, to correct the issue.
  4. Consider “turning off” email, voicemail, or other technology access outside of normal business hours to prevent non-exempt employees’ ability to work at times that you don’t want them working. While this could lead to morale issues (i.e. “You don’t need me anymore?”), it can help to control working outside of normal business hours.
  5. Remain diligent on tracking hours, while avoiding pressure that leads to “off the books” work. While it is not necessary to watch the clock every second, creating proper expectations and procedures will go far in preventing liability under the FLSA.

The 24-7 workweek appears to be here to stay, so proactively working to set clear work time expectations now may prevent bigger problems later on. By 2020, market researchers anticipate that 85% of workplaces will have bring your own device (BYOD) programs in place allowing employees to access company files and emails at any time of day or night.

Now, all this typing is making my thumbs hurt; time to go back to sleep.

Thursday, December 12, 2013

Week in Review

Your company holiday party can be added to the list of things impacted by technology. In addition to the risk of alcohol-induced harassment, injuries, or property damage, employers should be mindful that technology and mobile devices permit employees to easily broadcast holiday party activities through social media. Of course, company parties are not the only thing changed by technology in the workplace. Technology has also transformed workplace communication, and, to make this a positive change, employees must use the right technology in the right ways. Outside the workplace, technology is even transforming the way we find holiday light displays by allowing us to use apps to locate the best holiday lights.

Technology and the Workplace
Hey, Your Company Gathering Is on Facebook! (TLNT)
Facebook Posts by Police Officer Not Protected by the 1st Amendment (Delaware Employment Law Blog)
How Technology Has Changed Workplace Communication (Forbes)
How Your IT Workers Are Putting Your Company at Risk (Mashable)
The Path to Happy Employment, Contact by Contact on LinkedIn (NY Times)
BYOD Policy and Best Practices for When Employees Leave (i-Sight Blog)

Technology and the Law
SCOTUS to review standard for software patents (ABA Journal)
Police Made 1.1 Million Data Requests to Cellphone Carriers in 2012 (Mashable)
Bitcoin Fraud Stays Ahead of Bitcoin Law (NY Times)
YouTube Unleashes Strange Storm Of Copyright Claims On Video Game Content Producers (Forbes)
Sarah Jones case: Internet giants urge Fed court to set aside decision (CBS)

There's an App for That
'12 Days of Gifts' Will Get You Free Apps, Songs and Music from Apple (abc)
An App to Find Holiday Light Displays (NY Times)
AskMD Is a Health Dashboard For Your iPhone (Mashable)
An App That Will Never Forget a File (NY Times)
When You See An Outfit You Want, Style-Eyes Will Help Your Smartphone Find It Online (Forbes)

Tuesday, December 10, 2013

Willful Blindness on Trade Secrets: Employers Could Pay a Heavy Price

A recent trial experience provided an extraordinary lesson on the significant legal exposure employers face when hiring away employees from a competitor. I recently completed a jury trial in which my client obtained a $22.7 million verdict against a competing company that had hired away two of my client’s employees who had secretly taken numerous computer files belonging to my client and then used them for the benefit of their new employer. Although there ended up being many actions of the new employer to criticize, I believe that the most egregious one was the new employer’s failure to actively manage this risk at the hiring stage. The new employer appeared to – at best – utilize a conscious strategy of “turning a blind eye” toward the unlawful activity of its newly hired employees, while at the same time profiting significantly from the use of the purloined computer files.

Although the new employer at trial argued that the employees were essentially “rogue employees” who had acted without any direction or knowledge of their new employer, the trial evidence demonstrated a tremendous failure by the new employer to manage the situation in order to limit its legal exposure. No effort was made to ensure that the new employees did not possess and bring with them any trade secret or confidential information of their former employer. Nor were any efforts undertaken to meaningfully search the new employer’s computer system to ensure that such information was not being used by the new employees or uploaded to the new employer’s computer system.

Minnesota and more than 40 states protect against trade secret misappropriation through the Uniform Trade Secrets Act. Employers need to be aware that it is an unlawful misappropriation under that statute if a party (such as a new employer) benignly comes into possession of trade secrets – even unknowingly – and does not, upon discovery that the trade secrets are in the company’s possession, take action to cease using the information and to return that information to its owner. It is, therefore, not an effective defense to trade secret misappropriation claims for a new employer to merely claim that they did not direct new employees to bring trade secret or other confidential information along with them.

To effectively manage legal exposure for misappropriation of trade secrets and confidential information, all employers should consider consistently taking the following steps when hiring new employees who were previously working for a competitor: 

  • Ask job offerees if they have signed a confidentiality agreement and/or noncompete agreement with their existing employer and, if so, review that agreement.
  • Inform job offerees (and new employees) that they are expected to comply with the terms of any confidentiality and/or noncompete agreement with their prior employer and to not bring with them or use any confidential or trade secret information of their former employer. For maximum protection, this direction should be made in writing (such as including it within any employment offer letter).
  • Promptly and seriously investigate any concerns that may arise about the improper possession or use of trade secret and confidential information by your employees.
  • Implement serious discipline (including possible termination) of offending employees.

Thursday, December 5, 2013

Week in Review

You may have thought you’d seen it all, but technology continues to change the world, the law, and the workplace. The headlines were abuzz this week with Amazon's announcement that it will soon be ready to use drones to deliver packages within 30 minutes of an order. However, the announcement has produced skepticism based on logistical and legal barriers. In other news, the U.S. Court of Appeals for the Ninth Circuit will become the first federal appeals court to live stream oral arguments in all en banc cases starting this month. In the workplace, employers are looking for ways to use their employees to market their company through social media.

Technology and the Workplace
Paid to Tweet? What the Social Workforce Means for All of Us (Wired)
Applicants' mug shots may be just a click away (HR Hero)
Employee legally fired for complaining on Facebook about the boss' "creepy hands" (Employer Handbook) (Employer Law Report)
What Your Employees Steal May Be Used Against You In a Court of Law (Delaware Employment Blog)
Lawyer pleads no contest to charge of recording workers' comments while away from the office (ABA Journal)
Wisconsin Gov. Scott Walker Fires Two Employees for Racist, Anti-Hispanic Remarks (International Business Times)

Technology and the Law
Nation's Largest Federal Appeals Court to Livestream Arguments (WSJ) (LA Times)
Facebook chat about 'hit' on judges adds to court problems for 2 defendants (ABA Journal)
What FAA Rules Will Amazon Need To Navigate Before A 30 Minute Delivery Drone Becomes Reality? (Forbes) (CBS)
State appeals court upholds parole board ban on use of social media by sex offenders (ABA Journal)
Supreme Court Won't Review Case on New York's Online Sales Tax (Mashable)
Motion on Arias Jurors' Twitter Handles Denied (abc)

There's an App for That
Coming Soon: Workout Gear That Monitors Your Muscles (Wired)
From Backyards to Boroughs, CO Everywhere Allows Users to Find Local News (abc)
Dislike? Facebook is adding an 'Unfollow' button (NBC)
Google sees Amazon's drones, and raises its own army of robots (Guardian)
Uber Will Deliver Christmas Trees to Your Door for $135 (All Things Digital)

Tuesday, December 3, 2013

The Supreme Court to Hear Hobby Lobby Case: What does it mean for Title VII?

The Supreme Court announced last week that it will hear two cases in which for-profit businesses are challenging the Affordable Care Act’s (“ACA”) “contraceptive mandate” on freedom of religion grounds. The key issue before the Supreme Court will be whether or not corporations have religious rights.

The two lawsuits at issue were brought by Hobby Lobby, a company owned by Evangelical Christians, and Conestoga Wood Specialties, a family business owned by devout Mennonites. In both cases, the companies claim that the ACA’s mandate that all group health plans provide and pay for all forms of FDA-approved contraceptives violates the religious rights of the companies based on their owners’ religious views. Of particular concern for these companies’ owners is the obligation to pay for “Plan B” (the morning-after pill), ella (the “week after” pill), and certain intrauterine devices (IUD’s). These items are classified by the FDA as contraceptives, but Hobby Lobby’s and Conestoga Wood’s owners consider these items to be “abortifacients,” meaning they terminate rather than only prevent a pregnancy.

The Hobby Lobby case comes to the Supreme Court from the Tenth Circuit Court of Appeals, which held that Hobby Lobby had the right to challenge the ACA’s contraceptive mandate on religious grounds under the First Amendment. The Conestoga Wood case comes to the Supreme Court from the Third Circuit Court of Appeals. The Third Circuit held that for-profit businesses forfeit any right to challenge a law on religious grounds by utilizing the corporate form and accepting its accompanying benefits.

One interesting question to consider is what, if any, impact the Supreme Court’s opinions on the “contraceptive mandate” may have on Title VII or other laws that may contradict a corporate owner’s religious views. One concern expressed about the ACA contraception mandate cases is that any ruling exempting a business owner from the ACA on religious grounds could create a “slippery slope” that erodes other laws that protect employees from discrimination. For example, if a for-profit business does not have to comply with the ACA on religious grounds, could it also be exempted from laws prohibiting religious discrimination? It does not necessarily follow, however, that a Supreme Court win for Hobby Lobby will result in for-profit businesses being able to disregard Title VII or other laws on religious grounds. The Hobby Lobby cases will likely turn on whether the federal government can prove a compelling state interest in enforcing the “contraceptive mandate” in light of the business owners’ arguments that contraceptives are widely available, often for free, from other sources. What does or does not constitute a compelling state interest in the ACA context may be very different than what a court would find to constitute a compelling state interest with respect to discrimination or other laws.