Cross-posted from Employment Law Lookout.

Seyfarth Synopsis:  A string of recent class action lawsuits regarding businesses’ use of employees’ biometric data should put employers on heightened alert regarding compliance with various state biometric privacy laws.

As biometric technology has become more advanced and affordable, more employers have begun implementing procedures and systems that rely on employees’ biometric data. “Biometrics” are measurements of individual biological patterns or characteristics such as fingerprints, voiceprints, and eye scans that can be used to quickly and easily identify employees.  However, unlike social security numbers or other personal identifiers, biometrics are biologically unique and, generally speaking, immutable.  Thus, unlike a bank account or a social security number, which can be changed if it is stolen, biometric data, when compromised, cannot be changed or replaced, leaving an affected individual without recourse and at a heightened risk for identity theft.  Given the serious repercussions of compromised biometric data, a number of states have proposed or passed laws regulating the collection and storage of biometric data.  And plaintiffs’ attorneys are taking notice, as the number of class action lawsuits in this area has surged in recent months.

Currently, there are three states that have statutes regulating the collection and storage of biometric data: Illinois, Texas, and Washington.  In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”).  Texas followed suit in 2009, and Washington passed its biometric privacy law in 2017. Continue Reading Hazards Ahead: Uptick in Biometric Privacy Laws Can Put Employers in Hot Seat

When you bring to mind someone “hacking” a computer one of the images that likely comes up is a screen of complex code designed to crack through your security technology.  Whereas there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person.   Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website, than cracking an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing.  Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust.  The hacker than asks you to provide personal information such as passwords, login ids, computer names, etc.; which all can be used to compromise your accounts.  The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company.  Note, this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar.  In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information.  Be wary of links to sites that are sent to you through untrusted sources or email.  If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site.  Try to access the site through a familiar link. Continue Reading Cybersecurity Best Practices

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance. Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more complicated than what the expectations reflect.

The reason for the retained level of complexity even under the GDPR are what are known as “opening clauses”. These clauses permit a Member State to modify the provisions of the Article in which the clause resides. In effect, the opening clauses permit the Member State to introduce a more restrictive application of the GDPR obligation via local legislation.

These opening clauses are particularly important to note as there are a number of them (around 30% of the directly applicable Articles have opening clauses), and many of them address an already complicated area of data protection law – employment. While there are a number of companies who have a large consumer impact in the EU, there are just as many (if not more) who have workers in the EU, or have clients who have workers in the EU. As a consequence, the implementation of the GDPR doesn’t fully mitigate the patchwork quilt of local law when it comes to labor & employment law. This is both because of the opening clauses in a number of related Articles, as well as the plain text of Article 88.

The lack of consistency in HR-related data protection is particularly concerning with the advances in workforce management, monitoring, and the use of personal devices in the workplace (e.g. Bring Your Own Device, or “BYOD” environments). One of the ways that the regulators have attempted to address this very real issue around inconsistent GDPR obligations is with an update to the 2001 Article 29 Working Party opinion on data protection of employees. The new opinion, published on 23 June 2017, provides an update to the recommendations which were put in place prior to the age of social media and pervasive computing (i.e. Internet of Things).

While not mandatory, the Opinion does operate somewhat as a roadmap to the way regulators in the EU will consider enforcement – both in breach situations, as well as in accountability situations (i.e. when an entity has to “show” how they are compliant). The Opinion is also instructive as much of the analysis revolves around the concept of “proportionality”.

This balancing of the legitimate interests between employees and employers was not a commonly used method of legitimizing processing under Directive 95/46/EC and its local implementing legislation. However, it seems that this is the direction the Working Party is taking.  This may be seen as both a good and bad situation. On one hand, it indicates that the regulators are starting to understand the complexity of the modern workplace, and how rigid bright-line rules won’t really work. On the other hand, it would seem to require a significant amount of analysis by data protection experts (which is subsequently documented) showing the balance of interests doesn’t harm the employee.

In any event, at least in the realm of employment law, the GDPR isn’t going to be quite the panacea that many of us were hoping for. It is still going to be a complex, difficult to manage, area of law for the foreseeable future.

The 2017 edition of The Legal 500 United States recommends Seyfarth Shaw’s Global Privacy & Security Team as one of the best in the country for Cyber Law (including data protection and privacy). In addition, based on feedback from corporate counsel, the co-chairs of Seyfarth’s group, Scott A. Carlson and John P. Tomaszewski, and Seyfarth partners Karla Grossenbacher (head of Seyfarth’s National Workplace Privacy Team) and Richard D. Lutkus were recommended in the editorial. Richard Lutkus is also listed as one of 14 “Next Generation Lawyers.”

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities.

Cross-posted from Carpe Datum Law

Recently, a widespread global ransomware attack has struck hospitals, communication, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.  This widespread ransomware campaign has affected various organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in as many as 27 different languages.  The latest version of this ransomware variant, known as WannaCryWCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

The risk posed by this ransomware is that it enumerates any and all of your “user data” files like Word, Excel, PDF, PowerPoint, loose email, pictures, movies, music, and other similar files.  Once it finds those files, it encrypts that data on your computer, making it impossible to recover the underlying user data without providing a decryption key.  Also, the ransomware is persistent, meaning that if you create new files on the computer while it’s infected, those will be discovered by the ransomware and encrypted immediately with an encryption key.  To get the decryption key, you must pay a ransom in the form of Bitcoin, which provides the threat actors some minor level of anonymity.  In this case, the attackers are demanding roughly $300 USD.  The threat actors are known to choose amounts that they feel the victim would be able to pay in order to increase their “return on investment.”

The ransomware works by exploiting a vulnerability in Microsoft Windows.  The working theory right now is that this ransomware was based off of the “EternalBlue” exploit, which was developed by the U.S. National Security Agency and leaked by the Shadowbrokers on April 14, 2017.  Despite the fact that this particular vulnerability had been patched since March 2017 by Microsoft, many Windows users had still not installed this security patch, and all Windows versions preceding Windows 10 are subject to infection.

The spread of the malware was stemmed on Saturday, when a “kill switch” was activated by a researcher who registered a previously unregistered domain to which the malware was making requests.  However, multiple sources have reported that a new version of the malware had been deployed, with the kill switch removed.  At this time, global malware analysts have not observed any evidence to substantiate those claims.

You should remain diligent and do the following:

  • Be aware and have a security-minded approach when using any computer. Never click on unsolicited links or open unsolicited attachments in emails, especially from sources you do not already know or trust.
  • Ensure that your antivirus and anti-malware are up-to-date.
  • Apply Security Updates! Enable automatic updates and reboot weekly.  Systems that are receiving automatic updates should already be protected against this malware.  If you aren’t sure, visit https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
  • Backup your data! The risk of malware is losing your data.  If you perform regular backups, you won’t have to worry about ransomware.  Make sure you utilize a backup system that is robust enough to have versioning so that unencrypted versions of your files are available to restore.  Make sure your backup system isn’t erasing your unencrypted backups with the encrypted ones!

If your organization is the victim of a ransomware attack, please contact law enforcement immediately.

  1. Contact your FBI Field Office Cyber Task Force  immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Report cyber incidents to the US-CERT and  FBI’s Internet Crime Complaint Center.

shutterstock_506771554Cross-posted from Carpe Datum Law

Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar.   Sometimes the emails include the name, title, and other personal information of the “sender” that we believe might be harvested from LinkedIn or other business databases.  The email asks employees to use a link in the phishing email or attached PDF to log into a fake Workday website that looks legitimate.  The threat actors who run the fake Workday website then use the user name and password to log into the Workday account as the employee and change their direct deposit bank/ACH information to another bank, relatable Green Dot, or similar credit card.

The fraud is typically only discovered when the employees contact HR inquiring as to why they did not receive their direct deposit funds.  Unfortunately it appears that spam filters and other controls are failing to prevent this email from infiltrating the organization’s network.

In order to prevent this from happening to your organization, Workday has posted several “best practice” tips on their customer portal.  The most impactful mitigation techniques include enabling and enforcing two factor authentication on your organization’s Workday instance, and changing your Workday settings to force administrative approval upon employee requests for direct deposit account change.  Both of these will help secure your Workday environment and avoid employee loss of paychecks.   Finally, always remember to train employees on fraudulent email identification through training and security drills/tests.

Sedona-Conference-Header


When:           Monday, April 24, 2017
Where:          Offices of Seyfarth Shaw LLP, Chicago, IL
Sign in:          5:00 – 5:30 pm
Event:            5:30 – 6:30 pm
Reception:    6:30 – 7:30 pm

Topic: Interactive Dialogue concerning The Sedona Conference® International Litigation Principles (Transitional Edition): Practical Help for Companies with the EU General Data Protection Regulation and Privacy Shield

Please join us for a Working Group 6 (WG6) Membership-Building event at Seyfarth Shaw on Monday, April 24, 2017, [Sign in: 5:00 pm; Event: 5:30 pm; Reception: 6:30 pm]. A distinguished panel, including panel moderator Jim Daley of Seyfarth Shaw, Jennifer Hamilton of Deere & Company, Cameron Krieger of Latham & Watkins, and Laura Kibbe will lead a dialogue on The Sedona Conference® International Litigation Principles (Transitional Edition).

The International Litigation Principles was first published in 2011. In the intervening years, there have been important Developments in data protection law world-wide, including the passage of the EU General Data Protection Regulation (GDPR), the replacement of the Safe Harbor Data Transfer Framework with the new “Privacy Shield” framework, and the emergence of the APEC data privacy framework in the Asia-Pacific region. The situation is still fluid, particularly the implementation of the EU GDPR between now and its effective date of May 2018. Despite this, the six Sedona International Principles have remained relevant and useful. The Transitional Edition updates the commentary and analysis of the original Principles document, and includes two new model court orders to facilitate cross-border transfer of personal data for discovery in the U.S. litigation.

The event is open to the entire legal community, and there is no cost to attend.

Non-members in attendance that are interested in becoming WG6 members will receive a $100 discount for a Working Group Series (WG6) membership. Please be sure to remind any friends, colleagues or clients who are interested in joining. WGS membership is in-for-one, in-for-all. Once a WGS member, one is eligible to become a member and take part in the activities of all Working Groups, including WG6.

FACULTY

James Daley Jennifer Hamilton Laura Kibbe Cameron Krieger
James Daley Jennifer Hamilton Laura Kibbe Cameron Krieger

Carlson_Scott BW bio

Seyfarth Host: Scott Carlson

AGENDA — APRIL 24, 2017

TIME SESSION PANELISTS
5:00 – 5:30 pm Sign In
5:30 – 6:30 pm Interactive Dialogue Daley, Hamilton, Kibbe, Krieger
6:30 – 7:30 pm Reception

Seyfarth Shaw LLP is an approved provider of Illinois Continuing Legal Education (CLE) Credit.  This event is approved for 1.0 hours of CLE credit in CA, IL, NJ and NY.  CLE credit is pending for GA, TX and VA.

TO REGISTER WITH THE SEDONA CONFERENCE® FOR THIS EVENT

SPONSORS

Seyfarth logo

Consilio logo

Wednesday, February 22, 2017
Washington, D.C.

Agenda
9:00 – 9:30 a.m. — Breakfast & Registration
9:30 – 11:00 a.m. — Program

Seyfarth Shaw LLP
975 F Street, N.W.
Washington, D.C. 20004
(202) 463-2400

Finding the delicate balance between an employee’s right to privacy and the employer’s need to run its business can be challenging. There are many legitimate reasons that an employer may have for intruding on otherwise “private” matters of employees, such as conducting workplace investigations, responding to agency inquiries or subpoenas, or fulfilling its obligations during discovery in a lawsuit. With the rapid surge in the use of technology and social media in the workplace, the stakes in the workplace privacy arena are becoming even higher for employers.

Please join us on Wednesday, February 22, for a discussion of what every employer needs to know regarding recent legal developments on select issues in workplace privacy, including:

  • Monitoring employee company and personal web-based electronic mail.
  • The NLRB’s developing case law on disciplining employees based on social media postings.
  • Privacy issues presented by Bring Your Own Device policies.
  • The use of social media in hiring and legal limits on accessing employee social media information.

Cost: There is no cost to attend but registration is required and seating is limited.

register

 

 

If you have any questions, please contact events@seyfarth.com and reference this event.

shutterstock_172034426Cross-posted from Carpe Datum Law.

Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).

With the adoption of the Swiss Privacy Shield, transfers of personal data from Switzerland under the Swiss Safe Harbor Framework will no longer be permitted. Organizations currently registered with the Swiss Safe Harbor would need to certify under the Swiss Privacy Shield or implement alternative methods for complying with Swiss data transfer restrictions, such as Standard Contractual Clauses and Binding Corporate Rules. To join the Swiss Safe Harbor, organizations would need to ensure that their privacy policies, notices, statements, and procedures are in compliance with the new framework. The Department of Commerce provides sample language that can be used in an organization’s privacy policy to signify its participation in the Swiss Privacy Shield.

Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.

Notably, organizations with dual registrations, would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, which then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.

While the requirements of the two frameworks are nearly identical, there are a few differences: Continue Reading The Swiss Privacy Shield Opens for Business on April 12