shutterstock_506771554Cross-posted from Carpe Datum Law

Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar.   Sometimes the emails include the name, title, and other personal information of the “sender” that we believe might be harvested from LinkedIn or other business databases.  The email asks employees to use a link in the phishing email or attached PDF to log into a fake Workday website that looks legitimate.  The threat actors who run the fake Workday website then use the user name and password to log into the Workday account as the employee and change their direct deposit bank/ACH information to another bank, relatable Green Dot, or similar credit card.

The fraud is typically only discovered when the employees contact HR inquiring as to why they did not receive their direct deposit funds.  Unfortunately it appears that spam filters and other controls are failing to prevent this email from infiltrating the organization’s network.

In order to prevent this from happening to your organization, Workday has posted several “best practice” tips on their customer portal.  The most impactful mitigation techniques include enabling and enforcing two factor authentication on your organization’s Workday instance, and changing your Workday settings to force administrative approval upon employee requests for direct deposit account change.  Both of these will help secure your Workday environment and avoid employee loss of paychecks.   Finally, always remember to train employees on fraudulent email identification through training and security drills/tests.

Wednesday, February 22, 2017
Washington, D.C.

Agenda
9:00 – 9:30 a.m. — Breakfast & Registration
9:30 – 11:00 a.m. — Program

Seyfarth Shaw LLP
975 F Street, N.W.
Washington, D.C. 20004
(202) 463-2400

Finding the delicate balance between an employee’s right to privacy and the employer’s need to run its business can be challenging. There are many legitimate reasons that an employer may have for intruding on otherwise “private” matters of employees, such as conducting workplace investigations, responding to agency inquiries or subpoenas, or fulfilling its obligations during discovery in a lawsuit. With the rapid surge in the use of technology and social media in the workplace, the stakes in the workplace privacy arena are becoming even higher for employers.

Please join us on Wednesday, February 22, for a discussion of what every employer needs to know regarding recent legal developments on select issues in workplace privacy, including:

  • Monitoring employee company and personal web-based electronic mail.
  • The NLRB’s developing case law on disciplining employees based on social media postings.
  • Privacy issues presented by Bring Your Own Device policies.
  • The use of social media in hiring and legal limits on accessing employee social media information.

Cost: There is no cost to attend but registration is required and seating is limited.

register

 

 

If you have any questions, please contact events@seyfarth.com and reference this event.

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

CaptureOn Wednesday, November 2, at 1:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher, Ari Hersher, Stacey Blecher, Meredith-Anne Berger, Elizabeth Levy and Selyn Hon will present “Navigating Employee Privacy Issues in the Workplace.”

The rise of technology in the workplace has resulted in a myriad of complex privacy issues. Employee privacy concerns are impacting employer decision-making more than ever. Is your company equipped to navigate these issues? In this cutting-edge webinar we will discuss:

  • The legal issues presented by an employer’s review of employee texts, emails and social media postings during workplace investigations;
  • The latest decisions from the NLRB regarding an employer’s ability to take action against employees based on social media postings;
  • Privacy considerations presented by the implementation of a BYOD policy; and
  • Private data security risks that arise from the use of cloud-based storage in the workplace

Please join us for this informative webinar so you will be prepared to confront the ever-increasing amount of privacy issues facing employers.

register

shutterstock_384992695Wearable device data may be the next big thing in the world of evidence for employment cases since social media. Given that it has already been used in personal injury and criminal cases, it is only a matter of time before wearable device data is proffered as evidence in an employment case.

From Fitbit to the Nike FuelBand to a slew of others, the worldwide wearable market has exploded in recent years. In a world increasingly obsessed with health and fitness, wearable devices offer instantaneous and up-to-the-minute data on a number of metrics that allow the user to assess his or her own health and fitness. Wearable devices can track information like heart rate, calories, general level of physical activity, steps taken, diet, blood glucose levels and even sleep patterns. Given the nature of the information captured, it is easy to see how wearable device data may be relevant to claims of disability discrimination, workers’ compensation and even harassment. Continue Reading Wearable Device Data: The Next Big Thing for Employment Litigation Cases

Cross Posted from Employment Law Lookout

PokemonYour employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.

Data And Security Concerns

There are data security concerns that arise from use of the Pokémon GO app.

First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account. Continue Reading Pokémon NO: New App Creates Risks For Employers

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR

Cross Posted from Employment Law Lookout

Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees. Continue Reading Monitoring Employee Communications: A Brave New World

Over the past several years, technology has dramatically increased employee accountability in the workplace. For example, in an office environment, employees are expected to respond to emails immediately because they are either sitting in front of their computers or carrying a mobile device on which they can access their email. As for employees who work outside the office, the availability of employer-issued phones and, alternatively, the proliferation of “bring your own device” policies, has resulted in off-site employees being generally just a phone call away. In specific industries in which employees drive motor vehicles while conducting business for the employer, yet another method of accountability exists: GPS. Continue Reading Employee GPS Tracking – Is it Legal?

It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.

Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?