Cyber Security: Is Your Organization Vulnerable?
More than ever, everything about a person is being tracked and stored as data on a supercomputer somewhere in the world. In fact, 90 percent of all data has been generated during the last few years. “All of this data collection has many benefits, but it also has many risks,” said Jennifer Mitchell, attorney and cyber security legal expert with Dinsmore & Shohl LLP. “Almost no data can be considered truly anonymous anymore.”
It’s important for companies to be diligent with cyber security measures; the more data a company stores, the bigger the risk of it being breached. A few years ago Target’s data systems were breached by hackers and financial information on more than a million customers was stolen, causing a legal, business and public relations nightmare for the company and its customers.
Experian, T-Mobile and Scottrade were breached last year. In the case of Scottrade, 4.6 million clients had their personal information, such as Social Security numbers and email addresses, stolen. eBay, the University of California Los Angeles, JP Morgan and even the Internal Revenue Service have been hacked recently.
These organizations have sophisticated cyber security infrastructures, but it wasn’t enough, Mitchell says. However, with each breach, cyber security experts are getting smarter and hopefully learning how to stay one step ahead of hackers.
In the first eight months of 2015, it is estimated that more than 500 major breaches occurred involving more than 140 million individual records. As a result, the Federal Bureau of Investigation ranks cyber security near the top of its list of concerns next to terrorism, Mitchell says.
A data breach for a business can cause all sorts of problems, such as damage to the company’s reputation, disruption to business operations, regulatory investigations, lawsuits and financial losses for necessary reimbursements to customers, public relations, regulatory reviews and technical upgrades.
What further complicates matters is the patchwork of federal regulations such as the Health Insurance Portability and Accountability Act, Federal Trade Commission, Gramm-Leach-Bliley Act, and State Data Breach Notification Laws, among others. Government regulations are on top of industry self-regulation and the European Data Protection Directive.
These regulations are detailed, complicated and often updated, and violations can carry heavy fines, lawsuits or settlement costs. For example, if a hacker breaks into a healthcare system’s computers and steals information, the patients must be notified within 45 days in Ohio, but in Florida the patients must be notified within 30 days.
The average cost of a breach can be upwards of $6.5 million, according to a Ponemon Data Breach Study in 2015.
There are standards companies must meet to protect medical, personal and financial information on individuals. For example, the Payment Card Industry Data Security Standard (PCI DSS) has a dozen specific requirements for processing a credit card payment, in an age when individuals can use their smartphones at a festival booth to sell products or services to customers. The requirements include measures such as installing and maintaining a firewall to protect data, encrypting transmission of cardholder data, using and regularly updating anti-virus software, and assigning a unique identification number to each person who has access to the data.
Organizations can protect themselves from a breach by making sure there is enough money in the company’s cyber security budget, conducting a security risk analysis, using encryption, scrutinizing cloud services, developing a response plan, using third-party, nationally certified data centers and training all employees. It is wise to have an outside expert evaluate the company’s cyber security measures to ensure the latest technology is being utilized.
Social Media and Employment
Social media is ubiquitous, but in spite of the benefits, employees and employers should be cautious. Even a seemingly harmless misstep can result in unintended and unwelcome consequences, says Jennifer Hageman, attorney with Ulmer & Berne LLP.
Employers should use caution when reviewing social media during the interview process. A responsible employer would not ask an applicant his or her age, marital status, religion or other protected-class information. However, that information can often be found on social media.
If an applicant is not hired, incorrectly or improperly reviewed social media could provide the basis for a lawsuit. To avoid that situation, the employer should assign a person to review the social media, typically someone outside the hiring process. That individual should not report information related to protected classes, but report only on information relevant to the position, such as confirmation of facts on the resume, ability to communicate effectively or participation in illegal activities.
Countless examples exist of employees losing their jobs over inappropriate posts. For example, a high school teacher who posted vacation pictures, some of which depicted her holding glasses of alcohol, was reported to the school board by an anonymous parent who spotted the pictures.
School officials had previously warned about “unacceptable online activities” and claimed that the posts “promoted alcohol use.” Although of legal drinking age, the teacher was forced to resign or be disciplined. Employees should use good judgment when posting to social media. The question is always whether it is worth the risk if an employer might see the content.
The best practice is having solid policies in place to ensure social media is used properly to avoid the cost and stress of potential legal issues.
Careless Social Media Will Cost You
Social media has helped many employers market their businesses and speak directly to consumers in real time. The advantages of social media for advancing a business are huge; however, there are many careless mistakes that can have dire legal consequences, says April Besl, a partner who specializes in intellectual property, trademark, copyright and social media law with Dinsmore & Shohl LLP.
Messages, pictures, hashtags and even location tags can create major legal, ethical and marketing problems for employers. One of many examples is when comedian Gilbert Gottfried, the voice of the duck in the Aflac commercials, sent offensive tweets after the tsunami in Japan.
One of his tweets read, “I just split up with my girlfriend, but like the Japanese say, ‘They’ll be another one floating by any minute now.’ ”
Gottfried claimed the tweets were meant to be humorous, but the damage was done. Since 75 percent of Aflac’s business is in Japan, Gottfried issued an apology but was fired by the company.
Since many employees can have access to post on a company’s social media site, serious mistakes can happen. One example was a tweet from KitchenAid USA after a 2012 debate between President Barack Obama and Republican candidate Mitt Romney. The tweet, about the president’s grandmother, said, “Obamas gma even knew it was going 2 b bad! She died 3 days b4 he became president. #nbcpolitics.” The tweet was quickly removed by the company’s marketing director and replaced with multiple apologies. Apparently, an employee who had permission to send tweets thought she was sending the tweet from her personal account. Oops.
In another example, the chief executive officer of Netflix was so excited when the company reached one billion hours of streaming that he posted the fact on his Facebook page. The next day, the company’s stock jumped in price and it caught the attention of the Securities and Exchange Commission (SEC). Officials investigated to determine if the CEO violated fair disclosure laws. Ultimately, he was cleared of wrongdoing, but this serves as an example of how an otherwise simple post on social media can have legal implications for a company, Besl says.
Another Facebook incident that drew attention occurred when an employee took a photo of a co-worker at his desk and posted the image on her personal page. That seemed innocent enough, except when the image was enlarged, it was easy to read information posted on the employee’s wall and her computer that put the company at risk of SEC violations.
With social media, it is important to follow all copyright, trademark and intellectual property laws. Employees can easily violate laws by simply pulling copyrighted images off the internet and using them on the company’s website or social media. Getty Images, one of the world’s largest photo agencies, is known for searching the internet for its images that are posted without a fee being paid. “A $40 image can cost a company $100,000, if they aren’t careful,” Besl says.
The Federal Trade Commission has published a list of guidelines for social media usage. “It’s important to review and be fully aware of the FTC guidelines,” Besl says. “There are pictures and examples on the FTC website.”
An employer needs to have clear, understandable guidelines on what can be posted on the company’s social media sites. Those who have permission to post should be limited to the fewest number of people possible. If there is any question about the risk of a tweet or post, err on the side of caution and have an attorney review the post or do not send it.
Protecting Yourself From Copyright Violations
The Recording Industry Association of America (RIAA) has successfully sued individuals for copyright infringement for obtaining electronic music, movies or books illegally. Employees are putting their employer at risk of similar lawsuits, says Gabriel Kurcab, a corporate and healthcare attorney with Katz Teller.
The RIAA has the technology to monitor the Internet Protocol (IP) address for every computer that downloads material that is copyrighted. Pursuing individuals can be complicated because the IP addresses often change randomly. However, a company’s IP address is well established and more stable than an individual’s.
For years, people have used file sharing to download music, movies, books and software. Recently, a student at Boston University was ordered to pay $675,000 to four recording companies for illegally downloading 30 songs and sharing music online, which is in violation of copyright laws. If the verdict is upheld, the student plans to file for bankruptcy.
Under federal law, copyright owners can seek damages up to $150,000 per infringement. Like the graduate student, most people do not have the assets to pay such large judgments. That is one reason the RIAA is going after the businesses where employees are using the company’s internet connection to download movies and other electronic materials illegally. The recording industry is using a legal theory that employers are vicariously contributing to copyright infringement.
Under the law, an employer can be seen as contributing to infringement when company officials induce, cause or materially contribute to the copyright infringement. Vicarious liability is a legal theory that is based on an employer’s failure to stop a person from infringing activities, while contributory liability is based on the employer’s failure to prevent an employee from using a work computer and internet connection to download material illegally.
Integrated Information paid more than $1 million to the RIAA because its employees shared music over the company’s internal network. In this particular case, company officials knew the employees were using company equipment to download and share music. Officials even provided employees with a dedicated server for the illegal practice, Kurcab says.
There are steps an employer can take to safeguard themselves:
Make sure policies clearly outline the rules regarding the use of company owned equipment and internet usage.
Clearly state in the employee handbook that downloading or sharing copyrighted materials is illegal and has negative consequences if caught.
Include the potential risk of a copyright lawsuit in the company’s liability insurance policy.
Implement technical measures to monitor, manage and discourage downloading or sharing copyrighted materials.
Make sure the company’s Wi-Fi is secure and password protected to prevent any unauthorized person from using the company’s network.
Remove any software that allows employees to conduct file sharing or potentially download copyrighted material anonymously.
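One concrete form of the “technical measures to monitor” step above, written here as an added example rather than anything from the original article or the firms it quotes: a small Python scanner that reads egress firewall or proxy logs in a hypothetical key=value format (the log lines in the block are constructed for this example) and reports internal hosts showing common BitTorrent indicators. The indicators are heuristics, not a complete detection: connections to the classic 6881–6889 client port range or the 6969 tracker port, HTTP tracker announce requests carrying an info_hash parameter, and fan-out from one host to many distinct peers on a single non-web port. The log format, field names and the fanout_threshold default are assumptions of this example.

```python
"""Flag likely peer-to-peer file-sharing activity in egress logs.

Added example with a hypothetical log format; sample lines are constructed.
"""
import re
from collections import defaultdict

# Hypothetical egress log format (an assumption of this example):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> url=<url or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) url=(?P<url>\S+)$"
)

# Classic BitTorrent client port range plus a common tracker port. Heuristic
# only: modern clients frequently pick random high ports instead.
P2P_PORTS = set(range(6881, 6890)) | {6969}
# HTTP tracker requests use an "announce" path with an info_hash parameter.
TRACKER_RE = re.compile(r"/announce\?.*info_hash=", re.IGNORECASE)

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOGS = [
    "2015-09-01T10:02:11Z src=10.1.2.3 dst=198.51.100.10 dport=80 proto=tcp url=http://tracker.example/announce?info_hash=%AA%BB&peer_id=abc",
    "2015-09-01T10:02:12Z src=10.1.2.3 dst=203.0.113.9 dport=6881 proto=tcp url=-",
    "2015-09-01T10:02:12Z src=10.1.2.3 dst=203.0.113.10 dport=6881 proto=tcp url=-",
    "2015-09-01T10:02:13Z src=10.1.2.3 dst=203.0.113.11 dport=51413 proto=udp url=-",
    "2015-09-01T10:02:13Z src=10.1.2.3 dst=203.0.113.12 dport=51413 proto=udp url=-",
    "2015-09-01T10:02:14Z src=10.1.2.3 dst=203.0.113.13 dport=51413 proto=udp url=-",
    "2015-09-01T10:02:14Z src=10.1.2.3 dst=203.0.113.14 dport=51413 proto=udp url=-",
    "2015-09-01T10:05:00Z src=10.1.2.7 dst=198.51.100.20 dport=443 proto=tcp url=https://www.example.com/",
    "2015-09-01T10:05:01Z src=10.1.2.7 dst=198.51.100.21 dport=443 proto=tcp url=https://mail.example.com/",
    "this line is malformed and must be skipped, not crash the scan",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def event_reasons(ev):
    """Per-event indicators: known P2P port or an HTTP tracker announce."""
    reasons = []
    if ev["dport"] in P2P_PORTS:
        reasons.append(f"connection to known P2P port {ev['dport']}")
    if ev["url"] != "-" and TRACKER_RE.search(ev["url"]):
        reasons.append("HTTP tracker announce request")
    return reasons


def scan(lines, fanout_threshold=4):
    """Return {src_ip: sorted list of reasons} for hosts with any indicator.

    Besides per-event indicators, flag a host that talks to at least
    fanout_threshold distinct destinations on one non-web port, which is the
    swarm fan-out pattern typical of P2P clients. Malformed lines are skipped.
    """
    findings = defaultdict(set)
    peers = defaultdict(set)  # (src, dport) -> set of destination IPs
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in event_reasons(ev):
            findings[ev["src"]].add(reason)
        if ev["dport"] not in (80, 443):
            peers[(ev["src"], ev["dport"])].add(ev["dst"])
    for (src, dport), dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            findings[src].add(f"{len(dsts)} distinct peers on port {dport}")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOGS).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the script reports 10.1.2.3 with three reasons and stays silent about 10.1.2.7, whose traffic is ordinary HTTPS. The fan-out threshold is deliberately low for the short sample; on real logs it should be raised and combined with a time window, and a hit should open a ticket that references the handbook policy rather than trigger an automatic block, since some legitimate software (game updaters, some backup tools) also uses peer-to-peer transfer.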
Kurcab says company officials should make sure they have done everything possible to discourage and prevent employees from sharing or downloading material illegally.