Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax related information to commit identity theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive.  The email is sent to an employee in the Human Resources or Payroll departments, requesting a list of employees and their Forms W-2.  The IRS reports that the phony email may also request the names and social security numbers of employees with their addresses and dates of birth.  Because the email is disguised to appear to come from an internal address, an HR or Payroll employee who replies with the requested information will in fact be sending it outside the organization to a cybercriminal.  The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that employees’ confidential tax related information be sent by email only when there is complete confidence that the intended recipient is within the organization and has actually requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Form W-2s and tax related information.  One simple protective measure is to require a phone call confirmation, made to a known number rather than one supplied in the email, before the information is sent.  As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel related PII and provide workforce training to protect against data breaches and fraudulent schemes.  In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies providing for use of encryption when sending personnel related PII by email.  The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well thought out strategy is the best defense.
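The verification step described above can be partly automated at the mail gateway or in a Payroll mailbox rule. The following is an added example, not from the IRS alert or the original post, that checks the two header tricks the alert describes: a display name matching an executive while the actual sending address is not on the organization’s domain, and a Reply-To header that routes the reply (and with it the W-2 data) outside the organization. The organization domain, the executive list, the keyword list and the sample messages are all constructed for the example.

```python
"""Flag inbound mail that impersonates an internal executive to request W-2 data.

Added example, not code from the IRS alert or the original post. All names,
domains and sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example-corp.com"          # assumption: the employer's mail domain
EXECUTIVES = {"jane doe", "john smith"}  # assumption: names an attacker would spoof
PII_TERMS = ("w-2", "w2", "social security", "ssn", "date of birth", "dates of birth")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if the address is malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_w2_phish(raw_message):
    """Return the header red flags found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    flags = []

    # Trick 1: executive's name in the display part, but the address is external
    # (often a look-alike domain such as example-corp.co instead of example-corp.com).
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.append(f"display name {from_name!r} but sender domain {from_dom!r}")

    # Trick 2: From looks internal, but Reply-To sends the answer somewhere else.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_dom = _domain(reply_addr)
        if reply_dom and reply_dom != ORG_DOMAIN:
            flags.append(f"Reply-To routes outside the organization: {reply_addr}")
    return flags


def requests_pii(raw_message):
    """True if subject or body asks for W-2 / SSN style data, regardless of sender."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True) or b""          # None for multipart messages
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    return any(term in text for term in PII_TERMS)


# Constructed sample messages (not real mail).
LOOKALIKE_DOMAIN = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.office@mail-example.net
To: payroll@example-corp.com
Subject: Urgent - W-2 list needed

Kindly send me the W-2 forms for all employees with SSN and dates of birth by end of day.
"""

SPOOFED_FROM_EXTERNAL_REPLY = """From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jane.doe@webmail-example.net
To: hr@example-corp.com
Subject: Employee list

Please reply with names and social security numbers of all staff.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Q1 headcount

Please send the Q1 headcount report when it is ready.
"""


def triage(raw_message):
    """Policy decision: quarantine on header flags, require voice confirmation for PII."""
    if assess_w2_phish(raw_message):
        return "quarantine"
    if requests_pii(raw_message):
        return "confirm by phone before sending"
    return "deliver"


if __name__ == "__main__":
    for label, sample in [("look-alike domain", LOOKALIKE_DOMAIN),
                          ("external Reply-To", SPOOFED_FROM_EXTERNAL_REPLY),
                          ("legitimate", LEGITIMATE)]:
        print(label, "->", triage(sample), assess_w2_phish(sample))
```

Note that a request for W-2 or SSN data from a genuinely internal address is still routed to “confirm by phone”: the header checks catch the two spoofing patterns the alert describes, but a compromised internal mailbox would pass them, which is why the policy requires an out-of-band confirmation for any such request.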

For years, companies have been struggling to understand the multitude of locations where their data resides. From traditional employment files with embedded Social Security numbers, to new-age hiring software with videos of job applicants, and enterprise software used to facilitate employee communications, controlling employee, customer, and corporate data is, to say the least, a logistical challenge. One of the newest entries into the mix is the increased use of ShadowIT and cloud-based storage systems.

ShadowIT involves workers’ use of unsanctioned products and applications to perform the work of the business enterprise. In other words, ShadowIT occurs when employees use their personal emails and applications, such as a cloud-based storage system, instead of company-approved solutions. According to a recent survey, about one-third of IT use is considered ShadowIT. Whether responding to a subpoena in a wage and hour dispute, attempting to safeguard precious corporate secrets, or analyzing the extent of a data breach, a company’s failure to understand the scope and location of ShadowIT data could be problematic. Companies should have policies in place regarding employees’ (and other workers’) use of unapproved applications, but there should also be an understanding that a policy is not a panacea.

For data storage, recent studies show that most organizations are using over 1,000 cloud-based services. Indeed, one such study found that an average organization had 1,154 cloud services in use. This large number demonstrates that companies must manage the sheer volume of data in the cloud or potentially be exposed to liability.

Companies must also think about physical storage: when a laptop or a phone is stolen, control over the data on that device is suddenly lost. One leaked file, for example, could require a company to send a data breach notification to millions of customers in California alone, an exposure magnified by the varying notification laws of the other states. No overall system is perfect for this task, and the idea that company data can be completely controlled may be an illusory one, but there are important issues for companies to consider and sensible steps that they should take to safeguard data, including the following:

  • Survey ShadowIT Usage. Companies should consider conducting anonymous data audit surveys of employees to find out what other applications or products employees are using to perform their jobs. The company can then review its IT department to determine if it lacks the functionality for a certain program or if the problem of unsanctioned product use is simply a result of a lack of employee education as to the sanctioned products available to employees.
  • Manage ShadowIT Usage. Employees using ShadowIT or unsanctioned products create control risks for companies, and employers may consider disciplining employees for not following corporate policies on approved applications. On the other hand, having draconian disciplinary measures in an effort to maintain control over data will not necessarily stop ShadowIT use but may force it deeper undercover. Discipline could also have an adverse impact on employee engagement and retention.
  • Consider “Amnesty.” Companies should consider whether it makes sense to implement a time-limited policy, whereby employees can bring their unapproved software or application to the IT department to see if the program can be moved onto an approved list from the corporation, without the threat of discipline or sanction.
  • Review Vendor Contracts. Companies should review their contracts with vendors for approved cloud-based products and software. This may include auditing other cloud-based companies where data is stored to ensure that the company is adhering to best practices of network security. The contracts should contain data breach notification clauses, as well as indemnification agreements, when possible.
  • Train Workforce. Frequently, employees are the “weak link” in data control efforts, as they are often the entry point for a breach of a company’s network. Training employees about how to spot phishing emails and protect intellectual property can go a long way toward mitigating that risk.

Technology is constantly evolving such that there will always be a new product or service that could potentially be a benefit to employee productivity. A ShadowIT survey, while helpful, is only a look back in time. Companies need a way to address ShadowIT use as it evolves going forward. A company prohibition on ShadowIT without some method for employees to submit new products for consideration without fear of reprisal keeps the company in the dark about its data. Companies must also be mindful of cloud-based providers’ security protocols and the likelihood that a third party could accidentally let sensitive data out into the public domain.

A version of this article originally appeared in the Take 5 newsletter “Five Trending Challenges Facing Employers in the Technology, Media, and Telecommunications Industry.”

Employers in the technology, media and telecommunications industry are faced with many workplace management and legal compliance challenges.  Among these are trends in the shared economy and rise of the contingent workforce, data privacy and security, and use of social media in connection with recruitment, employee monitoring and termination.  At the recent Epstein Becker Green 34th Annual Workforce Management Briefing held at the New York Hilton, members of the firm’s TMT Group including the authors of this post, along with in-house counsel speakers Rebecca Clar of AOL and Blake Reese of Google, provided a panel workshop on these hot-button issues.  Some of the key take-aways from the workshop include:

Shared Economy & Contingent Workforce

As a result of changes in the post-recession, global economy, there has been a tremendous change in how goods and services are delivered and how consumers acquire these goods and services.  As businesses try to meet these demands and save costs associated with full time employees, they have implemented many alternative work arrangements and hired workers through various means including as independent contractors,  through staffing arrangements, or temporary solutions.  Many workers also have become attracted to the flexibility that these work arrangements can provide to them.  However, employers need to be mindful of the potential pitfalls associated with the contingent workforce and take requisite steps to avoid legal risks:

  • Worker misclassifications can lead to back pay, overtime, tax, unemployment insurance, and workers compensation violations as well as employee benefit plan eligibility and coverage errors.  Ensuring that workers are properly classified is mission critical and employers should self-audit their work arrangements and benefit plans periodically for compliance.
  • The NLRB’s decision in Browning-Ferris, coupled with new “quickie” election rules and the Silicon Valley Rising movement, have made for a perfect storm of issues.  As a result, TMT employers whose workforces are not currently represented by a labor organization should be mindful that non-traditional workplaces and corporations, such as new media, may be targeted for unionization, and/or may be brought to the bargaining table as a joint employer that engages third-party workers.
  • Given the developments at the Department of Labor, and in particular the proposed increase in the minimum annual salary required to meet the salary basis test of the white collar exemptions, there has never been a more opportune time to conduct a self-assessment audit in conjunction with counsel.

Data Privacy and Security

In the global, digital world, data privacy and security is top of mind for all organizations and their leaders.  Protecting organizational data, as well as that of employees, is imperative and development of data privacy and security policies will become the norm. The issues employers should address in their policies, as well as the ways in which they do business, include:

  • Conduct a self-audit of organizational networks and systems for security vulnerabilities and train workers on information security best practices
  • Establish audit procedures of vendors engaged to provide services to the organization and any employee benefit plan, especially where the vendor stores information in the cloud or remote data centers
  • Address data privacy and security issues in service agreements including notification procedures and indemnification provisions
  • Develop a breach response plan
  • Obtain cybersecurity insurance
  • Remember:  data privacy and security are no longer just CIO/CTO/IT issues – instead, these are topics that are increasingly becoming relevant in the employment law and employee benefits space.

Social Media and the Workplace

The use of social media by employers to review background information of prospective employees in the recruitment process, as well as ongoing activities during the employment or leading up to a termination process is highly prevalent.  It is easy for employers to search an employee’s name, background and activities on the internet but, how that information is used can have legal implications.  Employers should be mindful of the following:

  • Always rely on objective criteria set forth in a job description before conducting an online search, and keep the information gathered within the recruitment team at the organization
  • Carefully document reasons for all hiring (and termination) decisions that are consistent with the job description and avoid discriminatory decision making
  • Consider separating the search and decision making functions, and train the employees who conduct searches to remove protected-category information from the summary of results on which the hiring decision is made
  • Develop a company social media policy with counsel that is narrowly tailored to survive NLRB scrutiny, but that safeguards the company’s confidential information and trade secrets.
  • Employers can continue to discipline employees for their social media activities, provided that the objectionable conduct does not implicate Section 7 activity – a facts and circumstances based analysis whose outcome may be counterintuitive to HR and in-house personnel.

Employers that address these issues head-on will be able to benefit from the advent of new technologies in the workplace and stay in compliance with applicable laws.


34th Annual Workforce Management Briefing

When:  Thursday, October 15, 2015    8:00 a.m. – 3:00 p.m.

Where:  New York Hilton Midtown, 1335 Avenue of the Americas, New York, NY 10019

This year, Epstein Becker Green’s Annual Workforce Management Briefing focuses on the latest developments that impact employers nationwide, featuring senior officials from the U.S. Department of Labor and the Equal Employment Opportunity Commission. We will also take a close look at the 25th anniversary of the Americans with Disabilities Act and its growing impact on the workplace.

In addition, we are excited to welcome our keynote speaker Neil Cavuto, Senior Vice President, Managing Editor, and Anchor for both FOX News Channel and FOX Business Network.

Our industry-focused breakout sessions will feature panels composed of Epstein Becker Green attorneys and senior executives from major companies, discussing issues that keep employers awake at night.  From the latest National Labor Relations Board developments to data privacy and security concerns, each workshop will offer insight on how to mitigate risk and avoid costly litigation.

View the full briefing agenda here. Contact Kiirsten Lederer or Elizabeth Gannon for more information and to register.   Seats are limited.