Defending The Digital Workplace


Posts Tagged ‘Information Protection’

Facebook Firing Ends in Settlement with NLRB

The National Labor Relations Board (NLRB) announced that it had reached a settlement in a case involving an employee’s discharge for posting negative comments about a supervisor on the employee’s Facebook page. Click here for the NLRB’s press release.

In sum, the NLRB had issued a complaint against American Medical Response of Connecticut, Inc., on October 27, 2010, alleging that the discharge violated federal labor law (the National Labor Relations Act or “NLRA”) because the employee was engaged in “protected activity” when she posted the comments about her supervisor and responded to further comments from her co-workers.

Under the National Labor Relations Act, employees have a federally protected right to form unions, and the Act prohibits employers from punishing workers — whether union or non-union — for discussing working conditions or unionization.

The NLRB complaint also alleged that the company maintained overly broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. This policy prohibited employees from making disparaging remarks about the company or depicting it online without permission. Further, the NLRB alleged that AMR (the employer) had illegally denied union representation to the employee during an investigatory interview shortly before the employee posted the negative comments on her Facebook page.

Under the terms of the approved settlement, the company agreed to revise its social media policy to ensure that the rules do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions. The allegations involving the employee’s discharge were resolved through a separate, private agreement between the employee and the company.

The Take Away for Employers

This had been the first case in which the NLRB sought to argue that workers’ criticisms of their bosses or companies on a social networking site constituted protected activity under the NLRA and that employers would be violating the NLRA by punishing workers for making statements in the context of social media. Accordingly, employers likely would have welcomed guidance from the NLRB as to how the 75-year-old NLRA would be reconciled with the technological realities of how employees communicate in the age of social media.

For example, the employee involved in the NLRB’s complaint, Dawnmarie Souza, at one point mocked her supervisor on Facebook, using several vulgarities to ridicule him. This eventually drew supportive responses from her co-workers that led to further negative comments about the supervisor. Where a Facebook conversation involves several co-workers, it is more likely to be viewed as “concerted protected activity.” But what if, instead, Ms. Souza had simply lashed out in a negative post against a supervisor and no co-workers joined in the discussion (not even a single “like,” in Facebook terminology)? Would that type of comment, in the absence of “co-worker discussion,” still be considered protected?

In any event, from a strategic perspective, employers should appreciate that this issue will be resolved another day, perhaps under a less “labor friendly” NLRB.

The clear take-away, however, is that the NLRB’s original complaint and this settlement signal that the NLRB intends to protect employees’ rights to discuss the conditions of their employment with co-workers, irrespective of whether this discussion takes place at the water cooler or on Facebook.

Accordingly, it is critical for employers – regardless of whether your workforce is unionized or not – to review your Internet and social media policies to determine whether they would be subject to a similar attack by the NLRB on the ground that the policy “reasonably tends to chill employees” in the exercise of their rights under the NLRA to discuss wages, working conditions and unionization. Areas to consider include:

  • Does the social media policy expressly restrict protected activity;
  • Would an employee construe the social media policy as prohibiting protected activity;
  • Has the social media policy been used to discipline employees who engaged in protected activity; and
  • Was the policy put into place in response to concerted or protected activity.

None of this should be taken as legal advice, but it is good advice. And we would welcome the opportunity to offer our insight as to what policies should and should not say, and strategies for managing the unique risks found at the intersection of social media and employment and labor law.


Adding to your Business Toolbox: A Roundup of Resources for Business Organizations

A number of resources are available at that are relevant to starting or improving your business operations. In addition to those resources, the following links also provide information worth checking out:

  1. Entrepreneur: How to Protect Remote Employees’ PCs from Security Threats
  2. Federal Trade Commission: Revised Endorsement Guides for businesses & bloggers (regulations applicable to testimonials and endorsements)
  3. Entrepreneur: Google Apps for Your Business: The Good, the Bad and the Ugly
  4. Hennessey Capital, by Joe Romeo: Business Plan Basics
  5. Mashable – Business: 5 Small Biz Web Design Trends to Watch
  6. Entrepreneur: Big Marketing Stunts, Small-Business Style
  7. Business Model Alchemist a/k/a Alexander Osterwalder a/k/a genius (ok, this might be more personal commentary than fact. Although, based on Mr. Osterwalder’s work, genius status should not be ruled out): Combining Business Model Prototyping, Customer Development, and Social Entrepreneurship
  8. Mashable – Business: 4 Lessons Small Businesses Can Learn from Apple’s Antennagate

Internet Privacy to be Examined by Commerce Department

U.S. Commerce Secretary Gary Locke announced the launch of an initiative designed to gather public input and review the nexus between privacy policy and innovation with respect to the Internet. Additionally, Mr. Locke announced the formation of a Department of Commerce-wide Internet Policy Task Force to identify leading public policy and operational issues impacting the U.S. private sector’s ability to realize the potential for economic growth and job creation through the Internet. Click here for the full press release.

Mr. Locke explained that the motivation for this initiative is “[b]ecause of the vital role the Internet plays in driving innovation throughout the economy, the Department has made it a top priority to ensure that the Internet remains open for innovation while promoting an environment respectful of individual privacy expectations.”

Further, the Commerce Department is seeking public comment from all Internet stakeholders through a Notice of Inquiry (NOI) published in the Federal Register. One question the Department seeks to answer is “whether current privacy laws serve consumer interests and fundamental democratic values.”

Please contact me about offering insight on this topic or joining in the submission of a comment pursuant to the NOI. Your suggestions would be greatly appreciated. Thanks.

What your Company Should Know when it comes to Cyber Attacks

Concerns that U.S. business organizations are losing the digital arms race, a/k/a cyber-warfare, are widely reported. Among those raising concerns is Amit Yoran. He was appointed director of the US-CERT and National Cyber Security Division of the Department of Homeland Security, and also acted as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. He is presently the CEO of NetWitness and serves as a commissioner on the CSIS Commission on Cyber Security for the 44th Presidency and numerous other industry advisory bodies. In short, this guy might know a thing or two about the digital challenges U.S. business organizations are facing and what can be done.

And in fact, Mr. Yoran was interviewed by about these subjects and provided insight as to what steps business organizations can take to, at least, minimize the chance of being on the losing side of the cyber-war. Click here to be taken to the video clip. It is short but informative.

Cybercrime – FBI Reports Increase in Complaints & Losses for 2009.

As if your organization didn’t have enough to worry about – the FBI reported that cyber-crime is on the rise (click here for a post at InsideCounsel). The full report is available here.

Among the cyber-crime victims coming forward is a law firm that filed suit against the Chinese government (click here for the full story from Wired’s Threat Level). In fact, the Wired article notes that “If you’re a law firm and you’re doing business in places like China, it’s so probable you’re compromised and it’s very probable there’s not much you can do about it.” The types of threats that such law firms and other companies face are called Advanced Persistent Threats (APT). APT attacks are distinctive in that they are rarely detected by antivirus and intrusion detection programs. Further, these attacks are espionage focused. In other words, APT hackers attempt to take business intelligence, e.g., files, e-mails, etc., rather than financial or customer data, which serves as a precursor for identity theft. For an in-depth, yet very readable, discussion of APT attacks, click here (also a Dark Reading post).

Equally dangerous as APT hackers or other cyber-criminals is the current or former rogue employee. For example, a federal grand jury recently indicted a former employee of the Transportation Security Administration (TSA) for trying to corrupt a database of terrorism suspects in an inside job that many within the information security industry say is a stark reminder of how important it is to track insider access to sensitive data stores (click here for the full story, originally posted at Dark Reading).

The preceding FBI report and stories illustrate that business organizations should assume that an attempt will be made to compromise their IT infrastructure. I’ve talked with various IT security professionals about what the appropriate steps are to prevent APT or other cyber-attacks. Unfortunately, the general and unsatisfying response has been to the effect that if someone wants in badly enough and has the resources, they will get into your network. The sophistication and resources of some of the high-profile cyber-victims (Google, Marathon Oil, ExxonMobil, and ConocoPhillips, to name a few) would seem to confirm this conclusion.

And many remedies available to business organizations are only available after the fact (click here for a prior post discussing theft of business assets and the Computer Fraud and Abuse Act). But when it comes to discharging employees, low-tech and common sense go a long way in preventing near disasters like that allegedly committed by the former TSA employee: make sure your termination process first removes all access to sensitive information, databases, e-mail, etc., and then terminates the individual – not the other way around. Such steps are especially important when the employee has administrative rights to the IT infrastructure.

Another Reason for Employers to be Wary of Social Media – Unfair and Deceptive Acts

The concerns employers face over the use of social media – e.g., blogs, Facebook, MySpace, etc. – have been widely discussed, including here and here. The Federal Trade Commission (FTC) has recently added to those concerns. Specifically, the FTC updated its guidelines about protecting consumers from misleading endorsements and advertising. Under these guidelines an employer may face liability over an employee’s endorsements of the employer’s products or services on social media websites. Further, liability may exist even where the employer did not authorize or approve the employee’s remarks.

An Overview of the Guidelines

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising (16 C.F.R. Part 255) (the “Guidelines”) address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce — to the use of endorsements and testimonials in advertising. An endorsement or testimonial subject to these guidelines is one “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser.” Crystal clear for all, right? Further, the Guidelines require employees endorsing their employer’s products or services to disclose their relationship to the employer when they give an endorsement or testimonial.

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer (e.g., Facebook, MySpace) or the employee (bulletin boards) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”). See example No. 8 under 16 C.F.R. 255.5. And failing to make the required disclosure may expose the employer to liability under the Act. For example, the FTC may bring an enforcement action against an employer if an employee makes a misleading statement about the employer’s products and services that results in injury to consumers. Additionally, if I’m an employer, I would be losing sleep over the preceding example because postings on blogs, MySpace, and Facebook pages may quickly reach wide audiences and, therefore, create the risk of large-scale liability like class-action litigation.

While not the focus of this post, bloggers should also consider how the Guidelines may apply to their posts. For example, the Guidelines apply to any endorsement of products or services. And any kind of “material connection” between an endorser (like a blogger) and an advertiser must be disclosed to the consumer, e.g., cash payments, free samples, or other benefits to the endorser from the promoter. This is not an endorsement, and even if it was (read with slight sarcasm) I have not received any benefit in connection with writing this post or referencing the following post, and I have no material connection to the brands, products, or services offered by the following post. With that smooth and beautiful literature out of the way, a post bloggers may want to review is provided by Michael Hyatt (click here) (again – just a suggestion that you may or may not want to follow, and not an endorsement).

The Take Away for Employers

The take-away for employers is to add another item to the “Things that Keep Me Up at Night” list, followed by a note to consider reviewing the company’s technology policies with an eye towards:

  1. Determining if you have a policy. You may not. But you should. And if your company has a policy, what does it say about how the company’s name, trademarks, and other proprietary information may be used (if at all) in blogs and other social media;
  2. Whether the policies include either prohibitions or proper guidance about references to company products or services. Such prohibitions and guidance should go beyond addressing just criticisms of the employer and its products and services;
  3. If endorsements are permitted, employees must understand (and document this understanding) that any endorsement must be limited to truthful and verifiable statements;
  4. Whether employees should be required (probably a good idea) to obtain prior approval by management of any proposed endorsement; and
  5. A requirement that an employee’s statement of endorsement is accompanied by a written disclosure that the employee is not authorized to make statements on behalf of the employer and a disclosure of the employment relationship so that consumers can weigh the testimonial. This statement should be drafted by the company and made readily available to employees.

Additionally, don’t forget to review your marketing contracts. In light of the widespread adoption of “Word of Mouth Advertising” (there is even a trade group for Word of Mouth Advertising, click here) in the Web 2.0 World (I lost track, but I think we are still on 2.0 … right???) companies should also review their contracts with any marketing professionals. This is because such advertising depends upon leveraging social networks in making a product or service go “viral.” Thus, in addition to assessing company employment policies, companies will want to make sure that their marketing contracts properly address compliance with the FTC’s Guidelines (this is a polite way of saying, make sure your marketing firm is going to defend you or reimburse you if you get sued because of an endorsement. After you do this, make sure the marketing firm has the finances/insurance to cover your defense tab – If you can’t avoid risks, make sure someone else has to cover the bill).

Feel free to contact me with questions about this post, about how your company is responding to the FTC’s Guidelines or leveraging social media in general, or about exorbitantly paying me to endorse your products or services, which I’m not above doing if the price and FTC language is right. I’m just kiddin’, but seriously, I’m not (a little hat tip to Dodgeball).

Information Security — Where is the App for That? And Why Business Organizations Should Care

Smart phones such as the iPhone, BlackBerry, and other devices are as standard in today’s business organizations as business cards. But this standard creates an increasingly problematic security threat for business organizations.

This point was highlighted this past October with the release of mobile-phone software that allows someone to eavesdrop on the user’s conversations. This program, called PhoneSnoop, can be secretly downloaded to a BlackBerry (company issued or otherwise), and the microphone can then be remotely activated, allowing one to listen to conversations held in proximity to the device.

In another example, a computer game developer (Storm8) was sued for violation of the Computer Fraud and Abuse Act for allegedly collecting personal data through an iPhone app. The class action litigation alleges that Storm8’s app stole users’ phone numbers. It is reported (click here) that Storm8 admits to collecting the numbers, but says the collection was inadvertent due to a glitch in the source code.

For more information on the security threats posed by smart phones, click here for a BusinessWeek article by Olga Kharif, “Smartphones: A Bigger Target for Security Threats.” Also, a “must read” for any business professional using the iPhone is an excellent post, “iPhone Security? A Complete Misnomer,” which may be found here. This post highlights significant iPhone vulnerabilities that can result in major harm to the business organization.

Why Care About Information Security?

So why should business organizations care about the quality of their information security practices? Setting aside bad publicity and loss of customer goodwill, there are a number of legal reasons to care about such practices.

First, for organizations in certain business sectors the short answer is because you are required to care. The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 to reform the banking industry and has various provisions concerning information protection. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) governs the protection of medical information. The Sarbanes-Oxley Act applies to publicly traded companies and may require effective security controls to be implemented. Also, the Fair and Accurate Credit Transactions Act (FACTA), which amended the Fair Credit Reporting Act (FCRA), requires “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to “properly dispose of such information or compilation.”

Second, there are also at least 45 reasons why business organizations not subject to the preceding federal statutes must be concerned about information security. This is the number of states with breach notification laws on the books that impose (potentially costly) notice requirements on companies that experience security breaches, together with additional potential liabilities for non-compliance.

Third, even if your business is not subject to the preceding state and federal regulations, chances are it is subject to Federal Trade Commission oversight. Specifically, the Federal Trade Commission Act (the FTC Act), 15 U.S.C. § 45(a)(1), states that “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” Under the provisions of the FTC Act, the FTC can take action against businesses that either: (a) publicly promise to keep sensitive personal information secure and confidential and then suffer a security breach; or (b) fail to implement reasonable and appropriate controls to secure sensitive personal information. Further, the FTC has promulgated its “Red Flags” rule, which addresses identity theft under the Fair and Accurate Credit Transactions Act of 2003. These rules, which were originally to take effect May 1, 2009, have been delayed (several times now) and are scheduled to go into effect June 1, 2010 … seriously … just trust the government … this time they will go into effect.

Fourth, in addition to statutory and regulatory sources of liability for mismanagement of information security, liability may be based on a breach of contract theory (make sure you know what you’re signing and what you are agreeing to).

Fifth, liability may also arise under a theory that the business organization was negligent in failing to secure sensitive information or information systems. See, for example, a 2005 Michigan Court of Appeals case, Bell v. Mich. Council, which held that a union had a special relationship with its members giving rise to a duty to safeguard personal data that the members entrusted to the union. Among the distinguishing facts cited by the court in finding a duty-imposing relationship were the union’s obligation to act in the best interests of its members, the foreseeability (under the circumstances) of theft and misuse of the data, and the union’s lack of safeguards to prevent unauthorized access to members’ personal data.

Steps towards Protecting Information

Information security is rapidly emerging as a “mission critical” component for business organizations. This is because virtually all of a company’s daily transactions and all of its key records are created, used, communicated, and stored in electronic form using networked computer technology. In other words, business organizations are, quite literally, completely dependent upon information technology and an interconnected information infrastructure. While this has provided organizations with tremendous economic benefits, e.g., reduced costs and increased productivity, it also creates a legal and public relations time-bomb for organizations that ignore information security.

Unfortunately, there is not a “silver bullet” app for responding to these challenges. But based on experience in working with business professionals, there are steps that should be considered. While far from the “Gospel,” the following measures should be evaluated because they concern the two biggest sources of security risk that I address on a regular basis:

  1. Laptops and portable storage devices routinely create information security risks for organizations. Accordingly, in addition to passwords (which may be – at best – a speed bump for cyber thieves), consider encryption software. A great open-source (and free) application is TrueCrypt, which creates a virtual encrypted disk within a file and mounts it as a real disk, and can encrypt an entire partition or storage device such as a USB flash drive or hard drive; and
  2. Home computers used to access work may not have the appropriate protections, e.g., the firewall or virus protection necessary to safeguard information. Additionally, information may be accessible by spouses and children (and, if teenagers, their friends). Accordingly, it is critical for employees with home access to work information to appreciate the risks and expectations for protecting company/consumer information. Also, it is important for employers to be prepared to step in if such information may be compromised or otherwise exposed due to litigation involving the employee. For example, it is a common scenario for an employee to be involved in a divorce or some other litigation. In such circumstances, the other side will commonly request access to a company-provided laptop, BlackBerry or related devices. Thus, it is a good practice to require employees to immediately notify their employers of any incident that may compromise the business organization’s information.

For additional information security resources, click here (FTC Resources) or feel free to contact me to discuss what steps can be taken to decrease the risks and liabilities your business organization faces.