We use social media all the time. Make it a point during the day to notice how often you see a friend or colleague checking a Facebook update or sending a tweet (or giving you a three-star rating on the new Peeple app). People are on social media all day: on the phone at a bus stop, in class during a lecture, killing time before a meeting, and sometimes even on a computer in the office. Indeed, the office water-cooler talk has effectively been replaced with the office Instagram page. Some businesses even have their own social media page as an attempt to grow business and connect with a larger market share. Other businesses routinely use social media for research, recruiting, and facilitation of multi-office workplaces. But with the many benefits social media can provide, employers must be incredibly careful when navigating the web of laws that could impact social media privacy during workplace investigations.
Social media, for all of its benefits, provides employees additional ways to engage in inappropriate conduct. An employee may contribute to a hostile work environment if he or she posts a discriminatory statement, racial slur, or sexual innuendo directed at a co-worker, manager, customer, or vendor. Employee postings of gossip and false statements about co-workers could create unrest in the workplace and lead to a defamation claim. Finally, because social media can broadcast to a large audience, employees could create significant legal troubles for the company by inadvertently (or in the case of a disgruntled employee, purposely) revealing proprietary or confidential information. And the consequences are not limited to just employee activities; similar activities by management can cause even more legal concerns.
Best Laid Plans. They say the devil is in the details. One might say that is most certainly the case with the recently advanced version of the Cybersecurity Information Sharing Act (“CISA”) that passed the U.S. Senate by a vote of 74-21. Indeed, many people might even say such a landslide vote indicates the bill is wanted by the American people, especially in view of the concerns tied to the seemingly endless parade of large-scale breaches at Sony, Neiman Marcus and Target. The Senate’s CISA somewhat mirrors legislation previously passed in the U.S. House. Although there are similarities in the bills, reconciliation of the two is not necessarily a slam-dunk (even though the President has said he would likely sign such a bill).
Generally speaking, the CISA is designed to help reduce the number of corporate data breaches by encouraging companies to share “cybersecurity risk” data with the Department of Homeland Security (“DHS”). Under the CISA, DHS would take any such provided information and pass it on to other law enforcement and security agencies, such as the FBI and NSA, respectively. The logical questions arise as to what cybersecurity risk information would trigger such a disclosure, what personally identifiable information (“PII”) is contained in such risk data, and how that information is being used. As with any sweeping legislative bill, there remain many questions. Many entities oppose the CISA, including companies such as Apple and Twitter. Security experts have also questioned the real value of sharing information in fulfilling the Act’s legislative intent of stopping or stemming the tide of major security breaches in the U.S. And, as you might expect, numerous privacy advocacy organizations have formally opposed the bill. So, at a minimum, it is good to see there is a healthy debate about what security is really being achieved and at what cost to privacy. In times past (see Patriot Act), such discussions were non-existent. So, going slowly here and considering all the consequences (intended and not so much) would be wise.
Data security has been a hot topic these last twelve months, with the Office of Personnel Management, Neiman Marcus, and Ashley Madison all making headlines. But there’s never been a week quite like September 27-October 3, 2015. In those seven days alone, cell phone carrier T-Mobile, investment firm Scottrade, and crowdfunding site Patreon all suffered data breaches. The breaches underscore the dangers to companies, and the steps that can be taken to guard against such breaches.
The breadth and depth of the data breaches from that week are stunning. T-Mobile’s customer data was compromised as a result of a breach of its credit processor, Experian. The names, addresses, phone numbers, and Social Security numbers of more than 15 million United States residents who applied to be T-Mobile customers between September 2013 and September 2015 were exposed. The contact information and Social Security numbers of more than 4.6 million Scottrade customers were illegally accessed. Patreon’s breach was perhaps the scariest and most surprising. At first, it appeared that “only” 2.3 million names, mailing addresses, and email addresses of its donors had been exposed. Yet just one day after the initial notification of the breach, Patreon’s entire 13.7 gigabyte database was posted online. The database included password data, donation records, and most worrying, the database’s source code.