Main Menu

Employment Privacy Blog

News, commentary, and legal updates from attorneys in the Data Security and Workplace Privacy Practice Group at Fisher Phillips.

Have you noticed recently that when you click on most websites a notice appears stating that the host uses cookies? Many are aware that on May 25, 2018 the GDPR (“Global Data Protection Regulation”) took effect.  The law applies to any person or organization that is physically located in the European Union (“EU”) and has a website, as well as any website that targets consumers in the EU. The law requires a cookie consent notice, depending on the type of cookie used by the site. Hence, the recent increase in cookie notices.

Most companies perform background checks on employees at the outset as part of the application / new hire process. A number of background check companies are now offering “continuous screening” or re-screening services as a risk management tool where background checks are performed on all employees annually or semi-annually. Continuous background checks are gaining popularity among employers. In theory, this will catch items that were missed during the new hire process as well as criminal events that have transpired since the employee was hired. This is viewed as a risk management tool to protect against employee theft, embezzlement, fraud, violence, etc.

On May 29, 2018, Governor Hickenlooper signed HB—1128 into law.  Importantly, the Bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice.  The new law, which takes effect September 1, 2018, applies to “covered entities,” (if your business maintains, owns, or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”),  also sets forth certain data security requirements, and adds requirements regarding the disposal of personal identifying information.

The California Senate narrowly passed a bill earlier this week that would allow businesses to be sued for data breaches without proof of any injury. As this bill moves to the Assembly, there is already talk among legislators about amending it to include a safe harbor provision. But will any safe harbor address opponents’ concerns?

After much anticipation, the General Data Protection Regulation (GDPR) finally went into effect on May 25, 2018. For employers, that means some enhanced employee rights, and the risk of significant penalties for non-compliance. This includes potential maximum fines of up to 4 percent of global annual revenue or 20 million euros, whichever is greater.

Tags: GDPR

SB 1121, which is making its way through the California Legislature, would allow businesses to be sued for data breaches even when no one was actually injured. This includes being sued for failing to implement and maintain reasonable security procedures as well as for failing to properly notify affected individuals of a breach of their personal information. Opponents of this bill are calling it a “job killer”.

On April 24, 2018, the Securities Exchange Commission (SEC) announced a $35 million fine against the company formerly known as Yahoo! Inc. (now known as Altaba, Inc.) for failing to disclose a massive cyber data breach to its investors for nearly two years.  This is the first time the SEC has punished a company for such conduct.

The average internet user may be largely unaware that there are actually different “levels” of the internet.  First, there is the surface level of the internet where companies post their webpages, and where employees may browse the news, shopping options, and Facebook.  The surface level means that the internet is indexed, and can be accessed using a search engine such as Google.  There is also the Deep Web, which means that the web pages cannot be accessed by a search engine because they are not indexed.  In other words, you would not be able to search for or stumble upon these websites.  Instead, you’d only be able to access them if you knew their exact web address.  What may surprise people is that most of the internet today is actually considered part of the Deep Web.  Next, there is the Dark Web, whose very name sounds a bit ominous.  The Dark Web is a part of the Deep Web, but it also requires special browsers, such as TOR, and configurations in order to access it.  The primary goal of the Dark Web is to maintain privacy and anonymity.  While some may use this area for perfectly legitimate purposes, such as a journalist speaking to a source in private, not surprisingly, this setting can also be exploited for illegal purposes, such as drug and human trafficking and child pornography. 

Our firm is now helping a client with damage control and data recovery upon discovering – a week after their former Chief Technology Officer (CTO) had resigned but six months after he’d been demoted to a lesser role -- that the CTO had created a back door for himself to the client’s servers and had spent those last six months of his employment accessing, downloading and storing emails of the client’s top executives, and its most important vendors.

Many of us have become comfortable with the convenience of logging into our laptops or smartphones using a fingerprint scan in lieu of remembering yet another password. We are familiar with television and movie portrayals of retina scans being required for access to top secret laboratories or other secure buildings and rooms. This kind of technology, however, is no longer the stuff of science fiction. Businesses are increasingly using biometric data (i.e., measurements of a person’s physical being) for a variety of identification purposes, such as to provide security for the financial transactions of their customers and for the tracking of work hours of their employees.

Tags: biometric

Recent Posts

Category List

Archives

Back to Page