By now, we are all too familiar with the issues and pitfalls associated with cybersecurity breaches in a multitude of industries. Consider Equifax, Home Depot, Yahoo or Target, to name a few. Those well-publicized incidents overwhelmingly concerned customer and/or consumer privacy invasions, but touched barely, if at all, on whether those breaches compromised employees’ private information, or whether those companies should have done more to protect not only their customers’ information, but their employees’ as well. Should this be of concern and if so, what should employers be doing about it?
On January 25, 2019, the Illinois State Supreme Court ruled that the state’s Biometric Information Privacy Act (BIPA) only requires individuals to show violation of the law to bring suit. Businesses with a presence in Illinois that gather “biometric identifiers”, which include a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, are now at a greater risk of liability if they do not follow legally required procedures for such data collected or stored in the state. BIPA’s applicability at the federal level remains to be seen, but similar laws are being considered throughout the states, raising potential liability for employers elsewhere.
For several years now, we’ve been alerting employers about the dangers of phishing scams that attempt to obtain private and personal information from employers. See some of our previous posts here, here, here, and here. Many of these scams rear their ugly heads around tax season, with attacks targeting human resources staff and payroll personnel in particular.
While parts of the Government continue to be shut down over concerns about people crossing the border from Mexico into the United States, the cyber borders are at risk. Many government websites are not being monitored or maintained for security. Several websites have been rendered unsecured or inaccessible during the shutdown.
Data breach liability for Pennsylvania employers of all sizes expanded with a recent Pennsylvania Supreme Court decision in Dittman v. UPMC, __ A.3d __, No. 43 WAP 2017, 2018 WL 6072199 (Pa. 2018). The Pennsylvania Supreme Court has reformed two legal principles that have protected employers against liability when they find themselves victims of third-party hackers. In the wake of the Dittman decision, Pennsylvania employers – of all sizes – can no longer sit idle and should heed the opinion as a strong warning to review, assess, and revamp the adequacy (or inadequacy) of their data security protections, policies, and procedures.
Companies are increasingly faced with class actions for alleged violations of one of the “big three”—the Telephone Consumer Protection Act (TCPA), Fair Debt Collection Practices Act (FDCPA), or the Fair Credit Reporting Act (FCRA). Although several thousand of these claims are filed each year, FCRA claims related to background checks are the only category that has grown since last year.
Most attorneys are well aware of statutory obligations that require private and governmental entities to notify individuals of data breaches that involve the loss or disclosure of personally identifiable information. An area that may be less clear, however, is what ethical obligations attorneys have to guard against data breaches involving client information and what steps attorneys must take when a data breach occurs.
Our client, we’ll call them Company X, provides installation, connection, upgrades and repairs for one of the country’s largest providers of residential and commercial television, telephone and Internet service. We’ll call their customer Company Y. Pursuant to their contractual agreement, our client (Company X) retained a third-party vendor to conduct civil and criminal background checks on job applicants. However, in the last year Company Y was purchased by Company Z, an even larger provider of television, telephone and Internet services. Company Z requires our client to utilize a different third-party vendor for conducting background checks.
This summer, several automakers, including Tesla, Toyota, General Motors, Ford, and Volkswagen learned that their closely held trade secrets were readily available on the internet. The source? An unprotected back-up server. The rub? The server did not belong to any of the car manufacturers. Instead, the server belonged to a vendor of industrial automation services, Level One Robotics and Control (“Level One”), who had performed work for each of the manufacturers.
On July 13, 2018, over 50 civil liberties groups, technology companies and associations submitted a joint letter to Congress in support of the Email Privacy Act (EPA), which was recently included in the House-passed version of the National Defense Authorization Act (NDAA) for Fiscal Year 2019. The list of signatories included such tech giants as Google, Facebook, Amazon, Dropbox, Cisco Systems and Adobe. The EPA, if passed, would amend the Electronic Communications Privacy Act (ECPA) by requiring law enforcement and other government agencies to obtain a search warrant, based upon a showing of probable cause, before seizing emails, texts, and other information stored in the cloud. The EPA has been proposed, yet failed to pass, in prior legislative sessions, but proponents of the bill are hopeful that the time is right for these privacy protections to be put into place.