On April 24, 2018, the Securities Exchange Commission (SEC) announced a $35 million fine against the company formerly known as Yahoo! Inc. (now known as Altaba, Inc.) for failing to disclose a massive cyber data breach to its investors for nearly two years. This is the first time the SEC has punished a company for such conduct.
The average internet user may be largely unaware that there are actually different “levels” of the internet. First, there is the surface level of the internet where companies post their webpages, and where employees may browse the news, shopping options, and Facebook. The surface level means that the internet is indexed, and can be accessed using a search engine such as Google. There is also the Deep Web, which means that the web pages cannot be accessed by a search engine because they are not indexed. In other words, you would not be able to search for or stumble upon these websites. Instead, you’d only be able to access them if you knew their exact web address. What may surprise people is that most of the internet today is actually considered part of the Deep Web. Next, there is the Dark Web, whose very name sounds a bit ominous. The Dark Web is a part of the Deep Web, but it also requires special browsers, such as TOR, and configurations in order to access it. The primary goal of the Dark Web is to maintain privacy and anonymity. While some may use this area for perfectly legitimate purposes, such as a journalist speaking to a source in private, not surprisingly, this setting can also be exploited for illegal purposes, such as drug and human trafficking and child pornography.
Our firm is now helping a client with damage control and data recovery upon discovering – a week after their former Chief Technology Officer (CTO) had resigned but six months after he’d been demoted to a lesser role -- that the CTO had created a back door for himself to the client’s servers and had spent those last six months of his employment accessing, downloading and storing emails of the client’s top executives, and its most important vendors.
Many of us have become comfortable with the convenience of logging into our laptops or smartphones using a fingerprint scan in lieu of remembering yet another password. We are familiar with television and movie portrayals of retina scans being required for access to top secret laboratories or other secure buildings and rooms. This kind of technology, however, is no longer the stuff of science fiction. Businesses are increasingly using biometric data (i.e., measurements of a person’s physical being) for a variety of identification purposes, such as to provide security for the financial transactions of their customers and for the tracking of work hours of their employees.
The EU’s General Data Protective Regulation (“GDPR”) has been a popular topic of late. Fisher Phillips’ Employment Privacy Blog has covered the evolution of this regulation, starting with the roll back of the previous “safe harbor” regime, as well as providing updates to GDPR compliance standards, and training recommendations.
It is tax season once again, and with it comes an increased threat of phishing scams targeting human resources and payroll personnel. In 2016, the IRS alerted employers to a then-emerging email phishing scheme in which messages purporting to come from company executives requested the release of personal information relating to employees, including W-2 tax forms. Since then, the scam has evolved into a significant threat facing employers in multiple industries, from small and large businesses to public schools and universities, hospitals, tribal governments and charities. According to the IRS, in 2017 alone, more than 200 employers reported falling victim to the scam, with hundreds of thousands of employees impacted.
As we are early into the new year, for many, hope springs eternal to get in shape during 2018. Many of us wear some kind of fitness activity tracker that monitors steps, heart rate, calories, sleep patterns, etc. Recent news coverage of Strava, the running and cycling fitness tracking app, has caused concern for the United States military. But might it cause concerns for some businesses that operate under high levels of security, as well?
The EU’s General Data Protective Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.
A bi-partisan privacy and data security bill, which will significantly impact companies with North Carolina employees, is in the works. North Carolina State Representative Jason Saine (R), Appropriations Chairman of Information Technology, has joined with North Carolina Attorney General Josh Stein (D) to strengthen protections against identity theft in North Carolina. The unique pair are co-authoring a bill titled, “The Act to Strengthen Identity Theft Protections” (the “Bill”). Through the Bill, the authors desire to provide stronger protections, while at the same time avoid hampering innovation in the private sector.
Continuing a trend in the last few years, in 2017, eight states amended their security breach notification laws to expand definitions of “personal information”, specify the timeframe in which notification must be provided, and require businesses to implement adequate security practices to protect personal information in their possession, among other things. New Mexico also enacted a data breach notification statute of its own, leaving only two states without specific legislation relating to data breach notification requirements. A summary of the highlights of the new law and other amendments enacted in 2017 follows: