For the love of the game

When fans of the Golden State Warriors downloaded the team’s new app to their Android phones, they got more than they bargained for.  While they were now able to keep up with the latest team news, their private conversations were, according to a new invasion of privacy lawsuit filed against the team by users of the app, at risk of being heard.  The app interacts with the stadium’s Signal360 beacons, which are used to send fans ads and promotions based on where they are in the stands.  The beacon signals are picked up through the phone’s microphone, even when the app is not in active use, and the suit alleges that, as a result, the user’s conversations can be continuously recorded and analyzed.  While the app requests permission to access the microphone, the lawsuit contends that the details about how the team will use that permission are vague and ambiguous.   Security Tip:  before installing any app, read the terms of use/service carefully, review the permissions it requests and whether they match what the app claims to do (a microphone permission granted once stays in force whenever the app runs, including in the background), and ask yourself whether you really need it.

http://www.law.com/sites/almstaff/2016/08/30/mic-check-suit-says-warriors-app-uses-phone-to-listen-in-on-fans/?slreturn=20160731131334

Fighting CEO Fraud with Cybersecurity Training

Corporate Spear Phishing on the Rise

Now that recipients are no longer fooled by emails seeking help for a friend stranded overseas or mugged in New York, scammers are looking for new ways to separate you from your money. And this time they are thinking big: C-suite big.  The FBI estimated that from October 2013 through December 2014, companies lost a total of $1.2 billion to CEO fraud, and it cites weak internal security measures as the number one reason for these losses.

In one instance, the director of accounting for a company in Texas wired $480,000 to an account in China because he received an email from the “CEO” directing him to do it.  The sender, however, was an individual posing as the CEO. The scammer had compromised the company’s server and spent months learning how the company worked and the relationship between the CEO and the director of accounting. He then emailed the director of accounting with what appeared to be a normal request in the ordinary course of business. Had the scammer not followed up a few weeks later with an audacious request for $18 million to be wired to the same account, the fraud might have continued unnoticed.

In another case, a magazine publisher lost $1.5 million. The company’s accounting executive sent the wire based on an email from the “CEO,” but before sending the second requested transfer he asked the CEO whether he had truly made the request, only to learn that he had not.

Because these scams are targeted (a technique known as spear phishing), the messages appear to come from trusted individuals, contain requests that look routine, and are often not caught by spam filters because they are not mass-mailed.

In addition to the standard internal controls for wire transfers that can and should be implemented, below are three practice pointers to help prevent this from happening to you and to mitigate the loss if it does.

Training

Employees need to be trained in the ways scammers operate. Typically a scammer will purchase a list of email addresses on the Dark Web and send phishing emails containing malicious attachments (or links to infected websites) to hundreds of addresses.  Once an unsuspecting employee opens the attachment (or clicks the link) and the malware is installed, the scammer has access to the company’s network (at least as far as that employee’s computer can see into it).  Depending on that level of access, the scammer may move on if nothing can be exploited, or dig deeper if the computer can reach company data, email and the like.  Once the scammer decides to act, he may wait until the CEO or executive is away from the office, or simply register a look-alike domain and alter the email address slightly to trick a non-observant recipient. For instance, jsmith@american.com may become jsmith@amer1can.com.

Proper training to prevent these issues includes instructing employees not to open email attachments from a sender they do not know or recognize.  In addition, employees need to be instructed to look for variations in email addresses (checking the actual address, not just the display name) when asked to complete tasks critical to the company’s business, such as releasing sensitive data, granting access to portions of the company server reserved for departments other than the requesting party, and, most importantly, sending the company’s money!
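As an added illustration of that check (example code written for this page, not a tool from the original article or from Maragell), the Python below classifies a From: header as trusted, look-alike or external by undoing the usual character substitutions (1 for l, 0 for o, rn for m) and measuring edit distance against the company's own domains. The trusted domain american.com and the sample headers are constructed for the demonstration.

```python
"""Flag e-mail senders whose domain is a look-alike of a trusted domain.

Added example, not from the original article. TRUSTED_DOMAINS and the
sample headers in demo() are constructed for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"american.com"}  # assumption: the company's real mail domains

# Digits and symbols commonly substituted for letters in spoofed domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case and undo the usual visual substitutions (amer1can -> amerlcan, rn -> m)."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header value as trusted, lookalike, external or malformed."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        label = t.split(".")[0]
        # Same domain once substitutions are undone, a near miss (amerlcan.com),
        # or the company name reused as a subdomain of something else.
        if norm == t or edit_distance(norm, t) <= max_distance or norm.startswith(label + "."):
            return "lookalike"
    # Display name claims the trusted domain while the address does not (a common webmail trick).
    if any(t in display.lower() for t in trusted):
        return "lookalike"
    return "external"


def demo() -> dict:
    """Constructed From: headers and their verdicts."""
    samples = [
        "John Smith <jsmith@american.com>",
        "John Smith <jsmith@amer1can.com>",
        "John Smith <jsmith@arnerican.com>",
        '"John Smith american.com" <jsmith.ceo@gmail.com>',
        "Vendor Billing <billing@vendor-example.net>",
    ]
    return {s: classify_sender(s) for s in samples}


if __name__ == "__main__":
    for header, verdict in demo().items():
        print(f"{verdict:10s} {header}")
```

A filter of this kind belongs on the mail gateway or in the finance team's mail client, and its findings should trigger a warning banner rather than a silent block; the distance threshold needs tuning, since very short domains will match unrelated names within two edits. It catches display-name and look-alike-domain spoofing, but not a message sent from the CEO's genuinely compromised account, which is what two-factor authentication and dual approval address.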

Many firms provide on-site and online training.

Cyber Security

Cyber security in the corporate world has become a yeoman’s task. As it pertains to CEO fraud, there are two primary fixes.  The first is to mandate that company email accounts use two-factor authentication. If the CEO’s account is accessed from anywhere that is not a recognized, secure location, as designated by the user, a second factor would need to be entered (a code sent via text to the CEO’s phone, a code from an authenticator app or hardware token, or a pre-printed backup code).  This prevents a scammer who has only stolen the password from logging in from Starbucks.  It does not, however, stop the look-alike address trick described above, which never touches the CEO’s real account; that is why the second fix matters.  The second is to institute an internal control requiring more than one person’s authorization for money transfers or expenditures, and to confirm any emailed payment request through a separate channel (a phone call to a known number, never a reply to the email). Whether it be a wire transfer, check, debit, or other material financial transaction, the approval process should involve two individuals who are privy to the request, its purpose and the related specifications.

Insurance Protection

Even the most vigilant company may still find itself a victim.  Traditional insurance policies contain some coverage for fraud, but as recent cases have shown (AF Global Corp. v. Federal Insurance Company), that coverage may not extend to this new type of fraud. Some policies will only pay a claim if the loss resulted from a traditional negotiable financial instrument, such as a check, having been forged or stolen. Therefore, it is important to review your policies and work with your insurance company to obtain a policy that covers monetary losses incurred through an electronic breach or a fraudulent payment instruction.

If you do have such coverage, your insurance company will need to follow the evidence to learn how the fraud took place.  Therefore, direct employees not to delete the emails related to the fraud, and to preserve the original messages rather than forwarded copies, since forwarding strips the routing headers that show where a message really came from. The emails can then be examined forensically to support your claim.

For more information relating to training, prevention, and investigation, contact the experts at Maragell at info@maragell.com.

Hiring in NY City? What you need to know about The Stop Credit Discrimination in Employment Act

Effective September 3, 2015, it became unlawful to conduct credit checks on nearly all potential and current employees if your business is located in the City of New York and you have more than four people on staff (including owners). As an employer, it is important to know the exceptions to this new limitation in the field of Human Resource Management.

What is actually prohibited?  According to the New York City Commission on Human Rights (“NYCHR”), the agency that enforces this Ordinance, an employer cannot obtain a consumer credit report and use it in the hiring process unless the position falls within a specific list of exceptions.  According to the NYCHR, a consumer credit report includes a credit score, credit accounts, bankruptcies, judgments or liens, whether obtained from a third-party source or from the prospective employee directly.

While the Ordinance is being promoted by the City as the most stringent of its kind in the U.S., it does have exceptions.   The onus is upon the employer to document the exception relied on to obtain a credit check.  The exceptions include:

  • Positions in which federal or state law requires credit background reports, such as FINRA licensed companies;
  • Police Officers, peace officers, or positions with a law enforcement or investigative function at the Department of Investigation (“DOI”);
  • Any position subject to a DOI background investigation;
  • Positions requiring bonding under federal, state, or city law or regulation;
  • Positions requiring security clearance under federal or state law;
  • Non-clerical positions having regular access to trade secrets, intelligence information, or national security information;
  • Positions requiring responsibility for funds or assets worth $10,000 or more; and
  • Positions involving digital security systems.

It is important to consult an attorney or HR Specialist when making hiring decisions to determine whether or not you are complying with this, and other local, state and federal laws.  Before you do so, here are few practice points to get you started:

  • Research each position to determine whether it fits within one of the exemptions; this may require you to develop a list of what constitutes a trade secret or business intelligence warranting extra HR security for that position and therefore, based on that assessment, exempting the hire from the Ordinance’s limitation;
  • Research your industry online to determine if there are federal or state guidelines that require credit history verifications for your industry;
  • Use Google, LinkedIn and other social media platforms when making hiring decisions, to the extent your state does not ban such research or prevent you from using protected characteristics found on these sites against the candidate (e.g., evidence of a person’s sexual orientation or gender identity, marital status, age, etc.);
  • Create a log to document the exemptions used and the factual basis for each exemption claimed; and

The NYCHR has issued official Guidance about the application of the Ordinance (see http://www.nyc.gov/html/cchr/html/coverage/credit-history-legalguidance.shtml), and it is expected to continue updating the public on this topic via its FAQ page (see http://www.nyc.gov/html/cchr/html/coverage/credit-history-faqs.shtml).

Litigation Goldmine: Employee Internet History–More than Just Facebook

As printed in the New Jersey Law Journal Cyber Security Supplement (March 9, 2015):

When it comes to data breach activity, companies should be examining the Internet activity of their own employees; it is more than just Facebook and ESPN News.  In two of our most recent cases, based on the Internet history alone, we discovered that one employee was logging into the webmail accounts of the CEO and CFO (and using the financial information contained therein to negotiate a bigger raise for himself), and that another, an IT administrator, had copied thousands of files to a thumb drive before he resigned and then ran Google searches on how to destroy key operating system files on his company laptop to hide the activity.

In both cases, the employees thought they had hidden their tracks by deleting their recent browsing history.  But because the operating system and browser keep the URLs of visited sites in separate files, and other files hold cached copies of those pages, forensic tools could extract these disparate files, combine them, display them visually and reveal the story of their activity.  One case ended with the employee being terminated, the other with the IT administrator haled into federal court after he surfaced at a competing firm.

While most forensic examiners refer to this information as the computer’s “Internet history,” it is much more than a compendium of web addresses.  Because a number of Windows Explorer artifacts behave in the same fashion as the browser’s history files, when the “history” is extracted, information such as which files were viewed on a thumb drive or where the user went on the company server can often be determined.  This user activity is betrayed by link (.lnk) files, which Windows creates when a user opens a document from a USB device or uses Windows Explorer to navigate to a location on the server; each records the target’s path and, for removable media, the volume it was on.  If an employee is suspected of stealing a customer list or other confidential or proprietary information, but the USB device is not available for inspection, the Internet history might seal his or her fate.

The history will also provide evidence of visits to online document storage sites such as Dropbox and Google Drive, and to data backup services such as Carbonite and Mozy.  Whenever company file access activity on the employee’s computer coincides with visits to these categories of websites, it is best practice for counsel to issue preservation letters and/or subpoenas promptly so that the information is not lost.

More sophisticated forensic software can also rebuild cached images of webpages and webmail messages just as the user saw them. Because webmail messages are not stored as mail files on the local hard drive, the only evidence that an employee was communicating with others about potentially unlawful activity, or sending company documents to a personal email account, may come from an examination of email fragments recovered from the browser cache as part of the Internet history.
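As an added example (written for this page, not part of the original article or any Maragell tooling), the Python below triages a Chromium-style browser History database for the two things the cases above turned on: visits to cloud storage or backup services, and search queries suggesting an intent to delete or destroy data. Chrome's History file is SQLite, with visit times stored as microseconds since 1601-01-01 UTC; the script builds an in-memory copy of the two tables it needs and fills them with constructed rows, so it runs offline. The domain list and search keywords are assumptions to be adjusted for each matter.

```python
"""Triage a Chromium-style History database for cloud-storage visits and
tell-tale searches.

Added example, not from the original article. build_sample_history()
constructs an in-memory SQLite database with the subset of Chrome's
History schema the query needs (urls and visits); for real use, open a
forensic copy of the profile's 'History' file with sqlite3.connect().
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: services counsel wants flagged (the sync/backup sites named in the article).
CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "carbonite.com", "mozy.com"}
# Assumption: search terms suggestive of anti-forensic intent.
SEARCH_KEYWORDS = ("delete", "wipe", "destroy", "erase", "shred")


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    # Integer division keeps the value exact; a float would lose precision at 1e16.
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed rows standing in for a user's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    base = datetime(2015, 2, 27, 17, 5, tzinfo=timezone.utc)
    rows = [
        (1, "https://www.espn.com/", "ESPN", base),
        (2, "https://www.dropbox.com/home", "Dropbox", base + timedelta(minutes=12)),
        (3, "https://www.google.com/search?q=how+to+delete+ntfs+system+files", "search",
         base + timedelta(minutes=40)),
        (4, "https://mail.example.com/inbox", "Webmail", base + timedelta(hours=2)),
    ]
    for uid, url, title, when in rows:
        ts = datetime_to_webkit(when)
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?)", (uid, url, title, 1, ts))
        conn.execute("INSERT INTO visits VALUES (?,?,?,?,?)", (uid, uid, ts, 0, 0))
    conn.commit()
    return conn


def triage(conn: sqlite3.Connection) -> list:
    """Return flagged visits, oldest first, with human-readable UTC timestamps."""
    findings = []
    query = """SELECT u.url, u.title, v.visit_time FROM visits v
               JOIN urls u ON u.id = v.url ORDER BY v.visit_time"""
    for url, title, visit_time in conn.execute(query):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        reason = None
        if any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE):
            reason = "cloud storage / backup site"
        elif host.endswith("google.com") and parts.path == "/search":
            q = parse_qs(parts.query).get("q", [""])[0].lower()
            if any(k in q for k in SEARCH_KEYWORDS):
                reason = f"search query: {q!r}"
        if reason:
            findings.append({"when": webkit_to_datetime(visit_time).isoformat(),
                             "url": url, "title": title, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_history()):
        print(f["when"], f["reason"], f["url"])
```

Run it against a forensically acquired copy of the file, never the live profile, which the browser keeps open and continues to write to. The same timestamp conversion applies to the downloads and cookies tables in the same profile.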

Practice Point: The immediate preservation of a suspect computer should be the top priority for any in-house counsel, litigation counsel, Human Resources professional or IT administrator.  Electronic evidence is ephemeral and can be destroyed through the normal use of the computer.  Permitting even the routine Windows updates to be installed can destroy essential evidence needed to prove a case.  In short, to maximize the amount of available evidence in cases like those described above, the computer should be turned off and secured in a location where it cannot be accessed until a forensic bit-by-bit image of its hard drive is created and its hash verified against the original.  If the subject of the investigation is suspected of downloading or actively running malware in an effort to harm the company (such as CryptoWall or other ransomware), the computer should instead be left running, isolated from the network, and its RAM captured by a forensic examiner before power is removed; pulling the power cord or battery first would erase the volatile memory that the analysis needs.
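As an added example of the bit-by-bit imaging step (example code for this page, not the article's own procedure), the Python below copies a source in fixed-size chunks, hashes the source stream, then independently re-reads and hashes the finished image, and writes a small JSON manifest recording both digests. It images a constructed sample file in a temporary directory; on a real acquisition the source would be the block device (for example /dev/sdb on Linux), attached through a hardware write blocker, and the image would be written to separate media.

```python
"""Bit-for-bit copy of a source with independent hash verification.

Added example, not from the original article. demo() images a constructed
random file rather than a real drive; pass a block device path as `source`
to image a drive (read-only, behind a write blocker).
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat regardless of device size


def image_and_verify(source: str, dest: str, manifest: str) -> dict:
    """Copy source -> dest chunk by chunk, hashing both streams separately.

    The image is re-read from disk for its hash rather than reusing the
    digest computed while writing, so a bad write to the target media shows
    up as a mismatch instead of a false 'verified'.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as fin, open(dest, "wb") as fout:
        while True:
            buf = fin.read(CHUNK)
            if not buf:
                break
            src_hash.update(buf)
            fout.write(buf)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the bytes reached the media before re-reading

    dst_hash = hashlib.sha256()
    with open(dest, "rb") as fin:
        for buf in iter(lambda: fin.read(CHUNK), b""):
            dst_hash.update(buf)

    record = {
        "source": source,
        "image": dest,
        "bytes": os.path.getsize(dest),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": dst_hash.hexdigest(),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(manifest, "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo() -> dict:
    """Image a constructed 3 MiB (plus a partial chunk) 'drive' and return the manifest record."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence.raw")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a multiple of CHUNK
    return image_and_verify(src, os.path.join(workdir, "evidence.dd"),
                            os.path.join(workdir, "evidence.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Purpose-built tools such as dd, dc3dd or FTK Imager do the same work with better handling of read errors; the point of the example is the verification record, which is what allows the image to be authenticated later as a faithful copy. A complete workflow also re-hashes the source device after imaging to show that acquisition did not alter it.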

New Jersey About to Restrict the Use of Criminal Records in Employment Settings

Despite pressure from business leaders and private detectives, the latest version of the New Jersey Senate Budget and Appropriations Committee’s “Opportunity to Compete Act” [SENATE, No. 2124] continues to impose restrictions upon New Jersey employers when advertising for, and interviewing, prospective employees as it applies to criminal records.

According to the Committee, it determined that “[r]emoving obstacles to employment for people with criminal records provides economic and social opportunities to a large group of people living in New Jersey, increasing the productivity, health and safety of New Jersey communities.” It also asserted “[c]riminal background checks by employers have increased dramatically in recent years, with estimates of 90 percent of large employers in the United States now conducting background checks as part of the hiring process…. and that [b]arriers to employment based on criminal records stand to affect an estimated 65 million adults in the United States with criminal records.”

Concerned by employment advertisements in New Jersey that include language regarding criminal records that either explicitly preclude or strongly dissuade people from applying, the Committee advanced its bill to the entire Senate to tackle these obstacles to employment.

If passed, the bill will preclude an employer (of 15 or more people) from requiring a job applicant to complete any employment application that makes any inquiry regarding the applicant’s criminal record during the “initial employment application” process. It will also preclude the employer from making any oral or written inquiry regarding an applicant’s criminal record during that process. The term “initial employment application” means the period from the advertisement through completion of the initial interview.

If an applicant discloses any information regarding the applicant’s criminal record, by voluntary oral or written disclosure, during the initial employment application process, the employer may make inquiries regarding the applicant’s criminal record during the initial employment application process.

Notwithstanding the foregoing, employers should be aware that if the employment is for a position where a criminal history record background check is required by law, rule or regulation, or where an arrest or conviction by the person for one or more crimes or offenses would or may preclude the person from holding such employment as required by any law, rule or regulation, or where any law, rule, or regulation restricts an employer’s ability to engage in specified business activities based on the criminal records of its employees, the restrictions of the bill do not apply.

This last exception is key for many of our clients. For our non-regulated clients that send employees into regulated entities like banks, hospitals, and mortgage lenders, their contracts routinely contain clauses that require all employees to be screened and failure to produce proof of a background check can void the contract.

Hence, when advertising for a position, consider all job assignments the candidate may be obligated to fulfill. If a potential assignment is in a regulated industry where a background check will be needed, the bill’s restrictions on advertising and interviewing may not apply.

NJ Employers Now Barred from Seeking Social Media Passwords

Effective December 1, 2013, New Jersey employers will be prohibited from requiring job candidates and current employees to disclose the user names and passwords to their personal social media accounts.  Last Thursday, Governor Christie signed into law a revised version of Assembly Bill 2878 making it a violation of NJ law to do so.  An earlier version of the same bill had provided for a private right of action allowing individuals to sue for violations of the law.  As of now, only civil penalties (up to $2,500) can be imposed, and they are to be collected by the Commissioner of the New Jersey Department of Labor and Workforce Development.

Under the new law, employers can still monitor social media accounts that are open to the public or that the company provides for the employee’s use.  In the case of suspected wrongdoing, an employer may investigate a current employee’s social media account if the account is used for the employer’s business purposes or for business-related communications, but only if the employer independently received information about the suspected wrongful conduct (i.e., in a lawful manner from a third party).

Key Practice Points:

  1. Employers should review their application and background check forms and conform them to the new law.
  2. Social media policies should be updated to warn employees that the use of personal social media accounts for business purposes may entitle the company to examine them for compliance with company policies regarding marketing, advertising, data transfer, regulatory affairs, and other business rules.
  3. Managers should be made aware of how they may conduct examinations of social media sites to enforce the issues raised in Point 2 above.  The NJ federal court case of Ehling v. Monmouth Ocean Hospital Service Corp. (decided August 20, 2013) and the NJ state court case of Pietrylo v. Hillstone Restaurant Group (decided July 24, 2008) both provide real world examples of how these issues may play out when an employer begins to peek under the gurney/table.
  4. Litigants must be wary of using usernames/passwords found on company computers to access these social media sites.  Properly crafted computer use policies may enable an employer to use information found on company equipment even if it is from a password-protected account.  Moreover, employees who leave their social media accounts signed in or saved in the browser on company equipment (so that the site opens automatically at start-up) should be made aware that the employer may have instant access to those sites in the event the employer takes possession of, or simply uses, the computer for legitimate business purposes.

For additional information, please give us a call or email us at info@maragell.com.

Unloading Electronic Social Media “Baggage” May be Hazardous to the Health of Your Case

You already know that the privacy settings on many social media websites are not as private as you want, and that “delete” doesn’t really mean delete.  But did you also know that if you try to unload some of that electronic “baggage” to improve your online presence, you might land in even hotter water?  That’s what one New Jersey plaintiff learned the hard way in the case of Gatto v. United Airlines and Allied Aviation Services, et al., No. 10-CV-1090 (D.N.J. March 25, 2013).

Gatto, a former baggage handler at John F. Kennedy Airport, sued United Airlines and Allied Aviation Services for damages when a set of fueler stairs crashed into him while he was unloading suitcases from an airplane.  He claimed his injuries left him permanently disabled, and that his disability limited his physical and social activities.

In the course of discovery, the defendants sought authorization from Gatto to access his social media and online business accounts, including sites such as Facebook, PayPal and eBay.  Gatto complied with the request for many of his accounts, but not Facebook.

On December 1, 2011, during a settlement conference, the parties worked out an agreement that would give (and did give) the defendants access to Gatto’s Facebook account.  However, shortly thereafter, after receiving an alert from Facebook that someone had accessed his account from an IP address in NJ unknown to him, Gatto deactivated the account (he claimed he thought it was hacked).  When the parties tried to re-gain access, it was determined that all of his information was gone.

The defendants then subpoenaed Facebook (and provided a copy of Gatto’s authorization) seeking all the account information directly.  Facebook responded to the subpoena with its usual defenses regarding the Stored Communications Act (which it claims prevents it from disclosing all information), but more importantly, it advised that all the account data had been automatically deleted once the 14 day reactivation period expired. (There was some discussion in the opinion as to whether Gatto merely deactivated his account or went further and intentionally wiped it out, but the issue became moot in the end).

Based on several screen shots of Gatto’s Facebook page that one of the attorneys for United had printed, which showed Gatto engaging in activities inconsistent with his testimony, the defendants moved for sanctions against Gatto for destroying evidence they believed would have further shown that Gatto was not as limited as he claimed.  The court granted their request for an adverse inference instruction at trial, ruling that it was

[c]lear that Plaintiff’s Facebook account was relevant to the litigation. Plaintiff alleges to have sustained serious injuries in this personal injury action, and further alleges that said injuries have limited his ability to work and engage in social and physical activities. The Facebook information sought by defendants focused upon posts, comments, status updates, and other information posted or made by the Plaintiff subsequent to the date of the alleged accident, as such information would be relevant to the issue of damages.

The Court finds that it was reasonably foreseeable that Plaintiff’s Facebook account would be sought in discovery. Defendants requested Plaintiff’s Facebook account information as early as July 21, 2011, nearly five months before Plaintiff deactivated his Facebook account. Furthermore, Plaintiff’s Facebook account was discussed during the December 1, 2011, Settlement Conference, where Plaintiff was present and the Court order related to the discovery of information associated with Plaintiff’s Facebook account. Accordingly, it is beyond dispute that Plaintiff had a duty to preserve his Facebook account at the time it was deactivated and deleted.

A copy of the Gatto decision can be downloaded here:

Gatto v United Airlines et al.

The takeaways from this ruling are many-fold:

For the socialite who enjoys posting pictures of anything that pops in front of his/her camera or the earth-moving thought that creeps into his/her mind, or better yet, the cell phone user who activates software that automatically updates his or her whereabouts (“Sally just checked into Starbucks at 3rd and Vine…”), these life moments could become Exhibit A at trial.  Alternatively, deleting them once litigation is reasonably foreseeable could result in spoliation sanctions, up to and including dismissal of the case.

For the plaintiff’s attorney, social media sites can help assess the veracity of a client’s story.  Better to know up front whether your client is stretching the truth or whether the posts corroborate his case.

For the defense attorney, early preservation letters with detailed instructions regarding what to preserve and what not to destroy or terminate can help with early case assessment or serve as a basis for a successful spoliation motion months or years later.

For all litigants, knowing how to preserve these online life-storehouses is paramount.  Printing screenshots is sophomoric, but may be enough to prove a point.  Capturing entire accounts, in real time, using forensically sound techniques (a complete export, with its timestamps intact and a hash of the captured data so it can be authenticated later), may be a game changer. And for those awkward posts and pictures, once the accounts have been preserved forensically, the good news is they can be deleted from the active account without fear of retribution.

Background Checks–A Lesson in Reading Tea Leaves

This morning, the Today Show’s investigative reporter, Jeff Rossen, revealed once again the pitfalls of cutting corners when it comes to conducting employee background checks.  In his report, Jeff highlighted the plight of several prospective employees who were denied positions because the firms hired to conduct their background checks failed to use reasonable procedures to vet the information they retrieved.

Unfortunately for US employers, there is no central location they can check to determine if a prospect has a criminal record.  To obtain a “national criminal record check,” a search must be conducted at the federal, state, county, and if warranted, municipal, levels for every place the prospect ever lived, worked, visited or vacationed.  No employer would incur the cost to conduct such a search (nor could it given the need for the prospect to divulge his/her life’s itinerary).

Instead, employers often rely upon database searches as an alternative to conducting a thorough manual background check.  The trade-off is that while such research is cost- and time-efficient, the databases often link erroneous dates of birth, crimes and litigation matters to individuals with similar names and social security numbers.  Until a human being takes a moment to analyze the data and compare it to what the prospect provided, as well as to other independently developed information about the prospect, the type of misinformation described in Rossen’s report will continue to reach employers.  Background checks are an art form, not a mouse click.

Practice Tip:  If your firm must rely upon database searches for budgetary reasons, ask the prospective employee for a 10-year address history.  Compare it to the results from your background check firm.  If crimes are listed on the report in states where the prospect never lived, question your vendor and demand they check with the courthouse directly.