Tips to Avoid Employee & Outside Cyber Attacks!

August 27, 2018

Your employees are your company’s weakest link, and therefore your greatest risk of suffering a cyber-attack and resulting data breach. While employee negligence (that is, employees not knowing or understanding how their actions risk your company’s data security) remains the biggest cyber risk, another is growing and also demands your attention—the malicious insider. In fact, one recent report stated: “malicious insiders are responsible for 27 percent of all cyber crimes.”

Believe it or not, there are actually organizations/hackers who recruit malicious actors. These cyber criminals recruit with the goal of finding insiders to steal data, make illegal trades, or otherwise generate profit. Advanced threat actors look for insiders to place malware within a business’ perimeter security.

There are three types of people who fall into the “insider” category. They are negligent employees who don’t practice good cyber hygiene, disgruntled employees with ill will, and malicious employees who join organizations with the intent to defraud them.

What is a company to do? For the negligent employees who don’t practice good cyber hygiene—training, training, and more cyber-training is the best way to go.

No amount of training, however, will stop a disgruntled employee with ill intent, or a malicious employee who joins to do harm.

These latter two categories need more specialized attention—an insider threat program. The Wall Street Journal explains:

Companies are increasingly building out cyber programs to protect themselves from their own employees.… Businesses … are taking advantage of systems … to find internal users who are accidentally exposing their company to hackers or malicious insiders attacking the company.

These “systems,” however, can prove costly, especially for the small-business owner. While investment in a technological solution is one way to tackle this serious problem, it’s not the only way. Indeed, there is a lot that any company, of any size, with any amount of resources, can do to develop an insider threat program.

Aside from the expense of costly monitoring programs, what types of issues should employers include in an insider threat program? Here are seven suggestions:

  1. Heightened monitoring of high-risk employees, such as those who previously violated IT policies, those who seek access to non-job-related business information, and those who are, or are likely to be, disgruntled (i.e., employees who express job dissatisfaction, who are on a performance improvement plan, or who are pending termination).
  2. Deterrence controls, such as data loss prevention, data encryption, access management, endpoint security, mobile security, and cloud security.
  3. Detection controls, such as intrusion detection and prevention, log management, security information and event management, and predictive analytics.
  4. Inventories and audits for computers, mobile devices, and removable media (i.e., USB and external hard drives), both during employment and post-employment.
  5. Policies and programs that promote the resolution of employee grievances and protect whistleblowers.
  6. Pre-employment background checks to help screen out potential problem employees before they become problems.
  7. Termination processes that remove access as early as possible for a terminated employee.

No company can make itself bulletproof from a cyber-attack. Indeed, for all businesses, data breaches are a “when” issue, not an “if” issue. However, ignoring the serious threat insiders pose to your company’s cyber security will only serve to accelerate the “when.”

So, there it is! You can take this seriously or just ignore this potential problem. The reality is this is a growing concern and I will be discussing this in detail on my LA Talk Radio show this coming Sunday at 3 pm PST.


Arbitration Agreements: All but Gone!

August 20, 2018

In its continuing, apparent quest to undermine federal law, the California legislature is moving to make it unlawful for employers to require applicants or employees to agree to resolve employment-related disputes by way of arbitration.  AB 3080 would add provisions to the California Fair Employment and Housing Act (FEHA) and to the California Labor Code making it unlawful for an employer to require an applicant, employee, or independent contractor to agree to waive any forum (i.e. court) for the resolution of a dispute arising under FEHA (discrimination, harassment, and retaliation) or the Labor Code (wages/wage statements/meal and rest breaks/working conditions).  The bill further specifies that an arbitration agreement is unlawful even if applicants or employees are permitted to opt out of the agreement.  In other words, even where an employee is permitted to opt out of the arbitration agreement, the agreement still will be deemed to have been forced on the employee as a condition of employment, and therefore, will be considered unlawful.

The problem with AB 3080, apart from the fact that it is horrible for California employers, is that it is plainly unconstitutional and preempted by the Federal Arbitration Act (FAA).  The California Legislature is on clear notice of this problem, too.  In the past, the California Legislature has adopted similar laws that have discriminated against arbitration agreements and the courts (including the United States Supreme Court) have refused to enforce these laws, finding them preempted by the FAA (which favors enforcement of arbitration agreements according to the terms agreed upon by the parties to the agreement and displaces state laws that discriminate against arbitration).

Business groups and employment lawyers alike have explained to the Legislature that AB 3080, like preceding statutory efforts to preclude arbitration agreements, is unconstitutional and have urged that it not be passed. Thus far, the Legislature appears unmoved. AB 3080 was passed by the state Assembly, was passed out of committee in the Senate, and is now advancing to the floor of the Senate for a vote that will occur sometime between August 21-31. Given the political makeup of the Senate, it seems likely that the bill will be passed and presented to the Governor. If the bill is signed into law, California employers will be left to foot the bill in court to litigate the invalidity of this clearly unconstitutional law.

In addition to its virtual ban on employment arbitration agreements, AB 3080 would also prohibit contractual provisions that prohibit an applicant, employee, or independent contractor from disclosing information pertaining to an incident of sexual harassment.  This would impact settlement of sexual harassment claims.  Employers will want to monitor the continued progression of AB 3080 as it pertains to this issue as well.

I will keep you posted. This is just another example of the insanity California employers have to face in order to do business in this state.


Reasonable Accommodation & Common Sense!

August 13, 2018

Let me ask you, “Would you rather spend seven figures to lose a lawsuit, or $1.69 to allow a diabetic employee to drink a bottle of orange juice?” This is where common sense must take over. This employer paid the price for not understanding that a reasonable accommodation is just that—“reasonable!”

Linda Atkins, a former cashier at Dollar General, is a type II diabetic. She occasionally suffers from low blood sugar, to which she must quickly respond by consuming glucose to avoid the risk of seizing or passing out. When she asked her manager if she could keep orange juice at her register in case of an emergency, he refused, citing the store’s “Personal Appearance” policy (which prohibits employees from eating or drinking at registers).

In late 2011 and early 2012, Atkins suffered two hypoglycemic episodes. Because she worked alone and did not want to leave her register unattended, she took a bottle of orange juice from the store’s cooler and paid for it after the fact.

Shortly thereafter, a Dollar General Loss Prevention Manager audited the store to address employee theft and other merchandise “shrinkage” issues. Atkins admitted to drinking orange juice twice before paying for it because of a medical emergency. She was then fired for violating the employer’s “grazing” policy, which prohibits employees from consuming merchandise before paying for it.

The EEOC sued on behalf of Atkins, claiming that her ex-employer failed to reasonably accommodate her and discriminated against her because of her disability.

On appeal, the Court had little difficulty concluding that the jury correctly found in favor of Atkins on her reasonable accommodation claim:

When she asked her store manager if she could keep orange juice at her register because of her diabetic condition, the manager told her “it’s against company policy” and to “be careful of the cameras.” Once Atkins requested this reasonable accommodation, the employer had a duty to explore the nature of the employee’s limitations, if and how those limitations affected her work, and what types of accommodations could be made.… But that’s not what it did. The store manager categorically denied Atkins’ request, failed to explore any alternatives, and never relayed the matter to a superior.

And on her discrimination claim:

A company may not illegitimately deny an employee a reasonable accommodation to a general policy and use that same policy as a neutral basis for firing him. Imagine a school that lacked an elevator to accommodate a teacher with mobility problems. It could not refuse to assign him to classrooms on the first floor, then turn around and fire him for being late to class after he took too long to climb the stairs between periods. In the same way, Atkins never would have had a reason to buy the store’s orange juice during a medical emergency if Dollar General had allowed her to keep her own orange juice at the register or worked with her to find another solution. This would have been a common sense approach.

This legal and common-sense error cost the employer a judgment of nearly $725,000 (which includes almost $450,000 in the claimant’s attorneys’ fees, and does not include what it paid its own legal team to fight this absurd fight). The bottle of OJ at issue was worth $1.69 (plus tax). Which is the better economic decision?

Come on, people, use your heads out there!


Court Awards Attorney Fees to the Employer Based on a Frivolous Claim!

August 6, 2018

Here is a decision that will hopefully deter frivolous lawsuits by former employees as well as plaintiff attorneys! As employers know, there is little disincentive for an employee to sue, because plaintiff-side lawyers represent them on a contingency fee basis and most claims are brought under statutes that allow an employee (but not an employer) who prevails to recover the attorneys’ fees incurred in the case. However, it is important for employees to recognize that an employer may refuse to settle and may win at trial. If the employer wins, the employer often has a statutory right to recover its costs of suit from the employee. Depending on the extent and type of litigation, the employer’s recoverable costs could be in the tens of thousands of dollars. In some instances, a prevailing employer also may recover its attorneys’ fees incurred to defend the unmeritorious case. Well, here is one time an employer fought back and the Court awarded them attorney fees to be paid by the former employee AND her attorney! Let’s look at the facts.

Sandra D’Amato Flores was a branch manager for Opus Bank who decided to jump on the bandwagon of employees suing their employers for often baseless wage and hour claims in California. As is common in these wage and hour cases, Flores alleged that she was misclassified as an exempt employee and denied overtime compensation as a result. She filed an individual lawsuit seeking unpaid wages from Opus. Then, she separately filed a putative class action lawsuit on behalf of all of Opus Bank’s branch managers in California, alleging that the entire class of employees was misclassified and denied overtime compensation. Flores’ counsel eventually recognized that Flores had a conflict of interest in seeking to pursue her own individual lawsuit against the Bank while simultaneously seeking to represent a class of employees on similar claims in a separate case. As such, her attorneys proposed substituting in a different, former branch manager to represent the class. Unfortunately for Flores, the other former branch manager had signed a severance agreement releasing any and all claims, known or unknown, against Opus Bank in exchange for being provided severance benefits. As a result, he rather obviously had no standing to pursue any claims against Opus Bank, either on his own behalf or on behalf of a class of employees. However, Flores, through counsel, was unconvinced, and insisted on litigating the issue of whether the former branch manager’s severance agreement barred his claims. This was not the wisest of decisions, given that the severance agreement had a provision entitling the prevailing party in any action to enforce the severance agreement to recover its attorneys’ fees. Sure enough, the Los Angeles Superior Court agreed with Opus Bank that the severance agreement barred the former branch manager’s claims and awarded Opus Bank close to $55,000 in attorneys’ fees against the former branch manager and his attorneys.

The former branch manager, apparently unhappy with this outcome, sued his attorneys for malpractice. Now there’s retribution for you!

Meanwhile, Flores’ individual wage and hour claims went to trial. Opus’ defense was that Flores was properly classified as an exempt employee, due to the fact that she earned a salary well above the minimum required for exempt status and easily spent the majority of her time on exempt duties.  Indeed, Flores was responsible for managing a branch of the Bank (and at times, two branches), with ultimate supervisory responsibility over all branch employees and branch operations, and was responsible for representing Opus in the community and developing business for the Bank.  Following the bench trial, Judge Wiley found in favor of Opus Bank and issued judgment (as well as an award of costs) in favor of Opus.

Not to be deterred, Flores appealed the judgment following the bench trial against her, and also appealed the order enforcing the other former branch manager’s severance agreement, as well as the order awarding Opus Bank its attorneys’ fees incurred in enforcing the agreement. Last week the Court of Appeal issued its opinions in favor of Opus Bank on all three appeals. The Court held that the trial court’s judgment in favor of Opus Bank on Flores’ individual claims was supported by substantial evidence, and dismissed the other two appeals, agreeing with Opus that these appeals were procedurally defective because (1) Flores was attempting to appeal non-appealable, intermediate rulings of the trial court without any final judgment ever having been entered in the class action; (2) Flores did not have standing to appeal the order adjudicating her former colleague’s rights or awarding attorneys’ fees against him, and the former branch manager did not himself appeal these orders (no doubt because he did not want to risk being ordered to pay even more attorneys’ fees to Opus Bank for causing the Bank to incur fees to defend the appeals); and (3) Flores’ counsel did not file a valid notice of appeal on their own behalf in order to challenge the fee award issued jointly against them. As such, the order awarding Opus Bank its attorneys’ fees against the plaintiff’s attorneys and Flores’ former branch manager colleague stands, and the Court also awarded Opus Bank its costs on appeal from Flores.

The takeaway here is that, contrary to popular thought, it does not always pay to sue.  In this case, the employee (and her counsel) have to pay.  Let this be a word of caution to other employees out there to think twice before carelessly pursuing unmeritorious claims against their employer.

This was a great decision for employers!