In an open letter to customers earlier this year, Apple® CEO Tim Cook wrote, “All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission.”
By Sam Karson
If you follow the latest cybersecurity news, you are certainly aware of the Apple-FBI legal dispute in California. The dispute concerns purported “back doors” into iPhones as well as attempts to “hack” secure mobile devices. While the federal government’s dispute with Apple has been resolved (for now), the threat of criminals and other ne’er-do-wells stealing our private information through hacking, “cracking,” and exploiting back doors is very much on the public’s mind.
Indeed, in April, the U.S. Department of Homeland Security’s (DHS) Computer Emergency Readiness Team issued an alert about new vulnerabilities in Apple’s QuickTime software for Windows® users. Recently, hackers started targeting HR professionals to obtain confidential information about employees.
Don’t Ignore the Front Door
While it is important to stay abreast of the latest updates regarding cracking (breaking into computers for criminal gain) and back door vulnerabilities, HR professionals must stay focused on the front door. What do I mean by “front door”? Fraudsters looking to gain access to a company’s private information, especially employees’ information, need not resort to sophisticated techniques to do so.
Many computer criminals use “spoof” e-mails to trick employees into letting them walk through the figurative front door. This is called “phishing.” A common phishing scheme involves a fraudster e-mailing an HR employee whose contact information is posted on the company’s website or the employee’s LinkedIn® account. The fraudster creates an e-mail address that is similar or identical to that of a company executive (whose contact information is also online). The criminal includes company logos in the spoof e-mail to convince the unsuspecting HR employee that he is a company executive. The fraudster requests proprietary business information or employees’ personal information, which the HR employee may provide if she believes the spoof e-mail is a bona fide request from an executive. A recent phishing scheme involved fraudsters posing as company executives and requesting employees’ W-2 forms, which include sensitive information that could be used to steal employees’ identities.
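The scheme described above leaves traces a mail filter can check for: an executive’s display name on an address that is not the executive’s real one, a sender domain one character off the company’s, a Reply-To pointing elsewhere, and a request for W-2 or payroll data. The following is an added example written for this article, not code from the author or any vendor; the company domain, executive roster and sample messages are constructed placeholders.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # constructed placeholder
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster
# Terms W-2 / payroll scams typically ask for.
SENSITIVE = re.compile(r"\b(w-?2s?|ssn|social security|payroll|direct deposit)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, reply_to: str, subject: str, body: str) -> list:
    """Return the reasons a message looks like executive impersonation.
    An empty list means none of the checks fired."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    # Executive's display name on an address that is not the executive's.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("display name matches executive but address does not")
    # Sender domain is a near-miss of the company domain (e.g. 1 for l).
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")
    # Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(reply_to)
    if reply_addr and reply_addr.lower() != addr:
        reasons.append("reply-to differs from sender")
    # The request is for the kind of data W-2 scams go after.
    if SENSITIVE.search(subject + " " + body):
        reasons.append("asks for sensitive employee data")
    return reasons


# Constructed sample messages: one spoof, one legitimate note.
SPOOF = assess('"Jane Doe" <jane.doe@examp1e.com>', "ceo.jdoe@mail-relay.test",
               "Urgent: W-2s", "Please send all employee W-2 forms today.")
LEGIT = assess('"Jane Doe" <jane.doe@example.com>', "",
               "Lunch", "Team lunch Friday?")
```

Any non-empty result is a reason to pick up the phone and confirm the request with the executive through a known number before sending anything.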
Your Employees’ Information Has Been Stolen. Now What?
If your employees’ information is compromised, the first thing you should do is get in touch with an expert. How you respond to a data breach will have a significant impact on your company’s liability and the damage that results from the breach. Employees must be notified of the breach. Keep employees updated throughout the process so they can take steps to protect themselves from identity theft.
The next step is to assess the scope of the data breach. Depending on what kind of information was stolen or accessed and how many employees are affected, you may have to notify the state government and credit reporting services. Most states have laws requiring companies to notify the state attorney general’s office and credit reporting agencies when a data breach occurs. Each state’s notification law is different in terms of what type of breach triggers the notification requirement and what information must be included in notifications, so it is important to familiarize yourself with the notification laws in the states in which you operate. Preferably, that is done before a data breach occurs. Additionally, if medical information is compromised, the Health Insurance Portability and Accountability Act (HIPAA) may require you to notify affected employees.
Finally, work with your IT staff to fix system vulnerabilities and improve your system security going forward.
Sam Karson was a paralegal with Brann & Isaacson (http://www.brannlaw.com) in Lewiston, Maine and a contributor to the Maine Employment Law Letter (http://store.hrhero.com/meemp). He is currently studying for his JD at Duke University.
Tomorrow we will cover more on the subject of computer security.