Adventures in Cyber Security

One of the most exciting aspects of employment law is the inexhaustible list of ways that employees find to get themselves—and their employers—into trouble.  Recently, we have observed an uptick in electronic security attacks, which makes the close of 2018 a perfect time to refresh ourselves on the “Dos” and “Don’ts” of cyber security.

Why Do They Do That?!

Some of the cyber security problems that employees find for themselves leave employers scratching their heads and wondering “why did s/he do that?!”  A great example:  spoofing attacks.  In the context of information security, spoofing occurs when an individual (or group) disguises itself as someone else to gain access to information.  One scenario that occurs with shocking frequency is when a cyber attacker sends an email purporting to be someone important within the organization.  For example, an employee (especially a new, or low-level employee) will receive an email from an address that shows up as Bob Smith, Chief Executive Officer of XYZ Corporation.  The employee, eager to please, takes one look at the “From” line in the email, and immediately jumps to complete the requested actions in the email.  Often, the request involves using company resources to send money or gift cards to the recipient.  The sums at issue are generally small enough that they do not trigger fraud alerts, and no one realizes that the request is fraudulent until days or weeks later when the employee follows up with the requesting manager, or someone in accounting sees a questionable charge.

Look for Real Solutions, Not Easy Ones

When you’re investigating these incidents, it’s easy to blame the subject of the attack.  Frequently, a small bit of due diligence could have avoided the problem.  In spoofing attacks, the actual email address is often undisguised.  So, while the email says that it’s from Bob Smith, Chief Executive Officer of XYZ Corporation, the email account is actually randomassortmentofletters@shadydomain.com.  When confronted with this scenario, rather than blaming the victim, a good first step is to analyze the company’s own practices.  Cyber security problems do not arise in a vacuum.  Does your company have a cyber security program?  Have you trained your employees to check the email address before responding to internal inquiries or opening document attachments?  Do you have a defined protocol for what to do with suspicious emails, so that they can be investigated?  The easy solution is to blame the victim; it’s much harder to conduct an internal inventory and find out that the company bears some of the blame.
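The address check described above can also be done by a mail filter rather than by eye. The following is an added example, not part of the original article; the domain xyzcorp.example, the list of protected names, and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example: the company's real mail domain and the
# names of people an attacker is likely to impersonate.
ORG_DOMAINS = {"xyzcorp.example"}
PROTECTED_NAMES = {"bob smith"}

def normalise(display_name):
    """Lower-case the display name and drop any title after a comma."""
    return " ".join(display_name.split(",")[0].lower().split())

def check_from_header(raw_message):
    """Return a list of findings about the From header of one message."""
    msg = message_from_string(raw_message)
    findings = []
    for display, addr in getaddresses(msg.get_all("From", [])):
        domain = addr.rpartition("@")[2].lower()
        external = domain not in ORG_DOMAINS
        # Case from the article: an executive's name on an outside address.
        if external and normalise(display) in PROTECTED_NAMES:
            findings.append(f"protected name '{display}' on external address {addr}")
        # Related case: the display name is itself an address that does
        # not match the real sender, so the "From" line looks internal.
        if "@" in display and display.strip().lower() != addr.lower():
            findings.append(f"display name shows {display} but sender is {addr}")
    return findings

# Constructed sample messages.
SPOOFED = (
    'From: "Bob Smith, Chief Executive Officer" '
    "<randomassortmentofletters@shadydomain.com>\n"
    "To: new.hire@xyzcorp.example\nSubject: Quick request\n\nAre you available?\n"
)
LEGIT = (
    'From: "Bob Smith, Chief Executive Officer" <bob.smith@xyzcorp.example>\n'
    "To: new.hire@xyzcorp.example\nSubject: Welcome\n\nGlad to have you.\n"
)
LOOKALIKE = (
    'From: "bob.smith@xyzcorp.example" <someone@shadydomain.com>\n'
    "To: new.hire@xyzcorp.example\nSubject: Quick request\n\nAre you available?\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("legit", LEGIT), ("lookalike", LOOKALIKE)]:
        print(label, check_from_header(raw))
```

Messages that produce a finding are the ones to route into the company's suspicious-email protocol, or to tag with a visible warning before they reach the employee.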

Be Careful What You Say

Another common reaction to cyber security problems is to make generalizations—frequently involving age—about the types of people who are susceptible to these types of attacks.  The refrain of “his generation just doesn’t understand the risk associated with . . .” is unfortunately common.  While human resources professionals are often attentive to these issues, front-line managers are not.  If you hear this type of stereotyping while investigating security breaches, be sure to nip it in the bud.  Statements about a person’s age, generation, or inability to learn and adapt to new technology—especially when coupled with disciplinary action—are a recipe for discrimination claims.  Don’t compound your problem by drawing a lawsuit while you attempt to correct for a cyber security breach.

Be Kind, Even if It’s not Required

When cyber-attacks result in employees losing their own money, one of the first questions from management is “do we have to reimburse it?”  That can be a complex question, but in most cases, the answer is no.  An employee who falls for a cyber scam, such as the spoofing attack described above, has been the victim of fraud.  The company did not perpetrate the fraud, or benefit from it.  So the company is not on the hook for the loss.  The first thing you should advise your employee to do is stop payment and report the fraud, if a credit card was involved.  Often the credit card company has resources at its disposal that can limit or reverse the damage done.  But any loss that remains should be the subject of careful consideration.  It is often new, low-earning, and low-level employees who are targeted by sophisticated attackers.  The sums at issue sound small, hundreds of dollars, up to perhaps five thousand.  But for an employee earning $40,000 per year, that type of loss can be enough to cause serious financial disruption.  While employees need to understand the significance of these issues, and feel the sting of sloppy behavior, that goal may be better achieved through progressive discipline.

Remember Your Duties to Report

Finally, if a cyber-attack results in a data breach, be aware of your state’s requirements to disclose the breach to customers and clients.  Delaware law imposes some requirements for what employers must do in the event that they discover that employees’ personal information may have been compromised.  The law defines “personal information” as a Delaware resident’s first name or initial and last name, in combination with:  (1) the resident’s social-security number; or (2) driver’s license number; or (3) account number, credit or debit card number.  To qualify as personal information under the third option, the number must be combined with a required security code or password that would permit access to the resident’s financial account.  An employer who learns that the security of its employees’ personal information has been breached must conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.  If the employer determines that the misuse of information has occurred or is likely to occur, it must notify the affected employees.  (6 Del. C. ch. 12B).

Bottom Line

The best plan is one that you make in advance. There’s no better time to review your internal response procedures, so you are prepared to respond to a cyber attack and address data breaches.  Delaware law does not impose significant compliance obligations, but it does require employers to investigate any potential security breach and to notify all affected employees immediately in the event that their personal information may have been compromised.  So be ready, and make sure your employees are well trained on basic considerations when operating in today’s online world.