Social Media

Digital Spring Cleaning

Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3(2), generally described as the GDPR’s “targeting criteria.” Under these criteria, your business must be GDPR compliant if it engages in processing the data of an EU individual (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples of how the criteria can be applied, and these clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic location and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects that your business profiles or undertakes some analysis by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

Scherzer International Joins the National Wear Red Day Movement

     

 

The Scherzer International offices were bright red on Friday, February 2 to show support in the fight against cardiovascular disease. Employees at SI joined the National Wear Red Day movement to raise awareness about living healthier. The pictures above show Daisy (SI’s mascot) and employees from both the Woodland Hills and Rocky River offices wearing red as a visual reminder to us all to continue the fight against heart disease.

SI’s participation in National Wear Red Day follows on the company-wide fundraiser for the American Heart Association held at SI over the summer. Employees in Woodland Hills and Rocky River competed against each other in a penny drive that raised $1634.48 for the AHA in one month! Nicole Stevenson, Administrative Assistant at SI, shared her thoughts on SI’s involvement, “My coworkers know the importance of heart health and we’re more than happy to raise awareness for national heart month. This month we’re taking the steps to be proactive in our everyday lives, whether it has to do with exercise tips, stress relief, or just creating an enjoyable work atmosphere that everyone can benefit from.”

With February being Heart Month, SI employees are staying active throughout the workday by taking walks, opting for the stairs instead of the elevator or joining other SI employees for the 7-minute group workout of the day! Cardiovascular disease is largely preventable and “risks can be lowered by adhering to what we call Life’s Simple 7: not smoking, being physically active, maintaining a healthy body weight, eating a healthy diet, controlling blood pressure, controlling cholesterol and controlling blood sugar.”

National Wear Red Day and fundraisers like the penny drive raise awareness and funds to discover critical advancements in treatment and prevention of cardiovascular disease, teach our nation’s kids how to live healthy lives and train community members on heart attack and stroke detection. Follow SI on our social media accounts throughout the month of February to see how employees at SI, “raise awareness about cardiovascular disease and save lives. Because when we come together, there’s nothing we can’t do.”

 

FFIEC finalizes guidance for social media risk management

The Federal Financial Institutions Examination Council (FFIEC) released on December 11, 2013 final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance provides considerations that financial institutions may find useful in performing risk assessments and developing and evaluating policies and procedures regarding social media. 

New Jersey enacts law for social media password protection

Continuing a nationwide momentum of restricting employers’ access to personal social media content of applicants and employees, in August 2013, New Jersey passed Act 2878 joining eleven other states (Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado, Washington, Oregon, and Nevada) with similar laws. Dozens more states and the U.S. Congress are considering comparable legislation. New Jersey’s new law, which becomes effective December 1, 2013, prohibits employers from asking or requiring that applicants or employees “provide or disclose any user name or password, or in any way provide the employer access to a personal account through an electronic communications device.”

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349, which establishes similar requirements for postsecondary education institutions in regard to their students, also goes into effect on January 1, 2013.

Social media evolving as new platform for investment scams

The Securities and Exchange Commission (SEC) today charged an Illinois-based investment adviser with offering to sell fictitious securities through social media sites. According to the SEC’s Division of Enforcement, Anthony Fields of Lyons, IL, offered more than $500 billion in fictitious securities, and in some instances, used LinkedIn discussions to promote fraudulent “bank guarantees” and “medium-term notes.”

The SEC’s order instituting administrative proceedings against Fields charges that he made multiple fraudulent offers through his two sole proprietorships – Anthony Fields & Associates (AFA) and Platinum Securities Brokers. Fields allegedly provided false and misleading information concerning AFA’s assets under management, clients, and operational history to the public through its website and in SEC filings. Fields also failed to maintain required books and records, did not implement adequate compliance policies and procedures, and promoted himself as a broker-dealer while he was not registered with the SEC.

Also today, in recognition that fraudsters are now turning to new and evolving platforms to peddle their scams, the SEC issued two alerts to highlight the risks investors and advisory firms face when using social media.

One of these alerts, a National Examination Risk Alert titled “Investment Adviser Use of Social Media,” provides staff observations based on reviews of investment advisers of varying sizes and strategies that use social media. The bulletin addresses issues that may arise from social media usage by firms and their associated persons, and offers suggestions for managing the antifraud, compliance, and recordkeeping provisions of the federal securities laws. The alert notes that firms need to consider how to implement new compliance programs or revisit their existing ones to align with the rapidly changing technology.

In the SEC’s second bulletin, an Investor Alert titled “Social Media and Investing: Avoiding Fraud” prepared by the Office of Investor Education and Advocacy, the aim is to help investors be aware of fraudulent investment schemes that use social media, and provide tips for checking the backgrounds of advisers and brokers.

More on legal troubles from employer misuse of social media information

Legal experts say that litigation resulting from employer misuse of social media information is likely to rise, at least until more case law is established. And even if the company prevails in such lawsuits, there may be reputational risks as the cases grab the national spotlight.

Media sources reported that next week, for example, a National Labor Relations Board judge will rule whether American Medical Response of Connecticut illegally fired a worker after she criticized her boss on Facebook. In what labor officials and lawyers view as a ground-breaking case involving employees and social media, the NLRB stepped in to argue that workers’ criticisms of their supervisors or companies on social networking sites are generally a protected activity and that employers are violating the law by punishing workers for such statements. According to media reports, American Medical denied the board’s allegations, stating they are without merit, and that “the employee was discharged based on multiple, serious complaints about her behavior.” The company added that “the employee was also held accountable for negative personal attacks against a coworker posted publicly on Facebook…”

Media sources reported on another pending case, filed in Georgia against a school district, in which a former high school teacher is claiming that she was essentially forced to resign over Facebook photos that showed her drinking alcohol during a European vacation.

And in a case settled in 2009, two workers in New Jersey sued their employer, Hillstone Restaurant Group, after they were fired for violating the company’s core values. According to court documents, their supervisors gained access to postings on a password-protected Myspace page meant for employees but not managers. The jury found that the employer violated the federal Stored Communications Act and the equivalent New Jersey law, and awarded the employees $3,403 in back pay and $13,600 in punitive damages. Hillstone appealed before the parties reached an undisclosed settlement.

Labor relations pros caution that before taking any adverse action based on social media postings, the employer should consider whether the information could be construed as a complaint or report of inappropriate or unlawful behavior. This includes, but is not limited to, discrimination, harassment, unpaid overtime and other wage violations, or any activities that may trigger an employee’s whistleblower protection.
