The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Employee Use of Peer-to-Peer Software Presents Data Security Concerns

The data security risks involved in the installation of peer-to-peer file-sharing software on corporate computers were demonstrated by a recent security breach incident at a major pharmaceutical company that was traced to the use of unauthorized P2P software on a company laptop. The data security breach occurred when an employee’s spouse installed the software on a laptop provided by the company for the employee’s use at home. According to the company’s letter notification to its affected employees, the names, social security numbers, and, in some cases, addresses and bonus information of some 17,000 present and former employees could have been accessed and copied by third parties via the P2P software. Now the company is being sued by its employees in a putative class action.

At about the same time, Rep. Henry Waxman held hearings in Washington on July 24, and concluded that the use of such software in government and corporate environments is a "national security threat." Tests conducted by his staff using popular P2P applications revealed that a multitude of varieties of sensitive corporate information is inadvertently made available on P2P file-sharing networks.

The security breach incident, and the results of Rep. Waxman’s tests, underscore the importance of having, and enforcing, data security policies in the corporate environment. A properly drafted security policy should include the following:

  • Provisions prohibiting the installation of unauthorized software on all company computers, specifically including laptops and other computers provided by the company for use in the home environment.
  • Provisions prohibiting the use of company-provided computer equipment by anyone other than the company employee.

Leave a comment

New Rule Regarding SSA’s “No-Match” letters

New federal regulations will impose requirements for how a company’s HR department must handle "No-Match" letters received from the Social Security Administration (SSA) in response to SSA’s review of the W-2 forms they issue and file. 

The Department of Homeland Security (DHS) recently-issued regulations (72 Fed. Reg. 45611, 8/15/07), which would require an employer to follow certain procedures when it receives a "No-Match" letter from the SSA. The new regulations were scheduled to go into effect on September 14, 2007, but a federal court stayed their implementation temporarily. Under the regulations, if an employer does not comply with certain requirements, the DHS may use such noncompliance as evidence of the employer’s "constructive knowledge" of a violation of immigration law, and the employer may face criminal and civil penalties.

It has been common practice for the SSA to send an "Employer Correction Request" (commonly known as a "No-Match" letter) to employers when employee information (including name and Social Security number) received by the SSA from such employer in a W-2 form does not match the information maintained by the SSA. In the past, "No-Match" letters played a merely informative role, identifying such mismatches to the employer, so that the employer could respond appropriately. Now, because of this new regulation, "No-Match" letters will be accompanied by a notice from the DHS outlining specific obligations and procedures the employer must follow in response to the letter.

Through this regulation, the DHS has expanded its definition of what it means for an employer to have "constructive knowledge." Under the new definition, an employer’s failure to take certain proscribed actions after it receives a "No-Match" letter from the SSA constitutes its "constructive knowledge" that an identified employee is an "unauthorized alien." However, if the employer complies with the DHS’s procedures, the regulations provide that "receipt of the written notice will therefore not be used as evidence of constructive knowledge." Compliance with such procedures would establish a "safe harbor" for the employer, shielding it from potential criminal and civil liability and, as long as the procedures are applied uniformly to all employees, protecting the employer from employee claims of unlawful discrimination.

This regulation is being challenged, and, as mentioned above, a temporary restraining order has been issued against the DHS and SSA by the U.S. District Court for the Northern District of California, enjoining and restraining the two agencies from implementing the regulation.

Leave a comment

ISP Entitled To Rely Upon Spamming Complaints In Terminating Contract

An Internet Service Provider (ISP) acted in good faith in terminating a customer agreement for violation of the ISP’s Acceptable Use Policy, where the ISP relied upon complaints by other customers that the plaintiff had engaged in spamming activities.  Asch Webhosting, Inc. v. Adelphia Business Solutions Investment, No. 04-2593, 2007 U.S. Dist. LEXIS 52932 (D. N.J. July 23, 2007) (unpublished). The court granted the ISP’s motion to preclude the recovery of consequential damages pursuant to the exculpatory clause in the contract, rejecting the plaintiff’s argument that the spamming complaints were false, demonstrating bad faith on the part of the ISP and thereby voiding the exculpatory clause. The court concluded that the ISP’s good faith in terminating the agreement was demonstrated on the record, and that the ultimate accuracy or veracity of the spamming complaints was immaterial so long as the ISP relied upon them in good faith.


Leave a comment

‘Assisting’ In The Transmission Of Spam May Constitute ‘Initiating’ The Transmission Of Unlawful Messages Under The CAN-SPAM Act

A corporate officer that "assists" in the transmission of allegedly misleading and deceptive commercial e-mail messages may be deemed to have "initiated" the transmission of spam under the federal CAN-SPAM Act.  Omni Innovations, LLC v. Impulse Marketing Group, Inc., No. C06-1469, 2007 U.S. Dist. LEXIS 51867 (W.D. Wash. July 18, 2007). In denying the motion to dismiss CAN-SPAM Act claims against the corporate officer, the court found that more than one person may be considered to have initiated an e-mail message under the Act.  The court found that the defendant corporate officer who allegedly "assisted" with the spam may be considered to have "initiated" the unlawful messages, that is, to "originate or transmit the message oneself or to procure such action by inducing another person to transmit the message."