As featured in her previous blog posts regarding the battle over negative online reviews, Hospitality, Travel and Tourism practice team member, Judy Endejan, updates us on the results of Yelp!’s latest case. Thank you, Judy! – Greg
In the past twelve months we have reported on a Virginia case, Yelp!, Inc., v. Hadeed Carpet Cleaning, Inc., (“Hadeed”) that was closely watched because the case dealt with whether a business owner could unmask an anonymous blogger who posted specific critical reviews on Yelp! of his carpet cleaning company. This week the Virginia Supreme Court said, “No”. Hadeed had subpoenaed Yelp! to provide information in Virginia that would identify the authors of the reviews under a new Virginia statute that requires only that a business prove that a negative review is, or “may be defamatory” or that it has a legitimate good-faith basis for believing that the review is defamatory in order to learn the identity of the reviewer. Hadeed presented evidence that could prove that the seven negative reviewers were not actual customers of the carpet cleaners, which a lower court found could mean that the reviews could be defamatory.
The Virginia Supreme Court in a fairly short, succinct opinion, held that the lower courts were wrong because Virginia courts do not have subpoena authority over nonresident non-parties like Yelp!. Even though it was registered to do business in Virginia, that is not enough for a court to require Yelp!, a non-resident, to respond to a Virginia subpoena. Yelp!, a Delaware corporation, has its primary headquarters in California. Thus, Hadeed might be able to subpoena Yelp! to produce documents in California but the business could not require Yelp! to respond in Virginia. The Uniform Depositions and Discovery Act allows litigants to get discovery from non-parties in the states where the non-parties reside.
In today's post, Gregg Rodgers, Chair of GSB’s Immigration Practice Group and member of our Hospitality, Travel & Tourism practice team, provides us with the latest updates regarding the federal processes that authorize employment for certain undocumented persons. Thank you, Gregg! – Greg
In my previous blog post, I discussed how recent Presidential Executive Actions had made it possible for certain people who reside in the U.S. without proper documentation to be assigned social security numbers and issued Employment Authorization Documents (EADs). Today’s post provides important information and updates to help an undocumented individual get and retain legal employment authorization. (An employer should never knowingly hire or continue to employ an unauthorized worker.) Most importantly, you will see that it has become extremely important to apply for renewal of an EAD earlier than the government had previously suggested. Getting the word out to employees affected by this may help keep them on your payroll.
Deferred Action for Childhood Arrivals (DACA)
You have probably heard about the President’s Executive Action on June 15, 2012, in which he authorized a procedure for many undocumented people in the U.S. to become authorized for employment. Individuals who demonstrate that they meet the guidelines may request consideration of “Deferred Action for Childhood Arrivals” (DACA) for a period of two years, subject to renewal for a period of two years, and may be eligible for employment authorization. By December 31, 2014, 638,897 people who came to the United States as children and who met the guidelines, had been approved for “deferred action” by the government.
DACA has made it possible for hundreds of thousands of undocumented people to become legally employed in the US for the first time, or to get employment authorization that they could present to their current employer to update Form I-9 information.
Many people have already obtained a two-year EAD and have applied for or are now ready to apply for renewal. Employers should know that, for this group of individuals, employment can occur only after the presentation of a valid EAD and cannot continue past its expiration date unless the employee presents another EAD or other documentation from the List of Acceptable Documents. Having applied for renewal of an EAD or even presenting proof of the approval of an EAD that has not yet been received is not enough to allow continued employment.
But renewing an EAD has become a challenge. Historically, the government discouraged the filing of an Application for renewal of an EAD more than 120 days before its expiration. Most people applied between that date and 90 days before its expiration because, by regulation, the government has 90 days from the date of receipt of the application to adjudicate it, or it is required to grant an EAD for a period not to exceed 240 days. Unfortunately, the government has not met its required adjudication or issuance obligations in most cases over the past several months, resulting in the inability to confirm employment authorization and the subsequent termination of employment for those whose EADs have been delayed. Some employers have treated the termination as temporary, allowing a return to employment for those affected by these delays after the new EAD is presented.
Just this month, the government acknowledged the problem and began to encourage applicants to submit renewal requests 150 to 120 days before the current period of DACA and employment authorization is set to expire. Employers are encouraged to notify DACA-authorized employees of this procedural change.
Implementation of Executive Action of November 20, 2014 Delayed
My January blog post also referenced the President’s Executive Action of November 20, 2014, which had two important issues relevant to this post. However, a temporary injunction was issued on February 16, 2015, that prevents the government from accepting requests as noted below. People interested in understanding more about these issues can read more and register with the federal government to get email updates regarding the status of this important program.
The 2014 Executive Action expanded DACA in several ways. If the injunction is lifted, it could apply to applicants of any age who meet the other requirements (whereas DACA applies to only those under the age of 31 on June 15, 2012) and employment authorization would be expanded from two years to three years.
Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA)
Another significant part of the now-enjoined Executive Action of November 20, 2014 includes authorization for parents of U.S. citizens and lawful permanent residents to request deferred action and employment authorization for three years, provided that they have lived in the United States continuously since January 1, 2010, and pass required background checks. This is known as “Deferred Action for Parents of Americans and Lawful Permanent Residents,” or DAPA.
Where Do We Go From Here?
Maintaining a loyal and stable workforce is important. I fully expect that expanded DACA and DAPA will be authorized in the relatively near future. It can be a good idea to monitor the litigation because, if the injunction is lifted, the government can be expected to move quickly to begin accepting applications for expanded DACA and DAPA. In the meantime, you may want to urge anyone who already has a DACA-based EAD to apply for renewal within the newly announced 150 – 120 day window as the best way to assure the likelihood of continuous employment authorization for them.
Benjamin Lambiotte, technology and data privacy attorney in Garvey Schubert Barer’s D.C. office, shares key points from two significant survey reports analyzing trends in data security breaches during 2014 that were released this week: one from Verizon, and the other from IBM and the Ponemon Institute. It should come as no surprise to anyone that once again, the hospitality industry is featured prominently in both reports. Thank you, Ben! – Greg
The Verizon report studies in depth the industry sectors most frequently targeted and affected, the nature of current threats, and causes and consequences of actual data breaches. The Ponemon report focuses on costs associated with successful attacks. Both are worth a close read. Together, the reports starkly illustrate the increasing pervasiveness, complexity and costs associated with preventing and responding to data breaches. The good news is that they also provide guidance on effective preventive and cost control measures.
Here are some of our key takeaways and observations from these fascinating reports:
No Organization or Business is Immune from Attack, but Some are More Frequent Targets Than Others
- In terms of volume of security incidents by sector, the top ten (in order) were government entities, information, financial services, manufacturing, retail, hospitality, professional services, health care, and other services.
- Actual data breaches (attack succeeds; data lost or compromised) occurred most frequently (in order, by sector) in: government, financial services, manufacturing, hospitality, retail, professional services, health care, information, education, and other services.
- In certain industry sectors, cyber criminals more frequently breach smaller businesses. Smaller hospitality businesses, far and away, ranked number one, with retail second. Financial services remains the number one large business target, followed by large retail, and health care.
- Certain industry sectors are more frequent targets of certain types of threats. For example, the hospitality industry is particularly susceptible to Point of Sale (POS) intrusions. Verizon reports that 91% of data breaches in that sector were POS intrusions. The POS credit card systems used in that industry have of late been plagued by a new breed of malware (including POSeidon) that burrows deep into the system and “scrapes” card data momentarily stored in RAM. “Insider” threats (errors and abuse of access privileges) are more prevalent in health care than other industries. Financial institutions are particularly vulnerable to “crimeware” and web application hacks. Businesses should calibrate their risk management approaches to the specific types of threats they face.
Dealing With a Data Breach is Expensive -- the More Records Compromised, the More it Costs
- Ponemon predicts that the mean cost of a data breach will be $201 per record, an increase over the past two years. Such costs include lost customers and the expenses of dealing with the breach. Relative costs depend on the scale of the breach. Verizon predicts that breaches of 1,000 records will result in losses between $52,000 and $87,000, and that breaches of 10 million records will result in losses of between $2.1 million and $5.2 million.
- Certain industries have higher data breach costs than others, with regulated industries having higher per capita record costs than non-regulated businesses. The highest relative per capita data breach costs (in order) are in the health care, transportation, education, energy and financial sectors.
The Most Frequent Ways Cybercriminals Gain Access Are Through Dumb Stuff We Do or Don’t Do
- In order to steal or compromise sensitive data, cybercriminals have to get at it. The most common way they breach the castle continues to be “phishing” and “spearphishing.” “Phishing” involves baiting a system user to respond to an official-looking e-mail asking for a reply “verifying” a password or account number. “Spearphishing” is a variation where the e-mail also resembles a routine communication from a trusted sender, but invites the recipient to click on a web link or open an attachment whose payload is malware. The stats are sobering. Fully 23% of e-mail recipients open phishing e-mails, and 11% click on the malware payload. 50% of the time, this happens within an hour after the “seafood” e-mail arrives. A phisher who sends out this kind of chum generally only has to wait 1.22 seconds before some sucker somewhere takes the bait.
- Another prevalent way cybercriminals get at sensitive data is an organization’s failure to install “patches” for known security vulnerabilities. The stats here are also depressing. In 2014, half of exploited vulnerabilities were defeated within less than a month after becoming known. But in 99% of the cases where a known vulnerability was exploited, a patch had been available for a year or more! Due to failure to implement available fixes, hackers continue to be able to exploit well-known “oldie but goodie” vulnerabilities.
- Plain old human error is another major inroad for hackers. 60% of incidents were caused by internal staff sending sensitive information to the wrong person, putting sensitive data on publicly accessible servers, or disposing of sensitive medical or personal data in insecure ways. Also, people forget or lose mobile devices containing sensitive data in an insecure environment all too frequently.
- While technological countermeasures are necessary, a focus on human factors – the loose nut behind the keyboard – is at least as important. Training and awareness, and practices designed to mitigate our natural tendencies to make the type of mistakes that frequently give hackers keys to the castle, are a key part of any data breach risk management strategy.
Certain Specific Measures Can Reduce the Cost of a Data Breach When it Occurs
- The Ponemon report documents that certain types of expenditures can reduce the overall cost of a data breach. Having in place before the breach a strong security posture, a Chief Information Security Officer with responsibility for data protection, and a defined incident response plan all reduce the per capita record cost of a breach. It makes sense that planning and investing resources before an incident occurs can save money when it happens.
Greg Duff, Editor
Greg Duff founded and chairs GSB’s national Hospitality, Travel & Tourism group. His practice largely focuses on operations-oriented matters faced by hospitality industry members, including sales and marketing, distribution and e-commerce, procurement and technology. Greg also serves as counsel and legal advisor to many of the hospitality industry’s associations and trade groups, including AH&LA, HFTP and HSMAI.