Tag Archives: laura zaroski

Will Your Website Get You Sued?

Plaintiffs’ attorneys have discovered a new, rich litigation vein to exploit, potentially yielding a treasure of targets to sue. Using Title III of the Americans with Disabilities Act (ADA) and applying it to a modern societal institution (the internet) that was not in existence or contemplated when that law was enacted, lawyers may have hit pay dirt again by claiming that websites are not accessible to the disabled.

Title III of the ADA requires places that are open to the public to not discriminate against individuals due to their disability or otherwise deny them “the full and equal enjoyment of the goods, services, facilities, privileges, advantages or accommodations of any place of public accommodation.” These rules apply to any company that permits “entry” by the public. Although traditionally Title III of the ADA has been applied to physical structures, recent cases have raised issues as to whether these rules may apply to websites, as well.

To date, the case law addressing these issues is very limited and has been mixed. Case law from the Seventh Circuit has applied the ADA to websites, and the First, Second and Eleventh Circuits have applied the ADA beyond physical structures, providing ground for plaintiffs to argue that the ADA can extend to a virtual space such as websites. Meanwhile, the Third, Fifth and Ninth Circuits have applied the ADA provisions to physical locations only.


The Department of Justice, which is responsible for interpreting and enforcing Title III of the ADA, says that Title III does apply to websites. However, in typical government fashion, the DOJ has delayed releasing its “accessibility” guidelines for webpages, with an anticipated release date in 2018.

While the regulations and laws on website accessibility may be unclear, a few law firms are nonetheless sending out demand letters targeting specific industry sectors nationwide (for example, private universities and real estate brokerage firms) and demanding compliance with onerous website standards. The letters ask the recipient to hire the plaintiff’s law firm (or its preferred vendor) to help reach an “acceptable level” of compliance. In addition, several national retailers, including Patagonia, Ace Hardware, Aeropostale and Bed Bath & Beyond, have been named in lawsuits regarding accessibility to their sites. According to Bloomberg’s BNA reports, 45 such lawsuits were launched in 2015. That number is expected to increase substantially in 2016.

With the law so unclear on this topic, how should businesses navigate these murky waters? First, if you receive one of these demand letters, you should consider contacting an attorney and should avoid engaging in discussions with the plaintiff or their law firm without representation. Then, along with your attorney and an IT representative (in-house or a vendor), develop a strategy to bring your website into accessibility compliance. Although there is no “one-size-fits-all” approach to compliance, depending on what is on your website, businesses can consider providing audible text on each webpage and providing audible captions for pictures. Ultimately, to play it safe you may want to take all reasonable steps to improve navigation and access on your website.


Takeaway

Lawsuits related to website accessibility could well be the next cash cow for plaintiffs’ attorneys. As the early case law on this issue is so mixed, there is little guidance as to who has to be compliant and what exactly compliance would look like. Until the DOJ gets around to issuing guidelines (assuming they provide much guidance), businesses should consider reviewing their websites and documenting reasonable efforts to make the sites accessible to the disabled. Further, companies should consider purchasing a robust employment practices liability (EPL) policy with broad third-party coverage that can potentially pick up the defense of claims related to website access.

This article was co-written by Marty Heller.

Demystifying “The Dark Web”

We often hear reference to the “deep” or “dark” web. What exactly is the deep or dark web? Is it as illicit and scary as it is portrayed in the media?

This article will provide a brief overview and explanation of different parts of the web and will discuss why you just might want to go there.

THE SURFACE WEB

The surface web or “Clearnet” is the part of the web that you are most familiar with. Information that passes through the surface web is not encrypted, and users’ movements can be tracked. The surface web is accessed by search engines like Google, Bing or Yahoo. These search engines rely on pages that contain links to find and identify content. Search engine companies built their systems to index millions of web pages in a short time and to provide an easy way to find content on the web. However, because these search engines only follow links, a great deal of content is missed. For example, when a local newspaper publishes an article on its homepage, that article can likely be reached via a surface web search engine like Yahoo. However, days later, when the article is no longer featured on the homepage, the article might be moved into the site’s archive and, therefore, would not be reachable via the Yahoo search engine. The only way to reach the article would be through the search box on the local paper’s web page. At that point, the article has left the surface web and has entered the deep web. Let’s go there now…

THE DEEP WEB

The deep web is a subset of the Internet and is not indexed by the major search engines. Because the information is not indexed, you have to visit those web addresses directly and then search through their content. Deep web content can be found almost anytime you do a search directly in a website — for example, government databases and libraries contain huge amounts of deep web data. Why does the deep web exist? Simply because the Internet is too large for search engines to cover completely. Experts estimate that the deep web is 400 to 500 times the size of the surface web, accounting for more than 90% of the internet. Now let’s go deeper…

THE DARK WEB

The dark web or “darknet” is a subset of the deep web. The dark web refers to any web page that has been concealed because it has no inbound links, and it cannot be found by users or search engines unless you know the exact address. The dark web is used when you want to control access to a site or need privacy, or often because you are doing something illegal. Virtual private networks (VPNs) are examples of dark web sites that are hidden from public access unless you know the web address and have the correct log-in credentials.

One of the most common ways to access the dark web is through the Tor network. The Tor network can only be accessed with a special web browser, called the Tor browser. Tor stands for “The Onion Router,” and the network is sometimes referred to as “Onionland.” This “onion routing” was developed in the mid-1990s by a mathematician and computer scientists at the U.S. Naval Research Laboratory with the purpose of protecting U.S. intelligence communications online. This routing encrypts web traffic in layers and bounces it through random computers around the world. Each “bounce” encrypts the data before passing the data on to its next hop in the network. This prevents even those who control one of those computers in the chain from matching the traffic’s origin with its destination. Each server only moves the data to another server, preserving the anonymity of the sender.
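The layered routing described above, as an added example that is not from the original article or the Tor project: a toy onion route in Python in which the client wraps its message once per relay and each relay strips only its own layer, so no single relay sees both the sender and the destination. The stream cipher, relay names and the pre-shared keys are constructed stand-ins for Tor’s real circuit cryptography and are assumptions of this example.

```python
"""Toy onion-routing walkthrough (constructed illustration, not Tor's protocol).
The client shares one symmetric key with each relay, wraps the message in one
layer per relay, and each relay peels only its own layer, learning just the
previous and next hop."""
import hashlib
import json
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with a SHA-256 counter-mode keystream.
    The same call encrypts and decrypts. Illustration only, not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_keys(route):
    """Assumed key setup: one fresh 256-bit key per relay (Tor negotiates
    these with a key exchange; here they are simply generated)."""
    return {relay: os.urandom(32) for relay in route}


def build_onion(route, keys, destination, payload: bytes) -> bytes:
    """Client side: wrap from the exit inward, so the outermost layer belongs
    to the first relay. Each layer names only the next hop and carries the
    still-encrypted remainder."""
    hops = list(route) + [destination]
    cell = payload
    for i in range(len(route) - 1, -1, -1):
        layer = json.dumps({"next": hops[i + 1], "body": cell.hex()}).encode()
        cell = keystream_xor(keys[route[i]], layer)
    return cell


def peel_layer(key: bytes, cell: bytes):
    """Relay side: strip one layer, returning (next_hop, inner_cell)."""
    layer = json.loads(keystream_xor(key, cell).decode())
    return layer["next"], bytes.fromhex(layer["body"])


def can_read(key: bytes, cell: bytes) -> bool:
    """True only if this key strips the current outermost layer; a relay
    holding some other hop's key sees noise and fails to parse it."""
    try:
        peel_layer(key, cell)
        return True
    except (ValueError, TypeError, KeyError):  # bad UTF-8, bad JSON, wrong shape
        return False


def route_message(route, keys, destination, payload: bytes):
    """Drive the cell through every relay. Returns the delivered destination,
    the recovered plaintext and what each relay individually observed."""
    cell = build_onion(route, keys, destination, payload)
    observed, prev, hop = [], "client", route[0]
    while hop in keys:
        nxt, cell = peel_layer(keys[hop], cell)
        observed.append({"relay": hop, "prev": prev, "next": nxt})
        prev, hop = hop, nxt
    return hop, cell, observed


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    keys = make_keys(route)
    dest, text, seen = route_message(route, keys, "news.example", b"uncensored story")
    print(dest, text)
    for view in seen:  # no single relay pairs "client" with "news.example"
        print(view)
```

Running it prints each relay’s view: the first relay knows the client but only the next relay, and the exit knows the destination but only the previous relay.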

Because of the anonymity associated with the Tor network and dark web, this portion of the Internet is most widely known for its illicit activities, and that is why the dark web has such a bad reputation (you might recall the infamous dark web site Silk Road, an online marketplace and drug bazaar on the dark web). It is true that on the dark web you can buy things such as guns, drugs, pharmaceuticals, child porn, credit cards, medical identities and copyrighted materials. You can hire hackers to steal competitors’ secrets, launch a DDOS (distributed denial of service) attack on a rival, or hack your ex-girlfriend’s Facebook account. However, the dark web accounts for only about 0.01% of the web.

Some would say that the dark web has a bad rap, as not everything on the dark web is quite so “dark,” nefarious or illegal. Some communities that reside on the dark web are simply pro-privacy or anti-establishment. They want to function anonymously, without oversight, judgment or censorship. There are many legitimate uses for the dark web. People operating within closed, totalitarian societies can use the dark web to communicate with the outside world. Individuals can use dark web news sites to obtain uncensored news stories from around the world or to connect to sites blocked by their local Internet providers or surface search engines. Sites are used by human rights groups and journalists to share information that could otherwise be tracked. The dark net allows users to publish web sites without the fear that the location of the site will be revealed (think political dissidents). Individuals also use the dark web for socially sensitive communications, such as chat rooms and web forums for sensitive political or personal topics.

Takeaway

Don’t be afraid – dive deeper!

Download the Tor browser at www.torproject.org and access the deep/dark web information you have been missing. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. That said, because your data goes through several relays, it can be slow, so you might experience a more sluggish Internet than usual. However, preserving your privacy might be worth the wait. If you are sick of mobile apps that are tracking you and sharing your information with advertisers, storing your search history, or figuring out your interests to serve you targeted ads, give the Tor browser a try.

Ransomware: Your Money or Your Data!

Your client, ABC Corp. is going about its business and then gets this message:

[Image: police-themed ransomware lock-screen message]

The above is a typical ransomware message, according to a recent Symantec Security Response report. What’s next? Pay the “ransom” and move on? Ransomware is a type of malware or malicious software that is designed to block access to a computer or computer system until a sum of money is paid. After executing ransomware, cyber criminals will lock down a specific computer or an entire system and then demand a ransom to unlock the system or release the data. This type of cyber crime is becoming more and more common for two reasons:

1. Cyber criminals are becoming increasingly organized and well-funded.

2. A novice hacker can easily purchase ransomware on the black market.

According to the FBI, this type of cyber crime is increasingly targeting companies and government agencies, as well as individuals. The most common way that criminals execute their evil mission is by sending attachments to an individual or various personnel at a company. The busy executive opens the file, sees nothing and continues with his work day. However, once the file has been opened, the malware has been executed, and Pandora has been unleashed from the box!

Now that the malware has been unleashed, a hacker can take over the company’s computer system or decide to steal or lock up key information. The criminals then make a “ransom” demand on the company. The ransom is usually requested in bitcoins, a digital currency also referred to as crypto-currency that is not backed by any bank or government but can be used on the Internet to trade for goods or services worldwide. One bitcoin is worth about $298 at the moment. Surprisingly, the amounts are generally not exorbitant (sometimes as nominal as $500 to $5,000). The company then has the choice to pay the sum or to hire a forensics expert to attempt to unlock the system.

The best way companies can attempt to guard against such cyber crime attacks is by educating employees on the prevalence and purpose of malware and the danger of opening suspicious attachments. Employees should be advised not to click on unfamiliar attachments and to advise IT in the event they have opened something that they suspect could have contained malware. Organizations should also consider backing up their data OFF the main network so that, if critical data is held hostage, they have a way to access most of what was kidnapped. Best practices also dictate that company systems (as well as individual personal devices) be patched and updated as soon as upgrades are available.

Finally, in the event you are a victim of a ransom attack, you would need to evaluate whether it constitutes a data breach incident. If the data hijacked is encrypted, notification is likely not necessary (as the data would be unreadable by the hacker). However, if the data was not encrypted, or you cannot prove to the authorities that it was, notification to clients or individuals is likely necessary.

Takeaway

Cyber extortion is more prevalent than most people realize because such events are not generally publicly reported. To protect against this risk, we recommend that companies employ best practices with respect to cyber security and that they consider purchasing a well-tailored cyber policy that contains cyber extortion coverage. Such coverage would provide assistance in the event a cyber extortion threat is made against the company, as well as finance the ransom amount in the event a payment is made.

How to Start Managing Cyber Risk

Hardly a day goes by without a news flash about another cyber breach. Since security breaches have become a daily occurrence, I sat down with Jeremy Henley at ID Experts to discuss the most common ways that companies are being breached and how companies can start to assess their cyber risk profile.

Question: Jeremy, what are the most common ways that you are seeing small to mid-size companies being breached?

Answer: One of the common ways that companies are being breached by hackers is that the hackers exploit vulnerabilities in the company’s security network. This includes the company’s failure to update software or upgrade their systems, as well as the failure to have the appropriate checks and balances in place. Small to mid-sized businesses are particularly vulnerable as they often don’t have the IT staff or budget to continually upgrade and update their systems as their organizations change and grow.

The second most common way companies are breached is through simple employee negligence. This would include a company’s failure to train and educate their employees on basic cyber security. For example, the failure to educate employees on the risks of downloading private data onto a portable device that is not encrypted as well as the failure to educate employees as to how to identify scams that ask them to open suspect emails or attachments. Companies need to educate their employees about the dangers of connecting to unsecured Wi-Fi connections at the airport or Starbucks when they are doing work that includes logging in to sensitive company systems. If someone is spoofing the airport Wi-Fi, you are essentially sharing everything you are doing online with that attacker.

Question: Once clients realize the security risks they face in today’s world, clients often ask where they should start with respect to updating their network security. Do you have any guidance for them?

Answer: I advise our clients to start by asking themselves three questions: 1) What data are we collecting? This is important as it will help them determine what regulations they may need to comply with (HIPAA /HITECH, PCI and 47 state breach notification laws, etc.), 2) How are they managing the data that they have? This includes examining what technology the company is using, if it is creating multiple layers to its security with firewalls and antivirus and if it is creating policies and procedures and training employees as to security safeguards and 3) I would ask the company to examine who they are sharing the data with. Specifically, which vendors or clients have access to its systems, and ask those vendors what security and privacy policies they have in place (if any)? You might consider requiring your vendors to provide proof of a security audit or insurance in the event they are the cause of a breach of info that you were trusted with.

Question: What role does cyber insurance play with your clients?

Answer: Cyber insurance has been invaluable to many of our clients, as most cyber policies include pre-breach education tools and employee training information as well as sample security policies or an incident response plan. Some carriers also work with us to provide risk assessment and penetration testing so that weaknesses can be identified and corrected prior to a breach incident. In my experience, the most valuable part that insurance plays is that the insured is able to fund an appropriate response in the wake of a breach. Clients that do not have cyber insurance usually do not have a budget set aside to deal with this unfortunate event, and after a breach do not have the funding to adequately fund the most appropriate response, therefore limiting their ability to respond to the significant reputational, financial and legal ramifications that such an incident can cause to their organization.

When Are Background Checks Not Allowed?

The Equal Employment Opportunity Commission (EEOC) has been quite active in challenging employers’ use of criminal background and credit history checks during hiring. There is still significant uncertainty as to the current standards and law about checks of criminal and credit history. The lack of solid guidance makes it difficult for employers to determine how to evaluate their current use of this information, as well as to understand the legal pitfalls and hurdles that the EEOC has placed in front of them.

EEOC Directives

This activity emanates from the EEOC’s directive and key priority (as per its December 2012 Strategic Enforcement Plan (SEP)) to eliminate hiring barriers. This priority includes challenges to policies and practices that exclude applicants based on criminal history or credit check. The EEOC has a keen interest in this area, as it believes that criminal/credit checks have a disparate impact on African American and Hispanic applicants. As the EEOC pursues the directive, expect the EEOC to scrutinize failure-to-hire claims where a criminal history or background check was conducted. Even if the background check was “facially neutral” and was uniformly given to all applicants, the EEOC may investigate to determine if the check had a “discriminatory effect” on certain applicant(s).

The EEOC asserts that criminal background checks must be “job-related” and “consistent with business necessity.” Employers are advised to consider: (1) the nature and gravity of the offense or conduct; (2) the time that has passed since the offense, conduct or completion of the sentence; and (3) the nature of the job held or sought. The EEOC stresses the need for an “individualized assessment” before excluding an applicant based on a criminal or credit record.

Local/State/Federal Laws

Employers face additional legal hurdles regarding hiring practices because of recent local and state legislative developments. These laws are commonly referred to as “ban the box” (i.e., restrictions on the use of criminal history in hiring and employment decisions). Making matters even more difficult, employers have also been subject to a surge in class action litigation under the Fair Credit Reporting Act (FCRA). The FCRA regulates the use of and gathering of criminal histories through third-party consumer reporting agencies with respect to conducting background checks on applicants or employees.

Legal Actions

In pursuit of its directive, the EEOC has filed several large-scale lawsuits against employers. We expect that the EEOC will continue to file similar lawsuits throughout 2015 and beyond. Most have been brought as failure-to-hire claims. For example, an African-American woman brought a claim alleging that she was discriminated against based on her credit history. This claim started out as a single plaintiff action, but, after the EEOC conducted its initial investigation, the EEOC dramatically expanded the scope of the initial charge, alleging that the employer was engaging in a “pattern and practice of unlawful discrimination” against: (1) African-American applicants by using poor credit history as a hiring criterion and (2) African-American, Hispanic and white male applicants by using criminal history as a hiring criterion.

Reasonable employers complain that the EEOC has placed them in a Catch-22. Employers have to choose between ignoring criminal history and credit background, which exposes them to potential liability for criminal and fraudulent acts committed by employees, and using that information, which exposes them to an EEOC lawsuit for having used it in a discriminatory way.

Takeaway for Employers

Claims involving criminal background checks and credit checks are an EEOC priority. At this time, employers have little guidance from the courts or the EEOC as to exactly what “job-related” and “consistent with business necessity” mean and just how closely a past criminal conviction has to correspond with the duties of a particular job for an employer to legally deny employment to an applicant. Moreover, employers continue to witness expanding restrictions dealing with criminal history at the state and local level based on ban-the-box legislation, as well as with an increasing number of class action lawsuits involving background checks as required under the Fair Credit Reporting Act.

Employers are encouraged to work closely with legal counsel as to what they should and should not ask of applicants, as well as how and when they can use background information they obtain. Given this evolving area of the law, we additionally recommend that employers purchase a robust EPL policy that will defend them in the event that the EEOC or a well-skilled plaintiff’s counsel pursues a claim against them for discrimination, or for failure to hire based on criminal or credit background checks.