Archive for September, 2010

Google Engineer Fired for Accessing User Accounts

Posted by fgilbert on September 17th, 2010

Google fired a software engineer because he allegedly took advantage of his position as a member of an elite technical group at the company to access user accounts in violation of company policy.  Accounts accessed included those of four minors whom he had encountered through a technology group, according to reports by CNN and Gawker.

While there is no allegation of sexually predatory behavior, the engineer appears to have spied on minors’ accounts and accessed their contact lists and chat transcripts.

Given Google’s size, it is almost predictable that an incident such as this would happen. When a company has thousands of employees, it is just a matter of statistics and probability. If X% of the country’s population is immature, emotionally unstable or has other personal problems, it is likely that these same characteristics will appear in the workforce of companies, despite the employers’ attempts to identify problem employees and prevent mishaps.

Events similar to the Google firing have occurred in hospitals where employees have taken advantage of their access privileges to snoop into celebrities’ health records.  In this case, patients’ records were copied or stolen for the purpose of selling them to the press. As a result, California enacted a law, California Health & Safety Code Section 1280.15, that requires hospitals and clinics to prevent the unlawful or unauthorized access to patients’ medical information and to report these incidents. The law provides for significant fines for hospitals and clinics that fail to provide adequate protection for patients’ records.  Since the enactment of the law, several hospitals have been fined.

It is very difficult to predict and anticipate incidents such as the one that occurred at Google. Human behavior is too unpredictable. There are, however, a few things that a company can do to attempt to prevent this type of situation, or reduce the probability of its occurrence.

Reference checks

Before hiring or promoting an employee, adequate reference and background checks should be conducted. While most companies conduct a reference check when hiring a new employee, in many cases, the investigation is informal, and is limited to acquiring a better understanding of the person’s skills. These reference checks should be adapted to the nature of the position and the rights and responsibilities that the new hire will have.

Background checks

When an applicant’s responsibilities will give him access to sensitive information, such as personal data or company trade secrets, his background should be checked extensively. An in-depth evaluation might include conducting a criminal record investigation and interviewing character witnesses. This type of investigation is highly regulated, and requires significant precautions. While the administrative burden and financial cost of conducting these in-depth investigations are substantial, the cost is negligible when compared to the potential effect on the company’s reputation and market capitalization that a security or privacy incident might have.

Training

It is also crucial to train the employee (or contractor) appropriately. Initial and ongoing training, periodic reminders, and other education regarding privacy and awareness are essential to help reduce the probability of these occurrences. Young or immature employees, in particular, need appropriate, focused education and awareness sessions for them to acquire the right reflexes when confronted with the temptation to “play God” with a database.

Monitoring

In addition to education and awareness, it is important to ensure that the lessons learned during the training sessions are actually applied in practice.  In other words, the company should regularly monitor the employees’ activities. Companies have a responsibility to their clients and the other employees to ensure that the workforce abides by its rules of ethics and behaviors. They also have an obligation to their shareholders to ensure that the company’s assets (including its intellectual property assets and its reputation) or market value are not jeopardized through the negligence, immaturity or other behavior of their employees. To this end, employee supervision and periodic monitoring of their activities are crucial for identifying derailments while they are still manageable. Many technologies are available for this purpose.

Hotlines

Companies can also supplement their monitoring through the use of whistleblowing hotlines and customer hotlines that allow employees and customers to report problems that they identify.  These hotlines must be administered in such a way as to ensure anonymity, when needed.  The information collected must be reviewed and the matter investigated promptly and with appropriate discretion to protect the individuals concerned.

A company or a group is only as good as its weakest link.  It is a daunting task – but a necessary one – to ensure at all times that all employees understand and abide by the rules.

No Attorney Client Privilege for In-house Lawyers Under EU Law

Posted by fgilbert on September 17th, 2010

On September 14, 2010 the European Court of Justice (ECJ) confirmed that there is no attorney-client privilege under EU law for communications with in-house counsel when a company is under investigation by the European Commission.

In its ruling in the case of Akzo Nobel Chemicals Ltd and Akcros Chemicals Ltd v European Commission, the European Court of Justice affirmed a prior decision of the European General Court that had rejected a claim for legal professional privilege over the company’s communications with its in-house lawyer. The court reasoned that in-house lawyers are economically dependent on their employers, and thus cannot be regarded as independent.

For communications to be privileged, they must be made for the purposes and in the interests of the client’s rights of defense, and with an independent lawyer who is not an employee of the company.  In addition, the lawyer must be admitted to practice in an EU member state.

While the rule above applies to matters before European Union institutions, the rule of an EU Member State will apply to matters reviewed at the country level.  Some European countries, such as Ireland, the Netherlands, and the United Kingdom, recognize a privilege for communications with in-house counsel when the in-house counsel is a regulated legal professional acting as a lawyer.

Press release of the Court of Justice of the European Union:

http://curia.europa.eu/jcms/upload/docs/application/pdf/2010-09/cp100090en.pdf