Q: What are the pay requirements when a non-exempt employee is on-call by cell phone 24 hours a day?

A: There are two basic types of on-call time: controlled and uncontrolled.Employees are on uncontrolled on-call time if they are completely free to use the time for their own purposes. Such “free” on-call time is not under the control of the employer and, thus, need not be paid.Employees are on controlled on-call time if they are restricted in a way that means they cannot reasonably pursue personal activities and come and go as they please. Employees on controlled on-call time must be paid for all on-call hours, but they can be paid at a different hourly rate than the employee’s usual rate—provided that this rate is not less than the applicable minimum wage.

The California Division of Labor Standards Enforcement DLSE and California courts apply what is called the “Madera Test” to assess the extent of an employer’s control over an on-call employee. The test measures whether any restrictions placed on the employee during the standby time are primarily intended to benefit the employer, and if the employee is so restricted that he or she can’t attend to personal activities.While this test is applied on a case-by-case basis, the DLSE and the courts consider the following five factors in each case:

1 geographic restrictions on the employee’s  movements;

2 required response time;

3 the nature of the employment e.g., emergency or health care services;

4 whether the on-call employee can easily trade his or her on-call responsibilities with another employee; and

5 the extent the employer’s policy would affect personal activities during on-call time, depending on the personal activities that the employee engages in.

The bottom line is the amount of “control” exercised by the employer over the activities of the employee. The greater the control, the greater the likelihood a court or the DLSE would rule that you should be paying for that time.To avoid having to pay for on-call time, make sure you're adequately staffed to call on more than one employee if needed. Also, if applicable, your on-call policy should inform employees that they are not restricted in their movements or the kinds of activities they can pursue.

via From the CEA Mailbag: Paying Employees for On-Call Time.

Check out this unsolicited fax ad we received today:

This purportedly is from the “Yellow Pages” and nefariously shows a logo which looks suspiciously like the real “Yellow Pages” logo but upside down.  The idea here is to get you to fill out your information and fax it back to them.  They encourage you by promising to actually submit your information to Google!  But beware, because if you do that you will have agreed to pay them $89.00 per month for a two year term (that’s over $2100!) with the first year payable in advance.   If you were to send this back to them, they would no doubt send you an invoice, followed by a nasty-gram that if you don’t pay they will sue you.  When you finally wake up to what you have done, they will have filed a lawsuit against you in New York. What, you don’t live in New York?  Tough, you have agreed to be sued there (it’s in the terms and conditions). And you will have to pay their attorneys’ fees as well. 

And what is it that Yellow Publishing Ltd. has agreed to do for you in exchange for paying them over $2,100?  Well hold onto your hat, because they will list your business on their website, which probably gets just about no traffic at all except for people like me researching scams  like this.  The so-called publisher, Yellow Publishing Ltd. is listed as having an address at 111 Picadilly, Manchester, M1  2HY, UK.  So you will need to hire a lawyer in England to get your money back from them. 

I feel very sorry for people who unwittingly send back a form like this.  This just underlines the importance of reading everything carefully before you sign it.  Scams like these are unfortunately becoming more and more prevalent, and with the Internet the transaction costs are practically zero for the fraudsters. 

This fax will forwarded to the California Attorney General. Maybe they will do something about these unscrupulous scoundrels.

“The settlement with the National Arbitration Forum comes after the Minnesota AG sued the firm on July 14 for consumer fraud, deceptive trade practices, and false advertising. The civil suit, filed in state district court in Minneapolis, alleged conflicting ties between the NAF and debt-collection law firms that represented major credit-card companies. The suit also alleged that New York hedge fund Accretive LLC owned stakes in such collection law firms and the NAF, sending arbitration business between the two.”

via Wall Street News Blog – BusinessWeek.

“Plaintiffs’ lawyers, they fear, are scouring these sites, looking for evidence to dispute firings, as most LinkedIn recommendations are positive. So if a supervisor claims that an employee was let go due to performance problems but gave a rave review about him or her on LinkedIn — that, the lawyers stress, won’t look so good.

via Lawyers warn employers against giving glowing reviews on LinkedIn.

The settlement underscores the importance of good data security measures.  Businesses handling personally identifiable information should review and update their data security procedures regularly.

The EU Data Protection Supervisor – the independent EU supervisory authority responsible for protecting personal data within the EU – recently pushed for the EU ePrivacy directive to be amended to provide for a pan-European data breach notification requirement. In parallel, the UK Information Commissioner, who is charged with enforcing the Act in the UK, has been given powers to levy ‘substantial’ fines in cases where the UK’s Data Protection Act has been ‘recklessly’ disregarded.

Changes to data security regulation are inevitable after twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, including the UK’s HMRC CD-Rom fiasco, the prolonged theft of TJX credit card records, and incidents such as the hacker infiltration of the customer database of a Berlin Best Western Hotel.

In France, Germany, Spain the national data protection commissioners have been stepping up their enforcement activity, which includes increasingly substantial fines for non-compliance. Organisations now urgently need to assess the size of the issue, the potential impact on their organisation of a data breach, and the best practice steps for mitigating the data breach risk.

Last Year’s IT Governance Data Breaches Report stated that spectacular data breaches are not caused by the misdemeanour of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.

A data breach is ‘the unauthorised disclosure by an organization of personally identifiable information, where that disclosure compromises the security, confidentiality, or integrity of the data that has been disclosed.’ which can come about via employee caused Data Leakage, Hacking caused by a lack of, or ineffective, penetration testing or ethical hacking activities, or deliberate theft or disclosure.

The Attritiondatabase shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches such as the UK’s HMRC data loss, suggests that there were – and probably still are – many data breaches that go unreported and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy

Data protection is receiving so much attention for three reasons:

1. Identify theft is a low-risk, high return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks. It is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police force[3] and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.
2. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California’s data breach disclosure law, SB1386, have both formalised the concept that personal data must be legally protected, and introduced penalties for failing to do so. The recent amendments to the UK Data Protection Act (DPA), and changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive, make this a particularly urgent issue for UK organisations.
3. The proliferation of mobile data storage devices – laptops, USB sticks, PDAs – has changed the boundaries of where we store our data and effectively eliminated “fixed fortifications” as an effective tool for preventing data breaches.

The last Ponemonreport commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and ” the return on investment (ROI) and justification for preventative measures is clear”.

Costs of data breaches – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant; for financial services organisations, it was about £55 per compromised record.

Whilst not involving legal compliance, if an organisation has a credit card-related data breach and is found not in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organization should take:

1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognised standard for encryption engines.
2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.
3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
4. Organizations that accept credit and other payment cards should also comply with the PCI DSS.
5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.
6. Deploy outward-bound channel (email, instant messenger) filtering software with customised dictionaries for relevant legislation such as Data Protection Directive, PCI, etc
7. Establish a vulnerability patching programme and implement anti-malware software.
8. Implement a business-driven access control policy, combined with effective authentication.
9. Develop an incident management plan that enables the organization to respond

Article Source: http://www.articlesbase.com/security-articles/business-risks-associated-with-data-breaches-961225.html

About the Author:

James Tanner is an analyst at Orthus limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping orgnisations globally to measure, minimise and manage the information risks they face. Orthus provide end to end services for clients to comprehensivly address risk in their environments including Insider Threats, addressing issues including data leakage, sabotage and fraud; External Threats including penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats including securing cloud services and data processed by third parties; and Legal and Regulatory challenges (http://www.orthus.com/grc_overview.htm) including Payment Card Industry (PCI) Data Security Standard (DSS).

via Protecting The Keys To The Castle: Obama Administration’s.

NEW YORK (AP) – When the economic recovery finally arrives, many small business owners won’t try to rebuild their shrunken stock portfolios. They’ll be putting their money in what looks like a better bet: their companies.

via Business owners invest in their firms, not stocks.