Category Archives: security

‘HR Lady’s’ Security Breach

I’m imagining you, too, would stop your web browsing for one minute and read an article titled How we tricked your HR lady into giving us access to every customer’s credit card number. I obviously did.

The piece posted by network and security firm Netragard on its website lays out in pretty compelling detail all the steps the company went through to test one of its clients, unbeknownst to the client of course, for its level of vulnerability and/or security through a method it calls penetration testing. For the sake of the anonymity of the large retail corporation being tested, Netragard refers to it as Acme Corp.

What got my attention reading through the piece was just how clever and good hackers have to be, not to mention how clever the companies offering to protect clients from those covert ways have to be.

Like many a hacker, no doubt, Netragard started out by identifying a job opportunity posted on LinkedIn, in this case for a senior security analyst. Here’s just a small portion of the company’s lengthy description of the ploy:

“Interestingly, the opportunity was not posted on Acme Corp.’s website. When Netragard reviewed the opportunity, it contained a link that redirected Netragard to a job-application portal that contained a resume-builder web form. This form was problematic because it worked against our intention to submit an infected resume to HR. We backtracked and began chatting on LinkedIn with the lady who posted the job opportunity. We told her that the form wasn’t loading for us but that we were interested in applying for the job. Then she asked us if we could email our resume to her directly, and of course we happily obliged.

“Our resume contained a strand of RADON 2.0. RADON is Netragard’s zeroday malware generator, designed specifically with customer well-being and integrity in mind. … Shortly after delivering our infected resume, RADON called home and had successfully infected the desktop belonging to the nice HR lady [who] we chatted with on LinkedIn. Our team covertly took control of her computer and began focusing on privilege escalation.

“RADON was running with the privileges of the HR employee that we infected. We quickly learned that those privileges were limited and would not allow our team to move laterally through the network. To elevate privileges, we impersonated the HR employee [who] we compromised and forwarded our infected resume to an IT security manager. The manager, trusting the source of the resume, opened the resume and was infected.

“In short time, RADON running on the IT security manager’s desktop called home. It was running with the privileges of the IT security manager who also happened to have domain administrative privileges. Our team ran procdump on his desktop to dump the memory of the LSASS process. This is important because the LSASS process contains copies of credentials that can be extracted from a dump. The procdump command is ‘safe’ because it is a Microsoft standard program and does not trigger security alerts. However, the process of extracting passwords from the dump often does trigger alerts. To avoid this, we transferred the dump to our test lab where we could safely run mimikatz to extract the credentials.”

You with me still? The good folks at Netragard then used those credentials to access all three of Acme Corp.’s domains and extract their respective password databases. They then exfiltrated those databases back to their lab and successfully cracked 93 percent of all the current and historical passwords for all employees at Acme Corp.

The total elapsed time between initial point of entry and password database exfiltration was 28 minutes. Let me repeat that: 28 minutes. That’s less than half an hour. And at that point, the company had reached what it calls “an irrevocable foothold” in Acme Corp.’s network. “With that accomplished,” its post says, “it was time to go after our main target,” the cardholder-data environment.
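The LSASS step in the chain above is the one a defender has the best chance of seeing: whatever tool reads LSASS memory, signed or not, must first open a handle to lsass.exe with memory-read rights, and endpoint telemetry such as Sysmon’s ProcessAccess event (Event ID 10) records exactly that. The following is an added illustration, not code from the original post or from Netragard, of how a detection might be written over such records. The log lines, the allow-list path, the user names and the procdump location are all constructed for the example; a real deployment would feed it actual telemetry and build the allow-list from its own inventory of security tooling.

```python
"""
Added example (not from the original post or Netragard): flag processes that
open a handle to lsass.exe with memory-read rights, as a credential dumper
such as procdump must. Records are constructed, Sysmon-style ProcessAccess
(Event ID 10) fields joined as Key=Value pairs separated by '|'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows process access rights (values from winnt.h).
PROCESS_VM_READ = 0x0010        # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access; includes PROCESS_VM_READ

# Hypothetical allow-list of images that legitimately read LSASS memory
# (e.g. an AV engine). Compare in lower case; tune per estate.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass(frozen=True)
class ProcessAccess:
    """One ProcessAccess record reduced to the fields the detection needs."""
    source_image: str
    target_image: str
    granted_access: int
    source_user: str


def parse_sysmon_line(line: str) -> ProcessAccess:
    """Parse a constructed 'Key=Value|Key=Value' line into a ProcessAccess."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        source_user=fields["SourceUser"],
    )


def is_lsass(image: str) -> bool:
    return image.lower().endswith("\\lsass.exe")


def reads_memory(mask: int) -> bool:
    # A memory dump needs PROCESS_VM_READ; a full-access mask includes it.
    return bool(mask & PROCESS_VM_READ)


def classify(ev: ProcessAccess) -> Optional[str]:
    """Return a finding for an LSASS memory read by a non-allow-listed image, else None."""
    if not is_lsass(ev.target_image) or not reads_memory(ev.granted_access):
        return None
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return None
    # Full access is the classic dumper footprint; any VM_READ still merits a look.
    severity = "high" if ev.granted_access == PROCESS_ALL_ACCESS else "medium"
    return (f"[{severity}] {ev.source_image} (as {ev.source_user}) opened "
            f"lsass.exe with access mask 0x{ev.granted_access:X}")


def scan(lines) -> List[Tuple[ProcessAccess, str]]:
    """Run classify() over raw log lines and return (record, finding) pairs."""
    findings = []
    for line in lines:
        ev = parse_sysmon_line(line)
        reason = classify(ev)
        if reason:
            findings.append((ev, reason))
    return findings


# Constructed sample records (not real telemetry); only the field names mirror Sysmon.
SAMPLE_LOG = [
    r"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1400|SourceUser=NT AUTHORITY\SYSTEM",
    r"SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010|SourceUser=NT AUTHORITY\SYSTEM",
    r"SourceImage=C:\Users\itsec\Downloads\procdump.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF|SourceUser=ACME\itsec",
    r"SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF|SourceUser=ACME\hrlady",
]

if __name__ == "__main__":
    for _, reason in scan(SAMPLE_LOG):
        print(reason)
```

Of the four constructed records only the procdump line is reported: svchost queries LSASS without read rights, the allow-listed AV engine is ignored, and explorer reads a process that is not LSASS. The point for a defender is that “does not trigger security alerts” is a property of the alerting rules in place, not of the tool; the handle open is observable even when the dump is carried off-host for offline extraction.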

And this, mind you, was a company whose principals had told Netragard that they were highly confident they could withstand any attempted security breach or inadvertent lapse, and that no vendor (or hacker to their knowledge) had ever breached their corporate domain let alone their CDE.

Thank goodness Netragard was simply trying to protect them by revealing their weakness — a “nice lady” sitting in the HR department. Perhaps, on reading this post, you might want to set up some special communications with all the nice folks in your HR organization?

As Netragard’s post implores:

“… the differences between compliance and security are vast. In the past decade we’ve seen countless businesses suffer damaging compromises at the hands of malicious hackers. These hackers get in because they test with more talent, more tenacity and more aggression than nearly all of the penetration-testing vendors operating today. For this reason, we can’t stress enough how important it is that businesses select the right vendor and test at realistic threat levels.”

And self-promoting though it may be, I couldn’t resist including its sign-off:

“It is impossible to build effective defenses without first understanding how a real threat will align with your unique risks. At Netragard, we protect you from people like us.”

Getting Caught in the Drug Screen

There’s an interesting new story in the New York Times today about how employers are struggling to find a key demographic of the workforce: those who are able to pass a drug test.

From the NYT story:

All over the country, employers say they see a disturbing downside of tighter labor markets as they try to rebuild from the worst recession since the Depression: They are struggling to find workers who can pass a pre-employment drug test.

The hurdle, according to the story, “partly stems from the growing ubiquity of drug testing, at corporations with big human resources departments, in industries like trucking where testing is mandated by federal law for safety reasons, and increasingly at smaller companies.”

Data suggest employers’ difficulties “also reflect an increase in the use of drugs, especially marijuana — employers’ main gripe — and also heroin and other opioid drugs much in the news.”

Indeed, Quest Diagnostics, a national drug-testing service, documented an increase for a second consecutive year in the percentage of Americans who tested positive for illicit drugs — to 4.7 percent in 2014 from 4.3 percent in 2013. And 2013 was the first year in a decade to show an increase, the story notes.

But data on the scope of the problem is “sketchy,” the NYT notes, “because figures on job applicants who test positive for drugs miss the many people who simply skip tests they cannot pass.”

The story gets at an interesting question, but one that doesn’t necessarily get enough attention these days, likely due to all the other debates raging in the workplace: When does drug testing become more onerous than advantageous for an organization?

Scam Artists’ Latest Target: HR!

A story appearing earlier this week on the Milwaukee Journal Sentinel website—about a series of phishing incidents that targeted and successfully scammed corporate HR departments into sharing confidential personnel information—recently caught my attention.

It serves as a reminder, in the event one is required, that HR departments need to be much more vigilant in their efforts to protect against such attacks—which continue to become more frequent and sophisticated—or suffer the consequences.

As the MJS story explains, the scam, involving fake emails purportedly sent by top company officials, convinced HR staffers to “send out W-2 tax forms that are ideal for identity theft.” Among the employers featured in the story falling victim: disk-drive-maker Seagate Technology and messaging-service Snapchat.

On March 1, the Internal Revenue Service issued an alert to payroll and HR professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

“The IRS has learned this scheme—part of the surge in phishing emails seen this year—already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives,” the alert said.

IRS Commissioner John Koskinen noted that …

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments. If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS alert explained that this “phishing variation is known as a ‘spoofing’ email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the ‘CEO’ sends an email to a company payroll-office employee and requests a list of employees and information including SSNs.”

The MJS article reports that both Snapchat and Seagate have “notified federal authorities” about the incidents and are offering affected workers two years of free credit monitoring.

Risa Boerner, a partner in Fisher & Phillips’ Radnor, Pa., office and the chair of its Data Security and Workplace Privacy Practice Group, told me yesterday that scam artists are becoming much more sophisticated in their efforts.

Today, she explained, they can clone a CEO’s email account and make it look like it’s coming from him or her, as was the case here. While that was possible 10 years ago, she added, it wasn’t very common for the messages to look as polished and believable as they often do today.

She noted that these incidents speak to the need for employers to not only thoroughly train their employees, but also update their training regularly to keep up with changing tactics. “What was current two years ago may not be current now,” she said.

Prudent advice, I’d say, considering the level of sophistication of the perpetrators. I’m sure no one reading this would like to see his or her company join the ranks of those falling victim to such a ploy—and then having to deal with the aftermath.

Restraining Orders as Legal Arsenal

When an email came my way recently, touting yet another approach to keeping employers safe from liability — restraining orders — I nearly discarded it, thinking it was surely common knowledge among HR leaders.

But something about the wording, and the invitation to interview a Los Angeles judge who thinks employers and their HR departments must not be privy to this technique, compelled me to look further. So I called him.

Herbert Dodell, Judge Pro Tempore for the Los Angeles Superior Court, thinks if employers really understood how much legal protection they’d be cloaking themselves in by filing restraining orders against potentially dangerous employees and ex-employees, more would be taking this approach. As it is, “maybe 5 percent to 10 percent are doing it today, tops,” he says. He goes on:

“Think about it, if there is an unruly employee or someone who is a credible threat of violence, the fact that [an employer] got a restraining order allows [that employer] to argue it did the prudent thing when confronted with a situation.

“If the employer doesn’t do it, and that employee shoots up the place, that employer will be faced with an argument that it didn’t do anything to protect the other employees or the work environment. In other words, it had notice and was negligent about doing something about it. It is no guarantee, but allows for an argument on liability issues.

“With the proliferation of lawsuits against employers for wrongful termination, discrimination, retaliation, you name it — all seeking damages, large and small — employers should be looking for ways to defend their actions and minimize damage claims. Restraining orders [can be] valuable tools in that regard.”

Dodell has a pretty good frame of reference for this. Not only has he heard hundreds of restraining-order cases in his judge’s robe, he also has experience as a transactional and trial lawyer, and as a mediator and arbitrator. So he’s represented people on both sides of these cases and decides them now, too.

Granted, he says, it won’t stop the violence (although it could deter it). “If someone has it in his or her mind to shoot up the place, he or she will shoot up the place,” he says. While such incidents were rare decades ago, he adds, they have been on the rise in recent years — perhaps the most recent being the February shooting at a Moorestown, N.J. security company that left one man dead and another injured.

Hard to say just how much they’re going up. Here’s the Centers for Disease Control and Prevention’s word on that. But as a legal record of steps an employer takes, and as proof in a court of law that “the employers had some concerns and took action, that employer would be far more protected from liability than most are,” says Dodell.

“I’m convinced HR people and employers don’t understand how this works or far more would be doing it,” he says. (He’s not even sure enough risk managers know how effective and simple this is.)

Filing a restraining order, he says, is not a difficult procedure — “basically, a six-page form [that entails mostly] checking the boxes.” Judges like himself “don’t even come out of chambers for temporary restraining orders; then you have a hearing in 21 days; then, if it’s issued, it’s good for three years.”

The thing to remember, he says, is you don’t have to be right about a perceived threat. You simply need to present your concerns to the court in the form of a fact pattern — “this is what happened and this is what we think might happen.” If the judge concurs, you are, in essence, right, and you — and possibly your employees (if the order does serve to dissuade the violent behavior) — are protected for three years.

These documents are not complicated and they’re not expensive, says Dodell, and they make a whole lot more sense than what he’s sadly seen far more often, “where companies simply transfer unruly employees to other departments” to the detriment — and sometimes injuries or murders — of other employees. What’s more, he adds:

“The terms of the restraining order can be ‘manuscripted’ for the court to approve. I often tailor the relief to the need. In wrongful termination cases, it is invaluable to have a finding made by a judicial officer that there was a reason for the termination or conduct by the employer to refute arguments of discrimination, etc.

“In cases where an employee or former employee disrupts the operation of the business or causes damages such as a shooting at the place of business, the obtaining of a restraining order, before something happens, shows due diligence and goes directly against allegations of negligence. Insurance companies should love it when there is a restraining order in place. It can then be shown that a neutral judicial officer found a sufficient basis, by the applicable standard, that the employee or former employee was unstable and that the employer sought to do something about it.”

So there you have it: When in doubt (or concern), file those restraining orders.

I don’t usually take over someone else’s soapbox here, but thought I’d err on the side of safety.

Protecting Black Friday Workers

The Occupational Safety and Health Administration wrote to the nation’s largest retailers this week reminding them about the potential hazards presented by the upcoming Black Friday sales events and offering recommendations on how to keep their employees safe during the shopping blitz, according to The Hill.

The agency is recommending the nation’s largest retailers take precautions via a crowd-management plan on Black Friday (and other busy shopping days) to protect workers from being trampled by customers:

“During the hectic shopping season, retail workers should not be put at risk of injury or death,” says David Michaels, assistant labor secretary. “OSHA urges retailers to take the time to adopt a crowd-management plan and follow a few simple guidelines to prevent unnecessary harm to retail employees.”

The Black Friday safety measures, The Hill reports, come in response to dangerous workplace hazards at retail stores that have increased in recent years as customers push and shove through packed crowds to shop for Christmas gifts.

According to OSHA, one retail worker was even trampled to death by customers who were rushing through the store in 2008.

Best to Shy Away from Ukraine Relocations or Trips

This report Friday from the BBC about the escalating crisis in the Ukraine certainly underscores alerts and cautions released days and weeks earlier about not doing business there right now. Though business travel doesn’t fall completely under the purview of human resources, this earlier alert — which contains a link to this article — from the Incident Management Group Inc. is worth a look. Relocation and expatriate considerations are tied in to this as well.

According to the alert, you’d better not only keep your employees and executive leaders out of the Ukraine and Moldova for the time being, you’d better keep a keen eye on Eastern Europe in general if your organization does business there.

The ousting of Ukraine’s pro-Russian prime minister in February, resulting in the annexation of the Crimea and continued Russian provocations, the alert says, “have caused alarm and unease in many countries in the region [and] many corporate travel managers are concerned that the security situation could deteriorate … .”

Some analysts, the IMG article says, “believe that Russian aggression could go even further [a prescient warning indeed], fearing that Russian forces massed along Ukraine’s eastern border could be preparing for an invasion.”

It goes on to offer this perspective for businesses doing business there:

“Employee travel security in Eastern Europe is normally not a large safety concern. Ukraine and Moldova are at an elevated risk, but most of the countries in the region are roughly comparable to other EU nations in terms of security. For example, the countries of Poland, Czech Republic, Romania, Bulgaria, Slovakia and the Baltic States are generally pretty safe. Visitors should be concerned about the potential for scams and petty theft, but violent crime directed against visitors is generally uncommon.

However, an escalation of Russian aggression could have negative implications for employee travel security [throughout] Eastern Europe. For example, increased tensions could lead to more cyber attacks on Western organizations based in the region. These attacks could be carried out by the Russian government or by rogue pro-Russian elements. One such organization, dubbed ‘Cyber Berkut,’ has already claimed credit for an attack against NATO’s website, and may seek out other pro-Western targets.

Additionally, an escalation of tensions could lead to a Russian energy embargo. After all, much of Europe is dependent on Russian oil and gas. An embargo could lead to shortages and civil disorder in the region, especially if such an embargo took place in winter when demand for natural gas is at its highest. Furthermore, an energy crisis could affect the operations of companies doing business in the region, especially those that rely on fuel to conduct their day-to-day operations.”

From the looks of things geopolitically, there’s no settling down going on, now or anytime soon. This report last Monday from ABC News notes 15 more Russian officials have been added to the European Union’s list of sanctions protesting Moscow’s meddling in the Ukraine — bringing the total number of EU sanctions to 48.

Best advice? According to IMG, get with a professional security consultant if you haven’t already and make sure your organization is developing or updating an evacuation plan. And if an employee or relocatee doesn’t have to be there, by all means don’t send him or her.

 

Service-Dog ‘Fakers’: Could It Happen at Work?

This was certainly intriguing: a release from KCRA in Sacramento, Calif., about a hearing before the California State Senate examining what appears to be a real problem out there: people masquerading their dogs as guide dogs for the disabled so they can bring them along to wherever they’re going.

I guess they would miss them that much, which says something about the kind of person who would conjure up such a scheme. Worse yet, what kind of person would actually then “play act” a disability, namely blindness?

“This is a big issue in California,” Phyllis Cheng, the executive director of the Fair Employment and Housing department, says in testimony. In fact, here is the entire senate-hearing report:

Here, too, is the Fox 45 news report on the problem:

So I’m wondering, could this become a problem in the workplace? I asked two employment attorneys — Keisha-Ann Gray at Proskauer (HREOnline’s “Legal Clinic” columnist) and James McDonald, managing partner of the Irvine, Calif., office of Fisher & Phillips — for their takes on this.

They tell me that, although there is no hard-and-fast rule under the Americans with Disabilities Act requiring employers to allow guide dogs to accompany disabled employees, every employer with 15 or more employees is required to try and make a reasonable accommodation if the request is made, unless that accommodation would cause an undue hardship to the business or present a direct threat to health and safety.

Could this kind of cheating actually lead to workplace “dog parks” though? Well, maybe not dog parks, but both say yes, they could see this kind of problem occurring at work. Such widespread scheming is definitely humanly possible, they say. “I know of people personally who claim their pets are service animals and they put a little vest on the animal so they can go in restaurants, etc.,” McDonald says.

Neither attorney gave much credence to this getting out of hand, necessarily, in corporate America. Thinking realistically, if you consider the fact that employees bringing dogs to work would then have to care for them for the entire day (and we’re talking food, exercise and potty breaks), “that might mitigate this a little bit,” McDonald says.

The bottom line to keep in mind, says Gray, is that this is the very type of situation that could get you in legal trouble if not handled properly. Faking questions aside, “once the employer is aware they have someone who can perform essential functions of the job, but would need help to perform the job based on a disability,” that employer must engage in a reasonable-accommodation dialogue.

And although “reasonable” does mean it does not create undue hardship or safety hazards, proving that a particular dog might bite or “seems irritable” could get dicey.

I’m thinking trying to nail someone for faking a disability or service-dog credentials could get dicey, too.

Best advice, from Gray: “If you’re thinking of denying a person a request for a reasonable accommodation, for whatever reason, get counsel involved.”

Watching Them … Watching You … Watching Them

Steve Lovell says that when an HR staffer walks into a potentially difficult meeting with an employee, they should be wearing something extra: a camera.

Lovell is president of Vievu, which sells “wearable cameras” to police departments and security firms throughout the world. Its latest product is a wearable Wi-Fi camera that’s designed to be worn on a belt, lapel, pocket or other places that bulkier cameras won’t fit. The company also says it’s waterproof and bump resistant, should you have need of such features.

Why would HR need this?

“Companies get accused of wrongful terminations on a daily basis,” Lovell said in an email interview. “With video recording interactions between HR personnel and employees, the long chain of events can settle any false claims for wrongful termination or hostile work environment complaints. This is a valid usage whether a company is hiring, firing or just a simple employee performance evaluation.”

But why, I asked Lovell, would an HR staffer need a wearable video camera for these important meetings rather than just a regular video camera?

He replied that the camera is unique in that it provides “egocentric video” — that is, video shot from the perspective of a person. Additionally, Lovell said, employees will immediately know when they’re being recorded — a green lens is displayed when the camera-wearer activates the device. “It is a proven fact that when someone knows they are being recorded, their behavior is improved,” he said. “This alone can offset conflict and is a benefit our law enforcement customers experience daily.”

Will Vievu crack the HR market? I have no idea. But Lovell’s last point — that people behave better when they know they’re under surveillance — is amply confirmed by Mark McGraw’s recent news story, which finds that surveilled employees are not only better behaved but more productive. None of this is, of course, good news for folks concerned about privacy — but then again, it’s a brave new world, isn’t it?

HR and Risk Management

How often do you collaborate with your risk-management counterparts at your organization? You should be doing so on a regular basis, according to Lowers Risk Group, a consulting firm with about 1,000 global clients. We’ve covered the issue of risk and human capital before, including this byline and this cover story. Now, a new whitepaper from Lowers highlights what it believes are key trends “driving the expanding role of human resources in enterprise risk management.”

Vince Pascarella, who has an SPHR and is vice president of Lowers Risk Group, has this to say:

“Executives tend to rank human capital very high in terms of the potential impact on business results — often ahead of financial risks — but few believe they are managing human capital risk effectively. Most risks begin and end with people, so it’s not surprising to find that human resources is increasingly being called to the table to help mitigate risk.”

The whitepaper is free but requires registration, so I’ll summarize some of the key points and then you can decide whether to delve deeper. First, it cites a Deloitte report that finds a number of trends are leading to a greater focus on human capital risk management: “Black swans,” or low-probability events that have far-reaching impact (including the Euro crisis, the Gulf of Mexico oil spill, the tsunami in Japan, the Middle East uprisings) and “people risks” such as fraud, theft and security breaches that end up making headlines. The view of what constitutes human capital risks is expanding, the whitepaper notes, and now includes four “manageable areas of HCM”:

1. regulatory compliance

2. position risk level

3. management risk tolerance levels, and

4. onboarding issues “that may allow individuals to fall through the cracks.”

This new awareness of risk is, according to the whitepaper, leading HR to collaborate more closely with their risk-management brethren and create a “risk mindset” for day-to-day HR activities. HR must also “make the most of its existing data” to help identify potential risks.

Mulling (Some Testy) Background-Check Testimony

The U.S. Commission on Civil Rights is still wading through testimony gathered Friday during its briefing to determine what impact the U.S. Equal Employment Opportunity Commission’s guidance on criminal-background checks is having or may have on the employment of black and Hispanic workers.

At this point, there doesn’t seem to be a precise timetable for an ensuing report and/or recommendation from the civil rights commission, or specific plan for the guidance, which the EEOC issued on April 25. But safe to say, one overriding theme of the Dec. 7 testimony — taken from 17 different individuals, representing employer groups, advocacy organizations, screening groups and providers, and employment sectors across the country — came in loud and clear: Businesses need to continue screening for criminal histories and they need some clarifications on portions of the guidance or they will remain, as one testified, “between a rock and a hard place.”

In the words of the USCCR, in its announcement about the Friday briefing, “the commission has initiated this investigation to determine whether the new EEOC guidance policy or other prohibitions or limitations on the use of criminal background checks results in lower job opportunities and reduced employment overall among minorities, including non-offenders.”

In other words, the commission’s concern — as raised over the past year by one of its commissioners, Peter Kirsanow — is that, for employers to either remove or not rely so heavily on the criminal-conviction question in a job application, as the EEOC has recommended, they might be creating a hiring system that, in turn, encourages discrimination against black and Hispanic males due to the much higher incarceration rates for these minorities.

As Rich Mellor — vice president of loss prevention for the Washington-based National Retail Federation and one of those testifying — told me in a follow-up phone call, “without that confirmation that an applicant does not have a criminal background,” an employer might be prone to try that much harder to hire a non-minority.

Even with such a confirmation, or disclosure of a criminal record and the chance to explain, minority job applicants are often hobbled by still-pervasive racial bias in hiring, according to testimony from Glenn E. Martin, vice president of development and public affairs for The Fortune Society, based in New York. He cited a Princeton University study of the low-wage labor market in New York that showed black and Latino applicants with clean backgrounds fared no better than white applicants just released from prison.

“Moreover,” Martin testified, “the positive outcomes for black applicants, when presenting evidence of a criminal record, were reduced by 57 percent.”

Mellor, in his testimony, raised an additional red flag about the transparency of this crucial criminal-background conversation. The EEOC guidelines, he said, “were enacted without giving retailers or other employers a chance for input,” according to an NRF release issued just after the briefing. “Hearings,” it says, quoting Mellor, “were held only with a ‘select group of predetermined stakeholders’ and actual text of the guidelines was released only the same morning that they were approved and implemented by the EEOC.”

The EEOC gave me this response today to the NRF’s release:

The NRF and other business groups communicated their views to the EEOC, and we considered them during the development of the guidance. Representatives of employers, individuals with criminal records, and other federal agencies testified at public EEOC meetings in November 2008 and July 2011. The [EEOC] also received and reviewed approximately 300 written comments from members of the general public and stakeholder groups that responded to topics discussed during the July 2011 meeting.

The stakeholders that provided statements to express their interests and concerns include prominent organizations such as the Retail Industry Leaders Association, the U.S. Chamber of Commerce, the Society for Human Resource Management, the American Insurance Association, the National Association of Professional Background Screeners, the NAACP, Leadership Conference on Civil and Human Rights, the Public Defender Service for the District of Columbia, and the D.C. Prisoners’ Project, among others. Additionally, throughout the process of drafting the guidance, individual commissioners and staff met with representatives from various stakeholder groups such as the U.S. Chamber of Commerce, SHRM, HR Policy Association, College and University Professional Association for Human Resources, the National Employment Law Project and the Equal Employment Advisory Council to obtain more focused feedback on discrete and complex issues.

Many of those organizations listed above had people testifying Friday before the USCCR as well, in addition to the employment-law firms Jackson Lewis and Duane Morris, screening provider EmployeeScreenIQ, the U.S. Bureau of Justice Statistics and many more.

Duane Morris’ Jonathan Segal, who testified Friday on behalf of SHRM, told the commissioners that some state and federal laws require employers to conduct background checks for positions such as daycare providers and firefighters. EEOC guidance, he said, puts employers in the tenuous position of “losing their state license if they don’t comply with a state law mandating criminal background checks and risking a class-action lawsuit if they go forward with criminal background checks and base hiring on the results.”

In addition, he said, the guidance’s interpretation of disparate impact appears to make employers “vulnerable to an EEOC investigation any time they take an adverse employment action against individuals of certain races or national origins based on criminal background checks regardless of whether they have conducted a valid individualized assessment — seemingly making criminal convictions a new protected status.”

Rest assured I will be following this and will report developments as I catch wind of them. Pretty packed with pressing issues for employers, I’d say.