s

Tag Archives: #gsblaw

Keeping Your Undocumented Employees Authorized for Employment

In today’s post, Gregg Rodgers, Chair of GSB’s Immigration Practice Group and member of our Hospitality, Travel & Tourism practice team, provides us with the latest updates regarding the federal processes that authorize employment for certain undocumented employees.

In my previous blog post, I discussed how recent Presidential Executive Actions had made it possible for certain people who reside in the U.S. without proper documentation to be assigned social security numbers and issued Employment Authorization Documents (EADs).  Today’s post provides important information and updates to help an undocumented individual get and retain legal employment authorization. (An employer should never knowingly hire or continue to employ an unauthorized worker.) Most importantly, you will see that it has become extremely important to apply for renewal of an EAD earlier than the government had previously suggested. Getting the word out to employees affected by this may help keep them on your payroll.

Deferred Action for Childhood Arrivals (DACA)

You have probably heard about the President’s Executive Action on June 15, 2012, in which he authorized a procedure for many undocumented people in the U.S. to become authorized for employment.  Individuals who demonstrate that they meet the guidelines may request consideration of “Deferred Action for Childhood Arrivals” (DACA) for a period of two years, subject to renewal for a period of two years, and may be eligible for employment authorization. By December 31, 2014, 638,897 people who came to the United States as children and who met the guidelines, had been approved for “deferred action” by the government.

DACA has made it possible for hundreds of thousands of undocumented people to become legally employed in the US for the first time, or to get employment authorization that they could present to their current employer to update Form I-9 information.

Many people have already obtained a two-year EAD and have applied for or are now ready to apply for renewal. Employers should know that, for this group of individuals, employment can occur only after the presentation of a valid EAD and cannot continue past its expiration date unless the employee presents another EAD or other documentation from the List of Acceptable Documents.  Having applied for renewal of an EAD or even presenting proof of the approval of an EAD that has not yet been received is not enough to allow continued employment.

But renewing an EAD has become a challenge. Historically, the government discouraged the filing of an Application for renewal of an EAD more than 120 days before its expiration. Most people applied between that date and 90 days before its expiration because, by regulation, the government has 90 days from the date of receipt of the application to adjudicate it, or it is required to grant an EAD for a period not to exceed 240 days. Unfortunately, the government has not met its required adjudication or issuance obligations in most cases over the past several months, resulting in the inability to confirm employment authorization and the subsequent termination of employment for those whose EADs have been delayed. Some employers have treated the termination as temporary, allowing a return to employment for those affected by these delays after the new EAD is presented.

Just this month, the government acknowledged the problem and began to encourage applicants tosubmit renewal requests 150 to 120 days before the current period of DACA and employment authorization is set to expire.   Employers are encouraged to notify DACA-authorized employees of this procedural change.

Implementation of Executive Action of November 20, 2014 Delayed

My January blog post also referenced the President’s Executive Action of November 20, 2014, which had two important issues relevant to this post. However, a temporary injunction was issued on February 16, 2015, that prevents the government from accepting requests as noted below. People interested in understanding more about these issues can read more and register with the federal government to get email updates regarding the status of this important program.

Expanded DACA

The 2014 Executive Action expanded DACA in several ways. If the injunction is lifted, it could apply to applicants of any age who meet the other requirements (whereas DACA applies to only those under the age of 31 on June 15, 2012) and employment authorization would be expanded from two years to three years.

Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA)

Another significant part of the now-enjoined Executive Action of November 20, 2014 includes authorization for parents of U.S. citizens and lawful permanent residents to request deferred action and employment authorization for three years, provided that they have lived in the United States continuously since January 1, 2010, and pass required background checks. This is known as “Deferred Action for Parents of Americans and Lawful Permanent Residents,” or DAPA.

Where Do We Go From Here?

Maintaining a loyal and stable workforce is important. I fully expect that expanded DACA and DAPA will be authorized in the relatively near future. It can be a good idea to monitor the litigation because, if the injunction is lifted, the government can be expected to move quickly to begin accepting applications for expanded DACA and DAPA. In the meantime, you may want to urge anyone who already has a DACA-based EAD to apply for renewal within the newly announced 150 – 120 day window as the best way to assure the likelihood of continuous employment authorization for them.

Don’t Forget Copiers, Scanners and Fax Machines in Your Data Security Program

Current generation multi-function printer/scanner/copier devices are convenient, inexpensive, very popular and an important part of a data security program. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes of computers, and are just as vulnerable to the same kind of cyber exploits and attacks as computers. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices,” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them.

Risks
Threats include:

  • Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
  • Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
  • Spam: Unless properly configured and without proper access control, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
  • Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
  • Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
  • Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.

Warning Signs
The Report identified several signs indicating that the security of such a device may be compromised:

  • Display malfunctions or shows incorrect information;
  • Materials (ink, paper, or other supplies) run out faster than usual;
  • Increased number of failed or timed-out jobs;
  • Unexplained/unauthorized changes in configuration settings;
  • Device completes processes slower than expected;
  • Device uses more network time/bandwidth than usual;
  • Time stamps do not align or make logical sense;
  • Communications with unknown IP or email addresses increase; and
  • Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).

Countermeasures
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:

  • At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
  • At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
  • During operation, control device access through PINS and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, and track usage, ensure that stored and transmitted data are encrypted, and timely implement OEM security “patches” and fixes;
  • During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
  • When taking the device out of service, change all passwords and PINS to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.

Brand Protection in the Era of Exploding Domains

Back in the olden days of last year, there was no particular reason for hospitality industry members to be particularly interested in the administration of brand protection or the Internet unless you were curious. Now, it benefits every brand owner to understand and pay attention to the basics of how new domain names come into being, who selects them and how they become public. Beginning in late 2013 and early 2014, the number and type of domains has exploded, providing brand owners both the opportunity to expand and strengthen their on-line presence and to expand the number of potential infringing domains there are to worry about. Much of the domain name process operates outside the awareness of many brand holders, and many have been caught unaware.

The Internet is administered by a non-profit corporation called the Internet Corporation for Net Names and Numbers (ICANN). It is this entity that decides, among other things, what letter strings go after the dot. Beginning in 2012, ICANN began its New Generic Top-Level Domains Program to “increase competition and choice in the domain name space.” ICANN accepts applications for new letter strings and then evaluates them and delegates them to the applicant registry (not registrar, which is the entity in this process most familiar to brand owners and the public—like Register.com, GoDaddy, or Network Solutions).  Eventually, the registry works with ICANN-approved registrars and the new strings are available to the public for registration.

Some terminology: the letter strings after the dot are called top-level domains (TLDs) and are divided into two main categories—generic top-level domains (gTLDs) and country-code top level domains (ccTLDs). gTLDs are further divided into two sub-categories “unsponsored” gTLDs (uTLDs) which anyone can register (like .com, .net, .biz and .info) and sponsored gTLDs (sTLDs) which can only be registered by members of a “sponsored community” (like .gov, .edu, .aero)

The huge push in adding TLDs in the last year or so has focused on gTLDs and the addition of a third category of domains, the Internationalized Domain Name (IDNs) which allow TLDs in characters that are not US-ASCII, such as Chinese, Arabic or Cyrillic. These may be representations of existing TLDs, like .com, in the applicable characters or new TLDs or both.

Any brand owner can see the potential problems here. The number of TLDs to worry about has gone from a handful to, over the next few years, possibly more than 1300. That makes more than 1300 opportunities for a cybersquatter to register [your brand] in connection with a new domain and possibly several opportunities missed to register useful new TLDs, such as .review, .hotel, .restaurant or, depending on how you feel about things, .wtf. There is also the possibility that the new TLD itself may infringe a trademark, and ICANN has accounted for that possibility in its review and the provision of a post-delegation dispute resolution process.

Trademark Clearinghouse

The more likely scenario is that the second-level domain (the bit right before the dot) will be the infringing piece. ICANN has responded to the significant concerns of brand owners in this regard by introducing a new rights policing mechanism called the Trademark Clearinghouse, participation in which is mandatory for all new gTLD registries. Rather than requiring brand owners to rely on the Uniform Domain Name Dispute Resolution Policy process, requiring brand owners to proceed only after a potential infringing name is registered, the Clearinghouse allows for some pre-registration enforcement. Successful registration of valid trademarks with the Clearinghouse permits those trademark owners—for a fee, of course—to:

  •  Apply before the general public for the domain names in which the second-level domains; and
  •  Receive notice of any third-party registrations for domain names containing an exact match to the registered mark(s) for as long as the records are maintained at the Clearinghouse. The potential registrant of an infringing domain name also receives a warning when attempting to register a domain name during the 90 days after the close of the sunrise period, which is called the “Trademark Claim” period.

Registering with the Clearinghouse, if possible, has obvious benefits. In addition, brand owners can track the opening and closing of sunrise periods on both the Clearinghouse and ICANN websites (ICANN’s site includes sunrise periods out into 2015; the Clearinghouse site is more limited).

Blocking Mechanisms

The Clearinghouse in turn works with a variety of registrars who provide what are called “blocking mechanisms” for the new gTLDs. In very brief, the owner of a trademark registered at the Clearinghouse can purchase blocking services to block third-party registrations of domain names containing that trademark (and, possibly, similar marks) without having to go to the trouble of defensively registering [your brand].[gTLD] 70 or 80 times.

Uniform Rapid Suspension System

If  blocking, defensive registration and notification still don’t work (which is entirely possible, given the nature of the Internet) ICANN has also instituted the URS which creates a more streamlined process for shutting down infringing domain names than even the UDRP provides.

As we have written before in many circumstances, the Internet is a tough place for brand owners and, in some ways, it has gotten tougher. Fortunately, there are mechanisms that exist to help brand owners keep control of their good names on the Internet and also to explore new opportunities for expanding their on-line presences.