Protect trade secrets, avoid the burn

Original story posted by Roy Maurer on Society for Human Resources Management website. 

An appellate court recently struck down a company’s trade secrets misappropriation claims because the company failed to protect its intellectual property (IP) as confidential or proprietary.

The Massachusetts Appeals Court ruled in Head Over Heels Gymnastics Inc. v. Ware that defendant Harriet Ware did not steal her former employer’s trade secrets because the information at issue was never identified as such.

Ware was hired as an at-will employee in 2006 to work with gymnasts at Head Over Heels gymnastics academy in Norwell, Mass. When she accepted the position, Ware acknowledged that she had received and understood the employee handbook, which failed to include a noncompetition covenant or any mention of trade secrets.

Head Over Heels maintained a list of the people who trained at the school, including their names, addresses, telephone numbers and e-mail addresses. The information was available to all employees and was never identified as confidential or proprietary.

When Ware was terminated in 2012, she opened an academy of her own, taking approximately 30 Head Over Heels gymnasts with her.

The company sued, alleging that Ware misappropriated its trade secrets, violated her duty of loyalty by contacting its customers and unfairly competed with it.

The court held that because Ware was an at-will employee, she owed Head Over Heels no particular duty of loyalty and was free to “plan to go into competition with ... her employer and take active steps to do so even while still employed.” Further, absent a noncompetition agreement, Ware’s ability to compete with Head Over Heels was not constrained. Lastly, the court determined that Ware did not misappropriate her employer’s trade secrets because the school’s customer list was not legally considered a trade secret.

The court said that in determining whether information is proprietary to a business, “we look to the conduct of the parties and the nature of the information.” A determination about confidentiality is based on several factors, “including the extent to which the information is known outside of the business, the extent of measures taken by the employer to guard the secrecy of the information and the ease or difficulty with which the information could be properly acquired.”

Head Over Heels argued that everyone at the company understood that its customer list was intended solely for the purpose of the business and was neither publicly known nor available.

Nevertheless, the court ruled that, “as a matter of law, the [customer lists] are not trade secrets or confidential proprietary information. It is undisputed that the [customer lists] were available to all staff and employees and were distributed to Head Over Heels’ gymnasts and their families. The broad dissemination and availability of the [customer lists] indicates that Head Over Heels was not trying to guard the secrecy of the information. Importantly, much of the information found in the [customer lists] was readily available in the public domain and could have been easily obtained.”

The court therefore deemed Head Over Heels’ trade secret claims “unrealistic.”

Employer Takeaways

What can employers do to protect against confidential information being used by a former employee? “For starters, if you have confidential information, let everyone with access to it know that it is confidential, either through a designation in the company handbook, when they are given access to the information for the first time or any other obvious way,” said Shepard Davidson, a partner at Burns & Levinson LLP based in Boston.

Limiting access to the information and keeping it secure are additional ways to preserve confidentiality, he said. Training and reminding departing employees about their confidentiality obligations during exit interviews are also good ideas.

“The good news is that a company’s efforts in this regard are measured by a standard of reasonableness, not perfection. So if you have information that you believe is important, confidential or proprietary, take some time to set up reasonable systems to protect that information,” Davidson said.

The App Will See You Now, But May Not Get The Diagnosis Right

Originally posted by Martha Bebinger on July 9, 2015 on

There’s a warning out today for those who go online or to apps to figure out why they have an upset tummy or nagging cough or occasional chest pain. Symptom checkers, those tools that ask for information and suggest a diagnosis, are accurate only about half of the time.

The finding is from a Harvard Medical School study that reviewed 23 sites, such as WebMD, the Mayo Clinic and DocResponse. One third listed the correct diagnosis as the first option for patients. Half the sites had the right diagnosis among their top three results, and 58 percent listed it in their top 20 suggestions.

Dr. Ateev Mehrotra, one of the study’s authors, urges patients to be cautious when using these tools. “These sites are not a replacement for going to the doctor and getting a full evaluation and diagnosis,” he says. “They are simply providing some information on what might be going on with you.” About a third of U.S. adults use the sites, although not necessarily in place of going to the doctor.

Some of the diagnostic questions are also used by nurse triage phone services and, Mehrotra says, these online tools are about as accurate as the call-in lines offered by many insurers and physician groups. “[They are] better than just a random Internet search,” he said.

Researchers entered the symptoms of 45 patients from vignettes used to train medical students. The Mayo Clinic’s first online diagnosis was right only 17 percent of the time, but had the correct diagnosis on a list of 20 in 76 percent of cases.  Dr. John Wilkinson, who works on Mayo’s symptom checker, says the tool directs patients to medical research and prepares them to talk to their doctor.

“We’re always trying to improve but if most of the time the correct diagnosis is included in the list of possibilities, that’s all we’re attempting to do,” he says.

The diagnosis accuracy rate for physicians is 85 to 90 percent. But Jason Maude, who runs a high performing tool called Isabel, says he does not want a Web versus doctor showdown.

“The whole point is not to set the patient against the doctor or replace the doctor, but to make the patient much better informed and to ask the doctor much better questions, and then together they should do a much better job,” he says.

Isabel ranked well in the study, showing the correct answer more than 40 percent of the time in the first diagnosis and 84 percent in the top 20 answers. Those high results, Maude says, may be because the site lets patients type in their own description of symptoms. They might describe a “tummy ache” or “stomach cramps” rather than the more clinical choice of “abdominal pain” used by many online symptom checker tools. And Isabel asks just two or three questions before patients describe their problem, as compared to sites that ask patients to click through 20 questions — steps Maude said may discourage use.

Clarifying how and why patients use these tools is critical, say the study’s authors. They could reduce unnecessary office visits or inform patients as they talk with their doctors.  But for some, the tools may encourage people to seek unnecessary care.

Mehrotra says patients used symptom checkers more than 100 million times last year, a fact that may stun some physicians.

“While most doctors know patients are going to the Internet to search for medical advice, in terms of these symptom checkers, I’ve been surprised that few of my colleagues even knew they existed,” he says.

The Most Dangerous Identity Theft Threat

Originally posted by Adam Levin on August 6, 2015 on

Last weekend, TheUpshot published the most dangerous identity theft threat: the non-expert's tendency to underestimate the magnitude of the problem. The piece in question argued that the consequences of most identity theft have been exaggerated (by identity theft experts like me), and that, "only a tiny number of people exposed by leaks end up paying any costs."

The main source for TheUpshot's argument seems to be the 2015 Identity Fraud Report (covering data from 2014) published by Javelin Strategy and Research, which found a dramatic increase in account takeovers (i.e., when a fraudster is able to get through the authentication process on an existing credit account and make charges) but an overall decrease in the amount of money lost to identity-related fraud.

To think that the 2015 Javelin report minimizes the threat of mega data breaches to consumers is to misread it. To suggest that the threat is overstated is both simplistic and harmful to consumers. The article focuses too much on account takeover resulting from big-name hacks like Target (a very common form of identity theft). Meanwhile, it gives nowhere near enough attention to the very real and long-lasting effects of more serious forms of identity theft - the kind that's committed using Social Security numbers - and the equally big-name hacks like Anthem, Premera, and the Office of Personnel Management that exposed millions of records containing that data.

The Buck Doesn't Stop With the Bank

TheUpshot dismisses the consumer cost of most data breaches (beyond lost time and annoyance) because "several laws protect consumers from bearing almost any financial losses related to hackers." TheUpshot continues, "...banks and merchants, like Target, must bear the cost. But even their losses have been dropping in recent years, as data security experts have learned new strategies to prevent intrusions from turning into theft."

First of all, banks do not bear all the costs if they can help it. They pass it along to the company that caused the problem in the form of fines and penalties, and in some cases the company is only alleged to be the cause of the problem. It is very hard for small businesses to fight card companies on these charges. So when it happens, it can be a near extinction-level event, or force price changes. And, of course, that cost often manifests itself at the consumer level.

Additionally, according to at least one recent report, the cost of a data breach to businesses has not been going down, as stated by TheUpshot. On May 27, IBM and the Ponemon Institute jointly reported the cost per breached record had increased by 12% over the preceding year, from $145 to $154, and that the average total cost of a data breach to an enterprise rose a not inconsiderable 23% to $3.79 million.

And it bears repeating: While it's all very populist and fair-weather foppery to say that companies like Target and Home Depot can foot the bill of a breach, the same cannot be said of smaller businesses--after all, breaches are not confined to big companies.

5% Is a Huge Number

TheUpshot's big reveal: "The more troubling identity theft, in which new accounts are opened in an unsuspecting person's name, make up only 5 percent of the total figure given by Javelin."

To the uninitiated eye, 5% sounds like a small number. But it's missing context.

"Although we have no data to support what percentage of breaches turn into identity theft cases," according to Brent Montgomery, Fraud Operations Manager at my company IDT911, "5% is a lot."

In 2014 there were 12.7 million identity fraud victims, according to Javelin. Just 5% of that total is 635,000 consumers--hardly a negligible number.

Montgomery then highlighted the essence of the problem here: "There are so many breaches on a daily basis that information can be pieced together from one breach to another giving a criminal all they need to complete the puzzle."

TheUpshot fails to account for the long tail of identity theft--the fact that scams are pieced together using data harvested from countless individual and corporate compromises oftentimes sold and resold on the data black market. A scam that happens today may use data that was compromised three years ago--especially when Social Security numbers are involved since their only expiration date is when the holder of those nine digits expires.

Another problem with using the Javelin report is that the data is extrapolated from a relatively small sample of the population, whereas the Federal Trade Commission's Consumer Sentinel Network Data Book for January-December 2014 is driven by hundreds of thousands of pieces of consumer-reported data. That matters here because on page 13 of the Sentinel report, you will find a higher incidence of new account creation (12.5%) than fraud on existing accounts (4.9%).

There Are Very Serious Identity Theft Threats

While instances of new account fraud and some signs of existing account takeover can show up on your credit reports (you can get them for free once a year), other types of identity theft are less detectable - until they really cause damage. Of greater concern is what does happen to consumers whose information falls into the wrong hands--specifically their most sensitive information. Mentioned nowhere in the article is tax fraud, a crime that is most definitely on the rise and cannot be resolved easily or quickly (think: 6-12 months). Equally absent in this Panglossian take on what really is an identity theft epidemic: medical identity theft, which is extremely difficult to detect, equally difficult to resolve and can have potentially life-threatening consequences.

The bottom line is that while it's easy to dismiss identity theft experts as being the equivalent of "the soap company that advertises how many different types of bacteria are on a subway pole without mentioning how unlikely it is that any of those bacteria would make you sick," it is irresponsible to downplay the various serious risks now facing millions of Americans whose most sensitive personal information has been exposed in the breaches of Anthem, Premera, Sony Pictures and the Office of Personnel Management, to name a few. The threat for them is very real, and long-term--perhaps a lifetime.

Can your smartphone tell you if you have depression?

Originally posted by Carina Storrs on July 15, 2015.

Getting a diagnosis of depression usually involves filling out questionnaires about your mood and undergoing lengthy interviews with a psychiatrist. But smartphone apps might be able to handle some of that work, and at least tell you if you are at risk of depression, simply by collecting GPS and other data, according to a new study.

Researchers at Northwestern University in Illinois tested an app they developed called Purple Robot. It uses data from a number of sensors in the smartphone that detect location, movement, phone usage and other activities to assess if a user is likely to have depression.

"The main reason for the development of the app is to see if we can objectively and passively identify if people are depressed," said Sohrob Saeb, a postdoctoral research fellow at the Feinberg School of Medicine at Northwestern University who is one of the developers of Purple Robot.

In the study of Purple Robot, Saeb and his colleagues at Northwestern and Michigan State University looked at GPS or phone usage data among 28 participants for two weeks.

They found that Purple Robot could identify 87% of the participants in the group who were determined to be at risk of depression according to PHQ-9, a nine-question test for depression, based only on GPS data on how much users moved between their regular locations. The more users moved around, the less likely they were to fall into the at-risk category.

In addition, by identifying the participants who used their phone the most, including everything from texting to playing games, but not talking on the phone, Purple Robot could detect 74% of those in the at-risk group. Data on both GPS and phone usage were not available for enough participants to let the researchers see how well Purple Robot performed when both data sets were available, Saeb said.

However, PHQ-9 is only a screening tool that tells you if you have an above-average chance of having depression and is not enough to diagnose depression, said Dr. Scott Monteith, clinical assistant professor of psychiatry at Michigan State University, who has not been involved in developing or researching Purple Robot or other smartphone apps.

The way the test was used in the study, with a low cutoff score, it probably incorrectly identified many of the participants as being at risk of depression who were not, he added.

To get a better idea of the effectiveness of Purple Robot, the researchers are going to do a study involving more participants over a longer period to see if the app can detect changes in behavior over time, Saeb said. In addition, the group will see if they can improve Purple Robot's ability to spot depression by including additional data, such as how long people talk on the phone and who they talk to.

Depression is a debilitating illness that affects about 17% of people at some point in their lives. Meanwhile, it is estimated that by 2025 more than 5 billion people in the world will have a smartphone, and their sensing capability will be above and beyond that of today's iPhones, Androids and Blackberries.

There are probably hundreds of apps that promise to improve your mental health, from offering tests to gauge your depression risk to providing information about depression treatments. Others, like Purple Robot, are in the development stage.

Optimism and DBSA Wellness Tracker are two of the apps on the market that track your mood. goes further and analyzes data such as how much users move around on the weekends and how long they talk on the phone, as well as users' reports of their health, to alert them and their health care providers about concerns with their behavior and mental health., which is in use at about 30 medical centers, is available through health care providers and as part of research studies.

However the problem with all the apps that are designed to warn about depression risk is that their effectiveness has not been demonstrated, Monteith said.

It is not clear how good these apps are at picking out people who have depression, Monteith said. What's more, it is not clear how these apps would be "embedded into a broader continuum of care" to ensure that a person or their doctor went from getting an alert from the app, for example, to that person getting a diagnosis of depression and getting proper care, he added.

Even if researchers can get a better handle on the effectiveness of these apps, there are still numerous questions regarding risks, especially about the data they collect not being secure and private, Monteith said.

"The data from these types of apps could potentially end up in anyone's hands, if the data are moved offshore, which a lot are," said Monteith, who co-wrote a recent article on health care data privacy. Another way data security could be compromised is that when a company is bought, the buyer may not have to adhere to the original terms and conditions about how the data are used, he added.

Experts including Monteith worry that once data get into the wrong hands, that could potentially jeopardize a person's ability to get a job, get life insurance or get a loan.

The best way to keep data secure, at least from hackers and thieves, would be to make sure the users control their data, such as by keeping it stored encrypted on their phone, and have apps analyze the data on phones, and never have it sent back to the app developers or other companies, according to Dr. Deborah C. Peel, leader of Patient Privacy Rights, a nonprofit advocacy organization. Monteith is on the advisory board of Patient Privacy Rights.

As for Purple Robot, some of these concerns may not apply for now. Saeb and his colleagues work with encrypted data. However if they eventually make the app public, if they can demonstrate its effectiveness, they would have all the data on secure servers at Northwestern. This type of data centralization, even on secure servers, is a "honeypot" for hackers, Peel said.

So far, the analyses that Purple Robot is doing are really only for research purposes, Saeb stressed. In addition to the work he is involved in, there is also research on whether the app can pick up signs of bipolar disorder among users.

The app gets its name because the color of Northwestern University is purple, and because the developers hope the app can act like a robot and automatically alert a user of his or her mental health risk and also make recommendations to possibly mitigate the risk, such as using the phone less or getting out of the house, Saeb said.

Despite concerns surrounding these apps, Monteith said he is "totally in favor of research [on them], that's what we need to do." However, he urged that researchers consider both effectiveness and risks in their studies. "We need to look at what the FDA looks at" when deciding whether to approve medical treatments and devices, Monteith said.

Communicating With Your Doctor On Facebook May Be The Future Of Healthcare

Originally posted by Carolyn Gregoire on June 20, 2015 on

We communicate with our friends, our families and our coworkers via email and Facebook, and apparently, most Americans also wish that they could keep in touch with their health care providers this way.

A national survey of 2,252 pharmacy customers conducted by Johns Hopkins University's Bloomberg School of Public Health highlights the gap between what patients want from their health care providers in terms of communication and engagement, and what they're actually getting.

"This study tells us that for most patients, healthcare isn’t quite ready for the future," Joy Lee, a post-doctoral fellow at the university, told The Huffington Post.

In fact, there's something of a patient engagement paradox in healthcare, Lee said.

"On the one hand, doctors, policymakers, and researchers often talk about the need to engage patients," she explained. On the other hand, many patients are already engaged -- in Facebook and other online communities. Yet instead of embracing this connection, medicine is preoccupied with confidentiality and drawing professional boundaries.

Fifty-seven percent of respondents -- who were generally educated, healthy and regular users of Facebook -- said that they were very interested in using Facebook and email to communicate with their physicians and to manage their health. More than half of respondents also said that they wanted to use their physicians' websites to access health information.

More than a third said that they already communicated with their doctors via email, and 18 percent said they connected with their doctors on Facebook, a surprising finding considering that many health care providers have rules barring this mode of interaction with patients due to privacy concerns and ethical guidelines for physicians.

Young adults -- as well as caregivers, patients with chronic conditions, and regular Facebook users -- were more likely to communicate with their doctors via email and Facebook.

Lee emphasized that of course, it's critical to safeguard patient information. But "Health care organizations need to figure out how to take advantage of resources like Facebook," she added.

They're already on the way. As part of the growing telehealth movement, many doctors and health care organizations have electronic systems that patients can use for things like messaging, accessing test results and personal information, and health tracking.

"Many patients are interested in [these services] but few are actually using them -- possibly because patients don’t know they’re available," Lee said. "Doctors and health care organizations should take steps to publicize and educate patients of these opportunities. Either way, it starts with a conversation between patients and doctors on how they prefer to communicate online."

The study was published this month in the Journal of General Internal Medicine.

Anatomy of a Hack

Originally posted by Zurich American Insurance Company.

Once hackers set their sights on a target with access to sensitive company information, attacks may ensue from multiple directions – in the office, at home or on the move. Anatomy of a Hack describes what you and your company can do to help limit exposures.

The risk of having sensitive company data lost and stolen has grown exponentially over the last few years, largely due to the increased use of the Internet and the interconnectedness of everything we do. As the likelihood of a data breach continually escalates, so does the cost.

 Copyright © 2015 Zurich American Insurance Company

Technology plays growing role in benefits

Originally posted January 27, 2015 by Mike Nesper on

Employers of all sizes are increasingly shifting toward using technology for enrolling in and managing their employee benefits. The market for technology-based platforms has been “growing leaps and bounds over the past five-plus years,” says Mark Rieder, an Austin-based senior vice president at NFP.

Ten to 15 years ago, he says, only large groups were focused on technology. Today, “they’re all very much interested in becoming more efficient,” Rieder says. “Technology has become affordable enough to [deploy] regardless of size.”

Offering a variety of support tools is important to help employees make the best selections, Rieder says. Employees want to be able to compare the cost of a procedure at various providers, he says. “Transparency tools are becoming more and more of a hot topic,” Rieder says. “Folks want to know what they’re buying.”

Employees also want to manage all of their needs — payroll, HR, benefits — in one location, Rieder says. The goal is to have a useful platform when it’s needed but not be in the employee’s face when they don’t, says Michael Askin, senior consultant with Mind Over Machines, a Maryland-based software development technology company.

The fact that many employers are still using paper isn’t necessarily a bad thing, Askin says. “There are lessons to be learned from other industries,” he says. Perhaps more importantly, paper protects employee information from hackers, Askin says. Ultimately, the goal of a technology-based platform is to increase employee engagement without increasing security exposure, he says.

A common misconception about security breaches is where the vulnerability lies, Askin says. “Most security issues are actually internal,” he says. For consumers, Askin recommends having a credit card for Internet-only purchases.

Undercover investigators score PPACA subsidies

Originally posted July 23, 2014 by Kathryn Mayer on

Undercover investigators using fake identities were able to get health insurance and tax subsidies through the federal exchange under the Patient Protection and Affordable Care Act, underscoring ongoing problems and security issues plaguing the health care law, officials said Wednesday.

The nonpartisan Government Accountability Office said they created 12 identities with fake citizenship and immigration statuses and phony income documents to test how easy (or difficult) it would be to get coverage and subsidies under the law.

The agency said 11 of the fake applicants were accepted, and the HHS-run exchanges rejected just one applicant because it lacked a Social Security number.

Though flagged some attempts as problematic, the fake applicants found more success on phone calls to call centers handling applications.

“For its 11 approved applications, GAO was directed to submit supporting documents, such as proof of income or citizenship; but, GAO found the document submission and review process to be inconsistent among these applications,” the agency said. “As of July 2014, GAO had received notification that portions of the fake documentation sent for two enrollees had been verified.”

Republicans jumped on the latest news, saying it was yet one more flaw in the faulty law.

“Ironically, the GAO has found Obamacare is working really well — for those who don’t exist,” said Senate Finance Committee Ranking Member Orrin Hatch, R-Utah.

The Obama administration said it was taking the report seriously and would work to strengthen the law’s verification process.

The GAO remarked that findings were “preliminary” and they weren’t jumping to any conclusions yet. The agency said it would release a more detailed report in the coming months.

Eight million people signed up for health plans using the exchanges under PPACA.

The GAO report follows PPACA’s latest hurdle: two conflicting court rulings out Tuesday regarding the legality of PPACA subsidies issued to enrollees in the federal exchange.

Feds add exchange employer site

Originally posted August 2, 2013 by Allison Bell on

Three federal agencies have joined to set up a Patient Protection and Affordable Care Act website for small businesses. offers a "wizard," or interactive tool, that offers to help business owners understand what they need to know about the new PPACA insurance options in a few quick steps.

The Small Business Administration worked with the U.S. Department of Health and Human Services and the U.S. Treasury Department to set up the site.

The wizard starts by asking visitors about their companies' location and size.

On the size menu, for example, the wizard asks whether the user is self-employed with no employees, has fewer than 25 employees, has up to 50 employees, or has 50 or more employees.

The site includes an explanation of how an employer can determine whether it has 50 or more full-time or full-time equivalent employees.

Users who, say, might want to set up group health plans will see information about the new PPACA Small Business Health Options Program small-group exchange program.

In most states, in the pages of information for employers interested in setting up health plans, the SBA gives an answer to the question, "Can I use an agent or broker to buy health insurance in the marketplace?"

"You will be able to use a licensed agent or broker to provide help or handle your SHOP business," the SBA says. "You won't pay more if you use a SHOP agent or broker."

For users in Vermont, a state that is trying to eliminate small-group market broker commissions, the SBA makes no mention of agents and brokers.


Just Over Half of Employers Using Social Media Tools for Internal Communication

Flash survey reveals little consensus on effectiveness

NEW YORK, May 23, 2013 — Despite the explosion of social media in the personal lives of many people, a new survey by global professional services company Towers Watson (NYSE, NASDAQ: TW) shows that just over half of employers are using social media tools to communicate and build community with employees. Further, among those employers that have embraced social media technology, there is little consensus as to which ones are most effective.

The 2013 Towers Watson Change and Communication ROI Survey found that 56% of the employers surveyed currently use various social media tools as part of their internal communication initiatives to build community — creating a sense that employees and leaders are in it together, and sharing both the challenges and rewards of work. However, when asked how they would rate the effectiveness of social media tools, only 30% to 40% of respondents rated most of the tools as highly effective. And only four in 10 (40%) rated the use of social media technology as cost effective.




Instant messaging
Streaming audio or video
HR or other function journal or blog
Enhanced online employee profiles
Social networks
Employee journals or blogs
SMS messaging
Leadership journal or blog
Collaboration sites
Video-sharing site
Apps or other mobile approaches



"We believe that social media can be a great tool for communicating with employees in the workplace," said Kathryn Yates, global leader of communication consulting at Towers Watson. "By its nature, social media is designed to build community and could help engage employees on key topics such as performance, collaboration, culture and values. As the need for global collaboration increases, we expect more companies will join those already leveraging social media to creatively communicate those messages."

The Towers Watson survey also found that while four in 10 employers (41%) say they are effective at building a shared experience with their employees as a whole, the percentage drops by roughly half (to 23%) when it comes to building community with remote workers.

"As today's workforce evolves, we know from our research that the growing number of remote workers are looking for clear communication, to be treated with integrity, and want coaching and support from afar. For employers to effectively engage and retain remote workers, they will need to connect them with their leaders, managers and colleagues. We think social media tools can be a real help in making this connection," said Yates.


The 2013 Towers Watson Change and Communication ROI Survey was conducted in April 2013. A total of 290 large and midsize organizations from across North America, Europe and Asia participated in the survey.