When It Rains, It Pours: The Psychology that Makes Us More Vulnerable During a Crisis

I received the following email alert from a cybersecurity client of mine:

“6x increase in cyber attacks over the last 4 weeks.”

“Information about COVID-19 should only come from a legitamate source. Don’t trust unsolocited emails or open unknown links”

“Really?,” I thought to myself; “We’re on lock-down, stressed about family and friends, not to mention business and jobs, and I’m getting cybersecurity alerts?” Frankly, I usually ignore them when I’m not distracted, but who has time for this now? 

However, the more I thought about it, the more I realized that’s exactly what cybercriminals are thinking too and why people need to stay alert and resist the temptation to click on those compelling links.

The truth is, despite the fancy hardware and software solutions available, most cybersecurity breaches occur due to human error or phishing attacks. Unless you have relatively sophisticated automated solutions, the people IN your organization may represent your greatest internal threat.

While companies see high risks from external threat actors, such as unsophisticated hackers (59%), cyber criminals (57%), and social engineers (44%), the greatest danger, cited by 9 out of 10 firms, lies with untrained general (non-IT) staff. In addition, more than half see data sharing with partners and vendors as their main IT vulnerability. Nonetheless, less than a fifth of firms have made significant progress in training staff and partners on cybersecurity awareness (ESI ThoughtLab/WSJ Pro Cybersecurity, 2018).

And this was before COVID hit us between the eyes. Let’s take a quick look at the psychology at play that makes us even more vulnerable during a crisis.
The Neuroscience of Crisis

As humans, we are prewired for crisis. 

Whether you think of this brain system as the “reptilian brain,” attributed to Paul MacLean and his Triune Theory (Sagan, 1977), or the fight-flight reaction of the sympathetic nervous system (System 1) which is our immediate, emotional reaction (Kahneman, 2011), it is clear that our brain protects us in times of danger. 

This system, which is buried deep in the interior of the human brain, is both evolutionarily older and more immediate than simple cognitive thought; it is pre-cognitive. When the danger is ambiguous, System 2 thinking (which, in contrast with System 1 is slower, more deliberative and more logical) is nice; go through your options, take your time, don’t rush. 

But when there is a perception of crisis, the need to ACT is immediate. 

The fight-flight response makes us want to DO something, and now! From an evolutionary point of view, in times of danger, those who acted first were often safer than those who took their time.

The COVID-19 pandemic is, of course, a crisis. 

Have people noticed how much more tired they are these days, even though we aren’t even leaving the house? It’s because crisis mode requires more energy. During a crisis, the thoughtful, reflective parts of our brain shut down. In other circumstances, we might hover over a suspicious link, while we process whether it seems risky or not. 

But that requires fully functional frontal lobes, or executive functioning, which need time and undivided attention to work properly. In crisis mode, frontal lobe functioning is significantly diminished, or may go offline altogether, in favor of a quick (albeit less considered) action or reaction. 

To make matters worse, cybercriminals know this: They know what emotional buttons to push to make you afraid (just click the link) or try to help (just click the link), or maybe even register your opinion (just click the link). 

But if you do click that unfamiliar or disguised link, you may have just let criminals into your personal computer and, by default, into your company’s IT system. 

Wait, consider, relax. Let System 2 kick in before you commit yourself, your computer, and your company to whatever those “black hat” cybercriminals have in mind.

Motivation During a Crisis

After the fear comes a desire to help. 

This is one of the ways that cybercriminals trick well-meaning people. Whether it’s a donation, or a message of support, or some other activity to help, we are again motivated in ways that leave us open to online criminal behavior. 

McClelland’s Social Motive Theory suggests there are three primary social motives: Achievement, Affiliation, and Power (McClelland, 1987). 

We all have the capacity for all three, and genetics and socialization as well as cognitive choice determine which motive wins the day in a given situation. In times of individual crisis, needs for achievement (e.g., successful social distancing) or needs for power (e.g., controlling the situation) may come to the fore. 

But in a social crisis, many of us are “hard-wired” to help, triggering a need for affiliation. 

That desire to help may cause people to act impulsively in what they believe is a pro-social, affiliative manner. Just click the link to make your donation, just click the link to show your support, and on and on, the cybercriminals never stop trying. Like the very best advertisers, they are clever about pushing your emotional (non-cognitive, pre-cognitive) buttons to get you to act in ways that benefit them.

I am assuming everyone reading this has the best of motives. Those very motives make you susceptible to the manipulation of cybercriminals. 

If your current impulse is to put this away, turn to something else, then you have experienced exactly what cybercriminals are counting on. 

Information fatigue, too much bad news, or just a desire to put some positive energy back out into the world, may all leave you vulnerable. 

Don’t click suspicious links, or even links that look well-meaning, without doing some simple checks and reviews first. 

  • Hover over a link and see if the URL is the same as whom the email purports to be from. 
  • Don’t provide any information, on any social media, whether at work or elsewhere, that can be used against you. 
  • Hackers are clever and unscrupulous so check and double-check links that looks suspicious in any way. 
  • Do a bit of research before you agree to anything and certainly before sending money or private information.
What’s Your Story?

Narrative is the final pillar in this little tripartite approach to cybercrime. I have come to believe that personality is a story we tell ourselves (and the world) about ourselves (Bruner, 1985). 

This story comprises our identity, it is who we think we are and often these beliefs about who we are dictate how we behave in the world and how we process information. 

For example, as a psychologist (not to mention a human being), I think of myself as a helpful person. I try to be kind and considerate. I don’t like to walk past beggars without giving them something (yes, yes, I know that would cause me to lose points on the WAIS IQ test but there you go, despite my cognition telling me this could be a trick, he or she will just buy cigarettes and beer, I often give in anyway). 

Cybercriminals will use these ideal images we have of ourselves to manipulate our thoughts, emotions, and purse-strings. 

  • I am good, so I give to the sick and needy. 
  • I love children, so I’ll give to those orphaned by COVID. 
  • I support healthy behaviors, so I’ll do most anything to protect my health. 
  • I’m a good parent, so I will click the link that shows me 10 ways to protect my family from infection. 

Your personal narrative is the core of your personal identity. We sometimes value it more than life itself (think of martyrs). 

If a clever cybercriminal hacks your social media, understands what makes you “tick,” that information can be used against you in a cybercrime.

The threats are real and so are the psychological levers cybercriminals pull to manipulate your fear. 

We are all overwhelmed, trying our best to hang in there, and help each other where we can. Don’t let your best intentions, and fatigue, allow you to be manipulated to behave unsafely online. COVID is real, and so is cybercrime. We must be alert to both.

Written by: Dr. Mark Sirkin, CEO at Sirkin Advisors

References

Bruner, J. (1986). Actual minds, possible worlds. Cambridge, MA: Harvard University Press.

ESI ThoughtLabs/WSJ Pro Cybersecurity (2018). The cybersecurity imperative: Managing cyber risks in a world of rapid digital change. New York: Author.

Kahneman, D. (2011). Thinking, fast and slow. New York: Farrar, Straus and Giroux.

McClelland, D. (1987). Human motivation. New York: University of Cambridge.

Sagan, C. (1977). The dragons of Eden. New York: Penguin Random House.

 

FLSA: Congressional Intent and Gaming the System

Despite its status as a seemingly antiquated piece of New Deal legislation, the Fair Labor Standards Act (FLSA) has constituted the battleground for a long-running legal conflict over the right of employees to claim overtime. The Supreme Court issued its first major FLSA ruling in A.H. Phillips Inc. v. Walling (1945), a decision which established strict construction of the law’s provisions for exemption (a status that precludes overtime pay) as the legal norm. The case, which involved A.H. Phillips’ decision to deny overtime pay to employees in its warehouse and central office, demonstrated the Court’s determination to vindicate congressional intent. Writing for the majority, Justice Murphy noted that because the act constituted “humanitarian and remedial legislation” and comported with “the announced will of the people,” its provisions for exemption should not be subjected to jurists who might “abuse the interpretative process.”1 The provisions of the law at issue, the Court held, should be applied only to “those plainly and unmistakably within its terms and spirit,” setting the stage for narrow construction of the FLSA’s rules for overtime exemption and affirming the central purpose of the law: to ensure that workers in low-wage industries receive fair pay for the hours they work.2

Ironically, however, there has been a recent rash of otherwise well-off plaintiffs eager to claim non-exemption under the FLSA and obtain additional compensation, a development which surely contradicts the intent of the law’s framers. In fact, as Law360 notes, “almost all of Wall Street’s biggest banks have been hit with lawsuits alleging that they violated the Fair Labor Standards Act by classifying brokers as administrators rather than as sales people,” a classification which would render them exempt from FLSA overtime rules.3 These claims lack merit – especially in light of guidelines published by the Department of Labor that assert that “[e]mployees in the financial services industry generally meet the duties requirements for the administrative exemption.”4 Even in light of the obvious weakness of these assertions, the alarming fact that workers in the financial services industry (a field generally known to be lucrative) lodged such claims at all demonstrated that the intent of the law needed to be clarified again by the nation’s highest court.

The Supreme Court did just that in Encino Motorcars v. Navarro (2018), a landmark FLSA case on par with A.H. Phillips. Writing for the majority, Justice Thomas rejected a claim that “service advisors” employed by an auto dealership met the definition of nonexempt workers under the FLSA.5 Even more importantly, Encino Motorcars signaled the Court’s willingness to apply a broad standard in assessing exemption under the law, rather than a narrow standard that grants exemption only to those employees “plainly and unmistakably within [the FSLA’s] terms and spirit.”1 Although the Court’s recent decision constitutes a departure from precedent, it vindicates both the intent of the FLSA’s drafters and reaffirms the common-sense understanding that employees should be remunerated only in proportion to their willingness to work hard and accomplish the tasks set before them. In other words, both congressional intent and common sense dictate that financial services employees should be paid a salary reflecting the quality of their work product, not merely the hours they work. They are professionals, after all.

  1. A.H. Phillips v. Walling (1945), Murphy, J. Majority opinion.
  2. Ibid.
  3. https://www.law360.com/articles/34738/investment-banks-take-the-offensive-in-flsa-suits?copied=1, para. 2
  4. https://www.dol.gov/whd/overtime/fs17m_financial.pdf, para. 3
  5. Encino Motorcars v. Navarro (2018), Thomas, J. Majority opinion.

Pastore & Dailey Successfully Negotiates Agreement for Former Investment Professional of Hedge Fund

Pastore & Dailey attorneys successfully obtained a favorable agreement on behalf of a client in a dispute with a former hedge fund employer in a private EEOC complaint.  The complaint alleged employment discrimination and sexual harassment.  This favorable settlement prevented litigation in federal court and resulted in considerable compensation to our client.

New York Employers: Anti-Sexual Harassment Training and Best Practices

As evidenced by recent news headlines throughout the country, it is imperative for employers to institute policies and procedures designed to prevent sexual harassment in the workplace and to fully address any complaints regarding such conduct as soon as they arise. How employers handle general allegations and formal complaints is critical to both mitigating the harm caused to the victim of the harassment, as well as the potential liabilities of the employer associated with the conduct. The following summary will discuss certain key aspects of any well crafted set of policies and procedures relating to sexual harassment, as well as note important concepts for every employer to be aware of in addressing claims of misconduct.

Be Informed

Harassment can include unwelcome sexual advances and any verbal or physical harassment of a sexual nature. However, sexual harassment does not have to be of a sexual nature – it can include any offensive remarks about a person’s sex. For example, it is illegal to harass a woman by making offensive comments about women in general.[1] Both the victim and the harasser can be either a woman or a man, and the victim and harasser can be the same sex. Even simple teasing, offhand comments, or isolated incidents that may not seem very serious, can be illegal especially when they are frequent, severe, create a hostile or offensive work environment or when it results in an adverse employment decision (such as the victim being fired or demoted). The harasser can be the victim’s supervisor, a supervisor in another area, a co-worker, or someone who is not an employee of the employer, such as a client or customer.[2] While many of these concepts may seem obvious to management, it is never wise to assume that the general work force is cognizant of the totality of circumstances that can (and do) give rise to harassment complaints. For this reason, as further discussed below, proper employee training is an absolute necessity to protecting your employees from harassment, and your company from related liabilities.

Best Practices

There is no requirement under New York law that employers provide sexual harassment training, which is in contrast to other states like Connecticut that requires all employers with fifty or more employees to provide two hours of sexual harassment training for supervisors within six months of the start of each supervisor’s employment.[3] However, to prevent sexual harassment in the workplace and, as much as possible, mitigate liability for the employer, we recommend the following best practices be embraced and implemented by New York employers.

  • Implement a strong anti-sexual harassment policy and train all employees on its contents.
  • Enforce your policy and hold employees accountable.
  • Promote an inclusive culture in the workplace by fostering an environment of professionalism and respect for personal differences.
  • Foster open communication and early dispute resolution, particularly with respect to establishing a procedure through which employees can report instances of sexual harassment without fear of repercussions from either the harasser or the company in general. This may minimize the chance of misunderstandings escalating into legally actionable problems.
  • Establish neutral and objective criteria to avoid subjective employment decisions based on personal sterotypes or hidden biases.
  • Take advantage of and implement alternative dispute-resolution practices in firm policies and employee contracts.
Recommended Content of Your Policy

At a minimum, an anti-harassment policy should contain the following statements:

  • The employer is committed to maintaining a workplace free from sexual harassment.
  • Sexual harassment is unlawful and subjects the employer to liability.
  • Any possible sexual harassment will be investigated whenever management receives a complaint or otherwise knows of possible sexual harassment occurring.
  • Those who engage in sexual harassment will be subject to disciplinary action.
  • Explain and define sexual harassment, so that employees will know what actions are prohibited.
  • Encourage employees to complain of sexual harassment that they experience or learned was (or may have been) experienced by another employee.
  • Indicate to whom employees can complain about sexual harassment (this should, particularly with smaller employers, include all owners and managers, or otherwise provide open access for employee complaints).
  • Require employees to cooperate with management during any investigation of sexual harassment .
  • Require all supervisory and management staff to report any complaint that they receive, or any harassment that they observe, to a specifically designated point person for intaking such complaints. This is particularly important given that a supervisor’s or manager’s knowledge of sexual harassment may create liability for the employer.[4]
The Faragher-Ellerth Defense

The Faragher-Ellerth defense, outlined by the Supreme Court in the companion cases of Faragher v. City of Boca Raton, 524 U.S. 775 (1998) and Burlington Industries, Inc. v. Ellerth, 24 U.S. 742 (1998), is an affirmative defense employers may use to defend against claims of harassment where:

  • no tangible adverse employment action was taken against the plaintiff (for example, discharge, demotion, or undesirable reassignment);
  • the employer exercised reasonable care to prevent and promptly correct the harassing behavior; and
  • the plaintiff employee unreasonably failed to take advantage of any preventative or corrective opportunities provided by the employer or to otherwise avoid harm (for example, by not taking advantage of reporting procedures outlined in an anti-harassment policy).

Thus, if a company maintains and implements effective anti-harassment policies and the employee fails to follow such policies by failing to report any harassing conduct to the company, the company may be entitled to avoid liability through the Faragher/Ellerth defense.  As well, where an employee follows the policy and complains to the company regarding sexual harassment, if the Company promptly investigates and remedies the issue, the company may also be entitled to avoid liability through the Faragher/Ellerth defense.

Addressing Legal Concerns

If an employee or other person suffers sexual harassment, the first step they should take is to follow their employer’s guidelines for reporting it (which is why it is critical to have these policies in place!). There are also laws that protect against any retaliation by employers against an employee who has reported incidents of sexual harassment, and having a robust anti-harassment program in place will help an employer ensure that the employee’s complaint is not only being seriously addressed, but give the employer an opportunity to discuss anti-retaliation laws with the relevant employees to mitigate any possibility that retaliation (and thus, increased employer liability) will result from a complaint.[5]. Only if employers implement strong anti-harassment policies, take sexual harassment allegations seriously and adhere to the aforementioned preventative steps, will the employer be able to create a safe workplace for its employees and avoid the potential pitfalls associated with sexual harassment claims.

If you have any questions regarding these issues, would like assistance drafting or restructuring existing policies, or need an employment law professional to conduct on-site workplace training, please contact Christina Volpe at (203) 658-8460 or (646) 665-2202, Michele Martin at (352) 316-6955, or Pastore & Dailey LLC generally at (203) 658-8454.

____________________________________________________________________________________

[1] U.S. Equal Employment Opportunity Commission, Sexual Harassment

https://www.eeoc.gov/laws/types/sexual_harassment.cfm

[2] Id.

[3] See Conn. Gen. Stat. § 46a-54(15)(B)); Conn. Agencies Regs. § 46a-54-204.

[4] See Guidance on Sexual Harassment For All Employers in New York State NY Division of Human Rights https://dhr.ny.gov/sites/default/files/pdf/guidance-sexual-harassment-employers.pdf

[5] See The Fair Labor Standard Act; New York Fair Labor Standards Act.

Wrongful Termination Settlement

Pastore & Dailey has successfully represented a multi-billion dollar municipal bond trader in connection with his wrongful termination from a large multinational bank. This termination was based on allegations of violation of the Bank Secrecy Act. Pastore & Dailey settled a FINRA arbitration brought against the trader arising from these claims.

Pastore & Dailey Successfully Represents Proprietary Trading Firm

Pastore & Dailey attorneys successfully obtained emergency injunctive relief on behalf of a Manhattan-based proprietary trading firm in a dispute with a former C-level executive in New York State Court.  After securing the injunctive relief, Pastore & Dailey successfully invoked an employment agreement provision to stay the court case and compel arbitration in AAA.  The case settled on favorable terms shortly thereafter.

Pastore & Dailey Successfully Represents Proprietary Trading Firm

Pastore & Dailey attorneys successfully obtained emergency injunctive relief on behalf of a Manhattan-based proprietary trading firm in a dispute with a former C-level executive in New York State Court.  After securing the injunctive relief, Pastore & Dailey successfully invoked an employment agreement provision to stay the court case and compel arbitration in AAA.  The case settled on favorable terms shortly thereafter. 

 

NY State Court Win

Pastore & Dailey LLC is pleased to announce another victory in a New York State Court case regarding the employment of a high-level individual in the financial industry. In a recent decision, Pastore & Dailey successfully argued that an employee was entitled to proceed in arbitration against his former employer, as bargained for under his employment agreement. This decision exemplifies Pastore & Dailey’s skill and unyielding desire to seek the best, most efficient, and most beneficial result for our clients.

Defeated Motion to Stay

On behalf of its sophisticated financial services client, Pastore & Dailey LLC recently defeated a Motion to Stay a New York Supreme Court action pending resolution of an ongoing arbitration.  In denying the defendants’ motion for a stay, the court agreed with P&D’s arguments that the corporate defendants’ conduct in choosing not to participate in the arbitration, thus creating a complete separation of identity between the defendants in the court case and the respondents in the arbitration, could not be used as an excuse to stop the court proceedings until the arbitration was resolved.