Hot Issues In Employment Law – 2014
Part II
Presented by:
• Jason C. Gavejian, Esq. ([email protected])
• Leslie A. Saint, Esq. ([email protected])
• David G. Islinger, Esq. ([email protected])
• Joseph C. Toris, Esq. ([email protected])
June 2014
JSAHR
Jackson Lewis P.C.
© 2014 Jackson Lewis P.C.
This presentation provides general information regarding its subject and explicitly may not be
construed as providing any individualized advice concerning particular circumstances. Persons
needing advice concerning particular circumstances must consult counsel concerning those
circumstances. www.jacksonlewis.com
Presented by David G. Islinger, Esq.
National Labor Relations Board Policy Issues Applicable To Union And Non-Union Employees
What We Will Discuss Today
• General Overview of the NLRA and NLRB
• Definition and Examples of Protected Concerted Activity
• Decisions Involving Restrictions of Employees’ Section 7 Rights (Including In The Social Media Context)
The NLRA
• Section 7 of the National Labor Relations Act (“NLRA”) guarantees employees the right to: “self-organization to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection”
The NLRB’s Section 7 Initiative
In June 2012, the NLRB launched a new “Protected Concerted Activity” webpage, which describes “the rights of employees to act together for their mutual aid and protection, even if they are not in a union.”
http://www.nlrb.gov/concerted-activity
There is an App for That!
Application of the NLRB into the Non-Union Workforce
• Violation of NLRA for an employer to interfere with or restrain employees’ Section 7 rights
– The Board has made it very clear that these protections apply to both union and non-union employees
• So why now?
– The Board has an initiative seeking to expand the application of the Act to more workers
– As union organizing decreases, the NLRB’s focus will continue to be on expanding the NLRA’s protections to the non-union workforce
Protected Concerted Activity
In determining whether employee activity is entitled to the protections of Section 7, the Board looks at the following:
• whether the activity is “concerted”;
• whether the activity is “for mutual aid or protection”; and
• whether the activity has lost the protection of Section 7 by reasons of (1) its means or (2) its objectives.
“Protected”
• It must be for the purpose of “mutual aid or protection.”
– For example: seeking improvements in wages, benefits, safety, overtime, assignments, staffing or other terms and conditions of employment.
– This concept has been broadly interpreted to cover conduct that has only minimal impact on the “terms and conditions” of an employee’s employment.
“Concerted”
• Two or more employees – usually (but not always)
• Class action lawsuits
• Calling a government agency about safety/working conditions
• Filing administrative charges to remedy sexual harassment
• Complaining to the news media or customers about an employer
How Do These Claims Arise?
• Cases involving employer policies, statements and rules. The mere maintenance of an overly broad rule is unlawful;
• Cases involving the discipline or termination of employees who claim they have engaged in protected, concerted activities; and
• Social media cases.
The NLRB’s Policy Initiative
• It is unlawful to maintain any rule that would “reasonably tend to chill employees in the exercise of their section 7 rights,” even if the rule is not enforced.
• It is also a separate violation to enforce such a rule against an employee.
• Therefore, unlike the discrimination statutes, there is no requirement of an adverse employment action.
No Policy, Rule or Statement is Off Limits
• Social media/electronic communication rules
• E-mail rules
• Confidentiality of information and investigations
• Workplace conduct rules (cooperation, loyalty, etc.)
• Rules about speaking to the media
• “At will” policies
• Class action waivers
• Arbitration provisions
• Chain of command rules
• Rules about off-duty misconduct
• Rules regulating employee statements and conduct
• Non-disparagement/gossip rules
Unlawful Policy, Rules, and Statements
• The Roomstore of Phoenix, LLC, 357 NLRB No. 143
– Written Company-Wide Rules: Example, rules of conduct prohibit “collusion with another employee in order to violate a company policy.”
– Written Rules at a Specific Facility: Example, a memo posted at one of the stores stated: “Absolutely NO confrontations on the floor. Any type of negative energy or attitudes will not be tolerated…if you cannot be a positive part of the team I don’t want you on the team.”
– Oral Rules and Threats: Example, a supervisor threatening employees for engaging in “negative” conversations regarding the terms and conditions of employment.
Unlawful Policy, Rules, and Statements
• In 2 Sisters Food Group, Inc., 357 NLRB No. 168 (Dec. 29, 2011), the Board found rules prohibiting “[l]eaving a department or the plant during a working shift without a supervisor’s permission” and “[s]topping work before shift ends or taking unauthorized breaks” were not impermissibly overbroad because no employee would construe these rules to restrict concerted activities such as engaging in a work stoppage.
Unlawful Policy, Rules, and Statements
• In Stephens Media, LLC v. NLRB, 677 F.3d 1241 (D.C. Cir. 2012), the U.S. Court of Appeals for the D.C. Circuit enforced a Board order, holding, inter alia, that the Employer enforced an overly broad ban regarding surreptitious audio recordings. The Employer had suspended three employees for making a recording of a meeting with a supervisor. The Employer argued the making of the secret audio recording was “so fundamentally dishonest and deceitful” that it should be deemed categorically unprotected. The Board disagreed, finding the employees reasonably believed the Employer would violate their rights by refusing to allow them to bring a witness to an interview that would result in disciplinary action. Under these circumstances, the Board held the employees’ decision “to document what they perceived to be a potential violation of employee rights under NLRB v. J. Weingarten” qualified as protected activity. The Court agreed, finding the terminations unlawful.
Confidentiality Provisions: They Come in All Shapes and Sizes
• Quicken Loans case: overbroad definition of “personnel information” in a confidentiality policy given to mortgage bankers that included: “all personnel lists, rosters, personal information of co-workers” and “handbooks, personnel files, personnel information such as home phone numbers, cell phone numbers, addresses.”
• Hyundai Shipping case: “Any unauthorized disclosure of information from an employee’s personnel file is a ground for discipline, including discharge.”
Investigations
• Banner Estrella Med. Ctr., 358 NLRB No. 93 (July 2012)
– An HR consultant asked employees interviewed in connection with an internal investigation not to discuss the matter with their co-workers while the investigation was ongoing.
– The Board rejected the employer’s argument that the confidentiality rule was justified by its concerns with protecting the “integrity of the investigation.”
– The employer must determine whether in any given investigation “witnesses need protection, evidence [is] in danger of being destroyed, testimony [is] in danger of being fabricated, or there [is] a need to prevent a cover up.”
Discipline Cases
The less obvious cases:
• Employee is told by an HR representative to keep a counseling session (not an investigation) “between us” and then is disciplined when he discusses it with a co-worker.
• Employee is disciplined for complaining with her co-workers about her manager’s response to her concerns about the safety of the neighborhood in which the workplace is located.
Increase in the Use of Social Media
• Employees are talking about their employers online more frequently.
• In response, employers are implementing social media policies, which outline corporate guidelines and principles for online communications, including limitations on release of trade secrets, competitive information or denigrating the company.
• The Board has been closely monitoring cases involving employee use of social media.
NLRB & Social Media In Practice
• Karl Knauz Motors, Inc. (Board Decision).
– The Board upheld the termination because posting photos of an embarrassing and dangerous accident involving a 13-year-old with the quote “This is what happens when a sales person…allows a 13 year old boy to get behind the wheel of a 6000 lb. truck…OOOPs!” was not protected.
– However, a picture mocking a hot dog cart at a BMW event with the caption “No, that’s not champagne or wine, it’s 8 oz. water” was PROTECTED.
– Unlawful Policy: “Courtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or other language which injures the image or reputation of the Dealership.”
Language To Avoid
• The AGC’s recent report identifies problematic language for policies and rules. Examples:
– Prohibiting employees’ posts discussing non-public information, confidential information, and legal matters of the employer (without any further clarification of the meaning of these terms).
– Prohibiting employees from harming the image and integrity of the company, making statements which are detrimental to the employer, disparaging or defamatory, and prohibiting discussion of dissatisfaction.
– Prohibiting employees from making posts that are inaccurate or misleading; making offensive, demeaning or inappropriate remarks; instructing employees to use a friendly tone and not engage in inflammatory discussions.
Language To Avoid
• Requiring employees to secure permission prior to posting photos, music, videos, and the quotes and personal information of others.
• Discouraging employees from “friending” co-workers.
• Prohibiting online discussion with government agencies concerning the company.
• Encouraging employees to solve work problems in the workplace rather than posting about such problems online.
• Threatening employees with discipline or criminal prosecution for failing to report violations of an unlawful social media policy.
Takeaways
• While more decisions are certain to follow, in the interim, there are some general principles to apply to social media issues that arise in the workplace. You should:
– Prohibit vulgar or obscene language, but not disparaging or derogatory language, about the company or its employees.
– Include specific examples of prohibited conduct in a policy, so employees will be less likely to construe the policy as prohibiting or limiting concerted activity.
– Avoid vague or unidentified terms within policies, as any ambiguities will be construed against the employer. The Board noted in the EchoStar decision that an employee should not have to consult a dictionary to understand an employer’s rules.
Presented by Leslie A. Saint, Esq.
“Be SPECIFIC”
8 Best Practices for Workplace Religious Accommodation Issues Based on Recent EEOC Guidance
AN OVERVIEW OF RELIGION IN AMERICA
Religious Affiliations in America (source: http://religion.pewforum.org/affiliations)
• Christian (73%)
• Unaffiliated (19%)
• Don't know/refused (2%)
• Jewish (1.7%)
• Other faiths (1.20%)
• Buddhist (0.7%)
• Muslim (0.6%)
• Hindu (0.4%)
RELIGION IN AMERICA
Christian Denominations in America (source: http://religion.pewforum.org/affiliations)
• Catholics (22%)
• Evangelical Protestant churches (19%)
• Mainline Protestant churches (15%)
• Historically Black/minority churches (14%)
• Mormon (2%)
• Jehovah's Witness (1%)
• Orthodox (1%)
WHY AN INCREASE IN RELIGIOUS DISCRIMINATION CLAIMS?
[Chart: vertical axis scaled 0 to 4,500; the data series and labels did not survive extraction]
LEGAL DEFINITIONS OF RELIGION
• Title VII
• State/local civil rights legislation
• Not dependent on belief in Supreme Being
WHAT IS RELIGION?
• Membership in established church not required
• Sincere and occupies a place parallel to God
• Beliefs can be controversial and divisive
APPLYING THE LEGAL
DEFINITIONS OF RELIGION
• Tread carefully when questioning sincerity
• Evidence of inconsistency
• Reasonable inquiry permitted
WHAT IS AN EMPLOYER’S
EXPOSURE?
• Types of claims available to employee alleging religious
discrimination:
– Disparate Treatment
– Harassment: Quid Pro Quo
– Hostile Work Environment
– Retaliation
– Failure to Provide a Reasonable Accommodation
THE EMPLOYER’S DUTY TO PROVIDE A REASONABLE ACCOMMODATION
• Under Title VII: “More than De Minimis” Standard
– Trans World Airlines v. Hardison, 432 U.S. 63, 67 (1977): U.S. Supreme Court decision addressing reasonable accommodation
– The Supreme Court provided a definition of "undue hardship" and determined that under Title VII, requiring an employer to bear any cost “more than de minimis” would constitute an undue hardship.
THE EMPLOYER’S DUTY TO PROVIDE A REASONABLE ACCOMMODATION UNDER NEW JERSEY LAW
• “Undue Hardship” under the New Jersey Law Against Discrimination (NJLAD):
• an accommodation requiring:
– unreasonable expense or difficulty
– unreasonable interference with the safe or efficient operation of the workplace, or
– a violation of a bona fide seniority system, or
– a violation of a bona fide collective bargaining agreement
• an accommodation that would cause the employee to be unable to perform the essential functions of his or her position
STEPS TO ACCOMMODATION
1. What is the employee obligated to do?
   * sufficient notice
2. What is the employer obligated to do in response?
   * engage in interactive dialogue
INTERACTIVE PROCESS
• Rescheduling shifts
• Accommodating religious clothing requirements
• Accommodating religious hair styles and facial hair requirements
INTERACTIVE PROCESS (CONT’D)
• Modification of duties
• Creating spaces within the workplace for worship/prayer
• Workplace safety, security concerns
STEPS TO ACCOMMODATION
3. What factors should the employer consider in determining whether to provide the requested accommodation?
4. When may the employer refuse a request for an accommodation?
WHAT IS AN UNDUE BURDEN?
• Requires more than ordinary administrative costs
• Diminishes efficiency
• Impacts reasonable policies and procedures
• Workplace safety jeopardized
• Conflict with union contract
THE DOs AND DON’Ts OF RELIGIOUS ACCOMMODATION
DO
• Adopt an inclusive diversity policy
• Communicate and be flexible
• Regulate conduct, not beliefs
• Take steps to prevent religious harassment
DON’T
• Leave anyone out
• Take a hard line position
• Deny accommodation before investigating whether it can be provided without undue hardship
• Force employees to participate in religious activities
Be… SPECIFIC
• Serious Interactive Process
• Proactive
• Engage in becoming knowledgeable
• Complaint Procedure
• Investigation Procedure
• Flexible with complaining/requesting employees
• Inform and Train
• Consider and Comply (company handbook/policies)
Recent Decisions Under Sarbanes-Oxley Act And Other Retaliation Statutes Such As CEPA
Presented by Joseph C. Toris, Esq.
Sarbanes-Oxley Act (SOX) Civil Whistleblower Protections
• Section 806 of SOX provides that:
(1) no covered entity, or any officer, employee, contractor, subcontractor, or agent of any such company;
(2) may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment;
(3) because the employee provided information, or caused information to be provided, or otherwise assisted in an investigation regarding any conduct the employee reasonably believed violated:
- 18 U.S.C. § 1341 (fraud and swindles),
- 18 U.S.C. § 1343 (wire, radio, and television fraud),
- 18 U.S.C. § 1344 (bank fraud),
- 18 U.S.C. § 1348 (securities fraud),
- any SEC rule or regulation,
- or any federal law regarding fraud against shareholders.
• Must first file with OSHA
Recent Developments Under SOX
• In March 2014, the United States Supreme Court held that the SOX whistleblower provisions of Section 806 apply to employees of privately-held contractors and subcontractors who perform work for public companies.
• The defendant publicly-traded mutual fund company had no employees and was staffed entirely by contractors provided by privately-owned staffing companies to provide management, investment advisor and accounting functions.
• The plaintiffs were non-employee contractors of the publicly-traded company who alleged their employer retaliated against them for reporting alleged fraud in the publicly-traded company’s financial reports.
• The Supreme Court specifically stated the decision was not limited to the company’s unique staffing model or to allegations of fraud relating to services provided by the privately-held company to the publicly-held company.
Recent Developments Under SOX (cont’d)
• In March 2013, the Third Circuit denied an employer’s petition for en banc review of the previous panel decision which found that a whistleblower under SOX need only possess a “reasonable belief” that his or her employer violated or may violate the law or Securities and Exchange Commission rules.
• This decision adopted the worker-friendly “reasonable belief” standard first articulated by the Department of Labor’s Administrative Review Board in May 2011.
• The Third Circuit effectively relaxed the pleading standards and rejected a prior standard which held an employee had to show his/her disclosures to supervisors “definitely and specifically” related to an existing violation of the laws under Section 806.
The Dodd-Frank Act of 2010 (DFA)
Section 922 of the DFA provides that:
No employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower:
1. In providing information to the SEC in accordance with Section 922;
2. In initiating, testifying in or assisting in any investigation or judicial or administrative action of the SEC based upon or related to such information; or
3. In making disclosures that are required or protected under SOX, the ’34 Act, 18 U.S.C. 1513(e) [Retaliating against a witness, victim, or an informant] or any other law, rule, or regulation subject to the jurisdiction of the SEC.
• Can file directly in federal court.
Recent Developments Under Dodd-Frank
• In July 2013, the Fifth Circuit Court of Appeals limited the scope of the term “whistleblower” under the anti-retaliation provisions of the DFA to apply only to employees who actually report information relating to a violation of securities laws to the U.S. Securities and Exchange Commission.
• The court concluded that the plain language and structure of the statute compelled the conclusion that internal communications alone were not protected.
• This is the first time a federal appeals court has ruled on the issue.
• The ruling is contrary to a number of district court decisions that have held reports to the SEC are not required under the DFA.
Conscientious Employee Protection Act (CEPA)
Under CEPA, a whistleblower must generally show:
(1) he/she engaged in a protected activity or conduct;
(2) the employer knew or should have known of the protected activity;
(3) the employee suffered an unfavorable personnel action; and
(4) the protected activity was a contributing factor in the unfavorable action.
Recent Developments Under CEPA
• Last year, the New Jersey Appellate Division reversed a trial court’s decision granting the employer’s motion for summary judgment, holding that an employee’s job title or employment responsibilities should not be considered outcome determinative in deciding whether the employee has presented a cognizable cause of action under CEPA.
• The employer had argued, based on a 2008 Appellate Division decision, that when a plaintiff’s job was to identify safety issues, he could not show he engaged in whistleblowing activity simply by doing his job.
• The Appellate Division, however, disagreed with this analysis, noting that this reasoning is inconsistent with CEPA’s broad remedial purposes and did not correctly apply the New Jersey Supreme Court’s construction of the protections afforded under CEPA.
• The New Jersey Supreme Court granted certification in March 2014 and will review this issue.
Recent Developments Under CEPA (cont’d)
• In December 2013, the Appellate Division held that an employee who removes or copies the employer’s documents for use in a whistleblower or discrimination case can be prosecuted criminally for theft.
• The plaintiff had filed a complaint against her employer and others alleging various claims, including retaliatory discharge in violation of CEPA.
• During discovery, the employer learned the plaintiff had possession of hundreds of documents, including originals, which contained highly sensitive information, which plaintiff evidently had removed or copied without permission.
• In May 2012, the grand jury indicted plaintiff, charging her with crimes of official misconduct and theft.
• Plaintiff moved to dismiss the indictment, arguing she took the documents for a lawful use and that a 2010 New Jersey Supreme Court CEPA case held taking confidential documents to support a civil suit was lawful. The trial court denied the motion.
• On appeal, the Appellate Division upheld the denial of dismissal, finding that the decision upon which the plaintiff relied was not binding on the criminal court.
What Do We Do?!?
• Update and revise compliance policies, procedures, codes of conduct, training programs and related corporate governance structures.
• Establish an anti-retaliation review to mitigate whistleblower claims.
• Document, document, document
Presented by Jason C. Gavejian, Esq., CIPP/US
Data Breach
Overview of Data Security Laws
• There is currently no broadly applicable federal law in the U.S.; we follow a piecemeal approach:
– HIPAA, GLBA, FCRA, ECPA, SCA, CFAA, ADA/GINA/FMLA, COPPA, FERPA
– POTUS’ Executive Order on Cybersecurity may change this.
• States generally have one or more of the following:
– Affirmative obligations to safeguard (e.g., CA, CT, IL (biometric information), MA, MI, TX, others)
– Various Social Security number protections
– Data destruction requirements
– Data breach notification (47 states plus some cities)
Key Driver of Laws Continues
• Identity Theft Tops 2013 FTC Consumer Complaint List
– 14th year in a row
– Consumers lost $1.6 billion to fraud in 2013
– Most complaints: age 20-29
• Most familiar with technology and most at risk
• Unauthorized use of, or access to, records or data containing personal information
– Personal Information (PI) typically includes:
• First name (or first initial) and last name in combination with:
– Social Security Number
– Driver’s license or state identification number
– Account number or credit or debit card number in combination with access or security code
– Biometric information (e.g. NC, NE, IA, WI)
– Medical information (e.g. AR, CA, DE, MO, TX, VA)
– Where is PI typically maintained?
• Employees (HR, Accounting, Benefits)
• Customers (CC)
• Vendors
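As an added example that is not part of the presentation, the following Python check encodes the combination rule listed above: a name becomes "personal information" only when it is paired with one of the enumerated data elements, an account or card number counts only together with its access or security code, and the biometric and medical elements count only for the states the slide gives as examples. The record layout, the state sets and the sample records are constructed assumptions for illustration, not a statement of any state's statute; a real triage would pull the current definitions for each state of residence.

```python
"""Breach triage helper: does a set of exposed data elements meet the generic
"name + identifier" definition of personal information summarised on the slide?
Added example; record layout and state sets are constructed assumptions."""
from dataclasses import dataclass

# States the slide lists as examples of extending the definition (assumption:
# the slide says "e.g.", so these sets are illustrative, not exhaustive).
BIOMETRIC_STATES = {"NC", "NE", "IA", "WI"}
MEDICAL_STATES = {"AR", "CA", "DE", "MO", "TX", "VA"}


@dataclass
class Record:
    """Which data elements one exposed record contains. Booleans only: the
    classifier never needs the values themselves, so none are copied around."""
    state: str                      # state of residence of the data subject
    has_name: bool = False          # first name (or initial) AND last name
    has_ssn: bool = False
    has_drivers_license: bool = False   # driver's license or state ID number
    has_account_number: bool = False    # account, credit or debit card number
    has_access_code: bool = False       # access/security code for that account
    has_biometric: bool = False
    has_medical: bool = False


def triggering_elements(rec: Record) -> list[str]:
    """Return the elements that, combined with the name, make this record
    personal information. An empty list means no trigger on this definition."""
    if not rec.has_name:
        return []   # identifiers without a name do not meet the definition
    hits = []
    if rec.has_ssn:
        hits.append("ssn")
    if rec.has_drivers_license:
        hits.append("drivers_license")
    if rec.has_account_number and rec.has_access_code:
        hits.append("account_number+access_code")   # both parts are required
    if rec.has_biometric and rec.state in BIOMETRIC_STATES:
        hits.append("biometric")
    if rec.has_medical and rec.state in MEDICAL_STATES:
        hits.append("medical")
    return hits


def is_personal_information(rec: Record) -> bool:
    return bool(triggering_elements(rec))


def affected_by_state(records) -> dict[str, int]:
    """Count triggered records per state of residence: the input to the
    'identify affected individuals and states of residence' step."""
    counts: dict[str, int] = {}
    for rec in records:
        if is_personal_information(rec):
            counts[rec.state] = counts.get(rec.state, 0) + 1
    return dict(sorted(counts.items()))


# Constructed sample: an HR spreadsheet recovered from a lost laptop.
SAMPLE_RECORDS = [
    Record("NJ", has_name=True, has_ssn=True),
    Record("NJ", has_name=True, has_account_number=True),          # no code: no trigger
    Record("WI", has_name=True, has_biometric=True),
    Record("NJ", has_name=True, has_biometric=True),               # NJ not in the example set
    Record("CA", has_name=True, has_medical=True),
    Record("CA", has_name=False, has_ssn=True),                    # SSN without a name
    Record("TX", has_name=True, has_account_number=True, has_access_code=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.state, triggering_elements(rec) or "no trigger")
    print(affected_by_state(SAMPLE_RECORDS))
```

The per-state count is the useful output: the same spreadsheet can be reportable for a Wisconsin resident and not for a New Jersey resident, which is why the later "residency is key" step exists.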
What Is a Data Breach?
• How does a “Data Breach” occur?
– Loss, Theft, Improper Access, Inadvertent Disclosure
• The lost laptop/bag
• Inadvertent access
• Data inadvertently put in the “garbage”
• Theft/intentional acts
• Inadvertent email attachment
• Stressed software applications
• Rogue employees
• Remote access
• Wireless networks
• Vendors
Handling Data Breaches
• 3 Critical Phases
– Discovery
– Notification and response process (if needed)
– Review and evaluate to avoid future incidents
Handling Data Breaches
• Discovery: stop the bleeding… first steps (* watch out for unreasonable delays)
– Immediately inform persons responsible for handling the breach
– Take steps to secure company information systems, including any and all files containing customer, employee and other individuals' personal information that may be at risk
– Key person monitors and drives progress
– Involve top management, public relations
– Make some preliminary assessments and consider preliminary actions, notices
Handling Data Breaches
• Discovery: did a breach occur?
– Conduct investigation, interviews, forensics (nature, dates, etc.)
– Identify affected individuals and states of residence
– Identify format and name the types of personal information affected
• Where is this information available?
– Review of activity logs or backup tapes related to the employee
– Conducting a formal interview with the employee/others to learn more about information saved on the device
– Consider also: the projects the employee worked on, the life of the device, how long the employee has been with the company.
Handling Data Breaches
• Discovery: did a breach occur?
– Review applicable state and local laws (residency is key)
– HIPAA considerations
– Police investigation
– Who “owns” the data
– Contact your insurance carrier
– Risk of harm trigger (is this reportable?)
• Examples: AK, AZ, AR, CO, CT, DE, FL, HI, ID, IN, IA, KS, KY, LA, MD, MI, MS, MO, MT, NH, NJ, NC, OH, OK, OR, PA, PR, RI, SC, UT, VA, WV, WI
Handling Data Breaches
• Notification and response
– Who must be notified?
– State agencies (State Police, AG, HHS, etc.)
– Children
– What should the notice say / who approves it?
– Monitoring services not required, but… peace of mind and company image. Protection?
– How to deliver? Good contact information.
– Call center/script (lead time)
– Returned mail
– Substitute notice provisions
– Coordinate with vendors
– Responding to inquiries
– Document the process
Handling Data Breaches
• Review and assess
– Why did the breach occur?
– Amend policies and procedures as appropriate
– Document why breach not reported (see, e.g., FL, HIPAA)
Handling Data Breaches
• Kentucky – becomes 47th state to enact law
• California –
– “personal information” amended to include any user name or email address, in combination with a password or security question and answer that would permit access to an online account. Effective Jan. 1, 2014.
– Notice to CA Attorney General required if breach affects more than 500 Californians. Effective Jan. 1, 2012.
– California AG announces heightened enforcement concerning data breaches.
– Must report to AG online: https://oag.ca.gov/ecrime/databreach/report-a-breach
Data Breach Developments
• California – issues Guide for California Businesses (General Principles/Best Practices) (https://oag.ca.gov/cybersecurity)
– Assume you are a target and develop an incident response plan now.
– Review the data your business stores and shares with third parties including backup storage and cloud computing. Get rid of what is not necessary.
– Encrypt the data you need to keep.
– Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, avoiding downloading software from unknown sources and practicing safe online banking by only using a secure browser connection.
• Industry Guidance
Data Breach Developments
• Connecticut –
– Notice to the Attorney General required within the same time frame as notice to affected individuals. Email: [email protected] Effective October 1, 2012.
– Nutmeg State establishes privacy task force: http://www.workplaceprivacyreport.com/2011/09/articles/written-information-security-program/connecticut-attorney-general-establishes-privacy-task-force/
Data Breach Developments
• Illinois –
– New information must be included in breach notifications:
• the toll-free numbers and addresses for consumer reporting agencies,
• the toll-free number, address, and website address for the Federal Trade Commission, and
• a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
– Information that may not be included in breach notifications:
• information concerning the number of Illinois residents affected by the breach.
– Effective January 1, 2012.
Data Breach Developments
• Indiana –
– Requires standard form for notifying AG (http://www.in.gov/attorneygeneral/files/Form_1079_Security_Breach_Reporting_Form_-_Fillable_Version.pdf)
– Recent enforcement activity – requested timeline to substantiate time between discovery and notification.
• New York –
– Requires standard form for notifying AG: http://www.dhses.ny.gov/ocs/breach-notification/documents/Business-Data-Breach-Form.pdf
Data Breach Developments
• North Carolina –
– Requires standard form for notifying AG: http://www.ncdoj.com/getdoc/50dc89a8-8b26-48b6-88f2-3e30cd19f09f/NC-Security-Breach-Reporting-Form-2009.aspx
• North Dakota –
– “Personal information” definition amended to include “health information” and “medical information.” Effective August 1, 2013.
Data Breach Developments
• Texas –
– For residents of a state other than Texas, a company subject to Texas law can notify pursuant to Texas law or the law of the state of residence. Effective June 14, 2013.
– Companies subject to Texas law must notify residents of states that had not enacted their own law requiring such notification. Effective September 1, 2012.
Data Breach Developments
• Private Cause of Action
– Some states permit – AK, CA, LA, MD, MN, NH, NC, SC, TN, VA, WA
• Fines, Penalties, Settlements:
– State Attorneys General
• Vary by state
• Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
• Length of notification delay: Florida imposes fines when notification is not provided within the statute’s mandated time frame (45 days). The fine is calculated as $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.
– Health and Human Services
• Penalties and settlements in the millions of dollars
Other Key Factors
• Some states publish notices
– Maryland - http://www.oag.state.md.us/idtheft/breacheNotices.htm
– New Hampshire - http://www.doj.nh.gov/consumer/security-breaches/index.htm
Other Key Factors: Emerging Risks
• “Recycled” hardware - National Association for Information Destruction (NAID): 15 of 52 hard drives randomly purchased on eBay contained highly confidential personal information
• BYOD - addressing personal and company data maintained on employees’ personal devices (iPhone, iPad, Android, etc.)
• Google Glass, more advanced cameras, more extensive storage, etc.
Takeaways
• Recognize “information risk” exists and is increasing
• Understand your business AND your workplace, and conduct and analyze a “risk assessment”
• Develop policies and procedures to address gaps and breach incidents – written information security program
• Implement: train, document, evaluate
• Monitor legal developments
• Don’t Be Left Without A Good Story to Tell!