It is tax season once again, and with it comes an increased threat of phishing scams targeting human resources and payroll personnel. In 2016, the IRS alerted employers to a then-emerging email phishing scheme in which messages purporting to come from company executives requested the release of personal information relating to employees, including W-2 tax forms. Since then, the scam has evolved into a significant threat facing employers in multiple industries, from small and large businesses to public schools and universities, hospitals, tribal governments and charities. According to the IRS, in 2017 alone, more than 200 employers reported falling victim to the scam, with hundreds of thousands of employees impacted.
As we are early into the new year, for many, hope springs eternal to get in shape during 2018. Many of us wear some kind of fitness activity tracker that monitors steps, heart rate, calories, sleep patterns, etc. Recent news coverage of Strava, the running and cycling fitness tracking app, has caused concern for the United States military. But might it cause concerns for some businesses that operate under high levels of security, as well?
The EU’s General Data Protective Regulation (“GDPR”) goes into effect on May 25, 2018. It is a mammoth regulation and perhaps the most significant European data protection legislation in more than 20 years. In fact, the European Commission just released a new website to help stakeholders, including businesses, with implementation. With its global reach, applying to any organization that processes the personal data of individuals within the EU regardless of where the data lands, GDPR compliance is top-of-mind for executives of multinationals. Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago, a recent survey by MediaPro reveals that more than half of U.S. employees have never heard of the regulation.
A bi-partisan privacy and data security bill, which will significantly impact companies with North Carolina employees, is in the works. North Carolina State Representative Jason Saine (R), Appropriations Chairman of Information Technology, has joined with North Carolina Attorney General Josh Stein (D) to strengthen protections against identity theft in North Carolina. The unique pair are co-authoring a bill titled, “The Act to Strengthen Identity Theft Protections” (the “Bill”). Through the Bill, the authors desire to provide stronger protections, while at the same time avoid hampering innovation in the private sector.
Continuing a trend in the last few years, in 2017, eight states amended their security breach notification laws to expand definitions of “personal information”, specify the timeframe in which notification must be provided, and require businesses to implement adequate security practices to protect personal information in their possession, among other things. New Mexico also enacted a data breach notification statute of its own, leaving only two states without specific legislation relating to data breach notification requirements. A summary of the highlights of the new law and other amendments enacted in 2017 follows:
In today’s world, where lots of sensitive data are stored electronically, prudent companies utilize sophisticated computer cyber security systems to prevent the hacking of such data. They likely also require employees to password-protect their phones and, perhaps, even download security software applications on them for added protection. But how many companies have considered and addressed potential data vulnerabilities posed by company and employee cars? Likely not many, but it appears many should.
No! It is a common misconception among the general public that someone always has to pay when there is a data breach. It is understandable that individuals affected by a data breach will be upset, distraught, and even angry. In light of recent large-scale data breaches, it is safe to say we have all been there, with our personal information that we entrusted to particular companies or employers now out there in the hands of cyber thieves.
Citing a sixty percent increase in data breach notifications from 2015 to 2016, New York Attorney General Eric Schneiderman recently introduced the Stop Hacks and Improve Data Electronic Security Act (SHIELD) bill. The legislation would require companies that handle sensitive date of New York residents to adopt “reasonable administrative, technical and physical protections for data.”
On May 16, 2016, the Equal Employment Opportunity Commission (“EEOC”) issued regulations governing the treatment of wellness programs under the Genetic Information Nondiscrimination Act (“GINA”), as well as under the Americans with Disabilities Act (“ADA”). The rules regarding financial inducements began applying to employer-sponsored wellness programs as of the first day of the first plan year that began on or after January 1, 2017. This move led to a legal challenge by the AARP regarding whether the financial incentives provided for in both laws was consistent with the notion of voluntary participation. The United States District Court for the District of Columbia agreed with the AARP, and on August 22, 2017, just a little over a year after the regulations went into place, the court held in AARP v. United States Equal Employment Opportunity Commission that incentives and penalties up to 30% of employee health care costs are inconsistent with the “voluntary participation” requirement under both the ADA and GINA.
A decade ago, I litigated a trade secret/unfair competition dispute between two large plastics manufacturers. The Plaintiff was based in southwest Florida, the Defendant in southern Alabama. The factual dispute is interesting, though not necessarily particularly pertinent to the subject I want to address in this post.