No matter the business you operate, modern commerce increasingly takes place online, rarely putting the consumer and your business face-to-face. A recent study revealed that approximately 80% of American consumers buy products online, and 74% of consumers think it is extremely or somewhat important to read online reviews before making a purchasing decision. The average consumer reviews three online sources for information before soliciting a local business, typically: a search engine, the business’s website, and a website containing reviews or testimonials. Small and local businesses are not immune to the internet’s influence, as nearly 40% of consumers seek out online testimonials, ratings, or reviews to evaluate when considering whether to engage a local business for products or services. In fact, consumers cite negative online ratings and reviews as the second greatest reason not to consider a local business for products or services, behind only high prices.
Because consumers consistently turn to online resources to determine whether to do business with you, managing your online reputation is an essential task. You must actively control information about your products, address negative reviews, optimize search engines, and improve your customers’ online experience. In fact, many companies employ full time personnel solely to manage their social media presence.
But monitoring your online reputation becomes even more critical when an anonymous user (aka a “troll”) begins posting harmful or false information. The danger lies in the very nature of the internet, as “any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox.” When that voice spreads false information, interferes with your business, or divulges your trade secrets, what can you do to identify the anonymous user and hold them liable for the harm caused?
Understanding The First Amendment and Anonymous Online Speech
To pursue a claim against an anonymous online user, you must first understand the First Amendment protection afforded online speech. Internet speech is generally granted the same protection as traditional offline speech; that is, most types of speech on the internet are protected to some degree.
The right to free speech online also includes a right to remain anonymous. Far from being hostile to such online secrecy, the courts have held that careful safeguards to protect anonymous online speech are important to preserve “the robust exchange of ideas and allows individuals to express themselves freely without fear of economic or official retaliation [or] concern about social ostracism.”
As in the traditional offline arena, some categories of speech, such as fighting words, obscenities, and false statements, are not protected by the First Amendment. Thus, when trolls exploit the anonymous nature of the internet to post false or damaging information about you, they often exceed the First Amendment’s protections for anonymous online speech. For example, anonymous online users may step beyond the boundaries of protected speech by:
• Creating an email account to distribute your CEO’s sensitive personal emails to senior management.
• Creating online accounts to conduct a smear campaign against you with the objective of inducing employees to quit.
• Posting reviews about working for you that disclose confidential or trade secret information.
• Creating a website using your name to complain about your business practices and post negative reviews.
• Posting false reviews of you online by posing as a former customer.
If not for the use of an anonymous online persona, each of these actions could be addressed by filing a lawsuit against the troll. However, anonymity adds a layer of complication as you must either first find a way to unmask the troll’s identity or stop the harmful conduct by some other means.
Strategies to Address Harmful Online Comments Short of Litigation
Before filing a lawsuit to unmask your troll, first consider whether less costly means might stop the conduct or remove the harmful comments. This approach typically depends on the voluntary compliance of companies hosting the content, and thus is not guaranteed to succeed. However, the low cost of this initial step makes it worth considering. Further, pursuing these strategies, whether successful or not, may cause the troll to stop harming you, or to remove the content voluntarily, thereby accomplishing the end goal.
One alternative to litigation is to determine whether the online statements violate the online service provider’s “Terms of Service.” For example, Facebook’s® Terms of Service prohibit users from posting content that “infringes or violates someone else’s rights or otherwise violates the law” and authorizes Facebook to “remove any content or information” posted on Facebook that “violates this Statement or our policies.” Twitter® also requires users to ensure that posts comply “with applicable laws, rules, and regulations” and permits Twitter to remove “any Content.” Large online service providers typically offer reporting platforms where you can report a violation of the terms of service and ask to have the false or harmful content removed. Thus, where a post or comment violates the terms of service, a letter to the internet service provider bringing the issue to its attention may be all that’s needed to get the offending content removed.
Another option is to request that search engines, such as Google® or Bing®, “de-index” the page on which the comments appear. “De-indexing” is a request that the search engine voluntarily remove a website from its index, thereby ensuring it will not appear in response to a search about you. Most search engines retain the right to remove offensive content. For example Google’s ® Terms of Service state that Google “may review content to determine whether it is illegal or violates our policies, and . . . may remove or refuse to display content that we reasonably believe violates our policies or the law.” The result is that, while the website containing the false statement still exists, it can’t be accessed in response to a search. The effectiveness of this step depends on whether the content clearly violates the applicable terms of service or is blatantly unlawful, and a search engine may require a court order finding the content to be unlawful before it will agree to de-index the website.
A final alternative is to address the comments from a public relations perspective. You can choose to simply engage the troll in the online forum itself, to address the falsity of the comments or steer the
discussion in a more beneficial direction. However, this approach carries significant risk that your comments may be used against you, or may even incite a more passionate, negative response. Thus, this approach should be reserved for unique factual situations that justify a public relations response instead of a legal one.
Identifying the Anonymous Online User
If you cannot stop the harmful online comments through one of the strategies above, you should consider filing a lawsuit to identify the troll and assert the appropriate claims against them. First, however, you need to analyze the conduct and determine whether you have a legal claim against the anonymous user. If so, you can file a lawsuit against the troll and attempt to uncover his or her identity.
Step One: Determine Whether the Conduct is Actionable
The types of claims available to combat online misconduct are generally the same as those available in traditional offline situations.
The most common claim pursued against trolls is a claim for defamation. When a person publishes false, harmful statements of fact about your business ethics or financial integrity, they are likely liable for defamation. Libel—defamation in writing—consists of publishing a false written statement, either deliberately or with at least a negligent disregard for the truth.
In evaluating whether you have a claim for defamation, you must candidly consider whether there is any truth to the comments, as truth is an absolute defense. Likewise, opinions are not actionable. So, if the statements are arguably just opinion, as opposed to a statement of fact (or an opinion that could reasonably be interpreted as stating facts), the anonymous speaker will not be liable. Finally, you must evaluate whether you will be deemed a “public figure,” in full or in a limited capacity. If you are a public figure, whether limited or not, you will be required to prove that the speaker acted with “reckless disregard of the truth.” Because this is a higher standard than negligence, there is a greater likelihood that the troll will not ultimately be held liable for defamation.
In addition to defamation, there are a number of other claims that you may be able to pursue against your troll:
• If the user is directing its harmful comments at a vendor, business partner, or potential customer, the user may be liable to you for tortious interference with a contract or a business expectancy. To succeed, you must have a valid contract or business expectancy; the anonymous user must both know about it and interfere with it, so as to cause its breach or termination; and have no legal justification for doing so.
• If the user publishes false information about your products or services, the user may be liable for trade libel or business/product disparagement. Each of these claims has similar elements, requiring proof that the anonymous user posted a false statement concerning your products or services to dissuade a potential customer from doing business with you.
• If the user is a competitor, and the comments contain false or misleading advertisements about your products or services, the user may also be liable for unfair competition under the Lanham Act.
• If the user posts information containing your trade secrets, the user may be liable under state or federal trade secret laws.
• If the user is a former employee, or had a contractual relationship with you, then the online conduct may violate provisions of that contract, such as nondisclosure or non-compete provisions.
This list is not exhaustive and there may be other potential claims to assert against an anonymous online user.
Step Two: File An Anonymous Lawsuit to Unmask the Troll
Once you identify a viable claim or claims against the anonymous online user, the next step is to file a lawsuit to discover the troll’s identity.
Such a lawsuit is typically filed against an anonymous defendant—John Doe for example—and a subpoena is then issued to the service provider or to the website hosting the content requiring it to identify the user. The service provider or website will likely object, and you will need to ask the Court for an order compelling disclosure of the user’s identity.
There is no universal standard governing when a court will order the disclosure of an anonymous user’s identity. However, most courts apply one of two generally-accepted tests, both of which require a significant showing early in the case that you are likely to succeed on your claims.
The less stringent test requires that you allege facts that—assumed to be true—demonstrate that the anonymous user committed an act giving rise to civil liability. Because the Court is looking only at whether you have sufficiently alleged a valid claim, your initial complaint is the operative document that the court will consider. You must also demonstrate to the Court’s satisfaction that (1) you have identified the anonymous user and the user is subject to personal jurisdiction; (2) you have made a good faith effort to locate and identify the anonymous user; and (3) the discovery sought is sufficiently limited to identify the appropriate user or users. This test, or some variation of the test, is used in some Federal Courts—typically in cases involving less protected forms of speech, like commercial speech—and state courts in Wisconsin, and Illinois.
Most jurisdictions apply the second, more stringent test, which requires you to present facts, in the form of admissible evidence or sworn testimony, establishing that you can prove each element of your claim. This test requires you to provide more than just the pleadings, typically in the form of a statement of facts with supporting documents and testimony. Most states employing this test also require some further steps as well, such as proof that you attempted to notify the anonymous user of the pending proceeding or satisfaction of an additional balancing test to justify unmasking the troll. Federal Courts, and many state courts—including Arizona, Kentucky, Michigan, New York, Pennsylvania, Texas, California, Maryland, New Hampshire, and the District of Columbia—have adopted some version of this more stringent test.
If it is not obvious from the nature of the statements that they are actionable, some courts may also require an evidentiary showing that you can prove a valid claim before they will order the troll’s identity disclosed.
Thus, if you file a lawsuit to identify the anonymous user, you must be prepared to present the facts that support your claim much earlier than in traditional litigation. Since most states apply the more stringent “evidentiary” test, the best practice is to prepare to satisfy that test, even if the less stringent test might be applied.
The factual evidence necessary to compel disclosure of an anonymous user’s identity will likely include, at a minimum: (1) copies of the offending posts; (2) sufficient evidence to demonstrate the posts are false, unlawful, or violate the terms of an agreement; (3) sufficient evidence to show that the comments are directed at you, if necessary; and (4) evidence demonstrating that you have suffered damage as a result of the comments. You should be careful to save copies of the offending posts before alerting the anonymous user that action is being taken, in order to guard against any attempt to edit, delete, or restrict access to the comments.
Step Three: Sue The Troll!
Once you have an order compelling disclosure of the anonymous user’s identity, you can serve that order on the service provider or website and expect a response. However, the response may not always identify the user, but may only give you the user’s IP address or other electronic information. You may need to issue additional subpoenas to service providers in order to identify the user of the IP address and ultimately discover the anonymous user’s identity.
Despite having an order in hand compelling disclosure of the anonymous user’s identity, you may still face obstacles from the service provider or website. Typically, large companies that host comments online resist disclosure of their users’ personal information for as long as possible. Thus, they may raise objections to disclosure, justified or not, ranging from invocation of the Stored Communications Act to the Video Privacy Protection Act. But, with the order in hand, you should be able to dispose of these objections through letter-writing, involving the court only if necessary.
Once you know the identity of the anonymous user, you can now amend the lawsuit to substitute the appropriate person for “John Doe.” With an actual defendant named, you can then begin the lawsuit in earnest to hold the no-longer-anonymous user liable for trolling online.
The prospect of trying to identify an anonymous online user can be daunting. But, armed with an understanding of the First Amendment and the applicable procedure, you can readily evaluate whether an anonymous user has engaged in unlawful conduct and whether you can successfully hunt down the troll to hold him or her liable. Good hunting!
 Pew Research Center, December, 2016, “Online Shopping and E-Commerce.”
 YP Marketing Solutions, 2016, “The Why Before the Buy.”
 Reno v. ACLU, 521 U.S. 844, 897, 117 S. Ct. 2329, 2344 (1997).
 In re Anonymous Online Speakers, 661 F.3d 1168, 1173 (9th Cir. 2011) (citing Meyer v. Grant, 486 U.S. 414, 422, 425, 108 S. Ct. 1886, 100 L. Ed. 2d 425 (1988)).
 McIntyre v. Ohio Elec. Comm’n, 514 U.S. 334, 342, 115 S. Ct. 1511, 1516 (1995) (“[A]n author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.”); Anonymous Online Speakers, 661 F.3d at 1173 (“Although the Internet is the latest platform for anonymous speech, online speech stands on the same footing as other speech—there is “no basis for qualifying the level of First Amendment scrutiny that should be applied” to online speech.”); Doe v. Reed, 561 U.S. 186, 218, n.4, 130 S. Ct. 2811, 2831 (2010) (recognizing that the freedom of speech “can be burdened by a law that exposes a speaker to harassment, changes the content of his speech, or prejudices others against his message”)
 Anonymous Online Speakers, 661 F.3d at 1173.
 Chaplinsky v. N.H., 315 U.S. 568, 571-72, 62 S. Ct. 766, 769 (1942).
 Mobilisa, Inc. v. Doe, 217 Ariz. 103, 106-7, ¶¶ 2-9, 170 P.3d 712, 715-16 (Ct. App. 2007).
 Anonymous Online Speakers, 661 F.3d at 1173.
 Glassdoor, Inc. v. Superior Court, 9 Cal. App. 5th 623, 626-27, 215 Cal. Rptr. 3d 395, 399-400 (Cal. App. 6th Dist. 2017).
 Salehoo Group, Ltd. v. ABC Co., 722 F. Supp. 2d 1210, 1212-13 (W.D. Wash. 2010)
 Yelp, Inc. v. Hadeed Carpet Cleaning, Inc., 62 Va. App. 678, 686-88, 752 S.E.2d 554, 557-58 (Va. Ct. App. 2014).
 Seitz v. Rheem Mfg. Co., 544 F. Supp. 2d 901, 907 (D. Ariz. 2008) (“Although a corporation may maintain an action for libel, it has no personal reputation and may be libeled only by imputation about its financial soundness or business ethics.”).
 Desert Palm Surgical Group, P.L.C. v. Petta, 236 Ariz. 568, 579, ¶ 26, 343 P.3d 438, 449 (Ct. App. 2015).
 Read v. Phoenix Newspapers, 169 Ariz. 353, 355, 819 P.2d 939, 941 (1991) (“In a civil action for libel, the truth of the contents of the allegedly libelous statement is a complete defense.”)
 Yetman v. English, 168 Ariz. 71, 76, 811 P.2d 323, 328 (1991) (“The key inquiry is whether the challenged expression, however labeled by defendant, would reasonably appear to state or imply assertions of objective fact.”)
 Makaeff v. Trump Univ., LLC, 715 F.3d 254, 270 (9th Cir. 2013) (recognizing that a limited liability company can be an all-purpose public figure or a limited purpose public figure)
 Dube v. Likins, 216 Ariz. 406, 411, ¶ 8, 167 P.3d 93, 98 (Ct. App. June 28, 2007) (citing Miller v. Hehlen, 209 Ariz. 462, 471, ¶ 32, 104 P.3d 193, 202 (App. 2005)).
 W. Tech. v. Sverdrup & Parcel, Inc., 154 Ariz. 1, 4 (Ct. App. 1986)
 POM Wonderful LLC v. Coca-Cola Co., 134 S. Ct. 2228, 2234 (2014) (“The Lanham Act creates a cause of action for unfair competition through misleading advertising or labeling.”)
 18 U.S.C. § 1836; A.R.S. § 44-401, et seq.
 Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 578-80 (N.D. Cal. 1999); see also Anonymous Online Speakers, 661 F.3d at 1177 (recognizing that “[t]he lowest bar that courts have used is the motion to dismiss or good faith standard.”).
 Id. at 578-80.
 Anonymous Online Speakers, 661 F.3d at 1176-77; Salehoo, 722 F. Supp. 2d at 1216 (finding that “the prima facie standard is appropriate in order to guarantee that the plaintiff has brought viable claims in connection with his or her attempt to unmask the anonymous defendant.”); Lassa v. Rongstad, 294 Wis. 2d 187, 215 (Wis. 2006) (applying the motion to dismiss standard before compelling disclosure of anonymous identity); Hadley v. Doe, 2015 IL 118000, ¶ 27 (Ill. 2015).
 John Doe No. 1 v. Cahill, 884 A.2d 451, 460 (Del. 2005)
 Cahill, 884 A.2d at 460; Mobilisa, 217 Ariz. at 110, ¶ 22; Solers, Inc. v. Doe, 977 A.2d 941, 954 (D.C. 2009); Doe v. Coleman, 497 S.W.3d 740, 747 (Ky. 2016); Ghanam v. Does, 303 Mich. App. 522, 541-42 (2014); Ottinger v. Non-Party The Journal News, 2008 N.Y. Misc. LEXIS 4579, **4-7 (N.Y. Sup. Ct. 2008); Pilchesky v. Gatelli, 12 A.3d 430, 442 (Pa. Super. Ct. 2011); In re Does 1-10, 242 S.W.3d 805, 821-23 (Tex. App. Texarkana 2007); Krinsky v. Doe 6, 159 Cal. App. 4th 1154, 1167-73 (2008); Indep. Newspapers, Inc. v. Brodie, 966 A.2d 432, 457-58 (Md. 2009); Mortgage Specialists v. Implode-Explode Heavy Indus., 999 A.2d 184, 193, ¶ 13 (N.H. 2010).
 Mobilisa, 217 Ariz. at 112, ¶ 28; Coleman, 497 S.W.3d at 747; Ottinger, 2008 N.Y. Misc. LEXIS at **4-7; Brodie, 966 A.2d at 457-58;Mortgage Specialists, 999 A.2d at 193, ¶ 13.
 Mobilisa, 217 Ariz. at 112, ¶ 28; Solers, 977 A.2d at 954; Dendrite Intern., Inc. v. Doe No. 3, 342 N.J. Super. 134, 156-58 (2001); Ghanam, 303 Mich. App. at 541-42; Ottinger, 2008 N.Y. Misc. LEXIS at **4-7; Krinsky, 159 Cal. App. 4th at 1167-73; Brodie, 966 A.2d at 457-58;Mortgage Specialists, 999 A.2d at 193, ¶ 13.
 Glassdoor, 9 Cal. App. 5th at 636, 215 Cal. Rptr. 3d 395, 407.
When The New York Times reports that 110 out of 111 NFL brains (99.09%) have chronic traumatic encephalopathy (CTE), everyone pays attention. Mothers worry about their kids. Some worry about their jobs. Senate subcommittees investigate. The Times article covers Dr. Ann McKee’s recent article in the Journal of the American Medical Association, “Clinicopathological Evaluation of Chronic Traumatic Encephalopathy in Players of American Football” (JAMA. 2017;318(4):360-370) in dramatic fashion, illustrated with pathology slides of tissue samples from the brains of former football players and anecdotal information about them. Such claims are certain to be fuel for CTE litigation and cries to ban tackle football.
Let’s put this in perspective. About 25,000 men have played American professional football. So, 110 is roughly 0.44%. Even if the real number is double, the outcome remains a statistical nonentity.
In all fairness, the study points out some of its limitations; for example, “Ascertainment bias associated with participation in this brain donation program.” Inclusion was based entirely on exposure to repetitive head trauma eliminating any form of “control” group, a necessary element of any scientific study. The authors also disclose that “public awareness of a possible link” between head trauma and CTE “may have motivated” some participants. Finally, the authors acknowledge that the study is not representative of the population of all American football participants, as most play only at the youth or high school level, whereas the majority of the donors played at the professional level. The study data somewhat illustrates that point: CTE was found in none of two pre−high school participants and three of 14 high school participants (21%).
Breaking It Down
The 800-pound gorilla in this room is suicide. Suicide among former football players gets major media attention (Junior Seau and Aaron Hernandez) and has spawned a cottage industry of CTE litigation against every level of the sport from NFL down to Pop Warner. The study tries to correlate neuropathology with “clinical observations” − information drawn from “retrospective interviews” with family members of deceased donors. Observations are grouped as cognitive, behavioral or mood or both, and signs of dementia. Suicide was identified as the cause of death in 10% of the study group. “Suicidality” (ideation, attempts or completion) is identified among 33% of the study group. Some might conclude that if you play football you are 33% more likely to contemplate or attempt suicide and 10% more likely to succeed.
In fact, the rate of suicide mortality among retired NFL players is substantially lower than in the general population. An investigation performed at the National Institute for Occupational Safety and Health (NIOSH) and published in 2016 (Lehman, et al.) found that among players retired since 1987, the suicide rate is 6.1 / 100,000. Among players retired since 2005, it’s 12.5 / 100,000. Among average American men, the rate since 2014 is 20.1 / 100,000. One would conclude that since 2005, NFL players are 48% less likely to commit suicide than the general population, and since 1987, 70% less likely. The study covered those who played for five years or more.
Of note, drugs are assessed by standardized mortality ratio – the increase or decrease in mortality with respect to the general population. “If playing in the NFL (for a minimum of five seasons) were treated like taking a drug, it would reduce the standardized mortality (measured 30 years later) by half!” Samadani, Brain Injury and Football, Reality v. Perception. THSCA presentation, 2016.
Similar studies have been done at the college level where the NCAA maintains a robust database. A nine-year study published in October 2015 (Rao, et al.) observed that as against a rate of 12 / 100,000 among 18−22-year-old non-college individuals, the suicide rate among college students was 7.5 / 100,000. Among male NCAA athletes, the suicide rate was 2.25 / 100,000.
Another study dispels the notion that CTE is a path to neurological deficit. Published in Acta Neuropathol, “Histological Evidence of CTE in a Large Series of Neurodegenerative Diseases” (Ling, et al., 2015) observed that (1) CTE prevalence in people with neurodegenerative diseases (11.8%) was the same as in controls (12.8%); (2) patients with CTE died at a mean age of 81 years and “most positive cases [were] likely to be clinically asymptomatic”; and (3) CTE is found under the microscope in equal proportions of healthy, normal, asymptomatic people as it is in people with dementia and other diseases. For those worried about doing the right thing by their kids, a study published in December 2016 in Mayo Clinic Proceedings (Savica, et al., “High School Football and Risk of Neurodegeneration: A Community-Based Study”) found that among 438 football players followed for 50 years, the risk of dementia was the same as for members of the chorus, glee club or band.
Facts and Findings
Fortunately, in court science matters. The notion that football causes CTE has been rejected by at least one United States District Court, the Eastern District of Pennsylvania, and the Third Circuit Court of Appeals. See In re NFL Players Concussion Injury Litig., 307 F.R.D. 351 (EDPA, 2015), aff’d 821 F.3d 410 (3d Cir. 2016). Judge Brody’s key findings, based on current scientific knowledge and affirmed by the appellate court, negate causation: (1) the study of CTE is nascent, and the symptoms of the disease, if any, are unknown; (2) medical research has not reliably determined which events make a person more likely to develop CTE; and (3) research has not determined what symptoms individuals with CTE typically suffer from while they are alive. In re NFL Players Concussion Injury Litig., 821 F.3d at 441.
The point: Media should not lead science. The health and psychosocial benefits of athletic activity at all ages far outweigh any perceived risk. As parents, we should encourage healthy activity. As professionals, we need to peel back what the media pushes, read the literature and understand the fundamentals.
The SEC continues to focus on cybersecurity as an area of concern within the investment management industry.
On August 7, the US Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert summarizing its observations from a recent cybersecurity-related examination of 75 firms—including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC.
The SEC staff has made it clear that cybersecurity remains a high priority and is likely to be an area of continued scrutiny with the potential for enforcement actions. During a recent interview, the SEC’s co-directors of Enforcement, Stephanie Avakian and Steven Peikin, stated their belief that “[t]he greatest threat to our markets right now is the cyber threat.” This pronouncement follows on the heels of OCIE’s identification of cybersecurity as one of its examination priorities for 2017, OCIE’s release of a Risk Alert on the “WannaCry” ransomware virus, and several significant Regulation S-P enforcement actions involving firms that failed to adequately protect customer information.
This LawFlash details OCIE’s observations from its recent cybersecurity-related examination that were discussed in its Risk Alert.
OCIE’s Examination Identifies Common Issues
OCIE staff observed common issues in a majority of the firms and funds subject to examination. These common issues include the following:
Failure to reasonably tailor policies and procedures. Specifically, the examination found issues with policies and procedures that
incorporated only general guidance;
identified limited examples of safeguards for employees to consider; and
did not articulate specific procedures to implement policies.
Failure to adhere to or enforce policies and procedures. In some cases, policies and procedures were confusing or did not reflect a firm’s actual practices, including in the following areas:
Annual customer protection reviews not actually conducted on an annual basis
Policies providing for ongoing reviews to determine whether supplemental security protocols were appropriate performed only annually, or not at all
Policies and procedures creating contradictory or confusing instructions for employees
Firms not appearing to adequately ensure that cybersecurity awareness training was provided and/or failing to take action where employees did not complete required cybersecurity training
Regulation S-P issues among firms that did not appear to adequately conduct system maintenance. Because Regulation S-P was enacted to safeguard the privacy of customer information, OCIE observed that issues arose where firms failed to install software patches to address security vulnerabilities and other operational safeguards to protect customer records and information.
Failure to fully remediate some of the high-risk observations that firms discovered when they conducted penetration tests and vulnerability scans.
Cyber Best Practices and Other Observations
OCIE identified elements of what it viewed as “robust” cybersecurity policies and procedures from its examinations. Such elements should be considered as best practices and instructive for broker-dealers, investment advisers, and funds in implementing, assessing, and/or enhancing existing cybersecurity-related policies and procedures. Such elements are as follows:
Maintenance of data, information, and vendor inventory, including risk classifications
Detailed cybersecurity-related instructions, including instructions related to penetration tests, access rights, and reporting guidelines for lost, stolen, or unintentionally disclosed sensitive information
Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies
Access controls for data and systems
Mandatory employee training upon onboarding and periodically thereafter
Engaged senior management
OCIE staff noted an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since its previous Cybersecurity 1 Initiative. Most notably, all broker-dealers, all funds, and nearly all investment advisers in the more recent examinations maintain written policies and procedures related to cybersecurity that address the protection of customer/shareholder records and information. This finding is in contrast to the Cybersecurity 1 Initiative, where OCIE found that comparatively fewer broker-dealers and investment advisers had adopted this type of written policies and procedures.
OCIE staff also noted the following:
Nearly all broker-dealers and many investment advisers and funds conducted periodic risk assessments, penetration tests, and vulnerability scans.
All broker-dealers and nearly all investment advisers and funds had a process in place for ensuring regular system maintenance.
All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
All broker-dealers and a majority of investment advisers and funds maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforces.
Almost all firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports) and security reviews or certification reports.
Information protection programs at the firms typically included relevant cyber-related policies and procedures as well as incident response plans.
SEC-registered broker-dealers, investment advisers, and funds should evaluate their policies and procedures to determine whether there are gaps or areas that could be improved based on OCIE’s articulation of best practices. Firms and funds should further evaluate their policies and procedures to ensure that they reflect actual practices and are reasonably tailored to the particular firm’s business. As OCIE notes, effective cybersecurity requires a tailored and risk-based approach to safeguard information and systems.
Read more legal analysis at The National Law Review.
 Sarah Lynch, Exclusive: New SEC Enforcement Chiefs See Cyber Crime as Biggest Market Threat, Reuters.com (Jun. 8, 2017).
 OCIE, Examination Priorities for 2017 (Jan. 12, 2017).
 National Exam Program Risk Alert, Cybersecurity: Ransomware Alert (May 17, 2017).
 In re Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Advisers Act Release No. 4415 (Jun. 8, 2016); In re R.T. Jones Capital Equities Management Inc., Advisers Act Release No. 4204 (Sept. 22, 2015); and In re Craig Scott Capital LLC, Exchange Act Release No. 77595 (Apr. 12, 2016).
 OCIE provides an example of confusing policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible based on the policies.
 See, e.g., OCIE Cybersecurity Initiative (Apr. 15, 2014); see also National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015).
 For example, the National Institute of Standards and Technology Cybersecurity Framework 1.0 (Feb. 12, 2014) provides a useful flexible approach to assess and manage cybersecurity risk.
In 2011, the United States Supreme Court issued its landmark decision in Wal-Mart Stores, Inc., v. Betty Dukes, et al., decertifying a putative class of approximately 1.6 million current and former female Wal-Mart employees who claimed gender discrimination in wages and promotions in violation of Title VII. 564 U.S. 338 (2011). The Court reversed the Ninth Circuit’s affirmation of class certification and determined the plaintiffs failed to meet the class “commonality” standard set out in Federal Rule of Civil Procedure 23. Id. at 349-60. The Dukes decision set in motion a number of spinoff regional cases, one of which – barring another grant of certiorari to the high court – met its end somewhat anticlimactically, when the Eleventh Circuit issued its August 3, 2017 order in Love, et. al. v. Wal-Mart Stores, Inc. No. 15-15260.
The Love plaintiffs included a sub-group of the Dukes plaintiffs who worked in the southeastern United States. These holdover Dukes plaintiffs were able to refile their claims because of the requirement that federal court discrimination plaintiffs first file with the Equal Employment Opportunity Commission. This rule effectively tolled the statute of limitations during the pendency of Dukes. But critically, under the Eleventh Circuit’s “no piggybacking rule”, tolling is limited to individual claims only, not class claims, which has also been adopted by the Fifth and Sixth Circuits. The Love court previously left little room for argument when it noted in a 2013 order that “[t]he Eleventh Circuit categorically refuses to toll the limitations period for subsequent class actions by members of the original class once class certification is denied in the original suit.” Thus, on October 16, 2015 the individual named plaintiffs and Wal-Mart settled and jointly filed a “stipulation of voluntary dismissal.”
On November 6, 2015, the Love appellants, made up of unnamed members of the would-be class, filed a motion to intervene solely to appeal the dismissal of class claims. This motion was denied 13 days later as moot, which, to make matters worse for the appellants, took them outside of their 30-day deadline to appeal the October 16 stipulated dismissal. The Eleventh Circuit thus found the appeal jurisdictionally barred, providing a rather sudden end to the winding multi-year litigation.
In light of this tangled and technical history, employers and their counsel should be sure to understand the differences in treatment of class actions and individuals under the relevant rules, regulations, and statutes. Though it can be tempting to move immediately to the standard substantive arguments against numerosity, commonality, typicality, and adequacy of the proposed class, the Wal-Mart cases show that knowing your way around the procedural thicket is another useful skill in avoiding or minimizing the cost of class litigation.
 Salazar–Calderon v. Presido Valley Farmers Ass’n, 765 F.2d 1334 (5th Cir.1985) and Andrews v. Orr, 851 F.2d 146 (6th Cir.1988)
 2013 WL 5434565, at *2.
Yes, you read the title of this post correctly. Under the False Claims Act, a whistleblower is not required to report compliance concerns internally through a company’s internal reporting system before filing a “qui tam” court action. Indeed, the False Claims Act — with its potential “bounty” of 15 to 30 percent of the government’s recovery — may actually encourage employees to file suit in the first instance, to qualify as an “original source,” and bypass the organization’s reporting system altogether, thereby frustrating a key component of an effective compliance program. Whistleblower organizations have recently gone so far as to discourage individuals employed by health care providers from bringing compliance concerns directly to their employer so that they can get a share of the government’s recovery.
A provider or other entity participating in the Medicare or Medicaid programs, however, can mitigate that risk through, among other things, employee training and disciplinary policies encouraging good-faith reporting and the promotion of a culture of compliance, including setting the right “tone from the top.”
Internal Reporting System. The cornerstone of any effective compliance program is developing and implementing a robust internal reporting system that employees can use to raise any compliance concerns on an anonymous basis. Among other things, when compliance concerns are brought to the attention of the organization’s compliance personnel, the organization can investigate the issue and take appropriate steps to prevent or remediate any continued potential misconduct. Likewise, having such a system in place may serve as a defense to liability under the False Claims Act. Even if improper billing is found to have taken place, evidence that the organization has an effective, anonymous internal compliance reporting system may show that the improprieties were not the result of deliberate indifference or reckless disregard for such practices.
False Claims Act. Plainly, the risk of treble damages and per claim penalties under the False Claims Act is a powerful incentive for a health care organization to implement an effective compliance program. What is more, the provision for whistleblower awards under the False Claims Act can be an effective tool to aid the government in detecting and preventing overpayments by Medicare and Medicaid to fraudulent operators and other bad actors. By allowing whistleblowers to file relator actions under seal and potentially share in any of the government’s recovery — as well as to seek damages for any retaliatory employment action — the False Claims incentivizes employees in the health care industry to come forward with information about fraudulent billing, without the fear of reprisal.
The Tension Between The Two. At the same time, a whistleblower’s potential recovery can operate as a countervailing disincentive for an employee to report compliance concerns internally. That is because under the False Claims Act, a qui tam relator is entitled to a “bounty” only if the individual is the “original source” of information to the government about the improper billing practices that are the subject of the relator’s action. On the other hand, if an employee does dutifully report a compliance concern internally through the organization’s reporting system, and the organization itself reports any overpayments to the government or remediates the misconduct itself, the whistleblower may be unable to sue and recover any “bounty.” As noted earlier, this point is not lost on the relator bar.
Overcoming The Tension. How does a provider overcome the entreaties of the relator bar, along with the incentives under the False Claims Act whistleblower provisions, to convince employees with compliance concerns to avail themselves of the company’s internal reporting system? At the outset, the reporting system may be both effective and credible to instill confidence in the system so that employees will take full advantage of it – that is, the organization must deliver on its promise of anonymity and protection of good-faith reporting and must follow through on a timely basis with a thorough investigation and meaningful corrective action, if indicated. Further, a robust reporting system, standing alone, will not be effective unless all other elements of an organization’s compliance program are working effectively as well, starting with a “culture of compliance,” reinforced by the executive team and management, and continuing with inservice compliance training, underscoring the importance of timely reporting and the anonymity and other protections afforded to reporting employees.
Likewise, the organization must have personnel and disciplinary policies that reward good-faith reporting and punish compliance lapses, both for engaging in unlawful conduct as well as for failing to report it. That said, taking any disciplinary action against an employee who files suit as a relator, without ever having reported the compliance concerns in breach of the employee’s duties, is fraught with the risk that the termination or other action will be challenged as retaliation for filing the False Claims Act action, and that the cited ground — failing to report — is allegedly merely pretextual.
However, with the proper messaging and training, coupled with a robust anonymous reporting system, the company can give its employees good reason to “do the right thing” and report compliance concerns to the company in the first instance, despite the lure of a False Claims Act bounty.
Share Recent Eighth Circuit Case Illustrates the Need for Newest Members of the NLRB to Be Confirmed Sooner Rather Than Later
In another example of a federal circuit court taking the National Labor Relations Board (NLRB) to task for stretching federal labor law past the point of recognition, the Eight Circuit Court of Appeals recently refused to enforce a NLRB order reinstating several former employees. The former employees were discharged after they posted flyers around town insinuating their employer was selling unsafe, germ-laden sandwiches as part of a campaign to enhance their sick leave. MikLin Enterprises, Inc. v. NLRB, No. 14-3099 (July 3, 2017).
In its decision, the Eight Circuit upbraided the NLRB for abandoning and ignoring the Supreme Court of the United States’ precedent regarding when an employee can be disciplined for “disloyalty” in the midst of a union organizing drive. The Eighth Circuit took particular issue with the NLRB’s interpretation of the seminal Supreme Court case NLRB v. Local Union No. 1229, IBEW (Jefferson Standard) and found that the NLRB’s reasoning effectively overruled Jefferson Standard.
MikLin is a family business that owns and operates 10 Jimmy John’s sandwich shop franchises in the Minneapolis-St.Paul area. In 2007, several MikLin workers began an organizing campaign seeking representation by the Industrial Workers of the World (IWW) union.
In an attempt to garner more support for a rerun election, union supporters began a sick leave campaign in early 2011. They posted a flyer on community bulletin boards in MikLin stores with two identical images of a Jimmy John’s sandwich. Above the first image were the words, “YOUR SANDWICH MADE BY A HEALTHY JIMMY JOHN’S WORKER.” The text above the second image said, “YOUR SANDWICH MADE BY A SICK JIMMY JOHN’S WORKER.” Below the pictures, the white text asked: “CAN’T TELL THE DIFFERENCE?” The response, in red and slightly smaller, said: “THAT’S TOO BAD BECAUSE JIMMY JOHN’S WORKERS DON’T GET PAID SICK DAYS. SHOOT, WE CAN’T EVEN CALL IN SICK.” Below, in slightly smaller white text, was the warning, “WE HOPE YOUR IMMUNE SYSTEM IS READY BECAUSE YOU’RE ABOUT TO TAKE THE SANDWICH TEST.” The text at the bottom of the poster asked readers to help the workers win paid sick days by going to their website.
The day before the IWW could request a rerun election, its supporters distributed a press release, letter, and the sandwich poster to more than 100 media contacts. The press release highlighted discussed the employees’ need for sick leave and ended with a threat: If MikLin would not talk with the IWW about their demands for paid sick leave, they would proceed with “dramatic action” by “plastering the city with thousands of Sick Day posters.”
Days later, IWW supporters implemented their threat to plaster the city with posters. However, in the new version of the poster, rather than asking for support of the employees’ request for paid sick leave, the public posters listed the MikLin CEO’s personal telephone number and instructed customers to call him to “LET HIM KNOW YOU WANT HEALTHY WORKERS MAKING YOUR SANDWICH!” Two days later, MikLin fired six employees who coordinated the attack and issued written warnings to three others who assisted in it.
The NLRB Proceedings
The Board’s administrative law judge (ALJ) determined that MikLin violated the National Labor Relations Act by discharging the employees. Citing prior Board decisions, the ALJ ruled that the NLRA “protects employee communications to the public that are part of and related to an ongoing labor dispute” unless they are “so disloyal, reckless, or maliciously untrue as to lose the Act’s protections.” The ALJ found that to lose the act’s protections “an employee’s public criticism . . . must evidence ‘a malicious motive’ or be made with knowledge of the statements’ falsity or with reckless disregard for their truth or falsity.”
The ALJ found that the posters in question were not maliciously untrue. “While ‘it is not literally true that employees could not call in sick,’ the ALJ observed, employees ‘are subject to discipline if they call in sick without finding a replacement,’” and thus—according to the ALJ—the assertion that employees were required to work when sick was protected hyperbole. Though MikLin had a strong track record with the health department, the ALJ found that “it is at least arguable that [MikLin’s] sick leave policy subjects the public to an increased risk of food borne disease.”
A divided panel of the Board affirmed the ALJ’s findings and conclusions. The majority found “that neither the posters nor the press release were shown to be so disloyal, reckless, or maliciously untrue as to lose the Act’s protection.” The public communications “were clearly related to the ongoing labor dispute concerning the employees’ desire for paid sick leave. . . . Indeed, any person viewing the posters and press release would reasonably understand that the motive for the communications was to garner support for the campaign to improve the employees’ terms and conditions of employment by obtaining paid sick leave rather than to disparage [MikLin] or its product.”
MikLin appealed the Board’s order reinstating the employees to the Eighth Circuit Court of Appeals. On appeal, a three-judge panel upheld the NLRB’s ruling, but upon rehearing en banc by the full court, the ruling was overturned.
The Eighth Circuit’s Analysis
In its full court hearing, the Eighth Circuit took the NLRB to task for significantly misreading the Supreme Court’s decision in Jefferson Standard. First, the majority focused on the Board’s interpretation that no act of employee disparagement is unprotected disloyalty unless it is “maliciously motivated to harm the employer.” They found this additional requirement impermissibly overruled Jefferson Standard.
Second the court balked at the Board’s definition of “malicious motive.” The Board excluded from Jefferson Standard’s interpretation of Section 10(c) of the NLRA all employee disparagement that is part of or directly related to an ongoing labor dispute as improper. In other words, the Board refused to treat as “disloyal” any public communication intended to advance employees’ aims in a labor dispute, regardless of the manner in which, and the extent to which, it harms the employer.
The court rejected that idea:
By requiring an employer to show that employees had a subjective intent to harm, and burdening that requirement with an overly restrictive need to show “malicious motive,” the Board has effectively removed from the Jefferson Standard inquiry the central Section 10(c) issue as defined by the Supreme Court — whether the means used reflect indefensible employee disloyalty. This is an error of law.
Rather than employee motive, the Eighth Circuit explained that critical question in the Jefferson Standard disloyalty inquiry is whether the employees’ public communications reasonably targeted the employer’s labor practices or indefensibly disparaged the quality of the employer’s products or services. The Eight Circuit found that when employees convince customers not to patronize an employer because its labor practices are unfair, subsequent settlement of the labor dispute brings the customers back—to the benefit of both employer and employee. By contrast, the court found, sharply disparaging the employer’s products or services as unsafe, unhealthy, or of shoddy quality causes harm that outlasts the labor dispute to the detriment of employees, as well as the employer.
While the Eighth Circuit’s decision is heartening, its effect will be limited for the time being as the NLRB is under no obligation to recognize the court’s interpretation of federal labor law. Further, the decision highlights the cost of fighting incorrect NLRB decisions for employers; MikLin had to appeal the ALJ’s decision to the NLRB, then appeal that decision to the Eighth Circuit, and then request a rehearing after the three-judge panel wrongly decided the appeal. Many employers simply do not have the resources to see a fight like this through to the end.
With President Trump’s selections to the NLRB being vetted by Congress this week, we can hope for a light at the end of this long, dark tunnel for employers.
Sign of Future Changes? DOL Proposes 18-Month Extension of Transition Period for Compliance With ERISA “Fiduciary Investment Advice” Rule
On August 9, the US Department of Labor (DOL) announced in a court filing that it has proposed an 18-month extension of the full implementation of the Best Interest Contract Exemption (the “BIC Exemption”) under the ERISA fiduciary investment advice rule. The Proposed Extension would also apply to the Principal Transaction Exemption and Prohibited Transaction Exemption 84-24 (together with the BIC Exemption, the “Exemptions”). In April of this year, the DOL extended the effective date of the Rule until June 9 and limited the requirements of the Exemptions to only require compliance with the “impartial conduct standards” (ICS) through December 31 (the “Transition Period”). If the Proposed Extension is approved, full compliance with the Exemptions will not be required until July 1, 2019.
As described in our earlier advisory, “Compliance With the ERISA Fiduciary Advice Rule for Private Investment Fund Managers and Sponsors and Managed Account Advisers: Beginning June 9, 2017,” compliance with the ICS generally requires that an investment advice fiduciary (1) act in the “best interest” of plan participants and IRA owners; (2) receive no more than “reasonable compensation” (as defined under ERISA and the Internal Revenue Code); and (3) make no materially misleading statements about recommended transactions, fees, compensation and conflicts of interest.
The Proposed Extension was submitted to the Office of Management and Budget (OMB) in the form of an amendment to each of the Exemptions.
Following through on its April 3, 2017, announcement that it was considering changes to the Labor Condition Application (LCA), the Department of Labor (DOL) published a notice in the Federal Register on August 3, 2017, of its proposed revisions to the ETA 9035 or LCA. A certified LCA must be included with every H-1B petition filed with the U.S. Citizenship and Immigration Services. DOL’s Employment and Training Administration posted the proposed LCA on its website saying the changes would “better protect American workers, confront fraud, and increase transparency.” DOL said it would accept comments until Oct. 2, 2017.
The revisions in the form reflect the focus of the Trump Administration on increased enforcement of third-party placement and on H-1B dependent employers. The new LCA asks whether the sponsored worker will be “placed with a secondary employer” and, if yes, asks for the legal name of the secondary employer. The new LCA also requires H-1B dependent employers to complete an additional list of questions set out in an appendix if the sponsored worker is exempt from H-1B dependency obligations. In addition, the attestation language in the form is more expansive. For example, the wage attestation in the new LCA specifies that employers may not deduct attorneys’ fees or costs in connection with a visa petition.
At the same time it released its new LCA form, the DOL also posted its revised WH-4, Nonimmigrant Worker Information Form, which is the form individuals may use to submit complaints to DOL about fraud or misconduct in H-1B, H-1B1 or E-3 visa programs. This form is utilized by DOL’s Wage and Hour Division, which is the office that conducts LCA audits.
From the time Congress passed the Civil Rights Act of 1964 until earlier this year, federal courts have consistently held that the Act’s protections against employment discrimination did not apply to discrimination on the basis of sexual orientation. However, in March, the Seventh Circuit Court of Appeals (which covers Wisconsin, Illinois, and Indiana) became the first court to rule the other way, holding that Title VII of the Civil Rights Act’s prohibition against discrimination on the basis of sex includes discrimination based on sexual orientation. What has occurred in federal courts in the wake of that decision, however, has only muddied the waters.
Title VII prohibits employment discrimination based on race, color, religion, sex, and national origin. Prior to the Seventh Circuit’s notable decision, courts had only permitted gay employees to make claims of sex discrimination if the employee could show the discrimination occurred because the employee did not conform to gender stereotypes, not simply because of the employee’s sexual orientation. The Seventh Circuit found that the gender stereotype argument is unnecessary, stating “it is . . . impossible to discriminate on the basis of sexual orientation without discriminating on the basis of sex.”
The question is far from settled. In April, in a case involving a gay skydiving instructor who claims he was fired because of his sexual orientation, a three-judge panel of the Second Circuit ruled that it could not follow the Seventh Circuit’s decision. It held that a three-judge panel could not overturn precedential decisions regarding Title VII’s application to sexual orientation discrimination. Such a ruling would require a review by the entire panel of judges. The Second Circuit has granted such a review (an en bancreview), indicating that perhaps the full panel of judges may be willing to follow the lead of the Seventh Circuit.
The picture becomes fuzzier still because of conflicting input from two government agencies. In preparation for its en banc review, the Second Circuit invited the EEOC to offer an opinion on the matter. The EEOC restated a stance it has held since 2012, saying sexual orientation discrimination is inextricably linked to gender and gender stereotypes and should fall under the protection of Title VII. However, on July 26, 2017, the Department of Justice filed a brief taking the opposite position. The DOJ argued Congress did not intend Title VII to apply to sexual orientation, and that expansion of the protection should be left to Congress, not implemented by the courts. The DOJ also says that the court owes no deference to the EEOC.
Because the federal circuits are now split on the issue, the question may eventually be decided by the United States Supreme Court. The Court has already been asked to review a case in which a former security guard at a Georgia hospital claims she was forced to quit because she was gay. The Court has not yet said whether it will hear the case. Ultimately, as the DOJ suggests, Congress could pass legislation to decide the issue one way or the other.
The takeaway from this flurry of activity is that this is an area of law that is very much in flux. For decades, the position of federal courts in regards to sexual orientation discrimination under Title VII was clear. Now, the landscape has shifted, and the ground is still settling. Employers should be aware that changes are happening quickly in this area and proceed cautiously when a situation potentially involving a sexual orientation discrimination claim arises.
As loyal readers of our blog are aware, in February 2016, the EEOC released a rule to amend the Form EEO-1. The new rule requires private employers (including federal contractors) with 100 or more employees to submit pay data with their EEO-1 reports. Employers with fewer than 100 employees will still not need to file an EEO-1. Federal contractors with 50-99 employees are still required to file an EEO-1, but are not required to submit the new pay data. The rule is slated to go into effect on March 31, 2018.
Since the election of President Trump, employers have been watching anxiously to see if the new form and the burdens it places on them will be modified or ideally repealed. Although employers are not required to submit the new form until March 2018, the addition of compensation information has dramatically increased the complexity of preparing EEO-1 submissions. As a consequence, if the new EEO-1 form is to remain in effect, employers should start preparing for this new requirement immediately (if they have not already begun).
Efforts have been underway to rescind the new EEO-1 form – including efforts in Congress. The Chamber of Commerce requested that the Office of Management and Budget (“OMB”) rescind the new form because it violates the Paperwork Reduction Act (“PRA”), arguing that the EEOC’s revised EEO-1 does not “(1) minimize the burden on those required to comply with government requests; (2) maximize the utility of the information being sought; and/or (3) ensure that the information provided is subject to appropriate confidentiality and privacy protections” as required by the PRA.
On August 3, 2017, Acting Chair of the Equal Employment Opportunity Commission (“EEOC”), Victoria Lipnic, speaking at the Industry National Liaison Group’s Annual Conference in San Antonio, Texas, discussed the fate of the revised Form EEO-1. Speech provided new information about the EEO-1 and her efforts to have the revised form rescinded.
Chair Lipnic noted that the Office of Information and Regulatory Affairs (“OIRA”), which is housed within the OMB, would be the entity deciding Chamber of Commerce’s challenge. Chair Lipnic informed the gathering that the Administrator of OIRA, Neomi Rao, had only recently been confirmed to the post, but that she (Chair Lipnic) had already reached out to discuss the issues raised by the new EEO-1 form.
Chair Lipnic shared that she has sent Administrator Rao a memorandum, asking OIRA to decide by the end of this month (August 2017) whether to implement or discard the wage data collection portion of the revised EEO-1. Recognizing the burden posed by the new compensation data requirements, Chair Lipnic expressed that it was important to provide employers with information about the fate of the revised EEO-1 sooner rather than later, so employers can prepare to comply. In Chair Lipnic’s words, “time is of the essence.”