The security breach announced by Equifax Inc. on September 7, 2017, grabbed headlines around the world as Equifax revealed that personal data of roughly 143 million consumers in the United States and certain UK and Canadian residents had been compromised. By exploiting a website application vulnerability, hackers gained access to certain information such as names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers and credit card numbers. While this latest breach will force consumers to remain vigilant about monitoring unauthorized use of personal information and cause companies to revisit security practices and protocols, had this event occurred under the Global Data Protection Regulation (GDPR) (set to take effect May 25, 2018), the implications would have been significant. This security event should serve as a sobering wake-up call to multinational organizations, and to any other organization collecting, processing, storing, or transmitting personal data of EU citizens, about the protocols they must have in place to respond to security breaches under GDPR requirements.
Data Breach Notification Obligations
Notification obligations for security breaches that affect U.S. residents are governed by a patchwork set of state laws. The timing of the notification varies from state to state, with some requiring that notification be made in the “most expeditious time possible,” while others set forth a specific timeframe such as within 30, 45, or 60 days. The United States does not currently have a federal law setting forth notification requirements; one proposed by the government in 2015 would have set a 30-day deadline, but it never received any support.
While the majority of the affected individuals appear to be U.S. residents, Equifax stated that some Canadian and UK residents were also affected. Given Equifax’s statement, the notification obligations under GDPR would apply, even post-Brexit, as evidenced by a recent statement of intent maintaining that the United Kingdom will adopt the GDPR once it leaves the EU. Under the GDPR, in the event of a personal data breach, data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay. A notification to the authority must at least: 1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected, 2) provide the data protection officer’s contact information, 3) describe the likely consequences of the personal data breach, and 4) describe how the controller proposes to address the breach, including any mitigation efforts. If it is not possible to provide the information at the same time, the information may be provided in phases “without undue further delay.”
According to Equifax’s notification to individuals, it learned of the event on July 29, 2017. If GDPR were in effect, notification would have been required much earlier than September 7, 2017. Non-compliance with the notification requirements could lead to an administrative fine of up to 10 million Euros or up to two percent of the total worldwide annual turnover.
Preparing for Breach Obligations Under GDPR
With a security breach of this magnitude, it is easy to imagine the difficulties organizations will face in mobilizing an incident response plan in time to meet the 72-hour notice under GDPR. However, there are still nearly eight months until GDPR goes into effect on May 25, 2018. Now is a good time for organizations to implement, test, retest, and validate the policies and procedures they have in place for incident response and ensure that employees are aware of their roles and responsibilities in the event of a breach. Organizations should consider all of the following in crafting a GDPR incident response readiness plan:
In Surdu v. Madison Global, LLC, the Court approved a $342,500 settlement on behalf of approximately 82 current and former employees of Nello Restaurant, who had worked as servers, bussers, runners and bartenders. See No. 15-CIV-6567 (HBP) (S.D.N.Y. Sept. 1, 2017). The plaintiffs alleged violations of the FLSA and NYLL arising from allegedly unpaid minimum wages, misappropriated gratuities, uniform purchase and maintenance costs, and inaccurate wage statements.
After conditionally certifying a Rule 23 class for purposes of settlement, the Court addressed the “Grinnell” factors to assess whether the settlement was substantively fair, reasonable and adequate. Thus, the Court considered: (1) the complexity, expense and likely duration of the litigation; (2) the reaction of the class to the settlement; (3) the stage of the proceedings and the amount of discovery completed; (4) the risks of establishing liability; (5) the risks of establishing damages; (6) the risks of maintaining the class action through the trial; (7) the ability of the defendants to withstand a greater judgment; (8) the range of reasonableness of the settlement fund in light of the best possible recovery; (9) the range of reasonableness of the settlement fund to a possible recovery in light of all the attendant risks of litigation.
The Court found each of these factors satisfied. Of note, the Court found that it was reasonable for the class members to receive approximately 50% of their claimed misappropriated tips after service awards, attorneys’ fees, and costs were deducted from the gross settlement amount. The Court also found service awards in the amount of $8,500 for each Named Plaintiff and attorneys’ fees in the amount of $114,166.66 to be reasonable.
Salary Test for Exempt Status Invalidated
Under the prior administration, the DOL had issued amendments to certain exemptions from the overtime requirements of the Fair Labor Standards Act (“FLSA”), which would have dramatically increased the number of employees eligible for overtime pay to over 4 million workers within the first year of implementation. The amendments were to be effective on December 1, 2016; however, their implementation was stayed by a federal judge last November, as reported in our November 2016 Client Alert.
The new regulations were to essentially double the salary threshold for employees who would be exempt from overtime payments, assuming they met one of the three exemptions, from $455 per week or $23,660 per year, to $913 per week or $47,476 per year. Under these regulations, even if employees performed duties that would otherwise indicate they were exempt from overtime, if they made less than $47,476 per year, their employers would have to pay them overtime regardless of their duties. Just last week, a federal judge in Texas invalidated the new regulations, and specifically found that, while a salary test was permissible, the minimum threshold of over 47K per year was too high, and in fact obviated the need for any other duties-based analysis, which has always been at the heart of the executive, administrative, or professional exemptions.
For the time being, employers can feel comfortable relying on the duties test to determine eligibility for overtime; however, the DOL has indicated that it is still looking at the minimum salary threshold, and employers should expect that threshold to increase from the current number of $23,660. Employers would be well advised to take a look at their currently classified exempt employees making between 24-35K per year to determine whether such employees truly meet the duties test, and whether such employees are being paid at appropriate levels.
EEO-1 Salary Reporting Requirements Blocked
The new EEO-1 forms with reporting information for 2017 were to have included salary information in addition to the usual reporting requirements. The EEOC was presumably intending to use such information to target companies for Equal Pay investigations and complaints. Reporting is still due using the EEO-1 forms in March 2018, but the OMB has just announced that the forms are not going to require the reporting of salary information by gender and other protected characteristics, so employers have a reprieve with respect to federal reporting requirements.
Employers should be mindful that the state and federal equal pay laws are still applicable, and it is always a good idea to do a self-audit of comparative pay data based on gender, race, and other protected characteristics in order to ensure compliance with such laws. Please also refer back to our April 2017 Client Alert with respect to NY pay equity laws and the salary history ban that goes into effect next month for NY employers.
New I-9 Form in Effect September 18, 2017
Employers should be aware that a new I-9 form is going into effect on September 18th. The link to the new form can be found here.
The ABA presents the International Human Rights Law Sourcebook.
This extensive volume (alone or as a companion volume with The International Humanitarian Law Sourcebook) is your single-source location for this increasingly important body of law. These volumes will be useful for government, academic, corporate, and legal readers with an interest in the legal regime governing human rights litigation and policy.
Bitcoin, the most popular form of digital or crypto-currency, is gaining traction as an investment vehicle and a way to pay for goods and services. More than 100,000 merchants worldwide now accept Bitcoin, allowing consumers to book a hotel stay, take a taxi, or buy a car. The buzz around crypto-currency continues to grow as Bitcoin options will likely soon be traded on the futures exchange and regulators consider how to monitor Bitcoin transactions.
So what about paying employees in Bitcoin? Here are some things to consider before diving into the digital currency market.
What is Crypto-currency?
Virtual or digital currency is a digital representation of value that has no paper or coin equivalent. Crypto-currency such as Bitcoin uses encryption to control its creation. Virtual currency is electronically created and stored and does not have the backing of a commodity, bank, or government authority. Additionally, virtual currency does not have the status of legal tender. This means that a creditor can refuse virtual currency as payment for a debt.
Convertible virtual currency is a class of virtual currency that can be substituted for real currency. As of this week, 1 Bitcoin could be converted into approximately $4,594.69 USD.
How Do I Get and Use Bitcoin?
Bitcoin is available online and may be purchased with cash, credit card, or wire transfer. A Bitcoin user would set up an online “wallet” that manages his or her transactions. Each user has a unique address that is identified by a series of letters and numbers and each transaction in Bitcoin is also identified by a series of letters and numbers that can be viewed on a public ledger blockchain.info and shared with other devices on the Bitcoin network.
Due to the encryption of the transactions, the users have a certain level of anonymity, but the transactions are public. One of the advantages of Bitcoin is that there are no intermediaries, which gives users control to send payments from one party directly to another without a financial institution, making fees lower.
To prevent paying twice with the same Bitcoin, each user has its own private key and a public key. Once a transfer is initiated, the transfer is submitted to the network encoded by the public key. The acceptance occurs when the person accepts the amount on his or her private key. The sender signs the transaction with the private key. This log of transactions is continually downloaded by users on the network removing the need for a third-party clearinghouse to monitor the transactions.
Theoretically, paying an employee in Bitcoins would go through the same process. However, to comply with payroll deductions and filings, employers most commonly engage a payroll service experienced in Bitcoin that handles payroll deductions and filings.
What are the withholding implications of using Bitcoins as wages?
Just like wages paid in non-virtual currency, Bitcoin compensation would be considered W-2 wages for employees. Bitcoin is also subject to federal income tax withholding, FICA, FUTA, and the self-employment tax based on the fair market value of the Bitcoin on the date it was received.
Do Bitcoin payments meet an employer’s minimum wage and overtime requirements?
Regulations under the Fair Labor Standards Act (FLSA) require that wage payments be in “cash or a negotiable instrument payable at par,” meaning that Bitcoin payments may not satisfy an employer’s minimum wage and overtime requirements under the FLSA. An employer could pay in a hybrid of U.S. currency and Bitcoin to meet the federal requirements and pay anything above that amount in Bitcoin. Several state wage and hour laws also require that wages be paid in U.S. currency, so it is important to check both federal and state laws before paying employees in crypto-currency.
What about exempt employees?
Most exempt employees have minimum salary requirements under federal law. The minimum salary requirement under the FLSA salary basis test must be paid in U.S. currency or a negotiable instrument. Like the minimum wage and overtime requirements, once that threshold is met, employers may pay employees the rest of the amount in Bitcoin.
For nonexempt employees, there is some gray area as to how to value Bitcoins for the regular rate calculation for overtime purposes. The timing of the valuation may have a significant economic impact due to Bitcoin’s somewhat volatile nature. Bitcoin valuation may also be a problem when calculating the regular and back pay if an employee is misclassified as exempt. There may also be other issues tied to Bitcoin’s volatility, the administrative cost of converting wages to Bitcoin and security of Bitcoin wallets. Before diving into the digital currency world, it is recommended that an employer consult with legal counsel to avoid any potential pitfalls.
Today, the Trump Administration announced rescission of the Obama Administration’s 2012 Executive Order which created the Deferred Action for Childhood Arrivals (DACA) program. As of March 5, 2018, DACA will fully end with many questions yet to be answered.
DACA has benefitted approximately 800,000 recipients, who came to the U.S. before the age of sixteen and hold no valid immigration status, by granting them temporary work authorization and relief from deportation. Through the program, beneficiaries have gone on to become productive members of communities, contributing to the economy by attending college, buying houses and cars, and obtaining better paying jobs.
What We Know:
The U.S. Citizenship & Immigration Services (USCIS) will immediately halt acceptance of new DACA applications while “orderly winding down” the program for existing DACA recipients.
Current DACA recipients with permits that expire before March 5, 2018 may apply for a renewal by October 5, 2017.
Some DACA recipients could lose work authorization as early as March 6, 2018, while others may continue to use the program over the next two years.
No specific guidance will be issued to DHS agents to shield young undocumented immigrants from deportation.
What Is Unclear:
Whether and how quickly Immigration & Customs Enforcement will take enforcement action to remove DACA recipients who have disclosed personal information in order to obtain a DACA benefit.
Whether Congress will be able to pass a legislative solution within the next six months. Much will depend on DACA proponents’ ability to mobilize and advocate some form of relief.
Whether those granted Advance Parole pursuant to DACA will be permitted to return to the U.S. once DACA ends. Having Advance Parole does not guarantee admission to the U.S., and the U.S. Department of Homeland Security may revoke or terminate it at any time.
Other Possible Forms of Relief:
In lieu of federal legislation, other forms of relief may be available. Current DACA recipients and undocumented immigrants may want to explore eligibility for:
A temporary visa as a victim of a specific crime;
Proof of existing U.S. citizenship or noncitizen nationality; and
Lawful permanent residence. Potential applicants include:
Individuals whose last entry to the US was after inspection and admission or parole by U.S. Customs & Border Protection (CBP) and who have an immigrant visa immediately available;
Certain individuals who are beneficiaries of visa petitions filed by family members or employers on or before April 30, 2001 and who have an immigrant visa immediately available;
Certain spouses, children and parents of U.S. citizens or green card holders who have been subject to battery or extreme cruelty by a U.S. citizen or green card holder family member, even if the individual entered without being inspected and admitted by CBP; and
Certain unmarried individuals under 21 where a juvenile court has found that the child’s reunification with his or her parent(s) is not viable due to abuse, neglect, abandonment or a similar basis under state law, even if the individual entered without being inspected and admitted by CBP.
Additional guidance is expected in the coming days and weeks. Stay tuned for further updates.
Indications are that President Donald Trump likely will end the DACA (Deferred Action for Childhood Arrivals) program while signaling the Administration’s willingness to work with Congress on an alternative program. Vice President Mike Pence, speaking in Texas, noted, “President Trump has said all along that he’s giving very careful consideration to that issue and that when he makes it he’ll make it with, as he likes to say, ‘big heart’.”
Since 2012, close to 800,000 people brought to the U.S. illegally as children have been allowed to remain in this country with work authorization – their deportations having been “deferred.” Eliminating DACA was a staple of Trump’s campaign, but, once he became President, he indicated that it would be a hard decision to make and even noted that the “dreamers” “should ‘rest easy’ about his immigration policies.” The Administration’s decision on whether to discontinue DACA has been made more urgent by a number of Republican attorneys general and the Texas Governor’s announcement that they will ask a federal judge to rule on the legality of DACA by September 5 if the President does not announce he is ending the program.
President Barack Obama put DACA into place by way of an executive order as a temporary measure when Congress failed to enact immigration reform that would protect these individuals because, he believed, “It [was]. . . the right thing to do.” Ending DACA likely will mean that new applications for status and work authorization will not be accepted and existing authorizations will not be renewed once they expire.
Hundreds of tech and business leaders sent a letter to the President and Congressional leaders expressing their support for DACA. It said, in part:
All DACA recipients grew up in America, registered with our government, submitted to extensive background checks, and are diligently giving back to our communities and paying income taxes. More than 97 percent are in school or in the workforce, 5 percent started their own business, 65 percent have purchased a vehicle, and 16 percent have purchased their first home. At least 72 percent of the top 25 Fortune 500 companies count DACA recipients among their employees.
Senator Orrin Hatch (R-Utah), who supports tougher immigration enforcement, tweeted that he has “urged the President not to rescind DACA . . . .” Speaker Paul Ryan (R-Wis.) has done the same.
Should DACA be rescinded, it would be up to Congress, working with the Administration, to agree upon legislation to provide legal status to these individuals.
The Trump Administration is considering the elimination of the J-1 Summer Work-Travel Program for students who come to tourist areas in the U.S. as temporary summer help and as participants in cultural exchanges. Like the numerical limitations placed on H-2B temporary seasonal visas, the elimination of this J-1 Summer Work-Travel Program would particularly affect the hospitality industry in areas that rely on these students to cook, wait tables, and run amusement park rides in tourist areas during the summer months.
Morey’s Pier Amusement Park in Wildwood, New Jersey, hired more than one-third of its 2017 summer workforce through the J-1 Summer Work-Travel Program. Its Director of Human Resources reported that it makes extensive efforts, including through job fairs, to hire U.S. workers, but cannot find enough people interested in the seasonal work. The Park hired 82 percent of the U.S. applicants who applied for jobs and the remaining 18 percent could not be hired because they were too young to be lifeguards or to serve alcohol.
Other tourist areas such as Hershey, Pennsylvania, and the Poconos also depend on the J-1 Summer Work-Travel Program. Congressman Bill Keating (D-MA), who represents Cape Cod and the Islands of Nantucket and Martha’s Vineyard, is critical of the reported plan to reduce these visas for students who he believes are vital to his area’s economy.
The review and possible elimination of the J-1 Summer Work-Travel Program arises out of the “Buy American, Hire American” Executive Order. The first hint that the Program might be cut was in a draft executive order that was leaked in January 2017. That draft, “Protecting American Jobs and Workers by Strengthening the Integrity of Foreign Worker Visa Programs,” was never signed or formally released. It included specific provisions questioning the desirability of the J-1 program, the L-1 visa program, the use of parole authority, and the H-1B visa program, among others. To date, the Administration has been achieving some of the goals first set forth in that draft by conducting more L-1 site visits, scrutinizing H-1B and L-1 petitions by issuing a staggering number of post-filing Requests for Evidence (RFEs), postponing (and ultimately planning to eliminate) the International Entrepreneur Rule that relied on parole authority, and, now, focusing on the possible elimination of the J-1 Summer Work-Travel Program.
According to the State Department website, “The J-1 Exchange Visitor Program [overseen by the Department of State] provides opportunities for around 300,000 foreign visitors from 200 countries and territories per year to experience U.S. society and culture and engage with Americans.” There are more than a dozen J-1 programs. Others that are reportedly being reviewed for possible elimination are the J-1 internship and au pair programs.