Category: Communication Media & Internet

How to Create an Impactful and Authentic Pride Month Social Media Campaign for Your Company

June is Pride Month, which offers companies of all kinds a unique opportunity to celebrate, show support and raise awareness for LGBTQIA+ rights on their social media channels.

Businesses of all kinds and sizes can get involved, raise awareness and give back for Pride Month regardless of their budget or reach.

While Pride is most definitely a celebration, an impactful Pride campaign should include education, awareness, and center around people.

Celebrating Pride and showing your support for the LGBTQIA+ community is not a trend— and it shouldn’t be treated as such.

Here’s how to create and implement an impactful and genuine Pride Month social media campaign at your company.

The Do’s and Don’ts of Pride Month social media planning

Before you dive head-first into planning your corporate Pride initiatives, it’s important to get a wide range of employees involved in the planning process.

If your company has an LGBTQIA+ affinity group or diversity committee, collaborate with them or if you don’t have a group, consider convening a committee of employee volunteers of diverse backgrounds to serve as a sounding board and provide their input as your plans begin to take shape.

Please note: these volunteers should be compensated for their time and efforts in some meaningful way (vacation time, bonuses, gift cards, etc.). While it may be too late to do this for this year’s campaign, activate or assemble the group now for your 2023 initiative.

Don’t: Exploit social initiatives and conversations as a means to reach business goals.

Celebrating Pride and showing your support for the LGBTQIA+ community is not a trend— and it shouldn’t be treated as such.

If you’re simply posting rainbow-branded imagery (rainbow washing) during the month or posting about your commitment to the cause without having any real initiatives or actions to back it up, you’re just paying lip service to and perhaps exploiting yet another social initiative. Make sure your company can really walk the walk before you talk the talk. Performative allyship can backfire, alienating your employees, your clients, recruits, and others.

Remember that everyone (employees, clients, and the general public) is watching what you post online, even if they don’t actually like or comment on it.

Do: Ask yourself why you’re supporting this initiative and have a clear purpose.

Before publishing Pride-related content, ask yourself, are we actually adding value to this conversation? What are we hoping to gain from inserting ourselves into this conversation? What are our motivations? Is our company an actual safe space or inclusive environment that includes active and engaged allies?

Remember, Pride Month should not be about your business goals. You also don’t have to have accomplished all of your LGBTQIA+ related inclusion goals to commemorate Pride, but your efforts should be more than surface level.

Do: Support LGBTQIA+ initiatives year-round.

If you don’t already take steps to support the LGBTQIA+ community year-round, take the opportunity to discuss doing so with management and staff before Pride. June is only one month out of the year, a month where it’s arguably the “most acceptable” to show support for the LGBTQIA+ community. To be a true ally, it’s important to show this level of support year-round. Work to ensure that your company’s policies and practices are inclusive and address the needs of your LGBTQIA+ employees.

In addition to internally focused actions, consider how your true commitment can be reflected externally. There are many organizations to which you can donate and volunteer. Solicit voluntary feedback from your LGBTQIA+ employees and clients to ensure that they feel involved and included in the process.

Do: Educate yourself and those around you on the origins and history of Pride Month.

Pride Month has a rich, political history that companies often fail to understand and recognize as they participate in Pride Month. Pride Month is celebrated in June to honor the 1969 Stonewall Uprising in Manhattan — a tipping point for the Gay Liberation Movement in the United States.

Not only is Pride a time to recognize the progress that’s been made since the Stonewall Riots, but it’s just as important to acknowledge how far we still must go as a society, particularly considering recent efforts to overturn or narrow the progress that has been made. A successful Pride campaign should have education and awareness at its core.

Do: Make education and awareness the core of your campaign.

Ideas for content for your Pride Campaign can include educating your followers on the meaning behind the Pride flag, using posts to tell the history of the Pride flag, and what Pride means to your employees, and run their answers in Q&A posts.

Another idea is to create posts to help followers better understand Pride Month and provide resources to help people better educate themselves on the cause and support those of the LGBTQIA+ community.

In addition, spotlighting members of the LGBTQIA+ community is a helpful way to educate your followers and amplify the contributions of individuals.

No matter what you choose, create a campaign that is rooted in improving awareness and education amongst your community.

Do: Let inclusivity be at the core of your all campaigns.

Inclusivity should be an active mission as part of your Pride campaign, and for your future marketing efforts too. Aim to have better representation on social media for your community — that means including people of all marginalized or otherwise underrepresented voices.

If you really want to reach, represent, and support your diverse community, it’s time to make active shifts towards better inclusive marketing year-round. It’s less about what you need to do for Pride today and instead, how are you supporting LGBTQIA+ folks year-round?

Do: Put your money (and time) where your mouth is.

Instead of treating Pride like a marketing campaign, put your efforts toward an activity that will positively impact the LGBTQIA+ community.

While monetary donations can be helpful, volunteering at community events or spending time with LGBTQIA+ advocacy organizations can be more impactful for your employees.

Consider hosting or taking part in LGBTQIA+ programming and donating to local charities doing work in your community to support LGBTQIA+ initiatives.

Do: Use the right hashtags to be discovered

  • #lgbtqia
  • #lgbtqpride
  • #lgbtqhumanrights
  • #equality
  • #pridemonth
  • #loveislove
  • #pride

Every organization that wants to support Pride on social media can find a way to do so, we challenge you to do it in a way that is authentic, genuine, and impactful to your brand and most importantly, to your employees and your clients. The world is watching you, so challenge yourself by doing the right thing.

This article was authored by Stefanie Marrone of Stefanie Marrone Consulting, and Paula T. Edgar, Esq, the CEO of PGE Consulting Group LLC, a firm that provides training and education solutions at the intersection of professional development and diversity, equity and inclusion. 

For more legal marketing and law office management news, click here to visit the National Law Review.

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.

Small Businesses Don’t Recognize Risk of Cyberattack Despite Repeated Warnings

CNBC surveys over 2,000 small businesses each quarter to get their thoughts on the overall business environment and their small business’ health. According to the latest CNBC/SurveyMonkey Small Business Survey, despite repeated warnings by the Cybersecurity and Infrastructure Security Agency and the FBI that U.S.- based businesses are at an increased risk of a cyber-attack following Russia’s invasion of Ukraine, small business owners do not believe that it is an actual risk that will affect them, and they are not prepared for an attack. The latest survey shows that only five percent of small business owners reported cybersecurity to be the biggest risk to their company.

What is unfortunate, but not surprising, is the fact that this is the same percentage of small business owners who recognized a cyber attack as the biggest risk a year ago. There has been no change in the perception among business owners, even though there are repeated, dire warnings from the government. Also unfortunate is the statistic that only 33 percent of business owners with one to four employees are concerned about a cyber attack this year. In contrast, 61 percent of business owners with more than 50 employees have the same concern.

According to CNBC, “this general lack of concern among small business owners diverges from the sentiment among the general public….In SurveyMonkey’s polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.” CNBC’s conclusion is that there is a disconnect between business owners’ appreciation of how much customers care about data security and that “[s]mall businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.” Statistics show that threat actors are targeting small to medium-sized businesses to stay under the law enforcement radar. With such a large target on their backs, business owners may wish to make cybersecurity a priority. It’s important to keep customers.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any another impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

Article By Kyle R. Freeny, Linda Ricci, Jena M. Valdetero, and Brittany M. Fisher of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Trade Mark Infringement – Muslim Dating App Meets its Match [.com]

A recent Intellectual Property Enterprise Court Decision (IPEC) on 20 April 2022 has decided that ‘Muzmatch’, an online matchmaking service to the Muslim Community has infringed Match.com’s registered trade marks.

The decision by Nicholas Caddick Q.C was that Muzmatch’s use of signs and its name amounted to trade mark infringement and/or passing off of Match.com’s trade marks. This case follows successful oppositions by Match.com to Muzmatch’s registration of its marks in 2018, and unsuccessful attempts by Match.com to purchase Muzmatch between 2017 and 2019.

Match.com is one of the largest and most recognisable dating platforms in the UK. It first registered a word mark ‘MATCH.COM’ in 1996 and also owns other dating-related brands including Tinder and Hinge with other marks including the word mark ‘TINDER’. Match.com used a 2012 TNS report to illustrate its goodwill and reputation and 70% of people surveyed would be able to recall Match.com if prompted, 44% unprompted and 31% of people would name Match.com as the first dating brand off the ‘top of their head.’

Muzmatch is a comparatively niche but growing dating platform, which aims to provide a halal (i.e. in compliance with Islamic law) way for single Muslim men and women to meet a partner. Muzmatch is comparatively much smaller and was founded in 2011 by Mr Shahzad Younas and now has had around 666,069 sign-ups in the UK alone.

The Court considered that the marks ‘Muzmatch’ and ‘MATCH.COM’ and each company’s graphical marks, had a high degree of similarity in the services provided. The marks were also similar in nature orally and conceptually and the addition of the prefix ‘Muz’ did not distinguish the two marks, nor could the lack of the suffix ‘.com’ or stylistic fonts/devices.

The key issue of the case relates to the idea of the term ‘Match’ which is used by both marks to describe the nature of the business: match[ing]. Muzmatch argued that as both marks share this descriptive common element, so it is difficult to conclude that there is a likelihood of confusion between the two marks as the term just describes what each business does.

 The Court found that finding that there is a likelihood of confusion for a common descriptive element is not impossible, as the descriptive element can be used distinctively. The average consumer would conclude that the portion ‘Match’ is the badge of origin for Match.com due to its reputation as a brand and the very substantial degree of distinctiveness in the dating industry. An average consumer would have seen the word ‘Match’ as the dominant element in the Match.com trade marks and Match.com is often referred to as just ‘Match’ in advertisements.

Aside from its marks, Muzmatch utilised a Search Engine Optimisation strategy from January 2012 whereby it utilised a list of around 5000 keywords which would take a user to a landing page on the its website. In the list of the keywords used, Muzmatch used the words ‘muslim-tinder’, ‘tinder’ and ‘halal-tinder’ which were accepted by Muzmatch during the litigation to have infringed Match’s trade marks of the Tinder brand including the word mark ‘TINDER’. Muzmatch’s SEO use was also found to cause confusion based on some of its keywords including ‘UK Muslim Match’, which again uses the term Match distinctively, therefore a consumer may confuse a link to ‘UK Muslim Match’ with ‘Match.com’.

Therefore, the Court found that there was likely to be confusion between Muzmatch and Match.com because of the distinctive nature of the term ‘Match’ in the world of dating platforms.  An average consumer would conclude that Muzmatch was connected in a material way with the Match.com marks, as if it was targeted at Muslim users as a sub-brand, so this confusion would be trade mark infringement under S10(2) of the Trade Marks Act 1994.

The Court also considered that Muzmatch had taken unfair advantage of Match.com’s trade marks and had therefore infringed those marks under S10(3) of the Trade Marks Act 1994. This was due to the reputation of Match.com’s trade marks and because a consumer would believe that Muzmatch was a sub-brand of Match.com.

The Court rejected Muzmatch’s defence of honest concurrent use and found that Match.com would also have an alternative claim in the tort of passing off.

Key Points:

  • The Court found that a common descriptive element can acquire distinctiveness in an area, solely because of a company’s reputation and influence in that market.
  • The use of Search Engine Optimisation strategies can also constitute a trade mark infringement.
  • The lack of the suffix ‘.com’ in a mark is not sufficient to distinguish use from a household brand such as Match.com, so care should be taken with brands such as ‘Match.com’, ‘Booking.com’[1]

Source:

[1] Match Group, LLC, Meetic SAS, Match.Com International Limited v Muzmatch Limited, Shahzad Younas [2022] EWHC 941 (IPEC)

[1] Note- Blog Post of July 6 2020 Relating to Booking.com- https://www.iptechblog.com/2020/07/us-supreme-court-opens-doors-to-generic-com-trademarks/

Article By Connor Sargeant and the Intellectual Property and Technology Practice Group at Squire Patton Boggs (US) LLP ​.

For more intellectual property legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

NCLC Tells FCC “Callers can easily avoid making calls to telephone numbers that have been reassigned….” – But Is it That Simple?

The National Consumer Law Center is at it again.

In response to the Department of Health and Human Services’ recent letter to the FCC seeking clarity on whether the TCPA applies to texts it would like to make to alert Americans of certain medical benefits, the NCLC–an organization that nominally represents consumers, but really seems to represent the interests of the plaintiff’s bar–has filed a comment.

Unsurprisingly, the NCLC takes the position that HHS needs no relief. Government contractors are covered by the TCPA–it says–but the texts at issue in HHS’ letter are consented, so they’re fine. (Although it later clarifies that only “many” but not “all” of the enrollees whom HHS wishes to call have “probably” given their telephone numbers as part of written enrollment agreements–so perhaps not.)

Hmmmm. Feels like a trap. But we’ll ignore that for now.

The critical piece here though is what the NCLC–very powerful voice, for better or (often) worse–is telling the FCC about the effectiveness of the new Reassigned Number Database:

3. Callers can easily avoid making calls to telephone numbers that have been reassigned to someone other than the enrollee

A primary source of TCPA litigation risk has been calls inadvertently made to numbers that are no longer assigned to the person who provided consent. Courts have held the caller liable for making automated calls to a cell phone number that has been reassigned to someone other than the person who provided consent to be called.29

The Commission has implemented the Reassigned Number Database specifically to address that risk of liability, as well as to limit the number of unwanted robocalls:

The FCC’s Reassigned Numbers Database (RND) is designed to prevent a consumer from getting unwanted calls intended for someone who previously held their phone number. Callers can use the database to determine whether a telephone number may have been reassigned so they can avoid calling consumers who do not want to receive the calls. Callers that use the database can also reduce their potential Telephone Consumer Protection Act (TCPA) liability by avoiding inadvertent calls to consumers who have not given consent for the call.31

The database has been fully operational since November 1, 2021. It provides a means for callers to find out before making a call if the phone number has been reassigned. If the database wrongly indicates that the number has not been reassigned, so long as the caller has used the database correctly, no TCPA liability will apply for reaching the wrong party. 32 Thus, as long as HHS’s callers make use of this simple, readily available database, they can be confident that they will not be held liable for making calls to reassigned numbers.

While I steadfastly support both the creation and use of the RND, it also must be observed that there are myriad problems with the RND as it currently exists. Most importantly, the data sets in the RND are only comprehensive through October 1, 2021 and spotty back to February, 2021 (beyond which there are no records!)

So for folks like HHS–and servicers of mortgages, and retailers, and credit card companies–who want to reach customers who provided their contact information before 10/2021 or 2/2021 the RND is simply not helpful.

The NCLC’s over simplification of a critical issue is not surprising. They once told Congress that the TCPA is “Straightforward and Clear” after all.

Full comment here: NCLC Comments-c3

We’ll keep an eye on developments on HHS’ letter and all the FCC goings ons.

Article By Eric J. Troutman of Troutman Firm

For more TCPA and communications legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Implementing Effective Data Security

Autonomous vehicles can be vulnerable to cyber attacks, including those with malicious intent. Identifying an appropriate framework with policies and procedures will help mitigate the risk of a potential attack.

The National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to reduce the likelihood of an attack’s success and mitigate ramifications if one does occur. NHTSA’s Cybersecurity Framework is structured around the five principles of identify, protect, detect, respond and recover, and can be used as a basis for developing comprehensive data security policies.

NHTSA goes on to describe how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This [analysis] involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.

Other industry associations are also weighing in on best practices, including the Automotive Information Sharing and Analysis Center’s (Auto-ISAC) seven Key Cybersecurity Functions and, from a technology development perspective, SAE International’s J3061, a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems to help AV companies “[minimize] the exploitation of vulnerabilities that can lead to losses, such as financial, operational, privacy, and safety.”

Article By Adam J. Brody, John J. Rolecki, Jeffrey M. Stefan II, Andrea M. Gumushian, and Justin M. Wolber at Varnum LLP

For more transportation legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

The Metaverse: A Legal Primer for the Hospitality Industry

The metaverse, regarded by many as the next frontier in digital commerce, does not, on its surface, appear to offer many benefits to an industry with a core mission of providing a physical space for guests to use and occupy. However, there are many opportunities that the metaverse may offer to owners, operators, licensors, managers, and other participants in the hospitality industry that should not be ignored.

What is the Metaverse?

The metaverse is a term used to describe a digital space that allows social interactions, frequently through use of a digital avatar by the user. Built largely using decentralized, blockchain technology instead of centralized servers, the metaverse consists of immersive, three-dimensional experiences, persistent and traceable digital assets, and a strong social component. The metaverse is still in its infancy, so many of the uses for the metaverse remain aspirational; however, metaverse platforms have already seen a great deal of activity and commerce. Meanwhile, technology companies are working to produce the next-generation consumer electronics that they hope will make the metaverse a more common location for commerce.

The Business Case for the Hospitality Industry

The hospitality industry may find the metaverse useful in enhancing marketing and guest experiences.

Immersive virtual tours of hotel properties and the surrounding area may allow potential customers to explore all aspects of the property and its surroundings before booking. Operators may also add additional booking options or promotions within the virtual tour to increase exposure to customers.

Creating hybrid, in-person and remote events, such as conferences, weddings, or other celebrations, is also possible through the metaverse. This would allow guests on-site to interact with those who are not physically present at the property for an integrated experience and possible additional revenue streams.

Significantly, numerous outlets have identified the metaverse as one of the top emerging trends in technology. As its popularity grows, the metaverse will become an important location for the hospitality industry to interact with and market to its customer base.

Legal Issues to Consider

  1. Select the right platform for you. There are multiple metaverse platforms, and they all have tradeoffs. Some, including Roblox and Fortnite, offer access to more consumers but generally give businesses less control over content within the programs. Others, such as Decentraland and the Sandbox, provide businesses with greater control but smaller audiences and higher barriers to entry. Each business should consider who its target audience is, what platform will be best to reach that audience, and its long term metaverse strategy before committing to a particular platform.
  2. Register your IP. Businesses should consider filing trademark applications covering core metaverse goods or services and securing any available blockchain domains, which can be used to facilitate metaverse payments and to direct users to blockchain content, such as websites and decentralized applications. Given the accelerating adoption of blockchain domains along with limited dispute resolution recourse available, we strongly encourage businesses to consider securing intellectual property rights now.
  3. Establish a dedicated legal entity. Businesses may want to consider setting up a new subsidiary or affiliate to hold digital assets, shield other parts of their business from metaverse-related liability, and isolate the potential tax consequences.
  4. Take custody of digital assets. Because of their digital character, digital assets such as cryptocurrency, which may be the primary method of payment in the metaverse, are uniquely vulnerable to loss and theft. Before acquiring cryptocurrency, businesses will need to set up a secure blockchain wallet and adopt appropriate access and security controls.
  5. Protect and enforce your IP. The decentralized nature of the metaverse poses a significant challenge to businesses and intellectual property owners. Avenues for enforcing intellectual property rights in the metaverse are constantly evolving and may require multiple tools to stop third-party infringements.
  6. Reserve metaverse rights. Each Business that licenses its IP, particularly those that do so on a geographic or territorial basis, should review existing license agreements to determine what rights, if any, its licensees have for metaverse-related uses. Moving forward, each brand owner is encouraged to expressly reserve rights for metaverse-related uses and exercise caution before authorizing any third party to deploy IP to the metaverse on a business’ behalf.
  7. Tax matters. Attention needs to be paid to how the tax law applies to metaverse transactions, despite the current tax law not fully addressing the metaverse. This is particularly the case for state and local sales and use, communications, and hotel taxes.

Ready to Enter?

As we move into the future, the metaverse appears poised to provide a tremendous opportunity for the hospitality industry to connect directly with consumers in an interactive way that was until recently considered science fiction. But like every new frontier, technological or otherwise, there are legal and regulatory hurdles to consider and overcome.

Article By Charles B. Ferguson, Jr. and Kimberly A. Wachen of ArentFox Schiff LLP

For more technology legal news, click here to visit the National Law Review.

© 2022 ArentFox Schiff LLP

EEOC and the DOJ Issue Guidance for Employers Using AI Tools to Assess Job Applicants and Employees

Employers are more frequently relying on the use of Artificial Intelligence (“AI”) tools to automate employment decision-making, such as software that can review resumes and “chatbots” that interview and screen job applicants. We have previously blogged about the legal risks attendant to the use of such technologies, including here and here.

On May 12, 2022, the Equal Employment Opportunity Commission (“EEOC”) issued long-awaited guidance on the use of such AI tools (the “Guidance”), examining how employers can seek to prevent AI-related disability discrimination. More specifically, the Guidance identifies a number of ways in which employment-related use of AI can, even unintentionally, violate the Americans with Disabilities Act (“ADA”), including if:

  • (i) “[t]he employer does not provide a ‘reasonable accommodation’ that is necessary for a job applicant or employee to be rated fairly and accurately by” the AI;
  • (ii) “[t]he employer relies on an algorithmic decision-making tool that intentionally or unintentionally ‘screens out’ an individual with a disability, even though that individual is able to do the job with a reasonable accommodation”; or
  • (iii) “[t]he employer adopts an [AI] tool for use with its job applicants or employees that violates the ADA’s restrictions on disability-related inquiries and medical examinations.”

The Guidance further states that “[i]n many cases” employers are liable under the ADA for use of AI even if the tools are designed and administered by a separate vendor, noting that “employers may be held responsible for the actions of their agents . . . if the employer has given them authority to act on [its] behalf.”

The Guidance also identifies various best practices for employers, including:

  • Announcing generally that employees and applicants subject to an AI tool may request reasonable accommodations and providing instructions as to how to ask for accommodations.
  • Providing information about the AI tool, how it works, and what it is used for to the employees and applicants subjected to it. For example, an employer that uses keystroke-monitoring software may choose to disclose this software as part of new employees’ onboarding and explain that it is intended to measure employee productivity.
  • If the software was developed by a third party, asking the vendor whether: (i) the AI software was developed to accommodate people with disabilities, and if so, how; (ii) there are alternative formats available for disabled individuals; and (iii) the AI software asks questions likely to elicit medical or disability-related information.
  • If an employer is developing its own software, engaging experts to analyze the algorithm for potential biases at different steps of the development process, such as a psychologist if the tool is intended to test cognitive traits.
  • Only using AI tools that measure, directly, traits that are actually necessary for performing the job’s duties.
  • Additionally, it is always a best practice to train staff, especially supervisors and managers, how to recognize requests for reasonable accommodations and to respond promptly and effectively to those requests. If the AI tool is used by a third party on the employer’s behalf, that third party’s staff should also be trained to recognize requests for reasonable accommodation and forward them promptly to the employer.

Finally, also on May 12th, the U.S. Department of Justice (“DOJ”) released its own guidance on AI tools’ potential for inadvertent disability discrimination in the employment context. The DOJ guidance is largely in accord with the EEOC Guidance.

Employers utilizing AI tools should carefully audit them to ensure that this technology is not creating discriminatory outcomes.  Likewise, employers must remain closely apprised of any new developments from the EEOC and local, state, and federal legislatures and agencies as the trend toward regulation continues.

Article By Joseph C O’Keefe and Edward C. Young of Proskauer Rose LLP

For more labor and employment legal news, click here to visit the National Law Review.

© 2022 Proskauer Rose LLP.

Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.

ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

Article By David A. Zetoony of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Alabama Enacts New Telemedicine Law

Alabama Governor Kay Ivey recently signed SB 272 into law, setting forth telemedicine practice standards and abolishing Alabama’s previous “special purpose license” that allowed physicians licensed in other states to practice across state lines into Alabama. The law is effective July 11, 2022.

The law creates a new article in the Code of Alabama (Sections 34-24-701 through 34-24-707 of Chapter 24, Title 34). The statutory language is lengthy, but the key provisions are summarized below.

Medical License

Unless the physician meets an exception to licensure (e.g., peer-to-peer consultations, irregular or infrequent services), a physician must obtain either a full Alabama medical license or a license via the Interstate Medical Licensure Compact in order to provide “telehealth medical services” to a patient located in Alabama.

  • Telehealth medical services means “[d]igital health, telehealth, telemedicine, and the applicable technologies and devices used in the delivery of telehealth. The term does not include incidental communications between a patient and a physician.
  • The term “irregular or infrequent” services refers to “telehealth medical services” occurring less than 10 days in a calendar year or involving fewer than 10 patients in a calendar year.

Defined Terms and Allowable Modalities

  • Telehealth is defined as “[t]he use of electronic and telecommunications technologies, including devices used for digital health, asynchronous and synchronous communications, or other methods, to support a range of medical care and public health services.”
  • Telemedicine is defined as “[a] form of telehealth referring to the provision of medical services by a physician at a distant site to a patient at an originating site via asynchronous or synchronous communications, or other devices that may adequately facilitate and support the appropriate delivery of care.” The term includes digital health, but does not include incidental communications between a patient and a physician.
  • Digital Health is defined as “[t]he delivery of health care services, patient education communications, or public health information via software applications, consumer devices, or other digital media.”
  • Asynchronous is defined as “[t]he electronic exchange of health care documents, images, and information that does not occur in real time, including, but not limited to, the collection and transmission of medical records, clinical data, or laboratory results.”
  • Synchronous is defined as “[t]he real-time exchange of medical information or provision of care between a patient and a physician via audio/visual technologies, audio only technologies, or other means.”

Physician-Patient Relationship

A physician-patient relationship may be formed via telehealth without a prior in-person exam.

Telemedicine Prescribing of Medications and Controlled Substances

A practitioner may prescribe a legend drug, medical supplies, or a controlled substance to a patient via telehealth. However, a prescription for a controlled substance may only be issued if:

  1. The telehealth visit includes synchronous audio or audio-visual communication using HIPAA compliant equipment;
  2. The practitioner has had at least one in-person encounter with the patient within the preceding 12 months; and
  3. The practitioner has established a legitimate medical purpose for issuing the prescription within the preceding 12 months.

In-Person Visit for Unresolved Medical Condition

If a physician or practice group provides telehealth medical services more than 4 times in a 12-month period to the same patient for the same medical condition without resolution, the physician must either see the patient in-person within 12 months or refer the patient to a physician who can provide the in-person care within 12 months. This in-person visit requirement does not apply to the provision of mental health services.

The Alabama Board of Medical Examiners and the Alabama Medical Licensure Commission are currently developing administrative rules in accordance with the new law.

Article By Kristen A. Murphy and Jacqueline N. Acosta of Foley & Lardner LLP

For more health law legal news, click here to visit the National Law Review.

© 2022 Foley & Lardner LLP