What’s the Lowdown on the Shutdown?

The partial government shutdown continues. The shutdown has captured the attention of Washington politicians and the media, not to mention the hundreds of thousands of federal employees who are currently furloughed or working without pay.

For employers, the shutdown has some important implications. While the Department of Labor (DOL) and the National Labor Relations Board (NLRB) are fully funded through October 2019, the Equal Employment Opportunity Commission (EEOC) is not.

As a result of the lack of funding, the EEOC is closed until further notice.

WHAT DOES THAT MEAN FOR EMPLOYERS? A FEW THINGS:

  • The EEOC will not begin processing new employment discrimination cases until it reopens.
    However, the EEOC has been clear that the shutdown will not extend the statute of limitations for employees to file charges (300 days for Wisconsin employees). Employees who are close to the filing deadline are being encouraged to file charges by mail while the EEOC’s online portal remains closed to the public. Presumably, charges postmarked within the statute of limitations will be considered timely; however, this extra step may discourage some employees from filing claims.
  • Deadlines assigned to employers cannot be ignored on account of the shutdown.
    For example, a notice of charge dated December 21, 2018 with a position statement due date of January 21, 2019 cannot be ignored. Just as employees remain subject to the statute of limitations for their claims, so too are employers required to continue to meet their deadlines. If an extension is required, you should contact legal counsel as soon as possible. Generally, EEOC staff will not be able to respond to communications.
  • Pending EEOC charges will be suspended during the shutdown.
    This includes claims currently under investigation and those in the EEOC’s mediation program. Likewise, all EEOC litigation will be suspended except in cases where a continuance has not been granted.
  • The government shutdown does not affect state law discrimination claims.
    The Wisconsin Equal Rights Division (ERD) continues to accept discrimination claims, including those normally cross-filed with the EEOC. Employers must continue to respond to communications from the ERD.

Past experience suggests that if and when the EEOC reopens for business, there will be a significant backlog of cases to sort through. Employers should therefore expect the EEOC’s actions and communications to lag in 2019 as the agency works to get caught up on processing, investigating, and resolving cases.

 

Copyright © 2019 Godfrey & Kahn S.C.
This post was written by M. Scott LeBlanc of Godfrey & Kahn S.C.

Read more labor and employment news on the National Law Review’s labor and employment type of law page.

Scan Your Practices: Illinois Supreme Court to Resolve Biometric Privacy Standard

Fingerprinting, retina scans, and voiceprints – practices once reserved for FBI agents, criminals, and Jason Bourne – are now widely used by companies of all sizes. These “biometric identifiers” are collected, often by employers, to provide for workplace efficiencies such as clocking time and ensuring secure access to sensitive locations. Or they may be used by businesses looking to track and identify customers. Whatever the case may be, collection and use of biometric identifiers are landing companies in legal hot water.

There has been a frenzy of class action lawsuits filed under the Illinois Biometric Information Privacy Act (BIPA) in recent weeks, in anticipation of a pending decision from the Illinois Supreme Court regarding the statute’s scope. BIPA provides a roadmap for how to lawfully gather, store, and destroy biometric data. When companies flout these requirements, they expose themselves to legal liability.

Compliance with BIPA is not terribly difficult. A private entity must: 1) develop a written policy, available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric data; 2) provide information to the subject in writing, and obtain a written release before collecting and using biometric information; 3) safely store and prevent disclosure or dissemination of the biometric data to unauthorized third parties; and 4) destroy the biometric data when there is no longer a reason for keeping it, or within three years of the individual’s last interaction with the entity, whichever comes first.

The statute provides that “any person aggrieved by a violation” of these rules can bring suit. The tricky question, which the Illinois Supreme Court will soon answer, is who is a person aggrieved? Is someone aggrieved if a private entity technically violates the statute, but does not otherwise cause harm to the individual through unauthorized dissemination or disclosure of his or her biometric data? If a company forgets to obtain written authorization, but otherwise posts appropriate notices and protects the security of the data, are its employees or customers aggrieved persons?

The answer once appeared favorable to companies. In Rosenbach v. Six Flags Entertainment Corporation, the Second District Appellate Court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under BIPA. In other words, technical violations of the statute, without any accompanying harm, did not pave the way for litigation.

At the end of 2018, however, the First District Appellate Court, in Sekura v. Krishna Schaumburg Tan, Inc., signaled a more relaxed, plaintiff-friendly standard by agreeing that an injury to a privacy right may be enough to maintain a lawsuit. Though that case also involved allegations of actual harm (unauthorized disclosure of the data to third parties), it created a fissure and undermined whatever comfort came from knowing that technical violations alone would not produce viable lawsuits. And, while the federal courts sitting in Illinois continue to dismiss these cases for lack of constitutional standing, the majority of BIPA cases are filed and remain in state court, where state precedent controls. Companies will seldom find themselves in the more favorable federal venue.

Meanwhile, the plaintiffs in Rosenbach appealed to the Illinois Supreme Court, which heard oral arguments on this issue at the end of November 2018. The central question the court will soon answer is what type of harm must be alleged in order for a plaintiff to maintain suit under BIPA: Are allegations of mere technical violations enough, or must a plaintiff allege a more particular harm? BIPA aficionados across the state are waiting with bated breath to learn the answer.

In the meantime, companies would be wise to review their biometric data notification, collection, storage, and destruction practices. In many ways, regardless of Rosenbach’s outcome, companies need to be extremely vigilant in deciding whether to collect biometric data in the first place and, if so, in developing and implementing careful practices to ensure full compliance with BIPA. Even if the Illinois Supreme Court ultimately concludes that technical violations alone are not actionable, shrewd plaintiffs and their attorneys will not hesitate to articulate allegations of harm beyond mere technicalities. Now is the time to scan your practices.

 

© 2019 Much Shelist, P.C.
This post was written by Laura A. Elkayam and James L. Wideikis of Much Shelist, P.C.

Under Developing IRS Guidance (Not Final), an Employer Would Be Able to Fully Satisfy ACA’s Employer Mandate Without Maintaining Group Health Plan

Takeaway Message: A recent IRS notice provides a future path for employers to avoid ACA employer mandate penalties by reimbursing employees for a portion of the cost of individual insurance coverage through an employer-sponsored health reimbursement arrangement (HRA). While the notice is not binding and at this stage is essentially a discussion of relevant issues, it does represent a significant departure from the IRS’s current position that an employer can only avoid ACA employer mandate penalties by offering a major medical plan.

Background: As described in more detail in a previous update, the ACA currently prohibits (except in limited circumstances) an employer from maintaining an HRA that reimburses the cost of premiums for individual health insurance policies purchased by employees in the individual market. Proposed regulations issued by the IRS and other governmental agencies would eliminate this prohibition, allowing an HRA to reimburse the cost of premiums for individual health insurance policies (Individual Coverage HRA) provided that the employer satisfies certain conditions.

The preamble of the proposed regulations noted that the IRS would issue future guidance describing special rules that would permit employers who sponsor Individual Coverage HRAs to be in full compliance with the ACA’s employer mandate (described below). As follow up, the IRS recently issued Notice 2018-88 (the Notice), which is intended to begin the process of developing guidance on this issue.

On a high level, the ACA’s employer mandate imposes two requirements in order to avoid potential tax penalties: (1) offer health coverage to at least 95 percent of full-time employees (and dependents); and (2) offer “affordable” health coverage that provides “minimum value” to each full-time employee (the terms are defined by the ACA and are discussed further in these previous updates).

Offering Health Coverage to at Least 95 Percent of Full-Time Employees: Both the proposed regulations and Notice provide that an Individual Coverage HRA plan constitutes an employer-sponsored health plan for employer mandate purposes. As a result, the proposed regulations and Notice provide that an employer can satisfy the 95 percent offer-of-coverage test by making its full-time employees (and dependents) eligible for the Individual Coverage HRA plan.

Affordability: The Notice indicates that an employer can satisfy the affordability requirement if the employer contributes a sufficient amount of funds into each full-time employee’s Individual Coverage HRA account. Generally, the employer would have to contribute an amount into each Individual Coverage HRA account such that any remaining premium costs (for self-only coverage) that would have to be paid by the employee (after exhausting HRA funds) would not exceed 9.86 percent (for 2019, as adjusted) of the employee’s household income. Because employers are not likely to know the household income of their employees, the Notice states that employers would be able to apply the already-available affordability safe harbors (described in more detail here) to determine affordability as it relates to Individual Coverage HRAs. The Notice also describes new safe harbors for employers that are specific to Individual Coverage HRAs and are intended to further reduce administrative burdens.

Minimum Value Requirement: The Notice explains that an Individual Coverage HRA that is affordable will be treated as providing minimum value for employer mandate purposes.

Next Steps: Nothing is finalized yet. Employers are not permitted to rely on the proposed regulations or the Notice at this time. The proposed regulations are aimed to take effect on January 1, 2020, if finalized in a timely manner. The final regulations will likely incorporate the special rules contemplated by the Notice (perhaps with even more detail). Stay tuned.

 

© 2019 Foley & Lardner LLP
This post was written by Jessica M. Simons and Nick J. Welle of Foley & Lardner LLP.

Partial Government Shutdown Causes Full-Blown Headache for Employers Using E-Verify

If you are an employer that is obligated to or has chosen to use E-Verify, then you have probably already received this message from the E-Verify website: “NOTICE: Due to the lapse in federal funding, this website will not be actively managed. This website was last updated on December 21, 2018, and will not be updated until after funding is enacted. As such, information on this website may not be up to date. Transactions submitted via this website might not be processed, and we will not be able to respond to inquiries until after appropriations are enacted.”

But what does this notice actually mean for your business? As long as the shutdown remains in effect, you will not be able to:

  • enroll in the program

  • access your E-Verify account

  • create a case in E-Verify

  • take action on a case you previously submitted

  • add, delete, or edit accounts

  • terminate accounts

  • run reports

Also during this time, your employees will not be able to resolve any E-Verify Tentative Nonconfirmations (TNCs) they received prior to the shutdown. Indeed, the number of days E-Verify is not available will not count toward the days employees have to begin the process of resolving their TNCs.

So, what should you do with your new hires given that you cannot create a case in E-Verify within the three business days required?

  • Make sure you are still completing I-9s in a timely manner. The shutdown does not affect the three business days you have to obtain and verify documentation in Section 2 or any other I-9 obligations.

  • Do not take any adverse action against employees who have open cases in E-Verify.

  • Create a list of all employees hired during the time period E-Verify has been inoperable, and make a notation that the reason the employees were not run through E-Verify is due to the government shutdown.

  • Take the time now to establish a system for running these employees through E-Verify once the system becomes available. Absent other instructions from USCIS, you will most likely be choosing the “other” drop-down field when asked why the case was not created within three days and typing in “government shutdown.”

  • If you’re a federal contractor with a Federal Acquisition Regulation E-Verify clause, think about getting confirmation in writing from your contracting officer that the E-Verify deadlines are extended. Or, if the officer is not available, at least create documentation that you have inquired about this.

© 2019 Jones Walker LLP
This post was written by Laurie M. Riley and Mary Ellen Jordan of Jones Walker LLP.

Los Angeles Living Wage Ordinance Amended With Annual Increases

Any employer working with the city of Los Angeles should be aware of recent amendments to the Los Angeles Living Wage Ordinance, which lay out annual cash wage increases, time off and health benefits.

The Los Angeles Living Wage Ordinance (LWO) applies to city contractors and ensures that employees working on city contracts are paid the city’s set living wage (which consists of a cash wage rate and an employer’s health related benefits contribution) and are provided with time off as required by the LWO (at least 96 compensated hours off and 80 uncompensated hours off).

Effective October 15, 2018, the city amended the ordinance to require employer contractors to pay their non-airport employees the following wage going forward:

  • On July 1, 2019, the wage rate for an Employee shall be no less than $14.25 per hour.
  • On July 1, 2020, the wage rate for an Employee shall be no less than $15.00 per hour.
  • On July 1, 2022, and annually thereafter, the hourly wage rate paid to an Employee will be adjusted.

In addition to the above base wage, employers must contribute at least $1.25 per hour toward health care benefits for employees and their dependents.

For example, if an employer does not currently provide an employee with health benefits as provided in Section 10.37.3 of this article, the employee must be paid an additional wage rate of $1.25 per hour for a total of $14.50 per hour (based on the current $13.25 per hour base rate).

Employers working with Los Angeles Airport Employees must comply with separate wage rates. Effective July 1, 2018 (and adjusted annually thereafter), airport employees must be paid at minimum $13.75 per hour in cash wages and $5.24 per hour in health benefits, for a total economic package of $18.99. The term “total economic package” is not defined in the ordinance. However, it is traditionally interpreted to mean “health related” benefits. “Health related” is defined liberally to include vacation time, health insurance, sick pay, etc.

Because the LWO’s wage rate increases annually, California employers thinking about entering into collective bargaining agreements should consider including flexible language around the annual rate increase.

 

© 2019 Barnes & Thornburg LLP
This post was written by Michael Lee of Barnes & Thornburg LLP.

Connecticut’s Pay Equity Law Prohibits Salary History Inquiries

As of January 1, 2019, Connecticut employers are prohibited from inquiring about prospective employees’ wage or salary histories. Connecticut’s new pay equity law is intended to promote equality in pay and close the wage gap. Under the new law, employers—defined as entities having “one or more employees”—are also prohibited from using a third party to inquire about any applicant’s wage or salary history. Employers may still inquire about the components of an applicant’s compensation structure—for example, retirement benefits or stock option plans—but they may not inquire about the value of any individual component.

Nothing in the law prevents an employer from verifying salary information if a prospective employee voluntarily discloses such information. Additionally, the law does not apply where a federal or state law “specifically authorizes disclosure or verification of salary history” in the employment context.

A private right of action exists for violations of the law, and a prospective employee can potentially recover compensatory damages, attorneys’ fees and costs, and punitive damages. A two-year statute of limitations applies.

In light of this new law, Connecticut employers should revise their employment applications to remove any requests for candidates’ salary histories. Employers that have hiring policies and/or hiring scripts should revise these documents to remove any questions about salary histories. Further, employers may want to affirmatively state that it is the employer’s policy not to make such inquiries. Connecticut employers may also want to ensure that any employees involved in interviewing candidates are trained on the new law and understand that they should not be asking about salary history information. Finally, employers may want to verify that any third parties they are using to help screen candidates are aware of and in compliance with the new law.

 

© 2018, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Woo-Hoo! Workplace Civility Rules Upheld by NLRB General Counsel

Between 2009 and 2017, the National Labor Relations Board (NLRB) invalidated countless workplace employment policies – including those of non-union employers – where the agency found them to potentially infringe on workers’ rights under the National Labor Relations Act. Among the types of policies overturned were “positive workplace” or “workplace civility” rules, which were said to limit employees’ right to discuss the terms and conditions of their employment. While courts sometimes intervened to strike down these board decisions, the NLRB nevertheless largely held to its view.

However, in the wake of the Boeing case last year, the agency has been taking a fresh look at workplace civility rules. And those results are refreshing.

This week, the NLRB General Counsel’s office released a memo in which it analyzed a “Commitment to My Co-Workers” policy of a company. That policy required workers to “maintain healthy relationships” and to address conflicts with co-workers directly instead of behind their backs. Before the new standard announced in Boeing, that policy almost certainly would have been found to be unlawful. But relying on Boeing, the NLRB General Counsel determined the workplace civility rules at issue were permissible and that the company could require employees to sign off on the policy and even terminate those who refused to do so.

This is great news for companies who want to promote positivity and healthy relationships in the workplace. It also serves as a reminder that under the NLRB’s current employment policy test enunciated in Boeing, many workplace policies that may have been rescinded due to board decisions issued between 2009 and 2017 may be worth revisiting in 2019.

 

© 2018 BARNES & THORNBURG LLP
This post was written by David J. Pryzbylski of Barnes & Thornburg LLP.

Mixed Results for Employers on Marijuana – Two Federal Courts Refuse to Find State Marijuana Laws Preempted by Federal Law

Two recent federal cases illustrate why employers – even federal contractors – must be cognizant of relevant state-law pronouncements regarding the use of marijuana (i.e., cannabis) by employees. While one case found in favor of the employer, and the other in favor of the employee, these decisions have emphasized that state law protections for users of medical marijuana are not preempted by federal laws such as the Drug-Free Workplace Act (DFWA). Employers must craft a thoughtful and considered approach to marijuana in the workplace, and in most cases should not take a zero-tolerance approach to marijuana.

Ninth Circuit Finds in Favor of Employer Who Discharged Employee for Positive Drug Test

In Carlson v. Charter Communication, LLC, the Ninth Circuit affirmed the dismissal of a lawsuit brought by an employee who alleged discrimination under the Montana Medical Marijuana Act (MMA) because he was discharged for testing positive for marijuana use. The plaintiff, a medical marijuana cardholder under Montana state law, tested positive for THC (a cannabinoid) after an accident in a company-owned vehicle. His employer, a federal contractor required to comply with the DFWA, terminated his employment because the positive test result violated its employment policy.

The District Court of Montana held that the employer was within its rights to discharge the plaintiff because (1) the DFWA preempts the MMA on the issue of whether a federal contractor can employ a medical marijuana user; and (2) the MMA does not provide employment protections to medical marijuana cardholders. Indeed, the MMA specifically states that employers are not required to accommodate the use of medical marijuana, and the Act does not permit a cause of action against an employer for wrongful discharge or discrimination. The Ninth Circuit rejected this rationale. Because the MMA does not prevent employers from prohibiting employees from using marijuana and does not permit employees to sue for discrimination or wrongful termination, the Ninth Circuit held that the MMA does not preclude federal contractors from complying with the DFWA and thus found no conflict.

The plaintiff asserted that the provisions of the MMA exempting employers from accommodating registered users and prohibiting such users from bringing wrongful discharge or discrimination lawsuits against employers are unconstitutional and sought certification of the question to the Montana Supreme Court. The Ninth Circuit rejected this request because, it determined, the Montana Supreme Court already decided the issue. The MMA and the specific sections challenged by the plaintiff appropriately balance Montana’s legitimate state interest in regulating access to a controlled substance while avoiding entanglement with federal law, which classifies the substance as illegal.

Plaintiff Wins Summary Judgment Against Employer That Rescinded Job Offer Due to Positive Test

If federal law does not preempt state law on the issue of marijuana, then in certain states – like Connecticut – employers will be more susceptible to discrimination claims from marijuana users. In Noffsinger v. SSC Niantic Operating Company, the District of Connecticut granted summary judgment to a plaintiff-employee of Bride Brook Nursing & Rehabilitation Center who used medical marijuana to treat post-traumatic stress disorder (“PTSD”) and whose offer was rescinded for testing positive for THC during a post-offer drug screen. Plaintiff filed a discrimination claim under the Connecticut Palliative Use of Marijuana Act (“PUMA”), which makes it illegal for an employer to refuse to hire a person or discharge, penalize, or threaten an employee “solely on the basis of such person’s or employee’s status as a qualifying patient or primary caregiver.”

We covered a previous decision in this case, in which the court held that PUMA is not preempted by the federal Controlled Substances Act (“CSA”), the Americans with Disabilities Act, or the Food, Drug & Cosmetic Act (“FDCA”). The decision was notable then for being the first federal decision to hold that the CSA does not preempt a state medical marijuana law’s anti-discrimination provision, a departure from a previous federal decision in New Mexico.

In this recent decision, the District Court again considered whether PUMA was preempted by federal law. In ruling for the Plaintiff, the court rejected Bride Brook’s argument that its practices fall within an exception to PUMA’s anti-discrimination provision because they are “required by federal law or required to obtain federal funding.” Bride Brook argued that in order to comply with the DFWA, which requires federal contractors to make a good faith effort to maintain a drug-free workplace, it could not hire plaintiff because of her failed pre-employment drug test. The court was not persuaded, concluding that the DFWA does not require drug testing, nor does it prohibit federal contractors from employing people who use illegal drugs outside the workplace. The court noted that simply because Bride Brook’s zero-tolerance policy went beyond the requirements of the DFWA does not mean that hiring the plaintiff would violate the Act.

The court also rejected Bride Brook’s argument that the federal False Claims Act (“FCA”) prohibits employers from hiring marijuana users because doing so would amount to defrauding the federal government. Because no federal law prohibits employers from hiring individuals who use medicinal marijuana outside of work, employers do not defraud the government by hiring those individuals.

Lastly, the court rejected the theory that PUMA only prohibits discrimination on the basis of one’s registered status and not the actual use of marijuana, as such a holding would undermine the very purpose for which the employee obtained the status.

What These Decisions Mean for Employers

These decisions are notable for the fact that the federal courts refused to find the state laws were preempted by federal law. Importantly, neither found that the DFWA preempts state law, which means that even federal contractors must be aware of and follow state law with respect to marijuana use by employees. Thus, in states in which employers may not discriminate against medical marijuana users – such as Connecticut – all employers must take care not to make adverse employment decisions based solely on off-duty marijuana use and, in certain states, must accommodate medical marijuana use. A majority of states and the District of Columbia now permit the use of medical marijuana; employers, including federal contractors, should be mindful of these statutes and consult with counsel to ensure their employment policies are compliant.

©2018 Epstein Becker & Green, P.C. All rights reserved.

This post was written by Nathaniel M. Glasser of Epstein Becker & Green, P.C.

Pennsylvania Supreme Court Holds Employers Have a Duty to Exercise Reasonable Care to Safeguard Sensitive Personal Information About Their Employees

To date, Pennsylvania has not adopted a comprehensive law specifying how sensitive personal information about individuals must be secured or the protections that holders of this information must use to minimize risk of breach. [1] Pennsylvania only requires that, in the event of a breach, holders of sensitive personal information notify the affected individuals so they can take appropriate precautions against misuse of their information. Pennsylvania does have some laws specific to particular industries, such as health care and insurance, regarding how sensitive personal information may be used or disclosed, but there is no single mandate across all industries obligating holders of sensitive personal information to secure it in any particular way.

Employers, however, are a common denominator among all industries, and recently, the Pennsylvania Supreme Court in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center held that when employers (regardless of the industry, the size of the employer, or the number of employees they hire) require their employees to provide sensitive personal information, such as Social Security numbers, bank accounts, tax returns, or other financial information, those employers have a legal duty to exercise reasonable care to safeguard that information when they store it on an Internet-accessible computer system. [2] Employers who do not exercise reasonable care to safeguard the sensitive personal information may be liable for financial damages to their employees in the event of a breach. [3]

All employers who collect sensitive personal information about their employees and maintain the information electronically on an Internet-accessible system are affected by the court’s decision. The court’s analysis also suggests that, regardless of how the information is stored (i.e., electronically or otherwise), an employer has a duty to exercise reasonable care to safeguard the sensitive personal information it collects about its employees from known threats to the information. This alert examines the court’s holding and identifies questions employers should be asking about their data requests, data security practices, and data-retention policies and procedures, and it offers suggestions for mitigating associated risks that apply regardless of whether employers store the information on an Internet-accessible computer.

What Happened?

UPMC’s Internet-connected computer system was hacked and sensitive personal information about its employees was accessed and stolen. This information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. The hackers used the stolen information to file false tax returns, and affected employees incurred financial damages. As a result, several UPMC employees filed a class-action lawsuit against UPMC on behalf of all 62,000 current and former UPMC employees whose data were accessed and stolen. The employees alleged that:

• UPMC affirmatively required employees to provide certain sensitive personal and financial information (including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information) as a condition of employment.
• UPMC had a duty to exercise reasonable care to protect their employees’ personal and financial information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
• UPMC stored the employees’ sensitive personal information on its Internet-accessible computer system without adopting adequate security measures, such as encryption, adequate firewalls, and an adequate authentication protocol, to safeguard that information, which allowed hackers to access the system and steal the information.
• UPMC breached its duty to exercise reasonable care to protect the information, which allowed hackers to access the system and steal the information.
• UPMC was liable to the employees for the financial damages they incurred resulting from the breach.

UPMC filed preliminary objections to the complaint — Pennsylvania’s form of a motion to dismiss — and asserted that the economic-loss doctrine barred the employees from recovering purely economic damages. Under the economic-loss doctrine, actions sounding in tort require physical injury or property damage in order to recover for a breach of duty. [4] The trial court agreed with UPMC that the economic-loss doctrine barred recovery. [5] The trial court also found UPMC owed no existing duty to the employees as they alleged, and the “‘courts should not impose ‘a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.’” [6] The trial court accordingly dismissed the complaint.

The employees appealed to the Pennsylvania Superior Court, and in a split decision, the Superior Court affirmed the trial court’s determination that employers did not owe their employees a duty under Pennsylvania law to exercise reasonable care to safeguard their sensitive personal information. [7] The Superior Court also agreed that the economic-loss doctrine barred recovery. [8] The Superior Court therefore affirmed the trial court’s order sustaining UPMC’s preliminary objections and dismissing the claim. [9]

The Pennsylvania Supreme Court’s Review

The Pennsylvania Supreme Court granted a discretionary appeal to determine the narrow questions of (1) whether an employer in Pennsylvania has a legal duty to use reasonable care to safeguard sensitive personal information about its employees when the employer chooses to store such information on an Internet-accessible computer system, and (2) if so, whether the employees could recover purely financial damages resulting from the breach of the duty. As discussed more fully below, the Supreme Court held that (i) employers have an existing duty to employees under Pennsylvania common law to exercise reasonable care in collecting and storing their sensitive personal information on their computer systems, and (ii) purely financial damages may be recovered if employers fail to exercise reasonable care in securing the sensitive personal information. [10]

First, the Supreme Court disagreed with the lower courts’ analysis that, if employers owed such a duty to exercise reasonable care to safeguard their employees’ sensitive personal information, such duty was a “new, affirmative duty” and was being created solely by the employees’ allegations. [11] In the Supreme Court’s view, the employees’ allegations were simply a “novel factual scenario” to apply an existing duty employers owe to the employees. [12] The Supreme Court stated that, as it has observed previously, “in scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm arising out of the act.’” [13] The Supreme Court concluded that, in this case, the employees alleged such affirmative conduct on the part of UPMC — namely, that “as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.” [14] The Supreme Court also agreed with the employees that “this affirmative conduct resulted in UPMC owing the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” [15]

With respect to the economic-loss doctrine, the Supreme Court held that the decisions relied upon by the trial court and the Superior Court “do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.” [16] Instead, the ability to recover “turns on the determination of the source of the duty plaintiff claims the defendant owed.” [17] In cases where the duty arises outside the context of a contract between the parties, the breach of that duty may be the basis of a negligence claim. [18] According to the Supreme Court, the employees’ allegations in the complaint existed independently from any contractual obligations between the parties. Accordingly, the employees had stated a claim upon which they could recover if their allegations proved to be true.

The Implications of the Court’s Holding for Employers

Private employers in Pennsylvania (regardless of industry) who affirmatively request sensitive personal information from their new or existing employees and who maintain the sensitive personal information on Internet-connected computer systems have an existing duty to exercise reasonable care to safeguard that information. [19] As a result, employers (regardless of size or number of employees) should be evaluating their data collection and maintenance policies and procedures to mitigate the risk of being found not to have exercised reasonable care in safeguarding the information. In particular, employers should be answering the following questions:

1. Is the information really needed? Employers should be able to connect each data request to a legitimate business need (e.g., a legal requirement) and limit the data requested to the minimum amount of data required to achieve that legitimate business purpose. Some data elements are essential: names, addresses, Social Security numbers, and birth dates. This data is necessary to pay employees, to report tax withholdings, and to prevent fraud, among other purposes. Any data being requested from employees that is not absolutely necessary for a legitimate business purpose should be reevaluated and collection discontinued if it is determined to be unnecessary. Unnecessary data should also be deleted.

2. Could any of the information collected and maintained about the employees and determined to be necessary for a legitimate employer-purpose harm employees if it were stolen? To make this determination, employers must have a thorough understanding of precisely what information they maintain about employees. Information such as names and addresses likely does not qualify as sensitive personal information (although there are always exceptions) but financial information does. In order for an employer to be able to show it exercised reasonable care, it must first know the nature of the data in its possession.

3. What are foreseeable threats to the information being inappropriately accessed or stolen? Information being stored electronically is literally under attack. If employers maintain sensitive personal information about their employees electronically (or employers hire vendors who do so), they must understand these threats and how they might come to fruition. As noted above, however, the Supreme Court’s analysis applies equally to sensitive personal information in other forms, such as paper. If an employer could reasonably foresee that the paper records could be misused, the employer likewise has an existing duty to exercise reasonable care to protect them (e.g., locked file cabinets with limited access).

4. Based on the nature of the information and the identified foreseeable threats to that information, have appropriate safeguards to protect the information been identified and implemented? Safeguards may vary depending on the nature of the underlying data and the identified foreseeable risks, although certain security practices have become or are quickly becoming fairly standard and failure to implement them would likely be seen as a failure to exercise reasonable care. At a minimum, employers should be able to demonstrate that people with appropriate experience and knowledge in safeguarding information are involved in these decisions.

5. Have the steps taken to safeguard the information been documented? The Supreme Court’s holding does not impose strict liability on employers in the event they get hacked and sensitive personal information about employees is accessed or stolen. The Supreme Court’s holding requires the exercise of reasonable care to safeguard the information from foreseeable threats. The best way to show that reasonable care was exercised is to document all the steps taken, including those listed above.

6. Does the cyber insurance policy cover breaches of employee data? It probably does, but employers should check the scope of coverage and ensure that nothing in the policy excludes the types of financial damages the employees in UPMC experienced.

Conclusion

The Supreme Court’s holding drives home that employers must use reasonable care in the collection of sensitive employee data and adds an incentive for doing so (the risk of incurring economic damages for breach).


NOTES:

[1] Indeed, there is no overarching definition of “sensitive personal information,” but it typically includes personal information that if acquired inappropriately could be used to harm the person to whom it belonged, such as Social Security or a driver’s license number coupled with bank account information.
[2] Dittman v. UPMC d/b/a The Univ. of Pittsburgh Med. Ctr. & UPMC McKeesport, No. 43 WAP 2017, slip op. at 1–2 (Pa. Nov. 21, 2018) (herein, “UPMC”).
[3] Id.
[4] See Bilt-Rite v. The Architectural Studio, 866 A.2d 270, 273 (Pa. 2005).
[5] See UPMC, slip op. at 4–5.
[6] See id. at 5 (quoting Bilt-Rite, supra). The trial court also “observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301 – 2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only … and given the Office of the Attorney General the exclusive authority to bring an action for violation of the notification requirement … The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature’s direction.” Id. at 6–7.
[7] Id. at 8–9.
[8] Id. at 7.
[9] Id.
[10] Id. at 1–2.
[11] Id. at 15.
[12] Id. at 10. Indeed, “[c]ommon-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application.” Id. at 15–16. “‘Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.’” Id. at 16 (quoting Scampone v. Highland Park Care Ctr., LLC, 57 A.3d 582, 299 (Pa. 2012)).
[13] Id. at 16 (emphasis added).
[14] Id. (emphasis added).
[15] Id. at 16–17. In arriving at this conclusion, the Supreme Court also rejected UPMC’s argument that “the presence of third-party criminality in this case eliminates the duty it owes to Employees …” Id. at 17. The Supreme Court acknowledged that an actor otherwise owing a duty “cannot be liable for third-party conduct that could ‘conceivably occur.’” Id. at 17. However, the Supreme Court agreed that “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.’” Id. at 17–18 (quoting Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)) (emphasis added).
[16] Id. at 28.
[17] Id.
[18] Id.
[19] The court did not consider whether a cause of action would exist against local or state agencies under the limited waivers of sovereign immunity.

 

Copyright 2018 K & L Gates
This post was written by Patricia C. Shea of K & L Gates.

Social Security Administration ‘No Match’ Letters to Employers Make Another Comeback

The Social Security Administration (SSA) has begun sending employers “Request for Employer Information” letters, known as “No-Match” letters, notifying them that the information reported on an individual employee’s W-2 form does not match the SSA’s records.

SSA started sending these controversial informational requests in 1993, but the practice has waxed and waned in part due to litigation. In 2011, SSA resumed the practice of notifying employers of Social Security number mismatches. But in 2012, the Obama Administration decided to simply stop the practice.

Now, the letters are back! In July 2018, probably in response to President Donald Trump’s Buy American, Hire American Executive Order, SSA restarted the practice by sending “informational notifications” to employers and third-party providers telling them of mismatches on their 2017 Forms W-2 and explaining where to find helpful resources. The plan was to send 225,000 of these notices every two weeks. Starting in Spring 2019, notices will be sent regarding 2018 Forms W-2, but these letters, unlike the “informational” letters, will tell employers that corrections are necessary.

A mismatch does not necessarily mean that there is any wrongdoing. It can be caused by an administrative error: numbers can be reversed, or names might be misspelled or changed, for instance, due to marriage. But once a letter is received, in determining how to respond, employers find themselves caught between agencies. SSA wants to maintain accurate records of earnings. ICE wants to ensure compliance with employment verification laws. And the Immigrant and Employee Rights Section of the Department of Justice (IER) wants to ensure that employers are not discriminating on the basis of citizenship or nationality, or pursuing unfair documentary practices, in violation of the INA.

What is an employer to do?

  1. Don’t take any adverse action against an employee based on a No-Match letter alone.

  2. Compare the SSA information with the individual’s employment records.

  3. If the employer’s records match, ask the employee to check the name and number on his or her Social Security card.

  4. If there is a mistake on the card or the card needs to be changed or corrected, ask the employee to reach out to SSA to resolve the issue.

There are no “safe harbors.” Each case is different and must be analyzed individually to avoid missteps and penalties from SSA, ICE, or IER.

Jackson Lewis P.C. © 2018
This post was written by Sean G. Hanagan of Jackson Lewis P.C.