New Illinois Employee Reimbursement Law Effective January 1, 2019

Beginning January 1, 2019, employers in Illinois will have new requirements for reimbursing employee expenses. An amendment to the Illinois Wage Payment and Collection Act (IWPCA) is the first Illinois law regulating employer reimbursement for employees’ business-related expenditures.

Previously, the IWPCA did not address employee reimbursement, so employers were free to implement their own rules and procedures for reimbursing employees for business expenses. Under the IWPCA amendment, employers must reimburse employees for “all reasonable expenditures or losses required of the employee in the discharge of employment duties” for the primary benefit of the employer and authorized or required by the employer. An employer is not required to reimburse an employee for losses caused by the employee’s negligence, losses due to normal wear, or losses due to theft (unless the theft was the result of the employer’s negligence).

To initiate the reimbursement process, an employee must submit the expenditure, with supporting documentation, to the employer within 30 days of incurring the expense. If the employee lost a receipt or never received one, the employer must accept the employee’s signed statement as documentation for the expense.

The new law permits employers to place certain limitations on reimbursement by implementing a written expense reimbursement policy. If an employee fails to comply with the written policy, the employer will not be required to reimburse the employee. Additionally, if such a policy establishes specifications or guidelines for expenditures, the employer will not be required to pay any portion of the expenditure that exceeds the specifications. However, the written policy may not provide for no reimbursement or “de minimis” reimbursement and may not shorten the 30-day period for submitting expenditures.

To avoid any penalties associated with this IWPCA amendment, which include potential liquidated damages and attorneys’ fees, employers should review the law, 820 ILCS 115/9.5, to ensure compliance. Employers are also advised to contact their legal counsel with any questions regarding the new law or to create a written expense reimbursement policy in compliance with the IWPCA.

© 2018 Dinsmore & Shohl LLP. All rights reserved.

This post was written by Zachary J. Weber of Dinsmore & Shohl LLP.

As 2019 Approaches, Private Equity Investment in Health Care Shows No Signs of Slowing Down

As the year draws to a close, it’s clear that 2018 was another record year for private equity investment in health care. In its report on the top health industry issues of 2019, PWC’s Healthcare Research Institute recently highlighted the continued prevalence of private equity in health care transactions, and predicted even more private equity investment in the coming year. Below is an overview of the current and expected trends, as well as a few key considerations for private equity deals in the health care space.

Corporate health care buyers are likely to continue seeing steep competition from private equity firms… 

According to the PWC report, since 2009 the number of health care deals involving private equity buyers or sellers has tripled, and the number of deals is projected to increase further in 2019. Private equity investment in health care remains diversified and frequent, with deals ranging from health care technology to the management of physician practices. Because the health care industry is expected to continue to grow — with CMS projecting national health spending to rise to 20 percent of GDP by 2026 — investment in health care is a relatively safe bet for private equity when compared to more volatile fields like technology. Further, private equity firms tend to be more aggressive in the bid process and more willing to move deals ahead quickly.  As such, traditional health care companies seeking to acquire new lines of business face increased competition from private equity.

…but 2019 may bring additional opportunities for traditional health care companies to partner with private equity in acquisitions.

By partnering with private equity firms, health care companies can diversify their businesses while also mitigating some of the financial and operational risks that come with any deal. Partnerships between private equity and health care companies benefit from the strengths of both parties, enabling further growth while capitalizing on the health care companies’ existing expertise. Private equity firms’ willingness to invest in health care could also mean opportunities for health care companies to divest their non-core assets and refocus on their core business.

Regulatory Considerations for PE Health Care Deals

As with any highly-regulated industry, health care deals present regulatory hurdles for any prospective buyer, some of which may provide additional challenges in the private equity context.

Private equity deals often need to be structured to accommodate corporate practice of medicine (CPOM) issues. In states with CPOM prohibitions, private equity buyers cannot directly acquire medical practices. Instead, the prospective buyer would need to invest in or create a management company through which they manage the practice for a fee, which in many states is capped at a certain percentage of the practice’s revenue.

Regulatory filing requirements and the need for review and approval of deals by regulatory bodies often drive transaction timelines much longer than those to which private equity firms are accustomed. Some states can require up to 120 days’ notice prior to a change in ownership in certain health care companies. Involving regulatory counsel at the beginning of deal negotiations can help set reasonable expectations for timing while also letting the parties get a head start on the sometimes cumbersome filing requirements.

State licensing boards also often require disclosure of detailed information about the prospective ownership and management of licensed health care entities. This information can range from basic background checks to detailed financial information. While many states only require information about individuals who will be actively involved in the day-to-day operations of the health care business, some states require information about anyone with a five percent or greater ownership in the business, which sometimes requires an examination of ownership held by controlling entities, including parent, grandparent and great grandparent companies. Private equity firms should take this into consideration and consult with regulatory counsel about potential disclosure requirements and the feasibility of providing the required information when structuring deals.

Private equity activity in the health care industry presents many evolving opportunities and challenges, but one thing remains clear as 2018 winds down: growth in health care investment is full speed ahead.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
This post was written by Cassandra L. Paolillo of Mintz.

Ninth Circuit Affirms Jury Verdict In Favor of Homeopathic Remedy for Flu-Like Symptoms

On November 8, 2018, the Ninth Circuit affirmed a jury verdict in a consumer class action deceptive advertising case in favor of Defendants Boiron Inc. and Boiron USA, Inc. (together, “Boiron”), the sellers of a homeopathic treatment for flu-like symptoms called Oscillococcinum (“Oscillo”).  Although the Ninth Circuit’s memorandum decision is marked “Not for Publication” and therefore is non-precedential under Ninth Circuit rules, the decision is still worth noting, as jury verdicts in class action false advertising cases are rare.

According to the appellate briefs, Oscillo’s active ingredient is a compound (extracted from the heart and liver of the Muscovy duck for those foodies in our readership) that is subjected to a homeopathic dilution process.  The diluted compound is then sprayed onto specially-manufactured granules.  Plaintiff argued that, due to the homeopathic dilution process, Oscillo was essentially “water sprayed on sugar,” which could not provide the relief from flu-like symptoms that Boiron advertised.  Plaintiff claimed that Boiron had therefore violated two California deceptive advertising statutes, the Unfair Competition Law (“UCL”) and Consumers Legal Remedies Act (“CLRA”).

At the conclusion of a one-week trial in the Central District of California, the jury found in Boiron’s favor that its representations that Oscillo relieves flu-like symptoms were not false.  On appeal, the Ninth Circuit affirmed, finding that the jury verdict did not constitute plain error because Boiron presented sufficient evidence from which the jury could have concluded that Oscillo actually works against flu-like symptoms.  This was a “battle of the experts” for the jury, the court wrote, that could not be relitigated on appeal.  And the jury appeared to have believed Boiron’s expert, clinical studies, and anecdotal evidence more than it believed the plaintiff’s expert, according to the court.

The Ninth Circuit further noted that in explicitly finding that Boiron’s claim that Oscillo treated flu-like symptoms was not false, the jury must have implicitly rejected Plaintiff’s argument that Oscillo was merely a sugar pill or water sprayed on sugar.  Nor did Plaintiff offer a theory of how Boiron’s representations could be false if the product did indeed treat flu symptoms.

The case is Christopher Lewert v. Boiron Inc., et al., No. 17-56607 in the Ninth Circuit.

© 2018 Proskauer Rose LLP.

Authored by: Lawrence I Weinstein and Tiffany Woo originally published at Proskauer Rose LLP Proskauer on Advertising Law Blog


EB-5 Processing During the Government Shutdown

The U.S. federal government shut down at the end of the day on Dec. 21, 2018, and the president did not sign into law the extension of the EB-5 program passed by the Senate. Until the shutdown ends, and the Regional Center EB-5 program extension is signed into law, no new I-526 petitions can be filed. To clarify, while EB-5 petitions may continue to be prepared, petitions cannot be mailed to USCIS until the conclusion of the shutdown and extension of the program. Please note, however, that investors must continue to file timely responses to USCIS Requests for Evidence (RFE) and Notices of Intent to Deny (NOID). In addition, investors may continue to prepare and file I-829 petitions.

With respect to the immigrant visa process, the State Department will cease to schedule new immigrant visa interviews until extension of the program is signed into law and the government resumes operations. If the interview was previously scheduled, and the Consular Post has not reached out to cancel said interview, the investor and family should still plan to attend. However, the immigrant visas will not be issued until the government resumes operations. The State Department will experience a significant slowdown and even cessation of all visa-issuing services during the period of the government shutdown. Furthermore, investors will be unable to file new DS-260 applications and supporting documents until the program is officially extended and the Visa Bulletin is updated.

With respect to the adjustment of status process, investors will be unable to file any new adjustment of status applications based on the I-526 petitions until the program is officially extended and the Visa Bulletin is updated. However, investors can continue to file renewals of employment authorization and advance parole, and should continue responding in a timely manner to USCIS’s RFEs relating to pending adjustment of status (I-485) applications. USCIS is unlikely to schedule any adjustment of status interviews until the conclusion of the shutdown and extension of the program.

 

©2018 Greenberg Traurig, LLP. All rights reserved.
This post was written by Jennifer Hermansky of Greenberg Traurig, LLP

Woo-Hoo! Workplace Civility Rules Upheld by NLRB General Counsel

Between 2009 and 2017, the National Labor Relations Board (NLRB) invalidated countless workplace employment policies – including those of non-union employers – where the agency found them to potentially infringe on workers’ rights under the National Labor Relations Act. Among the types of policies overturned were “positive workplace” or “workplace civility” rules, which were said to limit employees’ right to discuss the terms and conditions of their employment. While courts sometimes intervened to strike down these board decisions, the NLRB nevertheless largely held to its view.

However, in the wake of the Boeing case last year, the agency has been taking a fresh look at workplace civility rules. And those results are refreshing.

This week, the NLRB General Counsel’s office released a memo in which it analyzed a “Commitment to My Co-Workers” policy of a company. That policy required workers to “maintain healthy relationships” and to address conflicts with co-workers directly instead of behind their backs. Before the new standard announced in Boeing, that policy almost certainly would have been found to be unlawful. But relying on Boeing, the NLRB General Counsel determined the workplace civility rules at issue were permissible and that the company could require employees to sign off on the policy and even terminate ones who refused to do so.

This is great news for companies who want to promote positivity and healthy relationships in the workplace. It also serves as a reminder that under the NLRB’s current employment policy test enunciated in Boeing, many workplace policies that may have been rescinded due to board decisions issued between 2009-2017 may be worth revisiting in 2019.

 

© 2018 BARNES & THORNBURG LLP
This post was written by David J. Pryzbylski of Barnes & Thornburg LLP.

Administrative Agency Deference Theme Reemerges with SCOTUS Considering Overturning Auer

The U.S. Supreme Court signaled that it remains concerned with the issue of administrative deference following its grant of certiorari last week to hear Kisor v. O’Rourke specific to the issue of whether the Court should overrule Auer v. Robbins and Bowles v. Seminole Rock & Sand Co. Overruling one or both of these decisions could result in courts giving considerably less deference to agencies’ interpretations of their own regulations.

The ability of regulatory agencies to interpret their own regulations is a fundamental issue in many environmental disputes. Both Auer and Seminole Rock are frequently cited in environmental cases to support agency actions, as these decisions require courts to give agencies near-absolute deference, so long as their decisions are not “plainly erroneous or inconsistent” with other regulations.

In practice, agencies that promulgate vague regulations through notice-and-comment procedures required by the federal Administrative Procedure Act can later expand the ambit of these regulations through informal memoranda or regulatory interpretations. These less formal processes preempt the ability of the public and regulated community to meaningfully participate in the regulatory process.

Administrative deference is an ongoing theme that we have seen arise a number of times in the past few years. Indeed, the legal community had pondered whether the Supreme Court would review administrative deference issues in the Weyerhaeuser Co. v. U.S. Fish & Wildlife Service case involving the dusky gopher frog that was decided a few weeks ago. Although the Supreme Court decided Weyerhaeuser without reference to issues of administrative deference, the Kisor case is a clear example that this is not going away.

However, Kisor actually arises in a context fairly atypical for administrative deference. The case involves a claim for PTSD-related retroactive disability benefits brought by a former Vietnam-War-era Marine who was denied retroactive disability benefits for PTSD he suffered as a result of his service in Vietnam. Kisor’s eligibility for such benefits hinged on whether the VA received “relevant official service department records” after initially denying his claim for benefits in 1982.

Kisor argued that material he submitted to the VA relating to his service in Vietnam constituted “relevant official service department records” and entitled him to retroactive benefits. The Board of Veterans Appeals (“Board”) disagreed, stating that, in Kisor’s case, “relevant” records were those relating to a diagnosis of PTSD (which was contested at the time of his initial denial). That Kisor served in the military was never in dispute.

The Court of Federal Claims upheld the Board’s interpretation of the meaning of “relevant.” In so holding, the court concluded that the term was ambiguous, and that the Board’s interpretation was entitled to deference under Auer, Seminole Rock, and their progeny, because it was neither “plainly erroneous or inconsistent” with the VA’s regulatory framework.

Kisor illustrates the breadth of power granted to agencies by Auer and Seminole Rock – the agency’s determination of whether “relevant” records were provided was quite possibly outcome-determinative for the involved claims.

The case is expected to be heard by the Court at some point in 2019. We will keep an eye out for further developments on Kisor and similar cases touching on administrative deference.

 

© 2018 Schiff Hardin LLP

Mixed Results for Employers on Marijuana – Two Federal Courts Refuse to Find State Marijuana Laws Preempted by Federal Law

Two recent federal cases illustrate why employers – even federal contractors – must be cognizant of relevant state-law pronouncements regarding the use of marijuana (i.e., cannabis) by employees. While one case found in favor of the employer, and the other in favor of the employee, these decisions have emphasized that state law protections for users of medical marijuana are not preempted by federal laws such as the Drug-Free Workplace Act (DFWA). Employers must craft a thoughtful and considered approach to marijuana in the workplace, and in most cases should not take a zero-tolerance approach to marijuana.

Ninth Circuit Finds in Favor of Employer Who Discharged Employee for Positive Drug Test

In Carlson v. Charter Communications, LLC, the Ninth Circuit affirmed the dismissal of a lawsuit brought by an employee who alleged discrimination under the Montana Medical Marijuana Act (MMA) because he was discharged for testing positive for marijuana use. The plaintiff, a medical marijuana cardholder under Montana state law, tested positive for THC (a cannabinoid) after an accident in a company-owned vehicle. His employer, a federal contractor required to comply with the DFWA, terminated his employment because the positive test result violated its employment policy.

The District Court of Montana held that the employer was within its rights to discharge the plaintiff because (1) the DFWA preempts the MMA on the issue of whether a federal contractor can employ a medical marijuana user; and (2) the MMA does not provide employment protections to medical marijuana cardholders. Indeed, the MMA specifically states that employers are not required to accommodate the use of medical marijuana, and the Act does not permit a cause of action against an employer for wrongful discharge or discrimination. The Ninth Circuit rejected this rationale. Because the MMA does not prevent employers from prohibiting employees from using marijuana and does not permit employees from suing for discrimination or wrongful termination, the Ninth Circuit held that the MMA does not preclude federal contractors from complying with the DFWA and thus found no conflict.

The plaintiff asserted that the provisions of the MMA exempting employers from accommodating registered users and prohibiting such users from bringing wrongful discharge or discrimination lawsuits against employers are unconstitutional and sought certification of the question to the Montana Supreme Court. The Ninth Circuit rejected this request because, it determined, the Montana Supreme Court already decided the issue. The MMA and the specific sections challenged by the plaintiff appropriately balance Montana’s legitimate state interest in regulating access to a controlled substance while avoiding entanglement with federal law, which classifies the substance as illegal.

Plaintiff Wins Summary Judgment Against Employer That Rescinded Job Offer Due to Positive Test

If federal law does not preempt state law on the issue of marijuana, then in certain states – like Connecticut – employers will be more susceptible to discrimination claims from marijuana users. In Noffsinger v. SSC Niantic Operating Company, the District of Connecticut granted summary judgment to a plaintiff-employee of Bride Brook Nursing & Rehabilitation Center who used medical marijuana to treat post-traumatic stress disorder (“PTSD”) and whose offer was rescinded for testing positive for THC during a post-offer drug screen. Plaintiff filed a discrimination claim under the Connecticut Palliative Use of Marijuana Act (“PUMA”), which makes it illegal for an employer to refuse to hire a person or discharge, penalize, or threaten an employee “solely on the basis of such person’s or employee’s status as a qualifying patient or primary caregiver.”

We covered a previous decision in this case, in which the court held that PUMA is not preempted by the federal Controlled Substances Act (“CSA”), the Americans with Disabilities Act, or the Food, Drug & Cosmetic Act (“FDCA”). The decision was notable then for being the first federal decision to hold that the CSA does not preempt a state medical marijuana law’s anti-discrimination provision, a departure from a previous federal decision in New Mexico.

In this recent decision, the District Court again considered whether PUMA was preempted by federal law. In ruling for the Plaintiff, the court rejected Bride Brook’s argument that its practices fall within an exception to PUMA’s anti-discrimination provision because they are “required by federal law or required to obtain federal funding.” Bride Brook argued that in order to comply with DFWA, which requires federal contractors to make a good faith effort to maintain a drug-free workplace, it could not hire plaintiff because of her failed pre-employment drug-test. The court was not persuaded, concluding that the DFWA does not require drug testing, nor does it prohibit federal contractors from employing people who use illegal drugs outside the workplace. The court noted that simply because Bride Brook’s zero-tolerance policy went beyond the requirements of the DFWA does not mean that hiring the plaintiff would violate the Act.

The court also rejected Bride Brook’s argument that the federal False Claims Act (“FCA”) prohibits employers from hiring marijuana users because doing so would amount to defrauding the federal government. Because no federal law prohibits employers from hiring individuals who use medicinal marijuana outside of work, employers do not defraud the government by hiring those individuals.

Lastly, the court rejected the theory that PUMA only prohibits discrimination on the basis of one’s registered status and not the actual use of marijuana, as such a holding would undermine the very purpose for which the employee obtained the status.

What These Decisions Mean for Employers

These decisions are notable for the fact that the federal courts refused to find the state laws were preempted by federal law. Importantly, neither found that the DFWA preempts state law, which means that even federal contractors must be aware of and follow state law with respect to marijuana use by employees. Thus, in states in which employers may not discriminate against medical marijuana users – such as Connecticut – all employers must take care not to make adverse employment decisions based solely on off-duty marijuana use and, in certain states, must accommodate medical marijuana use. A majority of states and the District of Columbia now permit the use of medical marijuana; employers, including federal contractors, should be mindful of these statutes and consult with counsel to ensure their employment policies are compliant.

©2018 Epstein Becker & Green, P.C. All rights reserved.

This post was written by Nathaniel M. Glasser of Epstein Becker & Green, P.C.

More Employers Were “ICED” in Fiscal Year 2018

The U.S. Immigration and Customs Enforcement agency (ICE) recently released statistics on its worksite enforcement activities for the federal fiscal year ending on September 30, 2018. It should surprise no one that worksite enforcement designed to crack down on the employment of undocumented aliens has skyrocketed.

In FY 2018, 6,848 worksite investigations were initiated, representing a fourfold increase from the prior fiscal year. Similarly, ICE conducted 5,981 audits of employers’ Form I-9s, which is five times the number from the prior year. Criminal and worksite arrests were also way up, and readers will recall that immigration law violations are one of the few areas of employment law that can result in direct criminal prosecution.

As stated by ICE, “[our] worksite enforcement strategy continues to focus on the criminal prosecution of employers who knowingly break the law, and the use of I-9 audits and civil fines to encourage compliance.”

What does this flurry of activity mean for employers? Under the Immigration Reform and Control Act of 1986, all employers must verify the identity and work eligibility of all individuals hired by completing a Form I-9 within three days of starting work. While appearing to be fairly simple on its face, many employers fail to pay attention to the details and fail to properly complete and certify that they have carefully verified the identity and work authorization of each hire. This can be especially true when hiring is done in remote locations where there are no trained management personnel to supervise the completion of the I-9.

When an employer receives a Notice of Inspection from ICE, it has three business days after which ICE will physically inspect the I-9s. Noncompliance could result in civil fines or even criminal prosecution. ICE worksite investigations are also designed to look for evidence of mistreatment of workers, human trafficking, and document fraud.

Given the reality that immigration enforcement activities are not likely to abate anytime soon, employers are well-advised to take the following steps now:

  • Conduct a self-audit of all of your I-9s and if mistakes are identified take the appropriate steps to correct them. Consult the Handbook for Employers to know how the form must be completed.

  • Review and, where necessary, retrain all employees who are responsible for reviewing the documents presented by the new hire and certifying the accuracy of the form I-9.

  • Be sure you know the right way to fix errors that are identified.

  • Audit the records of any employees who are working under temporary visas. Oftentimes, employers verify work authorization at the time of hire but then fail to track expirations and renewals. What may have been legal at the time of hire may not be the case years later.

© 2018 Foley & Lardner LLP
This post was written by Mark J. Neuberger of Foley & Lardner LLP.

Don’t Let Down Your Guard: An Object Lesson In Dealing With Government Investigators

Every time we turn on the news recently, it seems there is a new government investigation being taken up. Putting aside any political angles, these investigations and the way they unfold highlight a very important life lesson for employers.

Employers frequently are visited by government agents of varying stripes. While these visits typically do not involve the FBI or something as serious as a criminal investigation, most employers can expect site visits at some point by agents of the Department of Labor, the EEOC, OSHA, ICE or a myriad of other federal, state and local agencies.

The government employees behind those visits can be friendly, cordial and in some cases may be people the employer knows personally. While employers have every reason (and in fact are legally required) to cooperate with government agents, it is vital that employers remember not to lower their guard. An off-hand comment – even one the employer may regard as innocent – potentially could be turned against the employer.

As with anything in life, the key in dealing with any government investigation is preparation. Preparation helps employers avoid getting caught flat-footed when agents show up at their doorstep. The single most critical component of that preparation should be to engage counsel as soon as possible.

Getting counsel involved not only brings in an ally and resource to coordinate the defense (and hopefully provide some much-needed reassurance), but also should help employers dodge landmines along the way.

For instance, if an investigator comes on site, the company may want to talk to employees about what is going on. While that sounds reasonable at first glance, consider that, if viewed in the wrong light, such discussions could be seen as retaliatory or interfering with the investigation. It would be best to confer with counsel first and work out a strategy to deal with questions about whether employees should be notified and, if so, how that will go down, what message will be communicated, and when it will be delivered.

In the same light, if an employer talks to the government without the benefit of counsel, then there is no one who can interject that topics are outside of the scope of the investigation, or who can spot potential problems and work out a strategy for dealing with them ahead of time.

Another point to consider is that government investigations can be very stressful for an employer – which raises the possibility that the employer may say something out of context or which could be taken the wrong way. All in all, this is not the best time for an employer to represent themselves. To paraphrase Abraham Lincoln, an employer that represents itself has a fool for a client.

If the government comes calling, it is best to lawyer up. And anytime a government agent says that you don’t need to have a lawyer present, it would be a good idea to treat that as a red flag.

 

© 2018 Barnes & Thornburg LLP
This post was written by Hannesson Murphy of Barnes & Thornburg LLP.

Pennsylvania Supreme Court Holds Employers Have a Duty to Exercise Reasonable Care to Safeguard Sensitive Personal Information About Their Employees

To date, Pennsylvania has not adopted a comprehensive law specifying how sensitive personal information about individuals must be secured or the protections that holders of this information must use to minimize risk of breach. [1] Pennsylvania only requires that, in the event of a breach, holders of sensitive personal information notify the affected individuals so they can take appropriate precautions against misuse of their information. Pennsylvania does have some laws specific to particular industries, such as health care and insurance, regarding how sensitive personal information may be used or disclosed, but there is no single mandate across all industries obligating holders of sensitive personal information to secure it in any particular way.

Employers, however, are a common denominator among all industries, and recently, the Pennsylvania Supreme Court in Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center held that when employers (regardless of the industry, the size of the employer, or the number of employees they hire) require their employees to provide sensitive personal information, such as Social Security numbers, bank accounts, tax returns, or other financial information, those employers have a legal duty to exercise reasonable care to safeguard that information when they store it on an Internet-accessible computer system. [2] Employers who do not exercise reasonable care to safeguard the sensitive personal information may be liable for financial damages to their employees in the event of a breach. [3]

All employers who collect sensitive personal information about their employees and maintain the information electronically on an Internet-accessible system are affected by the court’s decision. The court’s analysis also suggests that, regardless of how the information is stored (i.e., electronically or otherwise), an employer has a duty to exercise reasonable care to safeguard the sensitive personal information it collects about its employees from known threats to the information. This alert examines the court’s holding and identifies questions employers should be asking about their data requests, data security practices, and data-retention policies and procedures, and it offers suggestions for mitigating associated risks that apply regardless of whether employers store the information on an Internet-accessible computer.

What Happened?

UPMC’s Internet-connected computer system was hacked and sensitive personal information about its employees was accessed and stolen. This information included names, birth dates, Social Security numbers, addresses, tax forms, and bank account information. The hackers used the stolen information to file false tax returns, and affected employees incurred financial damages. As a result, several UPMC employees filed a class-action lawsuit against UPMC on behalf of all 62,000 current and former UPMC employees whose data were accessed and stolen. The employees alleged that:

• UPMC affirmatively required employees to provide certain sensitive personal and financial information (including names, birth dates, Social Security numbers, addresses, tax forms, and bank account information) as a condition of employment.
• UPMC had a duty to exercise reasonable care to protect their employees’ personal and financial information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties.
• UPMC stored the employees’ sensitive personal information on its Internet-accessible computer system without adopting adequate security measures, such as encryption, adequate firewalls, and an adequate authentication protocol, to safeguard that information, which allowed hackers to access the system and steal the information.
• UPMC breached its duty to exercise reasonable care to protect the information, which allowed hackers to access the system and steal the information.
• UPMC was liable to the employees for the financial damages they incurred resulting from the breach.

UPMC filed preliminary objections to the complaint — Pennsylvania’s form of a motion to dismiss — and asserted that the economic-loss doctrine barred the employees from recovering purely economic damages. Under the economic-loss doctrine, actions sounding in tort require physical injury or property damage in order to recover for a breach of duty. [4] The trial court agreed with UPMC that the economic-loss doctrine barred recovery. [5] The trial court also found UPMC owed no existing duty to the employees as they alleged, and the “‘courts should not impose ‘a new affirmative duty of care that would allow data breach actions to recover damages recognized in common law negligence actions.’” [6] The trial court accordingly dismissed the complaint.

The employees appealed to the Pennsylvania Superior Court, and in a split decision, the Superior Court affirmed the trial court’s determination that employers did not owe their employees a duty under Pennsylvania law to exercise reasonable care to safeguard their sensitive personal information. [7] The Superior Court also agreed that the economic-loss doctrine barred recovery. [8] The Superior Court therefore affirmed the trial court’s order sustaining UPMC’s preliminary objections and dismissing the claim. [9]

The Pennsylvania Supreme Court’s Review

The Pennsylvania Supreme Court granted a discretionary appeal to determine the narrow questions of (1) whether an employer in Pennsylvania has a legal duty to use reasonable care to safeguard sensitive personal information about its employees when the employer chooses to store such information on an Internet-accessible computer system, and (2) if so, whether the employees could recover purely financial damages resulting from the breach of the duty. As discussed more fully below, the Supreme Court held that (i) employers have an existing duty to employees under Pennsylvania common law to exercise reasonable care in collecting and storing their sensitive personal information on their computer systems, and (ii) purely financial damages may be recovered if employers fail to exercise reasonable care in securing the sensitive personal information. [10]

First, the Supreme Court disagreed with the lower courts’ analysis that, if employers owed such a duty to exercise reasonable care to safeguard their employees’ sensitive personal information, such duty was a “new, affirmative duty” and was being created solely by the employees’ allegations. [11] In the Supreme Court’s view, the employees’ allegations were simply a “novel factual scenario” to apply an existing duty employers owe to the employees. [12] The Supreme Court stated that, as it has observed previously, “in scenarios involving an actor’s affirmative conduct, he is generally ‘under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm arising out of the act.’” [13] The Supreme Court concluded that, in this case, the employees alleged such affirmative conduct on the part of UPMC — namely, that “as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC.” [14] The Supreme Court also agreed with the employees that “this affirmative conduct resulted in UPMC owing the employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” [15]

With respect to the economic-loss doctrine, the Supreme Court held that the decisions relied upon by the trial court and the Superior Court “do not stand for the proposition that the economic loss doctrine, as applied in Pennsylvania, precludes all negligence claims seeking solely economic damages.” [16] Instead, the ability to recover “turns on the determination of the source of the duty plaintiff claims the defendant owed.” [17] In cases where the duty arises outside the context of a contract between the parties, the breach of that duty may be the basis of a negligence claim. [18] According to the Supreme Court, the employees’ allegations in the complaint existed independently from any contractual obligations between the parties. Accordingly, the employees had stated a claim upon which they could recover if their allegations proved to be true.

The Implications of the Court’s Holding for Employers

Private employers in Pennsylvania (regardless of industry) who affirmatively request sensitive personal information from their new or existing employees and who maintain the sensitive personal information on Internet-connected computer systems have an existing duty to exercise reasonable care to safeguard that information. [19] As a result, employers (regardless of size or number of employees) should be evaluating their data collection and maintenance policies and procedures to mitigate the risk of being found not to have exercised reasonable care in safeguarding the information. In particular, employers should be answering the following questions:

1. Is the information really needed? Employers should be able to connect each data request to a legitimate business need (e.g., a legal requirement) and limit the data requested to the minimum amount of data required to achieve that legitimate business purpose. Some data elements are essential: names, addresses, Social Security numbers, and birth dates. This data is necessary to pay employees, to report tax withholdings, and to prevent fraud, among other purposes. Any data being requested from employees that is not absolutely necessary for a legitimate business purpose should be reevaluated and collection discontinued if it is determined to be unnecessary. Unnecessary data should also be deleted.

2. Could any of the information collected and maintained about the employees and determined to be necessary for a legitimate employer-purpose harm employees if it were stolen? To make this determination, employers must have a thorough understanding of precisely what information they maintain about employees. Information such as names and addresses likely does not qualify as sensitive personal information (although there are always exceptions) but financial information does. In order for an employer to be able to show it exercised reasonable care, it must first know the nature of the data in its possession.

3. What are foreseeable threats to the information being inappropriately accessed or stolen? Information being stored electronically is literally under attack. If employers maintain sensitive personal information about their employees electronically (or employers hire vendors who do so), they must understand these threats and how they might come to fruition. As noted above, however, the Supreme Court’s analysis applies equally to sensitive personal information in other forms, such as paper. If an employer could reasonably foresee that the paper records could be misused, the employer likewise has an existing duty to exercise reasonable care to protect them (e.g., locked file cabinets with limited access).

4. Based on the nature of the information and the identified foreseeable threats to that information, have appropriate safeguards to protect the information been identified and implemented? Safeguards may vary depending on the nature of the underlying data and the identified foreseeable risks, although certain security practices have become or are quickly becoming fairly standard and failure to implement them would likely be seen as a failure to exercise reasonable care. At a minimum, employers should be able to demonstrate that people with appropriate experience and knowledge in safeguarding information are involved in these decisions.

5. Have the steps taken to safeguard the information been documented? The Supreme Court’s holding does not impose strict liability on employers in the event they get hacked and sensitive personal information about employees is accessed or stolen. The Supreme Court’s holding requires the exercise of reasonable care to safeguard the information from foreseeable threats. The best way to show that reasonable care was exercised is to document all the steps taken, including those listed above.

6. Does the cyber insurance policy cover breaches of employee data? It probably does, but employers should check the scope of coverage and ensure that nothing in the policy excludes the types of financial damages the employees in UPMC experienced.

Conclusion

The Supreme Court’s holding drives home that employers must use reasonable care in the collection of sensitive employee data and adds an incentive for doing so (the risk of incurring economic damages for breach).


NOTES:

[1] Indeed, there is no overarching definition of “sensitive personal information,” but it typically includes personal information that if acquired inappropriately could be used to harm the person to whom it belonged, such as Social Security or a driver’s license number coupled with bank account information.
[2] Dittman v. UPMC d/b/a The Univ. of Pittsburgh Med. Ctr. & UPMC McKeesport, No. 43 WAP 2017, slip op. at 1–2 (Pa. Nov. 21, 2018) (herein, “UPMC”).
[3] Id.
[4] See Bilt-Rite v. The Architectural Studio, 866 A.2d 270, 273 (Pa. 2005).
[5] See UPMC, slip op. at 4–5.
[6] See id. at 5 (quoting Bilt-Rite, supra). The trial court also “observed that the Legislature is aware of and has considered the issues that Employees sought the court to consider herein as evidenced by the Breach of Personal Information Notification Act (Data Breach Act), 73 P.S. §§ 2301 – 2329. Specifically, the court explained that, under the Data Breach Act, the Legislature has imposed a duty on entities to provide notice of a data breach only … and given the Office of the Attorney General the exclusive authority to bring an action for violation of the notification requirement … The court thus reasoned that, as public policy was a matter for the Legislature, it was not for the courts to alter the Legislature’s direction.” Id. at 6–7.
[7] Id. at 8–9.
[8] Id. at 7.
[9] Id.
[10] Id. at 1–2.
[11] Id. at 15.
[12] Id. at 10. Indeed, “[c]ommon-law duties stated in general terms are framed in such fashion for the very reason that they have broad-scale application.” Id. at 15–16. “‘Like any other cause of action at common law, negligence evolves through either directly applicable decisional law or by analogy, meaning that a defendant is not categorically exempt from liability simply because appellate decisional law has not specifically addressed a theory of liability in a particular context.’” Id. at 16 (quoting Scampone v. Highland Park Care Ctr., LLC, 57 A.3d 582, 299 (Pa. 2012)).
[13] Id. at 16 (emphasis added).
[14] Id. (emphasis added).
[15] Id. at 16–17. In arriving at this conclusion, the Supreme Court also rejected UPMC’s argument that “the presence of third-party criminality in this case eliminates the duty it owes to Employees …” Id. at 17. The Supreme Court acknowledged that an actor otherwise owing a duty “cannot be liable for third-party conduct that could ‘conceivably occur.’” Id. at 17. However, the Supreme Court agreed that “liability could be found if the actor ‘realized or should have realized the likelihood that such a situation might be created and that a third person might avail himself of the opportunity to commit such a tort or crime.’” Id. at 17–18 (quoting Mahan v. Am-Gard, Inc., 841 A.2d 1052, 1061 (Pa. Super. 2003)) (emphasis added).
[16] Id. at 28.
[17] Id.
[18] Id.
[19] The court did not consider whether a cause of action would exist against local or state agencies under the limited waivers of sovereign immunity.

 

Copyright 2018 K & L Gates
This post was written by Patricia C. Shea of K & L Gates.