Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device

Risk-Management-Monitor-Com

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.
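One way to implement the HR-driven deprovisioning check described in this section, as an added example that is not part of the original article. The record layouts, field names, action names and sample data are all assumptions constructed for illustration; a real deployment would read these from its own HR, directory, VPN and MDM systems.

```python
from dataclasses import dataclass

# Constructed sample exports. Every field name and value here is an assumption
# made for this example, not a real HR, directory, VPN or MDM schema.
HR_RECORDS = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "Terminated"},
    {"employee_id": "E102", "status": "terminated"},
    {"employee_id": "E103", "status": "on_leave"},
]
DIRECTORY_ACCOUNTS = [
    {"username": "asmith", "employee_id": "E100", "enabled": True},
    {"username": "bjones", "employee_id": "E101", "enabled": True},
    {"username": "cdavis", "employee_id": "E102", "enabled": False},
    {"username": "svc-legacy", "employee_id": "E999", "enabled": True},  # no HR record
]
VPN_GRANTS = [{"username": "asmith"}, {"username": "bjones"}, {"username": "cdavis"}]
ENROLLED_DEVICES = [
    {"device_id": "D-1", "username": "asmith", "work_container": True},
    {"device_id": "D-2", "username": "bjones", "work_container": True},
    {"device_id": "D-3", "username": "cdavis", "work_container": True},
    {"device_id": "D-4", "username": "cdavis", "work_container": False},
]


@dataclass(frozen=True)
class Action:
    kind: str     # what has to be done
    target: str   # username or device id the action applies to
    reason: str   # why the action was generated


def plan_deprovisioning(hr, accounts, vpn_grants, devices):
    """Return the revocation actions implied by the HR status of each account owner."""
    status_by_id = {r["employee_id"]: r["status"].strip().lower() for r in hr}
    actions = []
    terminated_users = set()

    for acct in accounts:
        status = status_by_id.get(acct["employee_id"])
        if status is None:
            # An account nobody in HR owns cannot be tied to a termination event,
            # so it is surfaced for manual review instead of being ignored.
            actions.append(Action("review_orphan_account", acct["username"], "no HR record"))
        elif status == "terminated":
            terminated_users.add(acct["username"])
            if acct["enabled"]:
                actions.append(Action("disable_account", acct["username"], "HR status terminated"))

    # A disabled directory account does not by itself remove VPN grants or
    # corporate data on a personal device, so both are checked independently.
    for grant in vpn_grants:
        if grant["username"] in terminated_users:
            actions.append(Action("revoke_vpn", grant["username"], "owner terminated"))
    for dev in devices:
        if dev["username"] in terminated_users and dev["work_container"]:
            actions.append(Action("wipe_work_container", dev["device_id"], "owner terminated"))
    return actions


if __name__ == "__main__":
    for a in plan_deprovisioning(HR_RECORDS, DIRECTORY_ACCOUNTS, VPN_GRANTS, ENROLLED_DEVICES):
        print(f"{a.kind:22} {a.target:12} {a.reason}")
```

Run on a schedule as well as on each HR status change, a reconciliation like this catches the case shown by `cdavis`, where the account was disabled but a VPN grant and a work container were left behind.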

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.


Employers: How Prepared Are You for Ebola?

Morgan Lewis logo

Rapidly changing circumstances raise workplace questions.

The Ebola epidemic in 2014 has already been confirmed by the U.S. Centers for Disease Control (CDC) as the worst in history. The extent of this outbreak is still unknown, as reports of Ebola transmissions continue not only in West Africa but also (for the first time in history) inside U.S. and European borders. Because of the potential risks in a globalized economy, the U.S. government, its various agencies, and employers alike are now scrambling to ensure that appropriate rules and procedures are in place to prevent any further exposure to the disease. Reactions have been swift and fluid as officials learn more about the presence of the virus in West Africa and beyond and as they develop strategies to respond. Among the federal agencies that have already taken action, the CDC has recently issued “tightened” guidance for proper personal protective equipment (PPE) in the healthcare industry, and the Occupational Safety and Health Administration (OSHA) has issued guidance covering a number of workplace safety issues. The situation is changing rapidly and further action is expected by the U.S. government, especially after the White House announced the appointment of an Ebola Response Coordinator (or Ebola Czar).

In the United States, employers are facing challenges and questions on how to best address a wide variety of issues, including workplace safety, travel policies, employee relations, leaves of absence, and refusal to work requests. Whether responding to Ebola or other emergencies, employers should use protocols that include emergency preparedness and response plans, such as assigning responsibilities, assessing the hazard, conveying effective communications, and implementing security measures to address those key issues. In the meantime, here is what you need to know right now.

OSHA’s Interim Guidance

OSHA quickly released interim guidance for workers within the United States that focuses on those in industries most likely to be affected by the Ebola crisis:

  • Healthcare workers

  • Airline and other travel industry personnel

  • Mortuary and death care workers

  • Laboratory workers

  • Border, customs, and quarantine workers

  • Emergency responders

  • Employers in critical infrastructure/key resource sectors, such as bus drivers and pharmacists

Employers in these key industries must evaluate how they currently respond to emergencies and if those preparedness and response plans are adequate or need modification, particularly when assessing hazards specific to their jobsites (OSHA lists industry-specific information on its website). These employers should explore ways to proactively combat and contain the virus, such as obtaining PPE, implementing cleaning and sanitation procedures, and evaluating whether engineering controls, such as pressurized glass, respirators, and decontamination devices, should be used. If an employer happens to be a hospital or similarly licensed accredited facility, state licensing and other laws as well as accreditation bodies may require those organizations to activate emergency preparedness plans. Employers should communicate with their workers and train them about sources of Ebola and any required precautions.

On its newly released website dedicated to Ebola, OSHA has asserted jurisdiction over potential worker exposure via several regulations already in place. Most notably, the Ebola virus has been classified as a “bloodborne pathogen” under OSHA’s Bloodborne Pathogens standard,[1] which explicitly covers pathogens like hepatitis B virus (HBV) and human immunodeficiency virus (HIV). The Bloodborne Pathogens standard imposes a range of requirements on employers whose workers can be reasonably anticipated to contact blood or other potentially infectious materials (OPIM), such as saliva and semen. Covered employers must train employees, prepare exposure control plans, and use “universal precautions,” engineering and work practice controls, PPE, and housekeeping measures to contain the virus. Employers must also offer medical evaluations, blood tests, and follow-up evaluations after any worker is exposed to blood or OPIM. The standard contains many other nuanced requirements, including carefully documenting compliance measures. Given the complexities of the regulation, employers are strongly encouraged to seek legal advice if workers could anticipate exposure and to seek emergency, medical, and legal advice if any work-related exposure to blood or OPIM occurs.

Beyond this standard, OSHA has reminded employers that—when undertaking precautions for contact-transmissible diseases and any bioaerosols containing the Ebola virus—they must comply with OSHA’s (1) Respiratory Protection standard[2] if respirators are used on the job and (2) PPE standard[3] wherever PPE is used as a precaution. Finally, OSHA reiterated that it may issue citations against employers under the General Duty Clause of the Occupational Safety and Health Act of 1970[4]—OSHA’s “catch all” provision, which is used if no other regulation applies and where an employer allegedly fails to keep its workplace free of recognized hazards that can cause death or serious bodily harm to workers.

CDC Involvement

The primary U.S. agency embroiled in the fight against Ebola is the CDC. Of the many steps taken by the CDC in this effort, highlights of the latest guidance and advice are outlined below.

“Tightened Guidance” on PPE for U.S. Healthcare Workers

Following widespread criticism after two nurses contracted Ebola while treating a patient in Dallas, Texas, the CDC released on October 20 “tightened guidance” for PPE used by healthcare workers while caring for patients with Ebola. According to the CDC, three guiding principles control: (1) Employees must receive rigorous and repeated training to fully understand how to use PPE, (2) no skin can be exposed when PPE is worn, and (3) a trained monitor must be present to supervise all workers as they put on or take off PPE. The CDC also described “different options for combining PPE to allow a facility to select PPE for their protocols based on availability, healthcare personnel familiarity, comfort and preference while continuing to provide a standardized, high level of protection for healthcare personnel.” Among the recommendations for monitoring the safe use and removal of PPE, the CDC provides advice on step-by-step PPE removal, as well as disinfection of gloved hands.

In addition to PPE, the CDC further underscored other critical prevention activities to respond to the Ebola risk, including (1) prompt screening and triage of potential patients, (2) designating site managers who have the responsibility to ensure proper implementation of precautions, (3) limiting personnel in the isolation room, and (4) effective environmental cleaning. Employers in the healthcare industry should be aware that the CDC has highlighted management responsibility “to provide resources and support for the implementation of effective prevention precautions” and that management “should maintain a culture of worker safety in which appropriate PPE is available and correctly maintained, and workers are provided with appropriate training.” For more information and advice for healthcare workers, visit the CDC’s website.

Health and Travel Advisories

Given the severity of the risk that Ebola poses, the CDC has issued health and travel alerts, which it will continue to update as the situation develops. In the wake of various governors, particularly those from New York, New Jersey, and Illinois, having announced plans to quarantine health workers traveling from West Africa who treated Ebola patients, the CDC has also updated its guidance on October 27 regarding the monitoring and movement of persons with potential Ebola exposure. The guidance applies to anyone who recently traveled to West Africa and may have been exposed to Ebola and includes newly created tiered categories of risk, ranging from high to no risk and based on exposure to Ebola. Depending on the risk category, the CDC recommends that state and local health authorities isolate travelers who are exhibiting signs of illness or conduct “active” or “direct active” monitoring of signs and symptoms of Ebola for other at-risk individuals.

Health officials will make at least daily contact with these travelers, requiring travelers to disclose (1) temperatures and any other Ebola symptoms, such as headache, diarrhea, and vomiting, and (2) intent to travel out of state. For individuals who are under direct active monitoring, the CDC recommends that discussions with the individual include plans to work, travel, take public transportation, or go to busy public places to determine whether these activities are allowed.

Employers, and particularly employers with an international presence, should closely monitor these CDC travel advisories,[5] as well as advisories published by the World Health Organization (WHO).[6] Employers should evaluate their own travel policies and alerts against those published by the CDC and the WHO.

Protecting Employees from Impacted Regions from Harassment and Protecting the Confidentiality of Medical Information

Like the CDC, employers must respect workers’ privacy—and, particularly, the confidentiality of their medical information pursuant to the Americans with Disabilities Act (ADA)—and they must also comply with rules and guidance from OSHA, the CDC, and other agencies. Employers should balance their need to ensure workplace safety with their obligation to avoid unnecessary or overbroad medical inquiries, which are prohibited by the ADA. Of course, if an employee is exhibiting symptoms of Ebola exposure, it is appropriate to urge him or her to see a doctor. However, the decision to send an employee for a medical exam or to request medical documentation should be based on objective information—not unfounded fears that may or may not be grounded in reality. As an example, without some reason to believe there has been Ebola exposure, it could be risky to request medical information simply because an employee visited an Ebola-impacted region.

Employers should also take caution and consult legal counsel before they send home an employee suspected of Ebola exposure. The decision to remove an employee from the workplace for medical reasons must be based on an objective belief that the employee may present a direct threat of significant, imminent harm to himself or herself or others. These decisions should not be based on rumor or unfounded concerns.

To address these issues, employers should train human resources employees about the CDC guidance so they can understand the medical and scientific realities of Ebola exposure and, therefore, be prepared to respond appropriately if employees express concern about a coworker believed to be at risk for Ebola exposure. Similarly, employers should take all necessary steps to ensure that employees who are, or who are perceived to be, from regions impacted by Ebola do not experience harassment based on race, national origin, or any perceived medical condition.

HIPAA

The Ebola situation has also introduced some Health Insurance Portability and Accountability Act (HIPAA) interpretation questions for employers that are Covered Entities—such as healthcare providers—but also for those that sponsor a Covered Entity group health plan. HIPAA protects an individual’s protected health information (PHI), which includes, for example, medical, demographic, and other identifying information. HIPAA restricts Covered Entities from disclosing PHI about a worker or plan participant, except in limited circumstances. To date, the U.S. Department of Health and Human Services has not indicated that the Ebola crisis will change its enforcement or interpretation of HIPAA. The HIPAA Privacy Rule and Security Rules, as amended by the Health Information Technology for Economic and Clinical Health Act, will still apply to Covered Entities. Although narrow exceptions exist for use or disclosure for certain public health purposes, this exception will likely only apply in limited situations for limited organizations. Covered Entities should review their policies and procedures to determine if and how infectious diseases, particularly Ebola, are addressed. They should also train their Privacy Employees—workers who act on behalf of the Covered Entity—to continue to protect an individual’s PHI. Before disclosing any PHI, Covered Entities should exercise caution and consult with legal counsel to confirm that a use or disclosure will not constitute a HIPAA violation.

Labor Relations

In light of the media furor from various healthcare and service workers’ unions regarding Ebola risks to workers, employers should also expect to receive collective bargaining demands related to training, adequate safety procedures, and protective equipment and medical services provided to exposed employees, potentially including demands for leave (whether paid or unpaid). Employers should be proactive, therefore, in reaching out to union representatives of healthcare workers to develop protocols on how best to handle these types of issues, and, given the labor laws, should not act unilaterally, even if well intentioned and even if the to-be-implemented protocols are favorable to employees. Employers should also review their current collective bargaining agreements for any clauses or language requiring the employer to implement procedures related to infectious diseases or the safety of their workers. Finally, even nonunion workers can exercise rights under the National Labor Relations Act (NLRA) to engage in concerted activity for their mutual aid and protection if workers fear their safety is not adequately protected. A refusal to work because of safety concerns related to Ebola, therefore, could be protected under the NLRA, and employers should carefully consider this issue prior to implementing discipline to employees for refusing to work.

Immigration

In coordination with the CDC, the Department of Homeland Security (DHS) implemented a set of travel restrictions[7] involving additional screening and protective measures for travelers from Ebola-affected countries at U.S. ports of entry. Travelers to the United States who are arriving directly or indirectly from Liberia, Sierra Leone, or Guinea will undergo enhanced screening that includes the following:

  • Identifying and interdicting travelers from the Ebola-affected countries.

  • Isolating these travelers from the rest of the traveling public while the individual completes a questionnaire and contact information form.

  • Medically trained personnel will take the traveler’s temperature. If the traveler has a fever or other symptoms, or may have been exposed to Ebola, U.S. Customs and Border Protection (CBP) will refer the traveler to the CDC for a public health assessment. The CDC will then determine whether the traveler can continue to travel, should be taken to a hospital for further evaluation, or should be referred to a local health department for further monitoring.

  • Encouraging the traveler to seek healthcare at the first sign of any potential illness.

If CBP discovers that a traveler has been in one of the three countries in the prior 21 days, he or she will be referred for additional screening, and, if necessary, the CDC or other medical personnel in the area will be contacted pursuant to existing protocols. The enhanced screening is in place at the five U.S. airports that account for 94% of travelers flying to the United States from Ebola-affected countries. The airports are John F. Kennedy International, Newark Liberty International, Washington Dulles International, Hartsfield-Jackson Atlanta International, and Chicago O’Hare International. DHS has authority under existing law to deny admission to individuals who represent a public health threat.

Given the rapidly changing circumstances, employers are faced with many labor and employment challenges to consider.


[1]. 29 C.F.R. § 1910.1030.

[2]. 29 C.F.R. § 1910.134.

[3]. 29 C.F.R. § 1910.132.

[4]. View the act here.

[5]. View the advisories here.

[6]. View the advisories here.

[7]. View the restrictions here.


Managing Ebola Concerns in the Workplace [PODCAST]

Jackson Lewis Law firm

Many employers are struggling to understand the potential workplace implications of Ebola hemorrhagic fever (EHF).  We invite you to listen to a complimentary 48-minute podcast during which three Jackson Lewis practice group leaders discuss some of the legal and practical issues relating to the virus.  Among the issues discussed are:

  • Steps employers should consider taking to ensure OSHA and state workplace health and safety laws are satisfied;

  • ADA, GINA and FMLA compliance challenges that may arise as employers attempt to lawfully identify and manage employees who are or may have been exposed to Ebola; and

  • HIPAA and other sources of privacy and medical confidentiality obligations that should be considered as employers respond to workplace Ebola concerns.

You can access the podcast here.


Micro Bargaining Units Coming To a Workplace Near You

Steptoe Johnson PLLC Law Firm

It is no secret that many employers take steps to try and keep their workplaces union-free.  One of the newer concerns for employers in that camp is the possibility that employees could form a “micro bargaining unit,” which is a unit of employees that make up only a small portion of the workforce. 


In a 2011 case, Specialty Healthcare, the National Labor Relations Board (NLRB) established a new standard for determining appropriate bargaining units.  Specifically, the Board stated that, in evaluating a potential unit, it would focus on the community of interest among the petitioning employees.  According to the Board in that case, factors such as the extent of common supervision, interchange of employees, and geographic considerations should all be taken into account when evaluating a proposed unit.

Specialty Healthcare also placed a significant burden on employers trying to challenge smaller units.  The Board stated that, if an employer wished to argue that a unit should include additional employees, the employer needs to show that employees in a larger unit have an “overwhelming” community of interest with those in the proposed smaller unit.  That’s a higher burden than what has been applicable in the past, and not one easy to meet.

The effects of Specialty Healthcare were evident in a more recent Board decision.  In Macy’s Inc., the Board recently confirmed that 41 Macy’s cosmetic and fragrance department sales employees could form a bargaining unit.  Those 41 employees made up about one-third of the employees at that Macy’s store.  Macy’s argued that this unit was inappropriate because cosmetic and fragrance employees shared an overwhelming community of interest with the other sales employees, but the Board saw it differently.

The Board noted several factors that established the community of interest among the cosmetic and fragrance employees: they all worked in the same department, were supervised by the same manager, had limited contact with other sales employees, and were paid on the same commission-based structure.  Additionally, the Board pointed out that Macy’s rarely transferred employees between the cosmetic and fragrance department and other store departments.

While the Macy’s, Inc. case was not a positive development for employers, the NLRB then rejected a proposed micro-unit about a week later in a different case at Bergdorf-Goodman, a Neiman Marcus subsidiary.  In that case, the Board found that salon shoes salespeople and contemporary shoe salespeople lacked a community of interest.  In so deciding, the Board noted that the proposed unit in that case was not created based on any administrative or operational lines established by the employer.  Additionally, the employees had different department managers, different floor managers, and different directors of sales.

While both of these cases dealt with the retail industry, the results are important to employers in any sector, since the Specialty Healthcare standard certainly can be applied to create micro-bargaining units in other industries.  In fact, employers can probably expect unions to try organizing smaller bargaining units within larger companies, particularly where efforts to organize larger groups have proved unsuccessful.  This strategy allows unions to select pro-union employee groups and increase their likelihood of winning an election.

If there’s one proactive takeaway from these cases, it’s that employers need to think in advance about how they can make themselves less vulnerable to micro-unit organizing.  For example, cross-training employees and having them work in different departments makes it less likely a union could demonstrate a community of interest among a small group of employees.  Of course, any steps taken to combat against micro-unit organizing also need to be evaluated for their operational feasibility.  In most cases, it’s probably best that employers contact experienced legal counsel to weigh the pros and cons involved.

Does March Madness = Workplace Madness? Some Thoughts on the Legality of NCAA Bracket Pools and the Tournament’s Effect on the Workplace

MintzLogo2010_Black

With the Olympics now behind us (were they ever in front of us?), this time of year usually marks the sports netherworld between the Super Bowl and the NCAA Men’s Division I Basketball Tournament, which is better known as March Madness. This lull provides employers with an excellent opportunity to contemplate the issues that March Madness creates in their workplace. We explore some of those issues below.

Participating in a NCAA Bracket Pool: Everyone Else Does It, So Why Can’t We?

Nothing presages the coming of spring like the NCAA Tournament, and concurrently, perhaps nothing is as ubiquitous in the American workplace during this time period as NCAA bracket pools. Estimates of participating Americans are in the 50-60 million range and we can totally understand why. Even President Obama completes a bracket each year (he even picked last year’s winner correctly). And we expect those numbers to go up because of contests like these: Quicken Loans is offering a $1 billion prize to anyone who completes the perfect bracket. The chances of doing that: 1 in 9.2 quintillion (9 with about eighteen zeroes after it, or the same odds of the Knicks winning the NBA Championship this year. Please come to New York Phil Jackson. Please.).

The typical workplace bracket pool scenario involves an email attaching a bracket or an embedded link to a website that requires you to sign up for and complete an online bracket; think: ESPN.com or cbsports.com (whose home page even promotes “co-worker” participation). Sometimes these e-mails are sent office-wide, other times they are limited to a select group of employees. The typical entry fee can range from $5 to $20 per bracket, with the winner collecting the biggest payout and the second and third place finishers collecting more moderate sums. Some brackets also return the last place “winner” his or her entry fee (see: probably you at least once in the last 10 years). The pool “manager” may also take a cut for dealing with the administrative burden (including having to stop by your cubicle at least twice a day for your entry fee). Of course, all this varies from pool to pool. We’ve heard of pools where the winner gets to donate the collected entry fees to the charity of his or her choice (awwww). We’ve heard of pools going in the opposing direction: $1,000 per entry, winner takes all (grrrrrr). Overall, close to $2.5 billion is wagered on the tournament.

But is any of this legal? The results are mixed. On the federal level, probably not; on the state level, it depends on the state. Participation in a bracket pool may violate at least two federal laws. NCAA bracket pools that are conducted across state lines (i.e. a company pool involving offices from several states) or which are managed online (the vast majority), could violate the Interstate Wire Act of 1961. There is a “fantasy sports” exception to that law, but bracket pools don’t seem to fit within that exception since they require the individual to bet on the outcomes of the games. Participation in these bracket pools may also violate the Professional and Amateur Sports Protection Act, which prohibits wagers on sports anywhere, except in certain grandfathered states (Nevada, Delaware, Oregon and Montana).

On the state level, while most states ban gambling, their gaming laws provide exceptions for so-called “social” or “recreational” gambling. While the particulars vary, to qualify for these exceptions: (1) all of the money in a pool must go to a winner or a charitable organization (i.e. the “house” does not receive any of the proceeds); (2) there must be a maximum amount a person can wager (like a $20 entry fee), and (3) the pool must be limited to a certain number of people with pre-existing relationships (like co-workers). Thus, in certain states, NCAA bracket pools that meet these requirements may be permissible. In Wisconsin, by contrast, NCAA bracket pools are illegal without exception. Sad, considering the Badgers are set to make a serious run at the NCAA Championship this year.

Based on the above, especially because of the Professional and Amateur Sports Protection Act, the simplest and safest approach for (non-Nevada, Delaware, Oregon and Montana) employers would be to prohibit NCAA bracket pools in the office. But realizing that this will likely not be the majority approach, if you are an employer comfortable enough to allow your employees to run an NCAA bracket pool, we would recommend setting certain parameters, including: (1) requiring employees to complete paper brackets instead of participating online, (2) prohibiting bracket pools that will result in employees participating in offices located across multiple states; (3) prohibiting employees from using company e-mail or printers to administer the pool; (4) limiting the entry fees (i.e. $20 or less), (5) ensuring that the collected entry fees are distributed to the winner(s) (or charitable organization) and no portion goes to the house; and (6) threatening discipline if any employee pressures any other employee to participate in a bracket pool. Another option altogether is to allow your workers to participate in a bracket pool for free, with the winner collecting a prize.

Watching the Games: Everybody Else is Watching, So Why Can’t We?

Completing a bracket is one thing, but watching the games is where the fun really begins. You wake up Thursday morning annoyed that there’s still five hours before the first game tips off. Wait, this is 2014, not 2000; the tournament now boasts of 68 teams and starts on Tuesday with the “First Four” play-in games. But in reality, the tournament “starts” on Thursday, and in anticipation, your employees (and maybe even you) have probably done the following:

(a) downloaded the CBS Sports app onto their computer, tablet or mobile device that will allow them to stream the games into their workspaces

(b) arranged to watch some games at an “extended” lunch with some co-workers

(c) called in “sick” (or did the honorable thing and took a preapproved vacation/PTO day) so they can watch games

(d) All of the Above

(e) None of the Above (because, instead, they are busy binge-watching the first three seasons of Game of Thrones before the April 6 Season 4 premiere)

Regardless of how your employees (or you) would answer that question, the point is that come Thursday (and Friday) they will probably be focused on something unrelated to their job. And when their focus is elsewhere, job productivity suffers. And boy does it suffer. According to Challenger Gray & Christmas, an outplacement firm, this equates to $134 million in lost productivity on just the first two days of the Tournament alone, where at least 3 million employees will spend between 1-3 hours watching games at work and 2/3rds of all workers will track games during the workday. We wouldn’t be surprised if this number climbs again this year as CBS continues to make it easier to stream games live. (And if it really wants that number to climb, it needs to offer a better “boss button” than the one it offered last year. And on that front, when are we going to see a lawyer-friendly boss button – maybe one that clicks away to a draft brief or a redlined employment agreement? C’mon already. But we digress.)

So we know that lost productivity is an issue. But what about the related issue of employee morale? A survey conducted last year by OfficeTeam found that 20% of managers believe that the NCAA tournament has a positive effect on employee morale. Only 4% believed it had a negative effect and 1% didn’t know what effect it had. Perhaps the most shocking statistic is that 75% of the managers surveyed believed that it had no effect whatsoever.

To us, the result of the productivity-morale equation is employer-specific and depends on the nature of your workplace and your business goals. For example, we can certainly see how management at an accounting firm may grow uneasy at a lack of focus from its employees as their clients’ tax filing deadline nears. At the same time, we can also see how management at this firm (perhaps if it’s located by Syracuse or Kentucky) may want to convert this into an employee appreciation moment, gather its employees in a conference room for an extended lunch and game-viewing session and take a breather from their overwhelming workloads (and maybe be lucky enough to catch a top-5 all time buzzer beater.)

Employees in downtown Richmond, Virginia probably had trouble focusing on their work in 2011.

Only you can best gauge what will motivate your workforce against how it will affect your bottom line. If you could care less about employee morale or don’t think it’s a factor, then consider blocking access to the streaming site or mobile app, remind employees of your acceptable computer use policy, and threaten disciplinary action as necessary. If you are concerned about lost productivity, but want to maintain or enhance employee morale, consider allowing employees to wear or display items related to their favorite college teams that day (whether it is Villanova, Wichita St. or “Anyone but Duke”). Consider designating certain times where employees are “free” to check scores, or consider going further and allowing employees a time and place to watch games. Tuning break-room television sets to the NCAA tournament, and possibly adding pizza or popcorn to the mix, represents a cheap investment that may boost employee morale and reduce some of the short-term productivity losses while producing long-term productivity gains.

All right, that is all. We hope this helps you prepare your workplace for the upcoming NCAA tournament so that when it’s over you can proudly belt out One Shining Moment, including…

And when it’s done

win or lose

you always did your best

cuz inside you knew…

(that) ONE SHINING MOMENT, YOU REACHED FOR THE SKY

ONE SHINING MOMENT, YOU KNEW

ONE SHINING MOMENT, YOU WERE WILLING TO TRY

ONE SHINING MOMENT….

Article by:

Of:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

Office Romances: 3-Part Series on How to Shield Your Company from Liability Part 3


According to a recent CareerBuilder survey, four in ten people admitted to dating a co-worker, and one-third eventually married that person.  Whether a relationship between peers, relationships between supervisors/subordinates, flings, long-term relationships, or extramarital affairs, office romances can lead to unwelcome complaints and expensive lawsuits.

Part 1 of this three-part series addressed the potential risks that office romances pose to companies, and Part 2 covered the importance of adopting and enforcing a company policy addressing fraternization.  This final installment offers recommended steps you should take now to defend potential claims of discrimination and harassment.

Tips for Employers

Employers should prepare and implement a clear policy regarding office relationships or update an existing one, and be sure to disseminate it and obtain employees’ acknowledgements. The policy should address the extent to which office relationships are permissible, and, if appropriate, require employees to promptly disclose the existence (or termination) of a romantic or sexual relationship to a designated member of Human Resources or management. When the employees involved are in a supervisor/subordinate relationship, disclosure is especially critical so that the employer may effectively address the impact of the relationship (e.g., evaluating if it is necessary to change job duties or reassign the employee(s)).

If harassment occurs despite an employer’s best efforts to prevent and stop it, you will have a strong defense if you can demonstrate that you have done the following:

  • Implement and enforce a sexual harassment and office romance policy that provides a clear reporting channel and prohibits retaliation for good faith complaints.
  • Respect employees’ reasonable expectations of privacy regarding their relationship in line with the company policies.
  • Train new and existing employees on the sexual harassment policy and document the training.
  • Train managers on what constitutes sexual harassment and how to handle complaints.
  • Train employees to report inappropriate behavior.
  • If a relationship develops between a manager and his/her subordinate, transfer one of them if possible to eliminate a direct reporting relationship.
  • Promptly and thoroughly investigate complaints.
  • Take appropriate corrective action to address prior incidents of sexual harassment.

Regardless of the type of policy your company adopts, be sure to customize it to the needs and actual practices of your business.  Train employees and managers on expectations governing office romances.  A well-drafted and uniformly enforced fraternization (or non-fraternization) policy will not prevent workplace relationships altogether, but it can protect you if you encounter office romances.

See Part 1 Here

See Part 2 Here 

Article by:

Mona M. Stone

Of:

Greenberg Traurig, LLP

Office Romances: 3-Part Series on How to Shield Your Company from Liability Part 2


More than ever, employers are facing serious claims arising from office romances.  Part 1 of this three-piece series covered the potential claims, charges and lawsuits that may arise from workplace relationships.  In this installment, learn why it is imperative to adopt a company policy addressing fraternization.  Part 3 will address tips for employers to mitigate potential liability.

What Does Company Policy Say?

With Valentine’s Day around the corner, now is a good time for employers to update or create a policy governing dating among workers.  While some policies prohibit romantic relationships altogether, many employers recognize that employees will date each other regardless of policy.  In fact, they might “sneak around” to avoid violating the policy, which could create even more tension if the relationship is discovered or known only to a select few.  Moreover, strict no-dating policies may be difficult to implement and enforce, as they may not clearly define the conduct that is forbidden (e.g., does the policy prohibit socializing, dating, romantic relationships, or something else?).

Some policies interdict dating among management and staff, while others specify that there is to be no fraternization with outside third parties to avoid conflicts of interest or the appearance of impropriety.  Still, other organizations mandate that employees who date one another voluntarily inform the company about their relationship.

In such cases, the notification policies direct employees to report their dating relationships to Human Resources, the EEOC officer, or a member of management, and they ask employees to sign a written consent regarding the romantic relationship.  While this type of policy may seem intrusive, these documents are drafted to protect employers from unwanted complaints of future sexual harassment or retaliation.

When asking employees to sign consents, you should again advise them about the company’s sexual harassment policy and remind them about ramifications of policy violations.  Document that the employees entered into the relationship voluntarily, were counseled and – if/when the relationship ends – include a memo in their respective personnel records that the relationship ended, and the employees were reminded about the company’s sexual harassment policy.  You should require the dating parties to make certain written representations to shield the company from future claims:

  • The individuals have entered the relationship voluntarily and the relationship is consensual.
  • The employees will not engage in any conduct that makes others uncomfortable, intimidated, or creates a hostile work environment for other employees, guests, or third parties.
  • The employees do not and will not make any decisions that could impact each other’s terms and conditions of employment.
  • The employees will act professionally toward each other at all times, even after the relationship has ended.
  • The relationship will not cause unnecessary workplace disruptions or distractions or otherwise adversely impact productivity.
  • The employees will not retaliate against each other if/when the relationship ends.

Stay tuned for Part 3 for steps to take now to defend potential claims of discrimination and harassment.

 

Article by:

Mona M. Stone

Of:

Greenberg Traurig, LLP

Office Romances: 3-Part Series on How to Shield Your Company from Liability Part 1


Love is in the air – which could bring claims of sexual harassment and discrimination.  As Valentine’s Day approaches, employers should be mindful of office romances:

  • Statistics show that more than 20% of married couples met at work, yet nearly half of those employees reported that they did not know if their company had a policy on office romances.
  • According to a recent survey by Monster Worldwide, 59% of employees admitted that they have been involved in an office romance.
  • An additional 64% answered that they would be willing to do so if the opportunity arose.
  • Yet, 75% of employers do not have a policy regarding workplace relationships.
  • AshleyMadison.com (a dating site for married people looking to cheat – yikes!) reports that 46% of men and 37% of women have had an affair with a co-worker. Among these cheaters, 72% of women and 59% of men say that they had their first encounter with the affair partner at a company holiday party … which means now is the time for employers to pay attention!

In this three-part series, learn (1) the potential risks to employers from workplace relationships, (2) how to draft an office romance policy, and (3) what steps to take to head off potential litigation.  Part I addresses the negative consequences that office romances can pose to unprepared employers.

What’s the Harm?

While consensual office relationships are more commonplace than in the past, they can trigger business and legal headaches for employers when the relationship fizzles or is no longer consensual.  Moreover, fellow employees may feel resentful, jealous, uncomfortable, or intimidated (especially in relationships between a supervisor and a subordinate), leading to complaints of sexual harassment, discrimination, or retaliation.

Importantly, claims may be brought not only by the individuals in the relationship, but even by third parties.  Complaints of “paramour favoritism” are on the rise and are being filed by employees who allege they are overlooked due to preferential treatment towards a co-worker who is engaged in a romantic relationship with the boss.  While courts differ on whether such claims are meritorious, turning a blind eye to such relationships may result in business interruption and liability.

In 2011, for example, the EEOC reported that 11,364 charges of sexual harassment were filed, and 16.3% of those were filed by men.  These charges are quite costly to employers – the EEOC recovered over $52 million in damages for sexual harassment claims in 2011.  Employers might not be able to prevent love in the office, but you can take action to mitigate potential liability.  An important initial measure is to draft a good policy depending on your company’s size, structure, business goals, and culture.  Make sure that, if you implement an office dating policy, you enforce it uniformly and take appropriate and equal action for violations of the policy.

Watch for installments 2 and 3 to learn the dos and don’ts when drafting an office romance policy and tips for employers to avoid liability.

Article by:

Mona M. Stone

Of:

Greenberg Traurig, LLP

Google Glass In the Workplace


WSJ reported on November 22, 2013, Google’s push to move Google Glass, a computerized device with an “optical head-mounted display,” into the mainstream by tapping the prescription eyewear market through VSP Global—a nationwide vision benefits provider and maker of frames and lenses. If the speed and immersion of technology over the past few years has shown us anything, it is that it will not be too long before employees are donning Google Glass on the job, putting yet another twist on technology’s impact on the workplace.

Employers continue to adjust to the influx of personal smartphones in the workplace, many adopting “Bring Your Own Device” (BYOD) strategies and policies. These technologies have no doubt been beneficial to businesses and workplaces around the globe. The introduction of Google Glass into the workplace may have similar benefits, but the technology also could amplify many of the same challenges as other personal devices, and create new ones.

For example, employers may experience productivity losses as employees focus on their Glass eye piece and not their managers, co-workers, or customers. Likewise, some businesses will need to consider whether Google Glass may contribute to a lack of attention to tasks that can create significant safety risks for workers and customers, such as for employees who drive or use machinery as a regular part of their jobs.

A popular feature of Google Glass is the ability to record audio and video. Smartphones and other devices do this already, but recording with Glass seems so much easier and may become less obvious over time as we get used to seeing folks with the Glass. Of course, recording of activities and conversations in the workplace raises a number of issues. In healthcare, for instance, employees might capture protected health information with their devices, but potentially without the proper protections under HIPAA. Conversations recorded without the consent of the appropriate parties can violate the law in a number of states. Employees with regular access to sensitive financial information could easily capture a wealth of personal data, raising yet another data privacy and security risk.

The capturing of data on the Glass, even if not collected, used or safeguarded improperly, will add to the challenges businesses face in avoiding spoliation of data stored in these additional repositories of potentially relevant evidence.

Only time and experience will tell what the impact of Google Glass will be in the workplace. However, as companies continue to adapt to present technologies, they should be keeping an eye on the inevitable presence of such new technologies, and avoid being caught without a strategy for reducing risks and avoidable litigation.

Article by:

Joseph J. Lazzarotti

Of:

Jackson Lewis LLP

Facebook Friends & Workplace Enemies


Inappropriate Facebook posts, pictures and the like have led to many firings in recent years. A large number of employees have become smarter on social media and made a concerted effort to not “friend” a manager or boss. They think that they are keeping their online persona and work reputation separate…but is that really possible when dealing with the Internet?

It is not uncommon for an employer to be completely oblivious to an employee’s inappropriate online actions until presented with the evidence from a Facebook “friend” and coworker of the subject employee. If the employer chooses to take adverse employment action against the subject employee, the coworker’s evidence can be crucial in defending against a discrimination lawsuit.

Nonetheless, employers should think twice before they solicit coworkers to disclose the postings of another employee because of the Federal Stored Communications Act (“SCA”). The SCA prohibits intentionally accessing without authorization a facility through which an electronic communication service is provided or intentionally exceeding an authorization to access that facility. 18 U.S.C. §2701(a).

In Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-3305 (WMJ)(D.N.J. Aug. 20, 2013), a New Jersey federal court held that an employee’s Facebook wall posts were protected by the SCA.

Deborah Ehling (the plaintiff) was a registered nurse and paramedic. She had a Facebook account with approximately 300 friends, but was careful to not add any hospital managers or supervisors as friends and maintained her privacy settings so that only friends could see posts.

In 2009, Ehling made a statement on her Facebook wall criticizing emergency response paramedics at a shooting at the Holocaust Museum in Washington, D.C., who reportedly saved the life of the shooter. It read:

An 88yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I want to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? And 2. This was your opportunity to really make a difference! WTF!!!! And to the other guards…go to target practice.

A coworker and Facebook friend of Ehling’s printed a screenshot of this post and emailed it to Ehling’s manager. It is important to note that the friend was not prompted by the manager for any information about Ehling or to be apprised of any of her online activity. It was simply something the “friend” chose to do on his own.

Ehling was subsequently suspended and received a memo from the hospital explaining that such action was taken because her Facebook comment reflected a “deliberate disregard for patient safety.” The memo prompted Ehling to file a complaint with the National Labor Relations Board. It was found that the hospital was not in violation of the National Labor Relations Act. She then filed suit in federal court, alleging the hospital had violated her rights under the SCA.

To learn about the outcome of this case, check back tomorrow.

Article by:

Cynthia L. Effinger

Of:

McBrayer, McGinnis, Leslie and Kirkland, PLLC