After a nearly eight-month delay, the New York State Department of Labor once again published draft Regulations governing the payment of employee wages via payroll debit cards, direct deposit, and other means.  As we previously reported, these proposed Regulations would impose several new requirements for New York employers, even for those who merely pay employees by direct deposit.  These proposed Regulations – now NYSDOL’s third version – are currently open for public comment. The most recent version is almost identical to the version last proposed in October 2015, with NYSDOL making only two substantive changes:  (1) the newly-proposed Regulations make clear that the requirement to provide employees with a “list of locations” -- where they can access and withdraw their wages -- only applies to the use of payroll debit cards; and (2) the newly-proposed Regulations remove language included in the October 2015 version, which provided that, when paid by check, employees must have at least one means of no-cost local access to the full amount of wages through check cashing or deposit of a check at a financial institution (but NYSDOL nevertheless stated that employers must still “ensure that employees are able to access their wages in order for payment to be effective in accordance with the requirements of Section 191 of the Labor Law”).  Notably, NYSDOL reiterated that the proposed Regulations will not be effective until six months after they are published and adopted in final form. The reason for the eight-month delay on the part of the NYSDOL in issuing these revised draft Regulations is unclear, but it is expected that final rule-making will now proceed in a timely manner.

Last month, the United States Court of Appeals for the Fifth Circuit affirmed the lower court’s decision upholding the National Labor Relations Board’s “quickie” election rule.  As we previously reported, the final rule, among other things, significantly reduces the time period between the filing of an election petition to the date of the election, narrows the issues that may be raised at a pre-election hearing, and requires disclosure of employees’ personal information, including personal telephone numbers and e-mail addresses.  The rule was effective as of April 14, 2015. The Associated Builders and Contractors of Texas, Inc. (“ABC”) mounted the challenge to the rule’s lawfulness, asserting that the Board both exceeded its authority under the National Labor Relations Act (the “Act”) and violated the Administrative Procedure Act.  ABC first argued that the rule unlawfully postpones the resolution of certain voter eligibility issues until after the election is complete, in contravention of the Act.  The Fifth Circuit rejected this argument, reasoning that under the plain language of the Act the purpose of the pre-election hearing is to determine whether a question of representation exists -- not to resolve all voter eligibility issues. Next, ABC contended that the rule arbitrarily and capriciously requires the disclosure of employees’ personal information to the petitioning union in violation of the Administrative Procedure Act.  The Fifth Circuit found that the Board had sufficiently considered employees’ privacy concerns as well as the burden on employers when it expanded the disclosure requirement, and thus, the requirement was not arbitrary and capricious in violation of the Administrative Procedure Act. ABC also challenged the rule on the grounds that faster elections interfere with an employer’s right to free speech during organizing campaigns.  In rejecting this argument, the Fifth Circuit found that there is no language in the Act which requires a specified waiting period between the filing of the petition and the date of the election.  Additionally, the Fifth Circuit noted that the Board’s Regional Directors, who are responsible for setting the date of the election, are to consider the interests of both parties when setting an election date, which may include an employer’s opportunity to communicate its views concerning unionization to its employees. Now that the Fifth Circuit has joined an earlier decision from the United States District Court for the District of Columbia upholding the Board’s “quickie” election rule, employers must be prepared to respond before an election petition is even filed.  The time employers have from date of petition to date of election has been effectively cut in half (from about 6 weeks to about 3 weeks), making a successful counter campaign extremely difficult to mount without advance planning and preparation.  We recommend regular supervisory training and the creation of a tentative campaign blueprint that is ready for immediate activation in the event of a union petition.  As before, an employer’s best opportunity to remain union-free comes from early awareness of organizing activity and an effective pre-petition campaign that discourages employees from signing the number of union authorization cards needed for the union to trigger an NLRB election.

One of the many joys of parenthood is the opportunity to relive one’s childhood.  To a parent who grew up on the old-school comic books, the steady roll-out by Marvel Studios of big budget super-hero movies offers a unique bonding opportunity with one’s children, which can take place over a uniquely unhealthy massive bowl of movie theater popcorn (with the glee from the experience outweighing the fear of the hyper-caloric intake). My kids frequently ask me about my favorite superhero.  To me it is undoubtedly Hulk, a character who metes out just-desserts -- an admirable goal for a management-side employment lawyer (the side of angelic innocence).  Hulk is not Hulk unless provoked.  As Bruce Banner he is a quintessential good guy, just like all of us in the world of Human Resources. That brings us to Hulk’s relationship with employment law.  We need a Hulk when our employees steal from us, harass other employees, take our trade secrets, and secretly compete against us.  But in the real world where does one find a muscle-bound green skinned superhero that is pretty much indestructible?  Enter the faithless servant doctrine. In New York, the faithless servant doctrine is more than one hundred years old.  This doctrine, a subspecies of the duty of loyalty and fiduciary duty, requires an employee to forfeit all of the compensation he/she was paid from his/her first disloyal act going forward.  The doctrine applies to a wide-array of employee misconduct, including unfair competition (Maritime Fish Products, Inc. v. World-Wide Fish Products, Inc., 100 A.D.2d 81, 474 N.Y.S.2d 281 (1st Dep't 1984)), sexual harassment (Astra USA Inc. v. Bildman, 455 Mass. 116, 914 N.E.2d 36 (2009)), insider-trading (Morgan Stanley v. Skowron, 2013 WL 6704884 (S.D.N.Y. 2013)), theft (William Floyd Union Free School District v. Wright, 61 A.D.3d 856, 877 N.Y.S.2d 395 (2d Dep’t 2009)), and off-duty sexual misconduct (Colliton v. Cravath, Swaine & Moore, LLC., 2008 WL 4386764 (S.D.N.Y. 2008)). As the faithless servant doctrine becomes more well-known, the full breadth of its power continues to be litigated.  Specifically, just how much damage can this doctrine inflict?  Disloyal employees have argued that forfeiture under the doctrine should be limited to a so-called “task-by-task” apportionment.  Under this argument, if an employee earns for example $200,000 a year and steals $20,000 over five months in four separate transactions, the remedy is a return of the stolen funds and a salary forfeiture of a day’s pay on each of the four days of misconduct.  But, whatever superficial appeal this argument may have, once the employee steals we enter Hulk’s world, and Hulk does not deliver justice with surgical precision.  Rather, in the immortal words of Captain America, Hulk “smashes.” In William Floyd Union Free School District v. Wright, 61 A.D.3d 856, 877 N.Y.S.2d 395 (2d Dep’t 2009) (argued by the author of this article), the Second Department rejected the task-by-task apportionment argument, holding:  “Where, as here, defendants engaged in repeated acts of disloyalty, complete and permanent forfeiture of compensation, deferred or otherwise, is warranted under the faithless servant doctrine.”  The forfeiture in that case included all salary and deferred compensation, including paid health and life insurance in retirement.  Turning back to our hypothetical, the faithless servant doctrine requires not only the return of the $20,000 stolen, but also forfeiture of all of the salary paid to the employee after the first theft and any related deferred compensation, such as contractual payments owed upon retirement. Despite the William Floyd decision, disloyal employees have tried in earnest to limit the scope of the forfeiture.  On June 2, 2016, the Third Department added strength and vigor to the faithless servant doctrine in a case where an employee committed repeated acts of theft.  In City of Binghamton v. Whalen (also argued by the author of this article), the Court reaffirmed the strict application of the faithless servant doctrine:  “We decline to relax the faithless servant doctrine so as to limit plaintiff’s forfeiture of all compensation earned by the defendant during the period of time in which he was disloyal.”  The Court specifically noted that the faithless servant doctrine is designed not merely to compensate the employer, but also to create a harsh deterrent against disloyalty by employees.  The Court ordered the disloyal employee to pay back $316,535.54 (which was all of the compensation earned by the employee during the nearly six-year period of disloyalty), and held that the employer was relieved of the obligation to provide the disloyal employee with health insurance benefits earned through his employment. The City of Binghamton decision solidifies the Hulk-like power of the faithless servant doctrine -- a remedy that serves up justice with “smashing” deterrent impact.

On May 18, the New York State Division of Human Rights adopted a new regulation prohibiting employment discrimination based on an individual’s relationship or association with a member of a protected category covered by the New York Human Rights Law.  The proposed rule was published in the State Register on March 9.  The agency did not receive any public comments regarding the proposed rule, and adopted the rule without making any changes. According to the Division, the purpose of the new regulation is to confirm long-standing precedent supporting anti-discrimination protection for individuals based on their relationship or association with members of a protected class.  The new regulation applies to employment discrimination and all other types of discrimination protected under the New York Human Rights Law, including housing, public accommodations, access to educational institutions, and credit.  In order to prove a claim of employment discrimination in this context, an individual must prove that he or she was subjected to an adverse employment action based on the individual's known relationship or association with a member of a protected class. This latest expansion of the protections afforded by the New York Human Rights Law underscores the importance of basing all employment decisions on legitimate reasons that can be supported by objective facts, and documenting the legitimate reasons for those decisions.  Supervisors should also be trained to apply workplace policies and standards fairly and uniformly among all employees, to further reduce the risk of discrimination claims.

In theory, employers are all generally familiar with the “interactive process” and the need to provide disabled employees with reasonable accommodation absent undue hardship.  But in practice are employers actually complying with these legal obligations?  Maybe not, says the EEOC. On May 9, 2016, the EEOC issued a strong reminder to employers about their legal obligations under the Americans with Disabilities Act related to accommodation of disabled employees.  According to the EEOC, it continually receives complaints that indicate employers may not be fully aware of their legal obligations:  "For example, some employers may not know that they may have to modify policies that limit the amount of leave employees can take when an employee needs additional leave as a reasonable accommodation.  Employer policies that require employees on extended leave to be 100 percent healed or able to work without restrictions may deny some employees reasonable accommodations that would enable them to return to work.  Employers also sometimes fail to consider reassignment as an option for employees with disabilities who cannot return to their jobs following leave." The EEOC has recently taken a particularly close look at employer leave policies to ensure they are not so inflexible as to foreclose the possibility of a leave of absence being provided as an accommodation. So what exactly is a “reasonable accommodation”?  Generally, a reasonable accommodation is “any change in the work environment or in the way things are customarily done that enables an individual with a disability to enjoy equal employment opportunities.”  But what this means in any given situation will necessarily depend on a number of factors, including for example the particular position held by the employee, the particular restrictions the employee’s disability places on his/her ability to perform that job, and the projected duration of the restrictions.  Perhaps for one employee reasonable accommodation means providing a leave of absence after he/she has already exhausted any leave available under the Family and Medical Leave Act so that the employee is able to recover from a serious health condition before returning to work.  Or perhaps it means allowing an employee to return to work from a leave of absence in a light duty capacity while he/she completes recovery.  For another it could mean moving an employee’s work location to an area where he/she has easy access to a restroom, or restructuring an employee’s marginal (or non-essential) job duties so he/she does not have to lift items over a certain weight. It is also important to remember that although it will never be deemed “reasonable” for an employee, as an accommodation, to be excused from having to perform the essential functions of his/her job, whether something actually is an essential function is not always intuitive.  For example, is it an essential function of a firefighter’s job to be physically able to fight fires?  Perhaps not.  In Stone v. City of Mount Vernon, the Second Circuit Court of Appeals reversed a decision granting summary judgment to the employer in an ADA lawsuit filed by a former fire department employee, holding that there was a genuine issue of material fact warranting a trial regarding whether fire suppression was an essential function of the job.  Or is heavy lifting necessarily an essential function of a manual laborer’s job?  Again, perhaps not (according to the 1993 decision of the U.S. District Court for the Northern District of New York in Henchey v. Town of North Greenbush). A key take-away when dealing with accommodation issues is that there is no one-size-fits-all approach.  That is why it is so important for an employer to engage in the “interactive process” with the employee and find out exactly what his/her limitations are and whether there is an accommodation that can reasonably be provided to enable the employee to perform the essential functions of his/her job.  It may be that the interactive process reveals there is no accommodation that can be provided without imposing an undue hardship on the employer, or that will enable the employee to perform the essential functions of his/her job.  If that is the case, accommodation need not be provided under the law.  But the employer will not know that unless and until it engages in the interactive process and finds out. Following predetermined policies and rules might seem to be the essence of fairness.  But when it comes to accommodations of disabilities, employers who follow rules too inflexibly can get into trouble.  One rule that employers should always follow is to engage in good faith in the “interactive process.”

If the recent and tragic shootings at an office holiday party in San Bernardino, California, and at a lawn care company in Kansas have taught us anything, it is that these unfortunate incidents of workplace violence are becoming more and more commonplace.  In addition to the devastating human cost of these tragedies, workplace violence can also bring significant liability for employers. According to the Occupational Safety and Health Administration, workplace violence is responsible for $55 million in lost wages each year.  When the cost of lost productivity, legal expenses, property damage, diminished public image, and increased security are factored in, workplace violence costs the American workforce approximately $36 billion dollars per year. Among other sources of potential liability, employers may be cited by OSHA for violating the “General Duty Clause” of the OSH Act, which requires employers to maintain workplaces free from “recognized hazards” that are likely to cause death or serious physical harm to employees.  OSHA has previously published guidance citing certain types of workplace violence as recognized hazards for “heightened-risk industries,” which include healthcare and social services, late-night retail establishments, and taxi and for-hire drivers.  But an employer in any industry may be considered to have a recognized hazard of workplace violence based on factors like previous incidents, employee complaints, injury and illness data, prior corrective actions, and its own safety rules and policies. Last month, Bond attorneys presented a breakfast briefing on workplace violence at 12 locations across the state, providing guidance on developing an action plan to address workplace violence, identifying the potentially violent employee, and best practices for responding to an incident of violence in the workplace.  To avoid liability and prevent the unthinkable, employers should start taking steps to develop a workplace violence prevention program.

The U.S. Department of Labor recently issued its final regulations revising the white collar exemptions under the Fair Labor Standards Act.  Although the final regulations significantly raise the salary threshold for the administrative, professional, executive, and computer employee exemptions, employers can take some solace in the fact that the increase is actually lower than the one proposed by the USDOL last summer.  In addition, employers who still have extensive work to do in order to prepare for the implementation of the final regulations will have more time to do so than expected.  The final regulations will not become effective until December 1, 2016, which gives employers more than six months to make decisions regarding whether to increase salaries to retain the exemptions or reclassify formerly exempt employees as non-exempt. The USDOL's proposed regulations issued last summer set the minimum salary to qualify for the white collar exemptions at the salary level equal to the 40th percentile of earnings for full-time salaried workers in the United States.  The final regulations set the minimum salary to qualify for the white collar exemptions at the salary level equal to the 40th percentile of earnings for full-time salaried workers in the lowest-wage Census Region of the United States.  So, instead of the salary threshold increasing to approximately $970.00 per week as anticipated, the salary threshold for the administrative, professional, executive, and computer employee exemptions will increase to $913.00 per week (which amounts to $47,476 per year) effective December 1, 2016.  Although this salary increase is slightly more palatable to employers than the proposed salary increase, it is still a significant increase from the current federal minimum salary level of $455.00 per week to qualify for the white collar exemptions and the current New York minimum salary level of $675.00 per week to qualify for the administrative and executive exemptions.  Teachers, lawyers, and doctors will continue to not be subject to this minimum salary requirement. The USDOL's proposed regulations set the minimum salary to qualify for the highly compensated employee exemption at the salary level equal to the 90th percentile of earnings for full-time salaried workers in the United States.  This did not change in the final regulations.  Effective December 1, 2016, the minimum salary to qualify for the highly compensated employee exemption will be increased from $100,000 per year to $134,004 per year. The USDOL's proposed regulations included a provision that would have automatically raised the minimum salary levels to qualify for the white collar exemptions from year to year without further rulemaking.  The USDOL's final regulations still provide for automatic increases, but instead of occurring every year, these automatic increases will occur every three years beginning on January 1, 2020.  The automatic increases will continue to be based on the 40th percentile of earnings for full-time salaried workers in the lowest-wage Census Region of the United States to qualify for the executive, administrative, professional, and computer employee exemptions, and the 90th percentile of earnings for full-time salaried workers in the entire United States to qualify for the highly compensated employee exemption.  Although this will still force employers to evaluate their exempt workforces on a periodic basis to determine whether to reclassify employees as non-exempt, going through this process every three years instead of every single year will ease this burden slightly. Currently, employers are not permitted to count commissions, bonuses, and other forms of incentive compensation toward the minimum weekly salary for an employee to qualify for the executive, administrative, professional, and computer employee exemptions.  However, the USDOL's final regulations allow employers to satisfy up to 10% of the new salary threshold by the payment of non-discretionary bonuses, incentives, and commissions that are paid quarterly or more frequently.  Employers should take this into consideration when deciding how to restructure the compensation of exempt employees in order to retain the white collar exemptions. The final rule does not include any revisions to the outside sales exemption, so employees who are engaged in the primary duty of making sales outside the workplace will continue to not be subject to a minimum salary requirement to qualify for the exemption.  In addition, although the USDOL solicited comments about whether revisions should be made to the duties tests for the white collar exemptions, the final rule leaves the duties requirements untouched. Employers should keep in mind that they have many options when evaluating compliance with the new white collar exemption regulations.  One of those options is to convert salaried exempt employees to hourly non-exempt employees and do so at an hourly rate that will not raise the total personnel expense for their business.  Of course, that means that the hourly rate will need to be set low enough to account for straight time pay for the first 40 hours per work week and overtime pay for hours worked in excess of 40 hours per work week, without raising an employee’s total average weekly earnings above the current salary.  In other words, many of the 4.2 million employees who will potentially now be eligible for overtime pay may find that they will not earn any more than they did when they were exempt employees who were ineligible for overtime pay.

President Obama on May 11 signed into law the Defend Trade Secrets Act (DTSA) of 2016. This is truly a landmark law; one that expands the federal remedies companies can pursue to halt the theft of trade secrets vital to a company’s operation and financial security. DTSA received unprecedented bipartisan support, with passage by 87-0 in the Senate, 410-2 in the House of Representatives.

This new law recognizes the vital role that trade secrets play in generating billions of dollars in annual revenues and millions of jobs as a key component of our national – and local – economy. It also comes in response to several high profile cases which demonstrate how vulnerable U.S. companies are from internal and external cyber-threats.

A trade secret is anything which gives a company a competitive advantage and is kept confidential, including a design, formula, manufacturing process, financial data, or customer information. Prior to DTSA, trade secrets did not receive the same protections afforded to other forms of intellectual property such trademarks, copyrights, and patents.

DTSA provides the first ever federal civil statutory remedies for theft of trade secrets. These remedies exceed those which may have been previously available under state law, including aggressive ex parte seizure mechanisms similar to those used to seize counterfeit goods under trademark law, exemplary damages, and attorney fees.

There is a caveat: imbedded within the text of DTSA is a warning that if you fail to include whistleblower immunity notice in any agreement with an employee that governs the use of a trade secret or other confidential information you will not be able to take advantage of the exemplary damages and attorney fees available under DTSA.

This notice must inform the employee, among other things, that he or she cannot be held liable under any trade secret law for the disclosure of a trade secret that is made (1) in confidence to a government official or to an attorney for the sole purpose of reporting a suspected violation of law or (2) in a document in a lawsuit or proceeding filed under seal.

Non-compete and non-disclosure agreements play a key role in protecting a company’s trade secrets. The law governing the enforceability of these agreements is constantly changing. Failure to revise these agreements periodically could have disastrous consequences. The passage of DTSA provides yet another reason why you need to review and revise your agreements to maximize the protections available. A simple and cost effective way to have your agreements reviewed, along with your physical and digital security measures, is through Bond Schoeneck & King’s innovative Trade Secret Protection Audit.  

Most employers traditionally have had little to no interaction with the Occupational Safety and Health Administration (OSHA), the federal agency tasked with overseeing workplace safety.  Unless they were inspected by OSHA -- and the 35,820 inspections conducted in FY 2015 pales in comparison to the tens of millions of employers across the country -- most businesses, particularly smaller businesses, may have gone for many years without interacting with the agency.  But that is about to change. Currently, most employers other than those in partially-exempt industries are required to maintain injury and illness reporting records on a log (OSHA Form 300), with supporting documentation (OSHA Form 301, or other equivalent document such as workers compensation records).  Each employer then summarizes that information each year onto OSHA Form 300A, which the employer then posts at the workplace from February 1 to April 30.  Other than serious injuries such as amputations, fatalities, or accidents requiring hospitalization, which require more immediate reporting, employers have not been required to submit injury and illness data to OSHA.  Now, however, many businesses will have to submit injury and illness information periodically to OSHA electronically.  Not only that, but OSHA also will post this information online. The reporting changes affect businesses depending on their size and classification:

• Businesses with 250 or more employees.  These businesses will have to submit the annual summary form 300A electronically by July 1, 2017; submit the Forms 300, 301, and 300A electronically by July 1, 2018; and then submit Forms 300, 301, and 300A by March 2 annually thereafter.
• Businesses with 20-249 employees in “high-hazard” industries.  OSHA has compiled a long list of high-hazard industries, including but not limited to hospitals, nursing homes, long-term care facilities, agriculture, utilities, construction, manufacturing, grocery stores, department stores, transportation companies, that must also submit information electronically if they have 20-249 employees, albeit less information than larger businesses.  These businesses need only submit Form 300A by July 1, 2017 and July 1, 2018, and then continue submission of Form 300A each year by March 2 thereafter.

In determining business size, the final rule states:  “each individual employed in the establishment at any time during the calendar year counts as one employee, including full-time, part-time, seasonal, and temporary workers.” OSHA claims that Personally Identifiable Information will be removed before the data it receives is released on its web site, but OSHA’s stated reliance on software to perform this function has raised concerns with employers and privacy advocates alike.  Also, it is unclear as to what form OSHA’s online publication will take, and how third parties may seek to utilize this information. The above rule revisions represent a sea change in employers’ interaction with OSHA regarding injury and illness reporting.  But OSHA did not stop there.  OSHA also published changes in its final rule, effective August 10, 2016, that affect all employers, regardless of size:

• Employers must establish a “reasonable” procedure for employees to report work-related injuries and illnesses, and inform employees of that procedure.  The rule states that “[a] procedure is not reasonable if it would deter or discourage a reasonable employee from accurately reporting a workplace injury or illness.”
• Employers must inform employees of their right to report work-related injuries and illnesses free from retaliation.  OSHA has issued a Fact Sheet stating this obligation may be met by posting the “OSHA Job Safety and Health — It’s The Law” poster from April 2015 or later.
• The rule also adds a provision prohibiting discrimination against an employee for reporting a work-related injury, filing a safety or health complaint, or asking to see the employer’s injury and illness logs.

These provisions have raised additional concerns for employers.  The rule regarding “reasonable” procedures is targeted at employers’ safety incentive plans.  If an employer has a safety incentive plan wherein employees get a bonus, or days off, or an award, if the employee, department, or company has a certain number of days without injury -- so the theory goes -- employees may be hesitant to report injuries and illnesses.  It is precisely these kind of incentive plans the new rule intends to eliminate.  In addition, Section 11(c) of the Occupational Safety and Health Act, which has certain requirements before OSHA can initiate enforcement action against an employer in federal district court, has been the exclusive provision for employees to make complaints about retaliation for exercising their rights under the Act.  To the extent that OSHA now intends to issue citations against employers under a different process -- and even if an individual employee has not alleged or filed a Section 11(c) retaliation complaint -- this will be another sea change in enforcement. The bottom line is this:  employers with 20 or more employees in “high-hazard” industries, and with 250 or more employees in all industries, will have to report their injury and illness information electronically by July 1, 2017, which will be made available to the public in some form with personally identifiable information about employees removed.  And, all employers, regardless of size, should review their handbooks, safety incentive plans, and incident reporting policies to ensure they provide a “reasonable procedure for employees to report work-related injuries and illnesses.”

It seems as though we hear about new cybersecurity issues every day -- from traditional hacking incidents to the increasingly sophisticated phishing, malicious apps and websites, social engineering, and ransomware attacks.  Employee benefit plan sponsors likely have a fiduciary duty to ensure participant information and plan assets are protected from the growing number of cyber threats (to the extent possible, given the ever-changing cybersecurity landscape), AND, perhaps more importantly, that there is a plan in place to respond to a data breach and mitigate any associated damages. For many years now, health plan sponsors have been subject to a variety of privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”).  Health plan sponsors are (among other things) required to enter into contracts with TPAs and other service providers called “business associate agreements” that spell out the parties’ obligations under HIPAA in connection with the plan’s HIPAA-protected information or “PHI.” Notwithstanding HIPAA’s broad scope, it is important to note that HIPAA only establishes the floor (i.e., the bare minimum requirements) when it comes to privacy and security of PHI.  Health plan sponsors also should consider including references to state data breach notification laws and cyber liability insurance in business associate agreements (or related services agreements) in addition to the HIPAA minimums. Although HIPAA does not extend to retirement plans, and retirement plan sponsors are not required to enter into specific agreements with TPAs governing the privacy and security of participants’ personally identifiable information or “PII,” ERISA’s fiduciary duties nonetheless likely apply.  Although the DOL has yet to weigh in on fiduciary duties raised by cybersecurity issues, retirement plan sponsors should consider including both “HIPAA-like” and expanded cybersecurity provisions in contracts with TPAs that govern the privacy and security of participants’ PII and plan assets.  Examples include, but are not limited to, provisions that:  (1) address the TPA’s data security policies and procedures; (2) restrict the use of and access to PII; (3) explain the TPA’s obligations in the event of a data breach or security incident (i.e., investigation, notification of the plan sponsor and participants, mitigation, remediation, etc.); (4) specify liability for cybersecurity incidents, including the requirement to maintain adequate cyber liability insurance; and (5) provide for the ability to terminate the applicable services agreement, without additional or early termination fees, in the event of a data breach or other security incident, at the discretion of the plan sponsor. Finally, in recognition of the fact that participant information also needs to be protected while in the hands of the plan sponsors (including from their employees as well as external cyber threats), plan sponsors should include any plan-related PHI or PII in their organizational cybersecurity efforts.

Inherent in all employment relationships is the fact that employers are privy to all sorts of confidential information about their employees.  For example, in order to do something as simple as paying an employee’s wages, an employer will generally need to know the employee’s social security number, and, in cases of direct wage deposit, will also need to know the employee’s bank account information.  Employers also often come into possession of confidential medical information in connection with employees’ requests for medical leaves of absence under the Family and Medical Leave Act, or when engaging in the “interactive process” with disabled employees who have requested accommodation for their disabilities. Because employers are necessarily privy to confidential employee information, they are also inherently at risk for unauthorized disclosure of such information to others.  Especially with all of the news in recent months about consumer and employee data breaches, employers should question whether the security measures they have in place to protect private employee information are actually sufficient. But even those employers who have generally taken appropriate security measures are not necessarily immune from potential liability and are still at risk for potential disclosure of confidential information.  Take, for example, the situation where an employer, who has otherwise implemented appropriate controls to protect confidential information, is undergoing maintenance of its IT system, and during the maintenance process certain file access restrictions are temporarily disabled.  That is precisely the situation that occurred in Tank Connection, LLC v. Haight, a case that was decided by the U.S. District Court for the District of Kansas on February 5, 2016. The employer in Tank Connection, a manufacturer of above-ground storage tanks with approximately 300 employees, was like many other employers with regard to how it limited employee access to its IT systems:  “Each employee's computer was password protected.  Access to data on the server was controlled by user-account privileges (Microsoft Active Directory).  The user accounts were set up with standard authentication practices including user name and password.”  The company also had certain IT directories and files that were only accessible to Tank Connection’s president and network administrator because they contained confidential and proprietary information.  So far, so good.  But here comes the problem.  When the company changed its IT servers, certain security settings were not correctly transferred from the old server to the new, and a file whose access was previously restricted to the president and network administrator was now accessible to employees.  Unfortunately, this mistake was not discovered by the company until after a particular employee, who was leaving the company to work for a competitor, accessed and copied confidential information from the file just prior to leaving Tank Connection. When the mistake was ultimately discovered, Tank Connection took legal action to recover the information from the now former employee.  The company claimed that notwithstanding the mistake with the IT server, the employee accessed the information without authorization and essentially “stole” it from the company.  But the court ultimately rejected this claim, reasoning:  “The problem with Tank Connection's argument that [the employee] exceeded his authorized access is that it is premised upon a restriction that was supposed to be incorporated into its network settings, but which in fact was not. . . .  The fact that Tank Connection inadvertently provided [this employee] with access to the folder did not restrict or limit his authority.  Nor does the fact that [the employee] apparently accessed these folders for purposes contrary to Tank Connection’s interests amount to evidence that he exceeded ‘authorized access.’” In other words, despite Tank Connection’s intent to maintain confidentiality of the file, the inadvertent mistake that occurred with the IT server resulted in the company failing to properly protect the confidential information and exposing it to potential disclosure and misuse. An important lesson should be learned from the Tank Connection, LLC case -- actions speak louder than intentions with regard to maintaining confidentiality.  Even an employer’s best intentions to protect the confidentiality of employee information can go awry and will be rendered meaningless if the employer’s actions do not actually safeguard the information at issue.  To ensure that intentions match actions, employers should regularly audit their information security protocols, including all security measures in effect on their IT systems to protect confidential employee information kept in electronic form, to ensure the continued functionality of such measures and make sure that what they think is in place actually is.

On April 4, 2016, Governor Cuomo signed legislation, as part of the 2016-2017 state budget, enacting a $15.00 minimum wage plan and a 12-week paid family leave benefit. Minimum Wage Increase The legislation includes a historic increase in the minimum wage (currently $9.00 per hour) that will ultimately reach $15.00 per hour for all workers in New York State.  The increases vary based on employer size and geographic location as follows:

• For large employers (11 or more employees) whose employees work in New York City, the state minimum wage will increase to $11.00 per hour on December 31, 2016, $13.00 per hour on December 31, 2017, and $15.00 per hour on December 31, 2018.
• For small employers (10 or fewer employees) whose employees work in New York City, the state minimum wage will increase to $10.50 per hour on December 31, 2016, $12.00 per hour on December 31, 2017, $13.50 per hour on December 31, 2018, and $15.00 per hour on December 31, 2019.
• For employers with employees working in Nassau, Suffolk, and Westchester Counties, the state minimum wage will increase to $10.00 per hour on December 31, 2016, $11.00 per hour on December 31, 2017, $12.00 per hour on December 31, 2018, $13.00 per hour on December 31, 2019, $14.00 per hour on December 31, 2020, and $15.00 per hour on December 31, 2021.
• For all employers with employees working outside of New York City and Nassau, Suffolk, and Westchester counties, the state minimum wage will increase to $9.70 per hour on December 31, 2016, $10.40 per hour on December 31, 2017, $11.10 per hour on December 31, 2018, $11.80 per hour on December 31, 2019, and $12.50 per hour on December 31, 2020.  The minimum wage will continue to increase to $15.00 thereafter on an indexed schedule to be set by the Director of the Budget in consultation with the Commissioner of the Department of Labor.  These increases will be published on or before October 1^st of each year.

The legislation also includes a safety measure allowing the Division of Budget, beginning in 2019, to conduct an annual analysis to determine whether there should be a temporary suspension or delay in any scheduled increases.  These minimum wage increases do not affect the timing and amounts of the minimum wage increases for fast food workers that were incorporated into the Hospitality Industry Wage Order effective December 31, 2015. Paid Family Leave In addition to a gradual increase in the minimum wage, a paid family leave program was enacted that will eventually result in eligible employees being entitled to up to 12 weeks of paid family leave when they are out of work for the following qualifying reasons:  (1) to care for a family member with a serious health condition; (2) to bond with a child during the first 12 months following birth or placement for adoption or foster care; or (3) because of a qualifying exigency arising out of the fact that the employee’s spouse, domestic partner, child, or parent is on active duty (or has been notified of an impending call or order to active duty) in the armed forces. In order to be eligible for paid family leave, employees must work for a covered employer – as defined under the New York Disability Law – for 26 or more consecutive weeks.  Family leave benefits will be phased in as follows:

• Beginning on January 1, 2018, eligible employees will receive up to 8 weeks of paid family leave in a 52-week calendar period at 50% of the employee’s average weekly wage, capped at 50% of the state average weekly wage;
• Beginning on January 1, 2019, eligible employees will receive up to 10 weeks of paid family leave in a 52-week calendar period at 50% of the employee’s average weekly wage, capped at 50% of the state average weekly wage;
• Beginning on January 1, 2020, eligible employees will receive up to 10 weeks of paid family leave in a 52-week calendar period at 60% of the employee’s average weekly wage, capped at 60% of the state average weekly wage; and
• Beginning on January 1, 2021 and each year thereafter, eligible employees will receive up to 12 weeks of paid family leave in a 52-week calendar period at 67% of the employee’s average weekly wage, capped at 67% of the state average weekly wage.

Like with the minimum wage increase, the legislation includes a safety measure whereby the Superintendent of Financial Services has the discretion to delay the scheduled increases listed above. Family leave benefits may be payable to employees for family leave taken intermittently or for less than a full workweek in increments of one full day or one-fifth of the weekly benefit.  Significantly, employers are not required to fund any portion of this benefit.  Rather, the program is funded entirely through a nominal employee payroll deduction.  The maximum employee contribution will be set by the Superintendent of Financial Services on June 1, 2017 and annually thereafter. Entitlement to paid family leave is also subject to certain medical certification and notification requirements.  Paid family leave benefits must be used concurrently with leave under the Family and Medical Leave Act.  In addition, employees are prohibited from collecting disability and paid family leave benefits concurrently. In addition to paid leave, this legislation contains a provision for the continuation of health benefits which provides as follows:  “In accordance with the Family and Medical Leave Act (29 U.S.C. §§ 2601-2654), during any period of family leave the employer shall maintain any existing health benefits of the employee in force for the duration of such leave as if the employee had continued to work from the date he or she commenced family leave until the date he or she returns to employment.” Lastly, employees who take paid family leave must be restored to their current position or to a comparable position with equivalent pay, benefits, and other terms and conditions of employment. Clearly, there are a lot of questions that remain unanswered regarding the paid family leave program.  However, covered employers should begin to prepare for the implementation of this legislation.