It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”  Upon adoption by the NAIC, the NYSDFS regulations requiring that NYS financial organizations have in place a written and implemented cyber security program will gain further traction toward setting a nationwide standard for cyber security and breach notification.  Indeed, although there are differences, the NAIC drafters emphasized that any Licensee in compliance with the NYSDFS “Cybersecurity Requirements for Financial Services Companies” will also be in compliance with the model law.

The NAIC Working Committee expressed a preference for a uniform nationwide standard: “This new model, the Insurance Data Security Model Law, will establish standards for data security and investigation and notification of a breach of data security that will apply to insurance companies, producers and other persons licensed or required to be licensed under state law. This model, specific to the insurance industry, is intended to supersede state and federal laws of general applicability that address data security and data breach notification. Regulated entities need clarity on what they are expected to do to protect sensitive data and what is expected if there is a data breach.  This can be accomplished by establishing a national standard and uniform application across the nation.”  Other than small licensees, the only exemption is for Licensees certifying that they have in place an information security program that meets the requirements of the Health Insurance Portability and Accountability Act.  According to the Committee, following adoption, it is likely that state legislatures throughout the nation will move to adopt the model law.

The model law is intended to protect against both data loss negatively impacting individual insureds, policyholders and other consumers, as well as loss that would cause a material adverse impact to the business, operations or security of the Licensee (e.g., trade secrets).  Each Licensee is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for the protection of non-public information and the Licensee’s information system.  The formalized risk assessment must identify both internal threats from employees and other trusted insiders, as well as external hacking threats.  Significantly, the model law recognizes the increasing trend toward cloud-based services by requiring that the program address the security of non-public information held by the Licensee’s third-party service providers.  The model law permits a scalable approach that may include best practices such as access controls, encryption, multi-factor authentication, monitoring, penetration testing, employee training and audit trails.

In the event of unauthorized access to, disruption of, or misuse of the Licensee’s electronic information system or non-public information stored on such system, notice must be provided to the Licensee’s home State within 72 hours.  Other impacted States must be notified where the non-public information involves at least 250 consumers and there is a reasonable likelihood of material harm.  The notice must specifically and transparently describe, among other items, the event date, a description of the information breached, how the event was discovered, the period during which the information system was compromised, and remediation efforts.  Applicable data breach notification laws requiring notice to the affected individuals must also be complied with.

Our colleague Michelle Capezza of Epstein Becker Green authored an article in Confero, titled “Managing Employee Benefits in the Face of Technological Change.”

Following is an excerpt – click here to download the full article in PDF format:

There are many employee benefits challenges facing employers today, from determining the scope and scale of traditional benefits programs to offer that will attract, motivate and retain multigenerational employees, to embracing new models for defining and providing benefits, while simultaneously managing costs. In the midst of these challenges is the wave of technological change that is impacting all areas of the workplace, including human resources and benefits. In recent years, many new technological tools have emerged to aid in the administration of benefit plans, delivery of participation communications, as well as provide education and advice. These tools often require collection of sensitive data or allow employees to provide personal information in an interactive environment, such as:

  • Benefits, HR and payroll software, and plan recordkeeping systems
  • Online and mobile applications for benefits enrollment and benefits selection assistance
  • Social media tools and applications for benefits information and education
  • Online investment allocation tools, robo advisors, financial platforms
  • Telehealth and wellness programs

These and other advancements are a sign of the times. While they appeal to employees, reduce burdens on employers, and assist in driving down program costs, organizations must be mindful that cyberattacks on benefit plans and participant information have occurred and measures should be taken to protect against such data breaches.

Our colleague Sharon L. Lippett, at Epstein Becker Green, has a post on the Financial Services Employment Law blog that will be of interest to many of our readers, technology industry employers and plan sponsors: “Plan Sponsors: Potential Targets for IRS Compliance Examinations.”

Following is an excerpt:

The IRS recently released the Tax Exempt and Government Entities FY 2018 Work Plan (the “2018 Work Plan”), which provides helpful information for sponsors of tax-qualified retirement plans about the focus of the IRS’ 2018 compliance efforts for employee benefit plans.  While the 2018 Work Plan is a high-level summary, it does address IRS compliance strategies for 2018 and should assist plan sponsors in administering their retirement plans.…

Read the full post here.

New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018 and have in place a written cybersecurity program by April 4, 2018. The program must identify and assess internal and external cybersecurity risks that may threaten non-public information, including personally identifying consumer information. The program must include provisions that address data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, as well as other mandated areas.

Because the elements required to be addressed in the program are comprehensive, credit reporting agencies should begin the process of developing the program now to meet the April 4, 2018 deadline. Moreover, once the program is in place, the regulations also mandate phase-in implementation dates for additional minimum protective standards that must be met.  These include requirements for annual penetration testing, bi-annual vulnerability assessments, limitations on data retention, encryption of non-public information and system-generated audit trails to detect and respond to cybersecurity events.

Each agency must conduct a risk assessment of its information systems to include criteria for the evaluation and categorization of identified internal and external threats facing the organization. The risk assessment must describe how identified risks will be mitigated or accepted and how the program will address those risks.  Significantly, the risk assessment must not only address external hacking threats, but also require the identification and mitigation of risks posed by employees and other insiders, such as trusted vendors and independent contractors.  For example, employees who remotely access internal networks must be subject to multi-factor authentication or other “reasonably equivalent or more secure access controls.”

Each organization must also designate a qualified person as a Chief Information Security Officer responsible for implementation and enforcement of the program. The CISO will ultimately be responsible for responding to requests for “examination by the Superintendent of Financial Services as often as the Superintendent may deem it necessary.”  There are also breach notification requirements, as well as a mandate that the Board of Directors or a Senior Officer annually certify compliance with the cybersecurity regulations.  Failure to comply may result in revocation of the agency’s authorization to do business with New York’s regulated financial institutions and consumers.

Stay tuned to see whether New York State’s call to action takes hold across the nation. In the meantime, you may find the governor’s press announcement by clicking here.

When: Thursday, September 14, 2017 8:00 a.m. – 4:30 p.m.

Where: New York Hilton Midtown, 1335 Avenue of the Americas, New York, NY 10019

Epstein Becker Green’s Annual Workforce Management Briefing will focus on the latest developments in labor and employment law, including:

  • Immigration
  • Global Executive Compensation
  • Artificial Intelligence
  • Internal Cyber Threats
  • Pay Equity
  • People Analytics in Hiring
  • Gig Economy
  • Wage and Hour
  • Paid and Unpaid Leave
  • Trade Secret Misappropriation
  • Ethics

We will start the day with two morning Plenary Sessions. The first session will be kicked off by Philip A. Miscimarra, Chairman of the National Labor Relations Board (NLRB).

We are thrilled to welcome back speakers from the U.S. Chamber of Commerce. Marc Freedman and Katie Mahoney will speak on the latest policy developments in Washington, D.C., that impact employers nationwide during the second plenary session.

Morning and afternoon breakout workshop sessions will be led by attorneys at Epstein Becker Green – including some contributors to this blog! Commissioner of the Equal Employment Opportunity Commission, Chai R. Feldblum, will be making remarks in the afternoon before attendees break into their afternoon workshops. We are also looking forward to hearing from our keynote speaker, Bret Baier, Chief Political Anchor of FOX News Channel and Anchor of Special Report with Bret Baier.

View the full briefing agenda and workshop descriptions here.

Visit the briefing website for more information and to register, and contact Sylwia Faszczewska or Elizabeth Gannon with questions. Seating is limited.

Our colleague Joshua A. Stein, a Member of the Firm at Epstein Becker Green, has a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the technology industry: “Start Spreading the News – EDNY Denies Motion to Dismiss Website Accessibility Complaint.”

Following is an excerpt:

While the ADA finished celebrating its 27th anniversary at the end of July, for plaintiffs looking to bring website accessibility complaints in New York the party is still ongoing. Following on the heels of last month’s decision of the U.S. District Court for the Southern District of New York in Five Guys, Judge Jack B. Weinstein of the U.S. District Court for the Eastern District of New York, in Andrews vs. Blick Art Materials, LLC, recently denied a motion to dismiss a website accessibility action, holding that Title III of the ADA (“Title III”), the NYS Human Rights Law and the New York City Human Rights Law all apply to websites – not only those with a nexus to brick and mortar places of public accommodation but also to cyber-only websites offering goods and services for sale to the public. …

Read the full post here.

Employers across all industries are deep in the midst of exciting but unchartered and fluid times. Rapid and unforeseen technological advancements are largely responsible for this dynamic. And while there is a natural tendency to embrace their novelty and potential, the reality is that these advancements are often outpacing our regulatory environment, our bedrock legal constructs, and, in some cases, challenging the traditional notions of work itself.

For employers, this presents numerous challenges and opportunities—from the proper design of the portfolio of the modern workforce, to protecting confidential information in an increasingly vulnerable digital world, to managing resources across less and less predictable borders, and to harnessing (while tempering the power of) intelligence exhibited by machines.

The time is now (if not yesterday!) to develop a long-term strategy to help navigate these current issues and anticipate the challenges and opportunities of the future.

The articles in this Take 5 include:

  1. Embracing the Gig Economy: You’re Already a Player in It (Yes, You!)
  2. AI in the Workplace: The Time to Develop a Workplace Strategy Is Now
  3. Best Practices to Manage the Risk of Data Breach Caused by Your Employees and Other Insiders
  4. News Media Companies Entering the Non-Compete Game
  5. Employers Dodge Bullet in Recent U.S. Supreme Court Travel Ban Order

Read the full Take 5 online or download the PDF.

Our colleague Joshua A. Stein, a Member of the Firm at Epstein Becker Green, has a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the technology industry: “As the ADA Turns 27, Recent Developments Suggest No End to Website Accessibility Lawsuits.”

Following is an excerpt:

Today marks the 27th Anniversary of the Americans with Disabilities Act (ADA).  Unfortunately for businesses, two recent developments in the context of website accessibility suggest that there is no reason to celebrate and every reason to believe the ever-increasing wave of demand letters and lawsuits in this area will continue unabated.

First, in Lucia Marett v. Five Guys Enterprises LLC (Case No. 1:17-cv-00788-KBF), the U.S. District Court for the Southern District of New York has finally issued a decision directly speaking to the applicability of Title III of the ADA (Title III) to websites, denying Five Guys’ motion to dismiss, and holding that Title III does indeed apply to websites.  Facing a class action lawsuit brought by serial plaintiff, Lucia Marett, Five Guys sought to dismiss the claim that its website (which, among other things, allows customers to order food online for delivery or pick up at its brick and mortar stores) violated Title III and related state/local statutes because it is inaccessible to the blind, on the grounds that Title III does not apply to websites and, even if it did, the case was moot because Five Guys was in the process of updating its website to provide accessibility.  The Court rejected Five Guys’ arguments.  Citing both the text and the broad and sweeping purpose of the ADA, the Court held that Title III applies to websites – either as its own place of public accommodation or as a result of its close relationship as a service of Five Guys’ restaurants (which the court noted are indisputably public accommodations under Title III).  …

Read the full post here.

Our colleagues at Epstein Becker Green have a post on the Health Employment and Labor blog that will be of interest to many of our readers in the technology industry: “DFEH Publishes Materials to Assist Employers With Handling Harassment Allegations.”

Following is an excerpt:

The Department of Fair Employment and Housing (DFEH) recently released a brief, nine-page guide for California employers, which was prepared in conjunction with the California Sexual Harassment Task Force. This guide is intended to assist employers in developing an effective anti-harassment program, including information about how to properly investigate reports of harassment and understand what recourse is available. The guide addresses all forms of workplace harassment, including harassment based on sex. …

Read the full post here.

Our colleagues at Epstein Becker Green, including Corben J. Green, have a post on the Retail Labor and Employment Law blog that will be of interest to many of our readers in the technology industry: “The Department of Consumer Affairs Publishes Rules Governing FIFA.”

Following is an excerpt:

On May 15th, the Freelance Isn’t Free Act (“FIFA”) went into effect in New York City. The Department of Consumer Affairs (“DCA”) recently issued guidelines to help employers comply with the law. …

As previously explained, FIFA requires parties that retain freelance workers to provide any service where the contract between them has a value of $800 or more to reduce their agreement to a written contract. Under the DCA guidelines, the value of the contract includes “the reasonable value of all actual or anticipated services, costs for supplies, and any other expenses under the contract.” …

Read the full post here.