Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax related information to commit identity theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive. The email is sent to an employee in the Human Resources or Payroll departments, requesting a list of employees and their Forms W-2. The IRS reports that the phony email may also request the names and social security numbers of employees with their addresses and dates of birth. Since the email is disguised to be from an internal email address, should the HR or Payroll employee respond with the information it will actually be sent out of the organization to a cybercriminal. The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that the sending of employees’ confidential tax related information by email only be done with 100% confidence that the intended recipient is within the organization and has requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Form W-2s and tax related information.  One simple protective measure may be that a phone call confirmation is required before hitting the send button.  As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel related PII and provide workforce training to protect against data breaches and fraudulent schemes.  In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies providing for use of encryption when sending personnel related PII by email.  The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well thought out strategy is the best defense.
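The recipient check described above can be partly automated at the mail gateway. The following is an added example, not part of the IRS alert or the original post: it looks at where a reply to a request would actually be delivered and decides whether the request may proceed. The domain `example.com`, the executive list, the function names and the sample messages are constructed, and it assumes the spoof relies on a `Reply-To` header or an external `From` address carrying an executive's display name.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example.com"      # assumption: the organization's mail domain
EXECUTIVES = {"pat rivera"}     # constructed list of executive display names
# Terms for the data the alert says the phony email requests.
PII_TERMS = re.compile(r"\bw-?2s?\b|social security|\bssn\b|dates? of birth", re.I)


def is_internal(addr):
    """True only on an exact domain match, so look-alike domains fail."""
    return "@" in addr and addr.rpartition("@")[2].lower() == ORG_DOMAIN


def reply_targets(msg):
    """Addresses a reply is really sent to: Reply-To overrides From."""
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return [addr for _, addr in getaddresses(headers) if addr]


def body_text(msg):
    """Plain-text body of a simple or multipart message."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(str(p.get_payload()) for p in parts)
    return str(msg.get_payload())


def review_request(raw):
    """Return an action (deliver, phone_confirm, block) with the findings."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    targets = reply_targets(msg)
    external = [a for a in targets if not is_internal(a)]
    leaves_org = bool(external) or not targets
    asks_for_pii = bool(PII_TERMS.search(msg.get("Subject", "") + "\n" + body_text(msg)))

    findings = []
    if display.strip().lower() in EXECUTIVES and not is_internal(from_addr):
        findings.append("executive display name on an external From address")
    if is_internal(from_addr) and external:
        findings.append("internal-looking From, but replies go to " + ", ".join(external))
    if asks_for_pii:
        findings.append("asks for W-2, SSN or date-of-birth data")

    if asks_for_pii and leaves_org:
        action = "block"            # the reply would leave the organization
    elif asks_for_pii:
        action = "phone_confirm"    # internal, but confirm by phone before sending
    else:
        action = "deliver"
    return {"action": action, "findings": findings}


# Constructed sample messages.
SPOOFED_REPLY_TO = """\
From: Pat Rivera <pat.rivera@example.com>
Reply-To: pat.rivera@example-payroll.test
To: hr@example.com
Subject: W-2 request

Please send me the list of employees and their Forms W-2 today.
"""

SPOOFED_DISPLAY_NAME = """\
From: Pat Rivera <ceo.office@example.com.mailbox.test>
To: hr@example.com
Subject: Employee list

Kindly send names and social security numbers of all staff.
"""

INTERNAL_REQUEST = """\
From: Pat Rivera <pat.rivera@example.com>
To: hr@example.com
Subject: Year-end copies

Can you send me the W2s for my team?
"""

ROUTINE = """\
From: Pat Rivera <pat.rivera@example.com>
To: hr@example.com
Subject: Staff meeting

Moving Thursday's meeting to 3pm.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_REPLY_TO, SPOOFED_DISPLAY_NAME, INTERNAL_REQUEST, ROUTINE):
        print(review_request(sample))
```

Even a request that passes the domain check is only released to the phone-confirmation step, matching the procedure recommended above.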

For years, companies have been struggling to understand the multitude of locations where their data resides. From traditional employment files with embedded Social Security numbers, to new-aged hiring software with videos of job applicants, and enterprise software used to facilitate employee communications, controlling employee, customer, and corporate data is, to say the least, a logistical challenge. One of the newest entries into the mix is the increased use of ShadowIT and cloud-based storage systems.

ShadowIT involves workers’ use of unsanctioned products and applications to perform the work of the business enterprise. In other words, ShadowIT occurs when employees use their personal emails and applications, such as a cloud-based storage system, instead of company-approved solutions. According to a recent survey, about one-third of IT use is considered ShadowIT. Whether responding to a subpoena in a wage and hour dispute, attempting to safeguard previous corporate secrets, or analyzing the extent of a data breach, a company’s failure to understand the scope and location of ShadowIT data could be problematic. Companies should have policies in place regarding employees’ (and other workers’) use of unapproved applications, but there should also be an understanding that a policy is not a panacea.

For data storage, recent studies show that most organizations are using over 1,000 cloud-based services. Indeed, one such study found that an average organization had 1,154 cloud services in use. This large number demonstrates that companies must manage the sheer volume of data in the cloud or potentially be exposed to liability.

Companies must also think about physical storage when a laptop or a phone is stolen and suddenly control over data on that item is lost. One leaked file in California, for example, could require a company to send out a data breach notification to millions of customers in California (an issue magnified under varying state laws as well in the current landscape). No overall system is perfect for this task, and the idea that company data can be completely controlled may be an illusory one, but there are important issues for companies to consider and sensible steps that they should take to safeguard data, including the following:

  • Survey ShadowIT Usage. Companies should consider conducting anonymous data audit surveys of employees to find out what other applications or products employees are using to perform their jobs. The company can then review its IT department to determine if it lacks the functionality for a certain program or if the problem of unsanctioned product use is simply a result of a lack of employee education as to the sanctioned products available to employees.
  • Manage ShadowIT Usage. Employees using ShadowIT or unsanctioned products create control risks for companies, and employers may consider disciplining employees for not following corporate policies on approved applications. On the other hand, having draconian disciplinary measures in an effort to maintain control over data will not necessarily stop ShadowIT use but may force it deeper undercover. Discipline could also have an adverse impact on employee engagement and retention.
  • Consider “Amnesty.” Companies should consider whether it makes sense to implement a time-limited policy, whereby employees can bring their unapproved software or application to the IT department to see if the program can be moved onto an approved list from the corporation, without the threat of discipline or sanction.
  • Review Vendor Contracts. Companies should review their contracts with vendors for approved cloud-based products and software. This may include auditing other cloud-based companies where data is stored to ensure that the company is adhering to best practices of network security. The contracts should contain data breach notification clauses, as well as indemnification agreements, when possible.
  • Train Workforce. Frequently, employees are the “weak link” in data control efforts, as they are often the cause of a data breach into a company’s secure network. Training employees about how to spot scam phishing emails and protect intellectual property can go a long way toward mitigating that risk.

Technology is constantly evolving such that there will always be a new product or service that could potentially be a benefit to employee productivity. A ShadowIT survey, while helpful, is only a look back in time. Companies need a way to address ShadowIT use as it evolves going forward. A company prohibition on ShadowIT without some method for employees to submit new products for consideration without fear of reprisal keeps the company in the dark about its data. Companies must also be mindful of the other cloud-based providers’ security protocols and the likelihood that a third party could accidentally let sensitive data out into the public domain.

A version of this article originally appeared in the Take 5 newsletter “Five Trending Challenges Facing Employers in the Technology, Media, and Telecommunications Industry.”

Featured on Employment Law This Week® –  Pokémon Go creates privacy concerns for employers.

The first mainstream augmented reality game is sweeping the nation, and the game never stops, even during work hours. Despite a recent update to the game that reduces its access to players’ Google accounts, Pokémon Go’s data collection practices are under fire from privacy advocates. The Electronic Privacy Information Center has joined the fray, calling for the FTC to investigate security risks associated with the game. In light of the popularity of the game, employers should consider adding more detail into their policies about how and where business mobile devices can be used.

Employers in the technology, media and telecommunications industry are faced with many workplace management and legal compliance challenges. Among these are trends in the shared economy and rise of the contingent workforce, data privacy and security, and use of social media in connection with recruitment, employee monitoring and termination. At the recent Epstein Becker Green 34th Annual Workforce Management Briefing held at the New York Hilton, members of the firm’s TMT Group including the authors of this post, along with in-house counsel speakers Rebecca Clar of AOL and Blake Reese of Google provided a panel workshop on these hot-button issues. Some of the key take-aways from the workshop include:

Shared Economy & Contingent Workforce

As a result of changes in the post-recession, global economy, there has been a tremendous change in how goods and services are delivered and how consumers acquire these goods and services.  As businesses try to meet these demands and save costs associated with full time employees, they have implemented many alternative work arrangements and hired workers through various means including as independent contractors,  through staffing arrangements, or temporary solutions.  Many workers also have become attracted to the flexibility that these work arrangements can provide to them.  However, employers need to be mindful of the potential pitfalls associated with the contingent workforce and take requisite steps to avoid legal risks:

  • Worker misclassifications can lead to back pay, overtime, tax, unemployment insurance, and workers compensation violations as well as employee benefit plan eligibility and coverage errors.  Ensuring that workers are properly classified is mission critical and employers should self-audit their work arrangements and benefit plans periodically for compliance.
  • The NLRB’s decision in Browning-Ferris, coupled with new “quickie” election rules and the Silicon Valley Rising movement have made for a perfect storm of issues.  As a result, TMT employers who may not currently be represented by a labor organization should be mindful that non-traditional workplaces and corporations, such as new media, may be targeted for unionizations, and/or may be brought to the bargaining table as a joint-employer who engages third-party workers.
  • Given the developments at the Department of Labor, and in particular, the proposed increase in the minimum annual salary requirement in order to meet the salary basis test of the white collar exemptions, there has never been a better and more opportune time to conduct a self-assessment audit in conjunction with counsel.

Data Privacy and Security

In the global, digital world, data privacy and security is top of mind for all organizations and their leaders.  Protecting organizational data, as well as that of employees, is imperative and development of data privacy and security policies will become the norm. The issues employers should address in their policies, as well as the ways in which they do business, include:

  • Conduct a self-audit of organizational networks and systems for security vulnerabilities and train workers on information security best practices
  • Establish audit procedures of vendors engaged to provide services to the organization and any employee benefit plan, especially where the vendor stores information in the cloud or remote data centers
  • Address data privacy and security issues in service agreements including notification procedures and indemnification provisions
  • Develop a breach response plan
  • Obtain cybersecurity insurance
  • Remember:  data privacy and security are no longer just CIO/CTO/IT issues – instead, these are topics that are increasingly becoming relevant in the employment law and employee benefits space.

Social Media and the Workplace

The use of social media by employers to review background information of prospective employees in the recruitment process, as well as ongoing activities during the employment or leading up to a termination process is highly prevalent.  It is easy for employers to search an employee’s name, background and activities on the internet but, how that information is used can have legal implications.  Employers should be mindful of the following:

  • Always rely on objective criteria set forth in a job description before conducting an online search and retain information among the recruitment team at the organization
  • Carefully document reasons for all hiring (and termination) decisions that are consistent with the job description and avoid discriminatory decision making
  • Consider separating the search and decision making functions and train employees searching to remove protected categories from summary of results, upon which hiring decision is made
  • Develop a company social media policy with counsel that is narrowly tailored to survive NLRB scrutiny, but that safeguards the company’s treasures and secrets.
  • Employers can continue to discipline employees for their social media activities, provided that the objectionable conduct does not implicate Section 7 behavior – a fact and circumstances based analysis that may be counterintuitive to HR and in-house personnel.

Employers that address these issues head-on will be able to benefit from the advent of new technologies in the workplace and stay in compliance with applicable laws.

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.” (Download the full article in PDF format.)

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy concerning protection of plan data and prudent selection and monitoring of plan service providers who handle PII.  Benefit plan service providers, including technology-based outsourcing companies, should also consider these important guidelines and implement the appropriate safeguards to protect against infringement of plan and participant data.  These issues must be addressed in service arrangements and will continue to evolve.

Following is an excerpt:

Employee benefit plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries. With increasing regulation of benefit plans, these duties and associated responsibilities are mounting. With advancements in technology, online enrollment and access to account information, as well as benefit plan transaction processing, participant identifiable information and data have become increasingly more vulnerable to attack as it travels through employer and third-party systems.

Earlier this year, the attack on Anthem Inc.’s information technology system, which compromised the personal information of individuals under numerous health plans (including personally identifiable information, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, and there have been other similar attacks.

These cases remind us that in today’s world, plan participant information, whether it be protected health information, personally identifiable information or retirement savings account information, is vulnerable to theft. Employee Retirement Income Security Act plan fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures with respect to the handling and transmission of all PII and participant data in the regular course.

In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans studied the importance of addressing privacy and security issues with respect to employee benefit plan administration. The council examined issues and concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII and the impact on all parties, including plan sponsors, service providers, participants and beneficiaries. The council recognized several potential causes of breaches relating to benefit plan information, including hacking into retirement plan financial data, and recommended that the U.S. Department of Labor provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the Department of Labor has issued no such guidance.

Corporations incorporated in Delaware, regardless of whether they are domiciled in Delaware, should take note of a new Delaware law that went into effect on January 1, 2015 regarding the destruction of unencrypted personal identifying information concerning employees.  Under the new Safe Destruction of Records Containing Personal Identifying Information law (19 Del. C. § 736), employers are required to take “reasonable steps to destroy or arrange for the destruction” of unencrypted records containing employees’ “personal identifying information.”  Upon passing this law, Delaware joined the list of 30 other states that have laws regulating the disposal of personal information, including New York and New Jersey.

The new safe destruction of records law is part of Delaware’s “Right to Inspect Personnel Files Act,” which broadly defines “employer” to include “any individual, person, partnership, association, corporation . . .”  While courts have yet to determine the issue of whether the Act’s expansive definition of employer automatically includes all corporations incorporated in Delaware, regardless of where they are domiciled, a reasonable interpretation of the Act and recent speculation in the media is that the Act, and the new safe destruction of records law are intended to apply to all Delaware incorporated corporations.

The new law also broadly defines both the terms “records” and “personal identifying information.”  The term “records” is defined as “information that is inscribed on a tangible medium,” and includes information “stored in an electronic or other medium.”  Under the law, “personal identifying information” means “an employee’s first name or first initial and last name” combined with any one of the following:

  • Social Security number;
  • passport number;
  • driver’s license or state identification card number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • tax or payroll information; or
  • confidential health care information.

Companies wishing to destroy unencrypted personal identifying information must shred, erase or otherwise destroy or modify the personal identifying information in the records so that it is rendered unreadable or indecipherable.  A company who fails to properly destroy unencrypted personal data in accordance with the law could be subject to a civil action as the law provides a civil remedy to employees who incur actual damages due to a reckless or intentional violation of the law.

Given the number of companies that are incorporated in Delaware, this law has the potential to affect a large number of individuals and corporations located outside of Delaware, and further guidance should be monitored.  Employers who are incorporated in Delaware should examine and update their data destruction policies to ensure they are in compliance with the new Delaware law, as well as any other similar applicable laws that are in effect in states where they are domiciled and/or have employees located.  Epstein Becker & Green, P.C., attorneys can assist with updating existing, or developing new, policies to comply with these data destruction laws.

In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive information in a secure manner. Considering the recent hacking attacks, as well as the Obama Administration’s focus on cyber-security issues, businesses should understand their risk relative to cyber security and consider adopting these safeguards to reduce their vulnerability to a business acceptable level. As discussed below, businesses should protect their customers, employees, and themselves by: (1) conducting a risk assessment to identify their system’s vulnerabilities; (2) adopting and regularly auditing compliance with network security policies; and (3) utilizing physical safeguards to deny unauthorized users system access.

In the wake of the massive attacks against Sony, its employees have filed a putative class action Michael Corona and Christina Mathis v. Sony Pictures Entertainment Inc., No. 2:14-cv-9600 in the U.S. District Court for the Central District of California, alleging that Sony was negligent for allowing itself to be hacked. The Complaint alleges that Sony breached its duty to its employees to implement technical safeguards, specifically: “failing to properly and adequately encrypt data, losing control of and failing to timely regain control over Sony Network’s cryptographic keys, and improperly storing and retaining” personal identifying information. Businesses should conduct a risk assessment or penetration test to determine their network’s vulnerabilities and ensure that they are exercising reasonable care in protecting employee information. This will allow businesses to identify and address their most pressing vulnerabilities.

Even the most formidable of technical safeguards can be compromised without adequate administrative safeguards such as policies regarding the storage of confidential information and computer use. In addition to implementing these policies it is vital that employers adequately train employees regarding these policies. ICANN, the nonprofit organization in charge of assigning internet domain names, was hacked this past year. The hackers penetrated ICANN’s security using a “spear phishing” attack against ICANN’s employees. The hackers disguised emails containing malware as internal ICANN emails, and an employee fell for the ruse. Adopting robust internet security policies and educating employees on how to follow these policies greatly reduces the risk of an employee compromising network security. Employers should also audit their network security policies on an annual basis or as systems change to ensure compliance with these policies.

By limiting access to workstations and electronic media, companies can implement physical safeguards to protect confidential information. By requiring employees to keep doors locked and not leave company devices unattended, as well as enforcing and educating employees regarding these policies, employers can reduce their vulnerability to hackers.

In addition to HIPAA and common law negligence claims, victims of hacking are subject to state laws requiring them to notify everyone whose information may have been compromised. Because each state’s law protects residents of that particular state, companies may be subject to a variety of different disclosure requirements. For example, an employer with employees in California, Virginia, and New York would be subject to three different sets of laws governing the content of the disclosure and who is entitled to receive it.[1] All three laws punish failure to promptly disclose a data breach with consequential damages associated with the cost of identity theft protection, and the economic consequences of identity theft. New York’s law also provides for punitive damages of up to $150,000 for knowing or reckless failures to promptly disclose.

More data breach reporting laws are likely on the way. The Obama administration recently proposed a federal data breach reporting law and the New York Attorney General recently proposed measures to toughen New York’s law. Businesses should carefully monitor new legislative developments to ensure compliance with the most up to date guidance in this rapidly transforming area of the law. Epstein Becker & Green, P.C., attorneys can assist in conducting risk assessments and penetration tests and assist in developing network security policies.


[1] California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa.

By Steven C. Sheinberg, General Counsel of the Anti-Defamation League & Guest TMT blogger.*

A recent McKinsey report on twelve “disruptive” technologies included four that will fundamentally transform how employers relate to their employees: mobile Internet, automation of knowledge work, the Internet of things and cloud computing. I would add to the list three results of these technologies: big-data, cybercrime and privacy.

From an employment law perspective, the common element here is data – data that flows to, is stored by, and is used (or misused) by employers, third parties and employees.

Employers

As new devices and technologies are deployed, employers will likely inadvertently gather information they probably do not want – for instance, protected health information (perhaps by detecting a disease-related app on a phone) or detailed records of employee movements (which can be very harmful in wage and hour litigation).

As employers look at these (and other) large pools of data (including applicant data), some will wish to “mine” this data using increasingly low-cost “intelligent” automated systems.  Such work has to be carefully done – both algorithmic errors and poor statistical methodology can easily lead to significant errors in the information derived from the raw data.  The results, from at least an EEO point of view, can be quite disastrous.

This data will likely be stored on third-party “cloud” storage systems – an arrangement that will raise new risks for employers.

Third Parties

Employers need to be concerned about data in third party hands — whether it is there intentionally or not.

For instance, employers ask employees to use devices that are loaded with third party apps – and sometimes they even ask employees to use these apps.  These apps routinely collect significant amounts of data, including location and unique device identifier information. Such data can be combined to create a very detailed profile on users.   This data – owned, protected and even sold by these third parties – can create a new window into an employer’s operations that litigants and corporate spies alike would love to see.

Next, data will inevitably end up in third party hands through litigation and discovery.  As the cost of sophisticated analytics concerning that data is falling, there will be a sea-change in how employment cases are litigated – especially class actions.  And in the regulatory and EEO context, as a recent White House panel on so-called “big data” concluded, “the federal government should build the technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes.”   The use or misuse of this information by the government or litigants will require a very sophisticated legal response – one that will likely involve the world of statistical analysis and coding.

Information will also end up in third party hands through crime.  Whether inadvertent or not, the primary source of data breaches is through an employee’s keyboard.  As the breaches continue and the costs rise, employers will have to take radical approaches to data protection, including new levels of data segregation, radically shoring up security-related policies and treating mobile phones, whether company-owned or not, as on par with laptops.

Employees

As data is produced by more and different devices, there will be serious questions about who owns the data those devices store and generate.   Will an employee-owned, GPS-enabled app used on a “BYOD” device contain data that is owned by the employee (say, concerning their fitness activity) or, because it was worn during work, will it contain proprietary information (such as a record of where the employee visited)?   Employers must understand what data their employees are gathering – and update policies and executive employment agreements to deal with it.

In the social media context, employers will be forced to grapple with always-on devices, including those that constantly stream video.  It is unclear whether a simple workplace ban on such recording (as recently permitted under the NLRA) will survive video streaming’s convergence with social media –the latter of which the NLRB maintains can be a form of protected concerted activity.

Last, employers need to have action plans in place for data breaches caused by or impacting employees.  Employers should also ensure that insurance policies cover employee-caused data breaches and incidents involving employee information.

Concerns about privacy cover all three areas, but this is well covered elsewhere.

Summary

This short survey illustrates that the world of the employer will more and more involve data-driven risk –placing their lawyers deep in the world of statistics, system design and security management.

*EBG appreciates Steven C. Sheinberg’s contribution and respects his views, but notes they are his views and not necessarily those of EBG or any of its attorneys.

Companies who utilize cloud vendors to store their data on cloud-based applications should be advised: failing to understand the application’s storage and retrieval capabilities, and failing to preserve such data during litigation could lead to sanctions for both the company and its counsel.  That’s the lesson to be learned from a recent case in the Southern District of Ohio, one of the first of its kind to directly address the intersection between the cloud and its impact on litigation strategy.

In Brown v. Tellermate Holdings, Ltd., Case No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123 (S.D. Ohio July 1, 2014), plaintiffs, in an age discrimination suit against former employer Tellermate, Inc. (“Tellermate”), sought electronically stored information (“ESI”) from accounts that they and other employees maintained with Salesforce.com (“Salesforce”) during their employment to aid their argument that their terminations were due to their ages, and not due to performance issues.  Salesforce is a cloud-based vendor with whom Tellermate had contracted to provide Tellermate employees with a sales tracking tool to record all customer-related activity.

The Salesforce contract gave Tellermate access to the accounts and provided the ESI remained the property of Tellermate.  However, Tellermate erroneously informed its counsel that it could not gain access to the ESI.  Tellermate’s counsel, who the Court found unreasonably relied on Tellermate’s representations and misconstrued the Salesforce contract, repeatedly misrepresented to the Court that the ESI residing on Salesforce’s cloud could not be accessed.

The Court ordered Tellermate to produce the requested ESI.  Nevertheless, Tellermate waited nine months from receiving the Order before asking Salesforce about its backup policy, thus learning for the first time that Salesforce did not keep backup files for more than three to six months from the current date.  Tellermate’s failure to timely ask its cloud vendor about its backup system or promptly take measures to either suspend Salesforce’s policy, or obtain a backup copy of the ESI early in the litigation, guaranteed that the ESI was unreliable, if not irretrievable.

The Court found that the actions of Tellermate and its counsel were “simply inexcusable,” and ordered that Tellermate could not present or rely upon evidence that it terminated the plaintiffs’ employment for performance-related reasons either at the summary judgment phase or at trial.  The Court also ordered Tellermate and its counsel to jointly pay the plaintiffs’ reasonable attorneys’ fees and costs incurred in the various ESI-related discovery motions.

The Brown decision emphasizes how important it is that employers who use cloud-based applications understand the terms of the agreement with the cloud-based provider, including (1) who maintains control and ownership of the ESI; (2) the provider’s backup policy; and (3) the options for preserving the ESI to maintain its reliability. By fully understanding the intricacies involved in using cloud-based technology and taking appropriate steps at the beginning of a litigation to preserve discoverable ESI, an employer and its counsel can prevent misrepresentations to the court and take measures to avoid sanctionable conduct.

As a member of the New Jersey Technology Council and an NJTC Ambassador,  I participated in the TechVoice D.C. Fly-in held February 11 through 12 in Washington, D.C. on Capitol Hill.   This Tech Policy Summit was sponsored by TechVoice, CompTIA and TECNA which brought together delegations from nation-wide State technology councils and organizations, technology industry business leaders, and academicians (the “Advocates”), as well as members of the U.S. Congress (House and Senate) and their staff to discuss various policies and legislation impacting today’s technology companies and our economy.  The following are a few of the policy priorities and reform issues that were debated and discussed:

  • Data Breach Notification Legislation.  Currently, there is not a national standard for how a company must notify its customers regarding a data breach; instead, companies must navigate a web of 47 different and often conflicting state data breach notification laws.  The Advocates championed policies that include setting a national standard for data breach and notification that would preempt the various state laws on these issues and provide appropriate exemptions for companies complying with other applicable laws on these issues or those that use encryptions or technologies that render data unusable, development of reasonableness standards, centralized government enforcement in connection with data breach issues, and passage of privacy legislation that balances the needs of small and medium-sized businesses to collect data to improve the customer experience while promoting consumer-friendly privacy and security policies.  This year, the Data Security and Breach Notification Act was introduced by Senators Dianne Feinstein, Chairman of the Intelligence Committee; John Rockefeller, Chairman of the Committee on Commerce, Science and Transportation; Mark Pryor, Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet; and Bill Nelson, Chairman of the Commerce Subcommittee on Science and Space.  Developments on these issues will be watched closely by Epstein Becker Green which has both litigation and regulatory practice groups devoted to data breach issues:  Data Breach/Cybersecurity Litigation and Privacy and Security Law.
  • New/Emerging Technology Platforms and Patent Reform.  Many new public policy considerations are raised by advancements in cloud computing, mobility, machine-to-machine (M2M), unified communications platforms and various internet-based applications.  The Advocates supported release of a greater quantity, and larger blocks, of unlicensed wireless spectrum, nurturing of appropriate advancements in smart M2M technology, promotion of the responsible use and leveraging of big data to spur innovation and economic growth, support of limited, technology-neutral digital policies and education of policymakers on the need for best practices for mobility devices and applications.  On a related note, the Advocates discussed several recent patent reform legislative proposals which have been championed by members of both the House and Senate and remain hopeful that the Senate will consider the Innovation Act (H.R. 3309) passed by the House last year (whereas the America Invents Act was passed in 2011 to address the quality of patents awarded, patent assertion entities (PAEs) or patent trolls continue to be a significant problem for small and medium-sized businesses and these issues must be addressed).  Priorities of the Advocates include passage of patent reform to reduce abusive patent infringement litigation to curb costs and protect technology innovators, require various disclosures and more transparency concerning demand letters, and protections for end-users from abusive patent claims by allowing for the stay of cases against downstream customers.  
Developments with regard to new and emerging technologies and patent reform will be closely watched by attorneys across Epstein Becker Green’s practice areas (including health care and life sciences, labor and employment and corporate services), which are all well poised to assist businesses in navigating these issues and their impact on communications systems, design of the workplace, and operation of health care delivery systems: Technology Team, Telehealth, and Product Marketing.
  • Workforce, Educational, and Immigration Reform.  According to the Burning Glass Technologies Labor Insights, there were up to 600,000+ open IT and IT-related jobs in the U.S. throughout 2013.  Creation of a sustainable IT workforce was recognized as critical to U.S. global competitiveness.  Further, recognizing that small and medium-sized IT firms account for over $100 billion in payroll and more than 2 million jobs, the Advocates championed policies on tax reform that would assist business growth (including enacting tax code benefits and credits that help the technology industry such as Section 179 small business expensing and the R&D tax credit for investments in technology research (which could allow small start-up firms and pass-through investors to offset the credit against payroll tax liability)).  However, as businesses continue to emerge and expand, it will be critical to attain the high-skilled workers to fill the growing demand for these jobs.  The Advocates stressed the need for policies to expand life-long education in the computer sciences and IT skills to promote a skilled workforce to spur job growth and the ability of the U.S. to compete globally.  In this vein, the Advocates stressed the need for improvement of the America Works Act, Workforce Investment Act and “No Child Left Behind”, support for science, technology, engineering and math (STEM) education in grades K-12 for college and post-secondary preparation and skilled-based certifications, legislative initiatives to encourage pursuit of IT career paths, funding for workforce training and certifications and high-skilled immigration reform (particularly as it relates to new visas for STEM graduates). Given that educational reforms will take years to have an impact, immediate immigration reform will also be needed to ensure that high-skilled workers can obtain visas to fill the current jobs, including those for foreign born but U.S. educated students and entrepreneurs.
Several proposals in Congress must weigh border security, legalization, family and work visas and it is likely that immigration will be addressed piece-by-piece.  Passage of workforce focused legislation that will help close the technology skills gap and drive students to STEM careers will be critical to U.S. growth and competitiveness. Moreover, as businesses compete for high-skilled talent in the technology sectors, it will become increasingly critical to ensure that workplace policies and employee benefits are in effect to attract and retain these workers.  Epstein Becker Green attorneys in our labor and employment, employee benefits, and immigration practices are well-versed in these issues: Executive Compensation, Non-Competes, Unfair Competition and Trade Secrets, and Immigration.

Following a briefing by various panels on these issues over the course of Day 1 of the Tech Policy Summit, the Advocates had opportunities on Day 2 to meet with their local representatives on Capitol Hill.  Our New Jersey Technology Council delegation was led by Maxine Ballen (President and CEO of NJTC) and Paul Frank (Vice President, Membership of NJTC) who secured additional meetings with many New Jersey representatives to discuss the issues outlined above.  I participated in our group meetings with Senator Cory Booker, Senator Robert Menendez, Congressman Frank Pallone, Congressman Leonard Lance, as well as staff for Congressman Donald Payne and Congressman Jon Runyan.  The importance of these issues, as well as the impact on the future growth of technology businesses in New Jersey and across the nation, was recognized and heard. By the close of Day 2, it became increasingly clear that the issues we discussed at the Tech Policy Summit are critical to the future of our nation.  As our world changes and new technologies and businesses emerge, we all must do our part to ensure that the future of our economy and our country continue to be well-poised for innovation.  We need laws enacted to spur economic growth, create and protect jobs, protect our privacy and security, and improve our educational systems.  Once enacted, implementation and compliance will also need to be addressed.  I remain hopeful that businesses and the government can work together toward a common goal on these issues and that we will preserve for our citizens and future generations  the right to life, liberty and the pursuit of happiness.
