Our colleague at Epstein Becker Green has a post on the Retail Labor and Employment Law blog that will be of interest to our readers in the technology industry: “DOJ Finally Chimes In On State of the Website Accessibility Legal Landscape – But Did Anything Really Change?”

Following is an excerpt:

As those of you who have followed my thoughts on the state of the website accessibility legal landscape over the years are well aware, businesses in all industries continue to face an onslaught of demand letters and state and federal court lawsuits (often on multiple occasions, at times in the same jurisdiction) based on the concept that a business’ website is inaccessible to individuals with disabilities. One of the primary reasons for this unfortunate situation is the lack of regulations or other guidance from the U.S. Department of Justice (DOJ), which withdrew long-pending private sector website accessibility regulations late last year. Finally, after multiple requests this summer from bi-partisan factions of Members of Congress, DOJ’s Office of Legislative Affairs recently issued a statement clarifying DOJ’s current position on website accessibility. Unfortunately, for those hoping that DOJ’s word would radically alter the playing field and stem the endless tide of litigation, the substance of DOJ’s response makes that highly unlikely.

DOJ’s long-awaited commentary makes two key points…

Read the full post here.

Join Epstein Becker Green attorneys, Brian G. Cesaratto and Brian E. Spang, for a discussion of how employers can best protect their critical technologies and trade secrets from employee and other insider threats. Topics to be discussed include:

  • Determining your biggest threat by using available data
  • What keeps you up at night?
  • Foreseeing the escalation in risk, from insider and cyber threats to critical technologies
  • New protections and remedies under the Trade Secret Protection Act of 2014
  • Where are your trade secrets located, and what existing protections are in place?
  • What types of administrative and technical controls should your firm consider implementing for the key material on your network to protect against an insider threat?
  • What legal requirements may apply under applicable data protection laws?
  • How do you best protect trade secrets and other critical technologies as information increasingly moves into the cloud?
  • Using workforce management and personnel techniques to gain protection
  • The importance of an incident response plan
  • Developing and implementing an effective litigation response strategy to employee theft

Wednesday, October 3, 2018.
12:30 p.m. – 2:00 p.m. ET
Register for this complimentary webinar today!

Our colleague at Epstein Becker Green has a post on the Retail Labor and Employment Law blog that will be of interest to our readers in the technology industry: “NYC Commission on Human Rights Issues Guidance on Employers’ Obligations Under the City’s Disability Discrimination Laws.”

Following is an excerpt:

The New York City Commission on Human Rights (“Commission”) recently issued a 146-page guide titled “Legal Enforcement Guidance on Discrimination on the Basis of Disability” (“Guidance”) to educate employers and other covered entities on their responsibilities to job applicants and employees with respect to both preventing disability discrimination and accommodating disabilities. The New York City Human Rights Law (“NYCHRL”) defines “disability discrimination” more broadly than does state or federal disability law, and the Guidance is useful in understanding how the Commission will be interpreting and enforcing the law. …

Read the full post here.

This extended interview from Employment Law This Week will be of interest to many of our readers. Attorney and co-editor of this blog, Michelle Capezza explains how recent legal developments have prepared employers for their future workforce, which will include artificial intelligence technologies working alongside human employees. She also looks at the strategies employers should start to consider as artificial intelligence is incorporated into the workplace.

We published an article with NYSBA Labor and Employment Law Journal, titled “Employee Threats to Critical Technologies Are Best Addressed Through a Formalized Insider Threat Risk Assessment Process and Program.” With the New York State Bar Association’s permission, we have linked it here.

Featured on Employment Law This Week: New Legislation Eases Disclosure Requirements for Startups under the Dodd-Frank Wall Street Reform.

Startups offering equity plans get regulatory relief. The legislation that President Trump signed in May to ease regulations under the Dodd-Frank Wall Street Reform and Consumer Protection Act also contained some good news for startups. The law adjusts the Rule 701 thresholds, which allow private companies to offer equity to employees without registering the sales as public offerings.

Watch the segment below.

Our colleague at Epstein Becker Green has a post on the Hospitality Labor and Employment Law blog that will be of interest to our readers in the technology industry: “The Generally Prevailing Website Accessibility Guidelines Have Been Refreshed – It’s Time to Officially Welcome WCAG 2.1.”

Following is an excerpt:

After nearly ten years, on Tuesday, June 5, 2018, the World Wide Web Consortium (the “W3C”), the private organization focused on enhancing online user experiences, published the long awaited update to its Web Content Accessibility Guidelines 2.0 (“WCAG 2.0”), known as the WCAG 2.1. Those who have been following along with website accessibility’s ever-evolving legal landscape are well aware that, despite not having been formally adopted by regulators for the vast majority of the private sector, compliance with WCAG 2.0 at Levels A and AA has become the de facto baseline for government regulators, courts, advocacy groups, and private plaintiffs when discussing what it means to have an accessible website. …

Read the full post here.

Our colleague at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the technology industry: “NIST Seeks Comments on Cybersecurity Standards for Patient Imaging Devices.”

Following is an excerpt:

The National Institute of Standards and Technology (“NIST”) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices. NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices addressing interoperability, usability and privacy continue to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack. …

Read the full post here.

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens).

Who must comply? The GDPR applies to any company that has personal information of EU residents or citizens or that conducts business in the EU, regardless of its home country.

What is the risk of non-compliance? The GDPR mandates documented compliance. The regulations provide for substantial fines of up to €20 million or 4 percent of global revenues for noncompliance. Willful non-compliance is most heavily fined under this tiered system.

How far along are most companies as to compliance? The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

Who will adopt the regulations? All 28 EU members, plus Iceland, Norway, and Liechtenstein (collectively known as the “European Economic Area”), and likely the United Kingdom, will adopt the regulations.

Will the regulations be enforced extraterritorially? The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens).

How is “personal data” defined? The definition includes any information as to a human being (called a “data subject”) that can directly or indirectly identify him or her, including, but not limited to, names; birthdates; physical addresses; email and IP addresses; and health, biometric, and demographic information.

What constitutes compliance? In general terms, a subject company must limit the use of the retained personal data and maintain it securely.

  • Explicit consent is required for each processing activity as to any covered datum.
  • Access, free of charge, must be afforded to any data subject on request to a “data controller” (a person at the company charged with maintaining data), who, in turn, must assure that any “data processor” (any person or company that takes data from consumers and manipulates or uses it in some way to then pass along information to a third party) is compliant as to the requested action.
  • Data subjects have the right to be “forgotten,” i.e., to have their data expunged, and may revoke consent at will.

What does the GDPR require if there is a data breach? Data breaches that “may” pose a risk to individuals must be notified officially within 72 hours and to affected persons without undue delay.

This, of course, is only an outline of GDPR requirements and procedures. Specific advice can only be provided with knowledge of an individual company’s circumstances and needs. One does note that, as is the case in other regards, for example, antitrust, the assumptions prevalent within the EU are decidedly different from those in the United States. As a number of commentators have observed, while there is no defined “right of privacy” in the United States, a company is required to preserve information, including PII and personal health information, or PHI, in the event of litigation. In Europe, which has very limited litigation discovery, there is a defined right of privacy and individuals can cause data describing them to be erased (“forgotten”).

Many of you know also that there is a case pending a decision in the Supreme Court of the United States involving whether the U.S. government can compel Microsoft to produce PII that is collected and stored outside of the United States. An affirmative decision might create a conflict of law that will complicate the data retention abilities of American companies doing business overseas. So stay tuned.

Featured on Employment Law This Week: A California federal judge has ruled that a former GrubHub delivery driver was an independent contractor, not an employee.

The judge found that the company did not have the required control over its drivers for the plaintiff to establish that he is an employee. This decision comes as companies like Uber and Lyft are also facing lawsuits that accuse them of misclassifying employees as independent contractors. Carlos Becerra, from Epstein Becker Green, has more.

Watch the segment below and read our recent post.