As we recently reported, New York’s Westchester County has published on its website Employer and Employee FAQs, along with a Notice of Rights to Employees, concerning the county’s Earned Sick Leave Law, which became effective on April 10, 2019. The county has now issued the required poster. Covered employers can download the poster and display it in a conspicuous location at their office or facility.

Notably, the poster only references the obligation of employers with five or more employees to provide paid sick time; it is silent with respect to the mandate that employers with fewer than five employees provide unpaid sick leave. However, the county’s Human Rights Commission advises that all covered employers must display the poster.

A Trending News video has been posted now that the Stop Sexual Harassment in NYC Act is in effect. New York employers must provide annual anti-harassment training for their workers, and there are specific rules that apply to independent contractors. Contractors shouldn’t be harassed, and they can also create exposure if they engage in harassment. As a reminder to NYC employers: Don’t forget your contractors!

Watch the full video below.

Our colleague Brian Cesaratto at Epstein Becker Green has a post on the Health Law Advisor Blog that will be of interest to our readers in the technology industry: “Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat.”

Following is an excerpt:

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring reasonable network security safeguards without considering threats to DNS. The statutory requirements do not generally mandate the particular mix of cybersecurity controls required to protect DNS. Rather, the frameworks require organizations to implement formalized processes to anticipate and assess risks from cyber threats and then adopt reasonable safeguards. Organizations may reference NIST publications and other technical guidance for a catalog of controls to choose from based on the risk assessment. Consistent with the regulatory imperatives requiring vigilance and appropriate counter-measures to safeguard data when threats evolve, organizations should revisit their defenses given the recent threats to DNS.

Attackers seek to disrupt the normal operations of DNS servers and applications responsible for resolving domain names to properly route network communications between computers. DNS looks up the IP address of the computer to receive the communication based on its domain name and advises the computer requesting a connection of the associated IP address to send the request to. For example, when a user types “www.anycompany.com” in his or her web browser or sends an email (e.g., “tsmith@anycompany.com”), DNS resolves the domain name (“www.anycompany.com”) to a numerical IP address, such as 172.30.xxx.xxx. DNS advises the requesting computer of the IP address corresponding to the domain name and the requesting computer accordingly directs the traffic. …

Read the full post here.
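The excerpt above describes name resolution in prose. The following Python script is an added example, not part of the original post or of Epstein Becker Green’s material; it shows what that exchange looks like on the wire by encoding an A-record query for www.anycompany.com and parsing a constructed response. The response bytes, the transaction ID and the address 172.30.1.2 are all made up for illustration (the post itself only uses the placeholder 172.30.xxx.xxx), and no network traffic is sent.

```python
from __future__ import annotations
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A-record (IPv4 address) query for `name` in DNS wire format."""
    # Header: ID, flags (RD=1: ask the resolver to recurse), QDCOUNT=1, AN/NS/AR=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is length-prefixed; a zero byte terminates the name.
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a domain name at `offset`, following RFC 1035 compression pointers.

    Returns the dotted name and the offset just past the name as it appears
    in the message (pointers are followed for decoding but do not advance it).
    """
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer: bits 11 followed by a 14-bit offset
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse a DNS response; return the queried name, RCODE and any A-record addresses."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: message is a query, not a response")
    offset = 12
    qname = ""
    for _ in range(qdcount):
        qname, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _owner, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addresses.append({"ip": ".".join(str(b) for b in rdata), "ttl": ttl})
    return {"id": txid, "name": qname, "rcode": flags & 0x000F, "addresses": addresses}


def sample_response() -> bytes:
    """Constructed response to build_query("www.anycompany.com"); not a real capture.

    The answer's owner name is a compression pointer (0xC00C) back to the
    question name at offset 12, and the address 172.30.1.2 is made up.
    """
    question = build_query("www.anycompany.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = (b"\xc0\x0c"
              + struct.pack("!HHIH", 1, 1, 300, 4)  # TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4
              + bytes([172, 30, 1, 2]))
    return header + question + answer


if __name__ == "__main__":
    print(build_query("www.anycompany.com").hex())
    print(parse_response(sample_response()))
```

Note that nothing in the parsed message authenticates the answer: a plain DNS response carries no signature (that is what DNSSEC adds), so a client directs its traffic wherever the response says. That is why the full post treats threats to DNS as a data-security matter rather than a mere availability problem.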

Our colleague Tzvia Feiertag at Epstein Becker Green has a post on the Health Employment and Labor Blog that will be of interest to our readers in the technology industry: “NJ Employers and Out-of-State Employers with NJ Residents Prepare: State Updates Website on Employer Reporting for New Jersey Health Insurance Mandate.”

Following is an excerpt:

As employers are wrapping up their reporting under the Affordable Care Act (“ACA”) for the 2018 tax year (filings of Forms 1094-B/C and 1095-C/B with the IRS are due by April 1, 2019, if filing electronically), they should start preparing for new reporting obligations for the 2019 tax year.

After a string of failed efforts to repeal the ACA, Congress, through the Tax Cuts and Jobs Act of 2017 (“TCJA”), reduced the federal individual shared responsibility payment assessed (with limited exceptions) against individuals who failed to purchase health insurance to $0 beginning January 1, 2019. In response, to ensure the stability and provide more affordable rates for health coverage, States, such as New Jersey, have stepped in and adopted their own individual health insurance mandates. New Jersey’s individual health insurance mandate requires employers to verify health coverage information provided by individuals. To assist with employer reporting, New Jersey has launched an official website (last updated on March 19, 2019) with guidance on the filing requirements. …

Read the full post here.

Technology, media, and telecommunications organizations are at the forefront of tackling new challenges in handling employee information and managing employee populations. As legislatures (from the federal level down to states and cities) address how technology impacts today’s new workforce, employers must grapple with changes in managing data—from privacy concerns to the use of artificial intelligence in employment matters—and keeping workers happy, including dealing with wage increases, the rise in union activity, and contingent workers in the #MeToo era. A changing workplace landscape requires creative thinking and outside-the-box solutions.

Continue Reading Take 5 Newsletter – The Future of Work: Five Developing Trends for Technology, Media, and Telecommunications Employers

Our colleague Nancy Gunzenhauser Popper at Epstein Becker Green has a post on the Retail Labor and Employment Law Blog that will be of interest to our readers in the technology industry: “April Fools Joke? No. NYC Employers Really Have Two Sets of Training Requirements.”

Following is an excerpt:

Don’t forget – April 1 marks the beginning of a new set of sexual harassment training requirements in New York City. While the training requirement began across New York State on October 9, 2018 (and must be completed by October 9, 2019), the City imposes additional requirements on certain employers. Both laws require training to be provided on an annual basis.

While the State law requires training of all employees, regardless of the number of employees in each state, the City law applies only to employers with 15 or more employees. When counting employees, an employer must count independent contractors who work for the employer. …

Read the full post here.

Our colleague Laura A. Stutz at Epstein Becker Green has a post on the Health Employment and Labor Blog that will be of interest to our readers in the technology industry: “Race Discrimination on the Basis of Hair Is Illegal in NYC.”

Following is an excerpt:

The New York City Commission on Human Rights published legal enforcement guidance defining an individual’s right to wear “natural hair, treated or untreated hairstyles such as locs, cornrows, twists, braids, Bantu knots, fades, Afros, and/or the right to keep hair in an uncut or untrimmed state.” The guidance applies to workplace grooming and appearance policies “that ban, limit, or otherwise restrict natural hair or hairstyles”:

[W]hile an employer can impose requirements around maintaining a work appropriate appearance, [employers] cannot enforce such policies in a discriminatory manner and/or target specific hair textures or hairstyles. Therefore, a grooming policy to maintain a ‘neat and orderly’ appearance that prohibits locs or cornrows is discriminatory against Black people because it presumes that these hairstyles, which are commonly associated with Black people, are inherently messy or disorderly. This type of policy is also rooted in racially discriminatory stereotypes about Black people, and racial stereotyping is unlawful discrimination under the [New York City Human Rights Law].

A grooming or appearance policy prohibiting natural hair and/or treated/untreated hairstyles to conform to the employer’s expectations “constitutes direct evidence of disparate treatment based on race” in violation of the City’s Human Rights Law. …

Read the full post here.

Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data similar to the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request that data errors be corrected, to withdraw consent to continued processing and to deletion of their data. Residents may require an organization to confirm whether it is processing their personal information and to receive a copy of their personal data in electronic form.

Covered organizations will be required to provide consumers with a conspicuous privacy notice disclosing the categories of personal data collected or shared with third parties and the consumers’ rights to control use of their personal data. Significantly, covered businesses must conduct documented risk assessments to identify the personal data to be collected and weigh the risks in collection and mitigation of those risks through privacy and cybersecurity safeguards.

Washington’s proposal follows the recent enactment of the California Consumer Privacy Act (see EBG’s Act Now Advisory, “California’s Consumer Privacy Act: What Employers Need to Know”). Washington’s legislation, however, will grant rights beyond those contained in the California Act and is more closely aligned with the GDPR’s framework. The heightened protections are grounded in the sponsors’ recognition of the detrimental effect of data breaches and the resulting loss of privacy. The Act cites to the GDPR as providing for “the strongest privacy protections in the world” and adopts the GDPR’s expansive definition of “personal data” – any information relating to any identified or identifiable natural person.

Businesses that process the personal data of more than 100,000 Washington residents are covered, as well as “data brokers” that derive 50 percent of their revenue from the brokered sale of personal information. Notably, “data sets” (i.e., Protected Health Information (“PHI”)) regulated by the federal Health Insurance Portability and Accountability Act of 1996, Health Information Technology for Economic and Clinical Health (“HITECH”) Act, or the Gramm-Leach-Bliley Act of 1999 are not covered. Financial and health care institutions may need to comply as to other personal data not protected under these statutes. If a health care or financial institution collects or processes other personal data and meets the thresholds above, then it is likely covered.

Employers should take note that data sets maintained only for employment records purposes are excluded. Notably, the Act excludes from coverage “an employee or contractor of a business acting in their role as an employee or contractor.” The Act will nonetheless affect organizations that use facial recognition technology to profile consumers where the results bear on “employment purposes” or “health care services,” as such uses require human review before a final decision. Organizations that contract with facial recognition vendors may see pass-through contractual restrictions prohibiting use for unlawful bias.

There is no private right of action. Enforcement actions may be brought by the Attorney General to obtain injunctive relief and to impose civil penalties. If enacted, the Act, scheduled to become effective December 31, 2020, will have wide-ranging impacts requiring significant advance planning, risk assessments and consideration of privacy and security by design principles.

As we previously reported, since 2017 employees have filed dozens of employment class actions claiming violations of Illinois’ 2008 Biometric Information Privacy Act (“BIPA”). In short, BIPA protects the privacy rights of employees, customers, and others in Illinois against the improper collection, usage, storage, transmission, and destruction of biometric information, including biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, and scans of face or hand geometry. Before collecting such biometric information, BIPA requires an entity to: (1) provide written notice to each individual of the collection; (2) obtain a signed release from each individual for the collection of biometric data; and (3) make available a policy that contains a retention schedule and guidelines for the permanent destruction of the biometric data.

One of the unresolved legal issues was whether an entity’s failure to comply with BIPA’s requirements, absent an actual injury, was sufficient to sustain a claim under that law. On January 25, 2019, the Illinois Supreme Court weighed in on this issue in Rosenbach v. Six Flags Entertainment Corp., holding that mere collection of an individual’s biometric information may be enough to state a claim under BIPA.

In Rosenbach, a parent sued on behalf of her child after he was fingerprinted when entering a Six Flags theme park. Neither the parent nor the child signed a release, Six Flags did not provide written notice to the child or the parent, and Six Flags did not have a publicly available policy regarding the retention or destruction of the biometric information. However, there have been no known data breaches of Six Flags systems, and the complaint did not allege any other harm to the parent or her son.

The Illinois Supreme Court found that the legislative intent behind BIPA dictated that a technical violation of the law, such as failure to provide notice or obtain a release, is sufficient to state a claim under the Act. Under BIPA, an “aggrieved” party is similar to the concept of the injury-in-fact requirement for standing in federal court. There, the Court found that the “injury is real and significant.”

In light of the Rosenbach decision, it is even more important that employers with operations in Illinois consider taking the following action:

(1)  First, determine whether your company collects, uses, stores, or transmits any employee’s (or other individual’s) biometric information or identifiers that may be covered by BIPA (e.g., using fingerprint recognition technology for timekeeping purposes or to access company-issued property or devices).

(2)  If your company does collect, use, store, or transmit biometric data/identifiers, you should:

(a)  develop, or review existing, written policies concerning the collection, storage, use, transmission, and destruction of that information, consistent with industry standards;

(b)  implement policies concerning proper notice to employees (and other affected individuals) about the company’s use, storage, etc., of such data and obtain written and signed consent forms from all affected persons; and

(c)  establish practices to protect individuals’ privacy against improper disclosure of biometric data/identifiers, using the methods and standard of care the company would apply to other material deemed confidential and sensitive.

Importantly, providing proper notice includes identifying the specific reason for the collection, storage, and use of the biometric data, as well as how long the employer will use or retain such data. 740 Ill. Comp. Stat. 14/15(a), (b); 14/10.

Our colleagues at Epstein Becker Green have a post on the Hospitality Labor and Employment Law blog that will be of interest to our readers in the technology industry: “Mayor de Blasio Proposes Mandatory Paid Personal Time Law.”

On January 9, 2019, Mayor Bill de Blasio announced his plan to make New York City the first city in the country to mandate that private sector employers provide paid personal time (“PPT”) for their employees. Under the proposal, employers with five or more employees would be required to grant their employees 10 days of PPT to use for any purpose, including vacation, religious observance, bereavement, or simply to spend time with their families. It is unclear whether the proposed legislation would apply to only full-time workers, or whether, similar to the Earned Safe and Sick Time Act (“ESSTA”), it would include many part-time employees as well. The Mayor said he would work with the New York City Council to develop the legislation, and several Council members have already voiced their support for the proposal. …

Read the full post here.