Time is running out. The effective date of New York’s cybersecurity law mandating that organizations implement an information security program to protect “private information” of New York State residents, including employee and consumer data, is now only 45 days away. New York’s law requires the implementation of a cybersecurity program, including reasonable protective measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately take steps to comply with the Act’s requirements effective March 21, 2020. New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.

As we first reported last year at the time of the Act’s passage, the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD ACT), signed into law on July 25, 2019, requires implementation of an information security program to protect “private information” defined as:

  • any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image);
  • individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

In order to achieve compliance, an organization must implement a data security program that includes:

  • reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
  • reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
  • reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.

All organizations that collect private information must independently satisfy the SHIELD Act’s three-part standard for protecting sensitive individual information. However, regulated organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.

Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties. We can expect vigorous enforcement because the Attorney General submitted the SHIELD Act as an agency sponsored bill to keep pace with the use and dissemination of private information. Press releases from the New York State Office of the Attorney General are here: June 17 and July 25, 2019. Any enforcement activity by the Attorney General’s office will also have other damaging consequences, such as damaging publicity and supply chain issues with the firm’s business partners. Private litigants bringing data breach lawsuits will almost certainly assert that any non-compliance shows a disregard of standards of due care when asserting negligence claims for failing to protect sensitive individual information. See our August 12, 2019 Client Advisory for What Businesses and Employers Should Do Now.

My recent blog post, “What Employers Should Know About the SECURE Act’s Lifetime Income Provisions,” discusses the Setting Every Community Up for Retirement Enhancement Act of 2019, which was signed into law on December 20, 2019. Employers who sponsor defined contribution retirement plans, such as 401(k) plans, should monitor these developments.

Following is an excerpt:

Predictable lifetime income is often of paramount concern to retirees. Yet, as employer-sponsored retirement plans have moved away from the traditional pension plan model, participants in defined contribution plans may be faced with managing their own account balances and plan distributions, which may not lead to a steady stream of lifetime income in retirement. The Setting Every Community Up for Retirement Enhancement Act of 2019 (the “SECURE Act”), signed into law on December 20, 2019, may aid in securing retirements. Employers who sponsor defined contribution retirement plans, such as 401(k) plans, now have: (1) new participant disclosure obligations; (2) the ability to adopt certain portability design features related to lifetime income investment options; and (3) guidelines to encourage inclusion of lifetime income investment options in plan investment line-ups. …

Read the full post here.

As we have previously blogged, use of third-party digital hiring platforms to select job applicants using video interviews can present an array of potential legal issues. A recent Complaint filed with the Federal Trade Commission (“FTC”) by a consumer advocacy organization, Electronic Privacy Information Center (“EPIC”), illustrates some of those potential pitfalls. EPIC asks the FTC to investigate the recruiting technology company HireVue for alleged discriminatory screening of job applicants through its face-scanning software. HireVue asks job applicants to video-record answers to pre-approved questions and upload those recordings. HireVue then uses artificial intelligence (“AI”) to scan applicants’ faces during the recorded answers to analyze facial expressions and grade applicants’ expressions according to a non-public rubric.

The Complaint alleges that HireVue’s recruiting tools are unfair and deceptive, producing results that are “biased, unprovable, and not replicable” through algorithmic models that fail to meet international standards for AI-based decision making, facial recognition software that could be racially biased or improperly used to identify sexual orientation, and discriminatory eye movement tracking captured in video assessments. The Complaint alleges that HireVue’s software fails to adhere to the Universal Guidelines for Artificial Intelligence framework, a set of 12 non-binding principles announced in Brussels, Belgium, on October 23, 2018, at the Public Voice symposium. The Universal Guidelines have not been adopted into law in the United States. The Complaint also alleges that HireVue’s software could be biased towards certain groups of individuals, stating that “AI tools often contain gender biases” because the hiring algorithms are built “on data based from top performers” that can be flawed. The Complaint further alleges that the eye tracking software could disparately impact people with certain disabilities, e.g., visually impaired applicants whose eyes do not move in the same manner as the “sighted.” In short, the Complaint calls into question many of the features HireVue uses in its video interview software.

Once a complaint has been filed with the FTC, the Commission undertakes an investigation. During the course of the investigation, the Commission must determine, under Section 5 of the FTC Act, if the trade practice complained about is unfair. “Unfairness” is determined by analyzing whether the practice at issue “causes or is likely to cause substantial injury to consumers … and not outweighed by countervailing benefits to consumers or to competition.” Following an investigation, if the FTC has “reason to believe” the law is being violated, it may initiate an enforcement action through an administrative or judicial process, which could result in the imposition of a temporary restraining order and preliminary injunction to halt the unfair conduct, and/or civil penalties or monetary relief, up to and including freezing assets.

While the HireVue investigation remains in the early stages, companies using any type of digital hiring software should proceed with caution pending the FTC’s investigation. While companies do not have to cease using the technology, there are sensible steps they can take to mitigate against legal risk.

When utilizing third-party technology for the hiring process, employers should:

  • Conduct due diligence on the product or software prior to purchase;
  • Review legal requirements in the applicable jurisdiction (such as Illinois or outside the U.S.);
  • Work with the vendor to conduct a job analysis prior to implementation;
  • Monitor the use of the software and conduct adverse impact analyses to reduce the likelihood of disparate impact claims;
  • Review overall results of the hiring process by analyzing job offer outcomes;
  • Audit the systems and algorithms implemented for bias;
  • Prepare an appropriate validation study; and
  • Give prospective employees notice of the use of the software.

Employers should partner with legal counsel to ensure that these actions are conducted under privilege.

As we enter the last quarter of 2019 and the business community begins to plan ahead for 2020, New York employers should be aware of the changes coming to the New York Paid Family Leave (“NYPFL”) program. On January 1, 2020, both the amount of employee contributions and weekly benefits allowed under the program are scheduled to increase. This will be the second of three annual increases in weekly benefits.

The NYPFL program, which took effect in 2018, provides partially-paid, job-protected leave for bonding with a new baby, caring for a seriously ill family member, and matters related to a family member who is deployed abroad on active military duty. The length of permissible leave began at eight weeks, is currently at 10 weeks, and will increase to 12 weeks in 2021.

The maximum amount of benefits an employee is entitled to receive while on leave is based on the employee’s average weekly wage (“AWW”) and the State’s average weekly wage (“SAWW”). Effective January 1, 2020, the maximum amount of benefits will be calculated based on 60% of an employee’s AWW, up to a cap set at 60% of the SAWW. The SAWW for 2020 is $1,401.17. The maximum weekly benefit in 2020 will be $840.70 per week.

To ensure sufficient funds to cover the increased benefits, the employee payroll contribution toward NYPFL also will be adjusted on January 1 to 0.270% of an employee’s gross wages each pay period, capped at a maximum annual contribution of $196.72.

As a reminder, beginning January 1, 2021, the last of the annual increases will take effect. On that date, the maximum length of leave will increase to 12 weeks in a 52-consecutive week period and benefits will be payable based on 67% of an employee’s AWW, up to a cap set at 67% of the SAWW.

The following chart sets forth the current status of, and coming changes to, the NYPFL program.

Date            | Length of Paid Leave Within a 52-Week Period | Calculation of Benefit Payments            | State Average Weekly Wage | Maximum Weekly Benefit Payments
----------------|----------------------------------------------|-------------------------------------------|---------------------------|--------------------------------
January 1, 2019 | Up to 10 weeks                               | 55% of AWW, not to exceed 55% of the SAWW | $1,357.11                 | $746.41
January 1, 2020 | Up to 10 weeks                               | 60% of AWW, not to exceed 60% of the SAWW | $1,401.17                 | $840.70
January 1, 2021 | Up to 12 weeks                               | 67% of AWW, not to exceed 67% of the SAWW | TBD                       | TBD

This week, a one-year “revival” period of statute of limitations began for individuals who assert civil claims of child abuse to file claims against institutions and individuals pursuant to New York’s Child Victims Act, even if those claims had already expired and/or were dismissed because they were filed late. The premise behind the Child Victims Act is that children are often prevented from disclosing abuse due to the social, psychological and emotional trauma they experience.

Additionally, the Child Victims Act also expands the statute of limitations for bringing criminal claims against alleged perpetrators of child sexual abuse, and permits alleged victims of these crimes to file civil lawsuits up until they reach age 55. This aspect of the legislation will have a significant impact on the volume of criminal cases, and even more so civil lawsuits, 385 of which were filed in the first hours of the revival period, with hundreds more geared up for filing in the upcoming weeks and months. Indeed, the New York State court system has set aside 45 judges specifically to handle the expected crush of cases.

Institutional Changes Following the New Child Victims Act

Religious, educational and other institutions that are committed to providing a safe environment for children should be thinking about how they can implement safeguards against child abuse within their institutions. An important step is keeping internal lines of communication with staff and families open, as well as educating staff and leadership as to their reporting obligations under New York law and on how to provide appropriate support if child abuse is suspected.

The Child Victims Act joins the Sex Harassment Bill also signed into law by Gov. Cuomo as significant changes by New York Legislators involving sexual abuse and harassment in New York State.

Our Employee Benefits and Executive Compensation practice now offers on-demand “crash courses” on diverse topics. You can access these courses on your own schedule. Keep up to date with the latest trends in benefits and compensation, or obtain an overview of an important topic addressing your programs.

In each compact, 15-minute installment, a member of our team will guide you through a topic. This on-demand series should be of interest to all employers that sponsor benefits and compensation programs.

In our newest installment, Tzvia Feiertag, Member of the Firm in the Employee Benefits and Executive Compensation practice, in the Newark office, presents “HIPAA Privacy and Security Rule Compliance.”

While employers themselves are not directly regulated by the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”), most employers that sponsor group health plans have ongoing compliance obligations. This crash course offers a brief overview of who and what is covered by these rules, why employers should care about HIPAA compliance, and five tips to maintain compliance.

Click here to request complimentary access to the webinar recording and presentation slides.

This Employment Law This Week® Monthly Rundown discusses the most important developments for employers in August 2019.

This episode includes:

  • Increased Employee Protections for Cannabis Users
  • First Opinion Letters Released Under New Wage and Hour Leadership
  • New Jersey and Illinois Enact Salary History Inquiry Bans
  • Deadline for New York State Anti-Harassment Training Approaches
  • Tip of the Week

See below to watch the full episode – click here for story details and video.

We invite you to view Employment Law This Week® – tracking the latest developments that could impact you and your workforce. The series features three components: Trending News, Deep Dives, and Monthly Rundowns. Follow us on LinkedIn, Facebook, YouTube, Instagram, and Twitter and subscribe for email notifications.

New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information. New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020. Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.

The “Stop Hacks and Improve Electronic Data Security Act” (SHIELD ACT), signed into law on July 25, 2019, requires implementation of an information security program to protect “private information” defined as:

  • any individually identifiable information such as name, number or other identifier coupled with social security number, driver’s or non-driver identification card number or account number, credit or debit card number in combination with any security code, access code, password or other information that would permit access to the individual’s financial account, or biometric information (such as fingerprint, voice print, retina or iris image);
  • individually identifiable information coupled with an account number, credit or debit card number if circumstances exist wherein such number could be used to access an individual’s financial account even without additional identifying information, or a security code, access code or password; or
  • a username or email address in combination with a password or security question and answer that would permit access to an online account.

The law broadly requires that “any person or business” that owns or licenses computerized data which includes private information of a New York State resident “shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”

In order to achieve compliance, an organization must implement a data security program that includes:

  • reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
  • reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
  • reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.

Small businesses of fewer than 50 employees, less than three million dollars in gross revenues in each of the last three fiscal years, or less than five million dollars in year-end total assets may scale their data security program according to their size and complexity, the nature and scope of their business activities, and the nature and sensitivity of the information collected.

Organizations that are covered by and in compliance with the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and/or the New York State Department of Financial Services cybersecurity regulations shall be deemed in compliance with the SHIELD Act.

Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties of up to $5,000 imposed against an organization and individual employees for “each violation.” Depending on how the Attorney General seeks to apply this provision, this could potentially lead to significant monetary penalties for entities and their employees who fail to take required protective measures, including when those failures lead to a data breach. We can expect vigorous enforcement because the Attorney General submitted the SHIELD Act as an agency sponsored bill to keep pace with the use and dissemination of private information. Indeed, absent future clarification, the Attorney General may seek civil penalties to enforce reasonable cybersecurity safeguards even in the absence of a data breach. Of course, any enforcement activity by the Attorney General’s office will also have other damaging consequences, such as reputational harm and supply chain issues with the firm’s business partners.

We have long counseled employers using or contemplating using artificial intelligence (“AI”) algorithms in their employee selection processes to validate the AI-based selection procedure using an appropriate validation strategy approved by the Uniform Guidelines on Employee Selection Procedures (“Uniform Guidelines”).  Our advice has been primarily based on minimizing legal risk and complying with best practices.  A recently updated Frequently Asked Questions (“FAQ”) from the Office of Federal Contract Compliance Programs (“OFCCP”) provides further support for validating AI-based selection procedures in compliance with the Uniform Guidelines.

On July 23, 2019, the OFCCP updated the FAQ section on its website to provide guidance on the validation of employee selection procedures.  Under the Uniform Guidelines, any selection procedure resulting in a “selection rate for any race, sex, or ethnic group which is less than four-fifths (4/5) (or eighty percent) of the rate for the group with the highest rate will generally be regarded by Federal enforcement agencies as evidence of adverse impact,” which in turn requires the validation of the selection procedure.  These validation requirements are equally applicable to any AI-based selection procedure used to make any employment decision, including hiring, termination, promotion, and demotion.

As stated in the Uniform Guidelines, and emphasized in the FAQ, the OFCCP recognizes three methods of validation:

  1. Content validation – a showing that the content of the selection procedure is representative of important aspects of performance on the job in question;
  2. Criterion-related validation – production of empirical data demonstrating that the selection procedure is predictive or significantly correlated with important aspects of job performance; and
  3. Construct validation – a showing that the procedure measures the degree to which candidates possess identifiable characteristics that have been determined to be important in successful performance on the job.

With the exception of criterion-related validating studies, which can be “transported” from other entities under certain circumstances, the Uniform Guidelines require local validation at the employer’s own facilities.

If a selection procedure adversely impacts a protected group, the employer must provide evidence of validity for the selection procedure(s) that caused the adverse impact. Thus, it is crucial that employers considering the implementation of AI-based algorithms in the selection process both conduct adverse impact studies and be prepared to produce one or more validation studies.

The new FAQ also provides important guidelines on the statistical methods utilized by OFCCP in evaluating potential adverse impact. In accordance with the Uniform Guidelines, OFCCP will analyze the Impact Ratio – the disfavored group’s selection rate divided by the favored group’s selection rate. Any Impact Ratio of less than 0.80 (referred to as the “Four-Fifths Rule”) constitutes an initial indication of adverse impact, but OFCCP will not pursue enforcement without evidence of statistical and practical significance. For statistical significance, the OFCCP’s standard statistical tests are the Fisher’s Exact Test (for groups with fewer than 30 subjects) and the Two Independent-Sample Binomial Z-Test (for groups with 30 or more subjects).
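The screen described above, worked through in code as an added example (not from OFCCP, the Uniform Guidelines, or this blog): it computes the Impact Ratio, applies the 0.80 threshold, and then runs Fisher’s Exact Test or the two-sample binomial z-test depending on group size. The applicant counts are constructed sample data, and the choice to judge the 30-subject cutoff on the smaller group is an assumption the FAQ text here does not spell out.

```python
"""Adverse impact screen: Four-Fifths Rule on the Impact Ratio, then a
significance test chosen by group size (Fisher's exact test below 30
subjects, two independent-sample binomial z-test at 30 or more).
Standard library only, so it runs offline."""
from dataclasses import dataclass
from math import comb, erfc, sqrt


@dataclass(frozen=True)
class Group:
    """Applicants and selections for one demographic group."""
    name: str
    applicants: int
    selected: int

    @property
    def rate(self) -> float:
        return self.selected / self.applicants


def impact_ratio(disfavored: Group, favored: Group) -> float:
    """Disfavored group's selection rate divided by the favored group's rate.
    The caller identifies which group has the lower rate."""
    if favored.rate == 0:
        raise ValueError("favored group selected nobody; ratio undefined")
    return disfavored.rate / favored.rate


def fisher_exact_two_sided(a: int, b: int, c: int, d: int) -> float:
    """Two-sided Fisher's exact test on the 2x2 table
    [[disfavored selected, disfavored rejected],
     [favored selected,    favored rejected   ]].
    Sums the hypergeometric probability of every table at least as unlikely
    as the observed one, using exact integer weights to avoid rounding."""
    r1, r2, k = a + b, c + d, a + c          # row totals, selected total
    total = comb(r1 + r2, k)

    def weight(x: int) -> int:               # unnormalised P(x selected in row 1)
        return comb(r1, x) * comb(r2, k - x)

    observed = weight(a)
    extreme = sum(weight(x) for x in range(max(0, k - r2), min(r1, k) + 1)
                  if weight(x) <= observed)
    return extreme / total


def binomial_z_test(disfavored: Group, favored: Group):
    """Two independent-sample binomial z-test with a pooled proportion.
    Returns (z, two-sided p-value); p = 1.0 when the pooled rate is 0 or 1."""
    n1, n2 = disfavored.applicants, favored.applicants
    pooled = (disfavored.selected + favored.selected) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (disfavored.rate - favored.rate) / se
    return z, erfc(abs(z) / sqrt(2))


def adverse_impact_screen(disfavored: Group, favored: Group, alpha: float = 0.05) -> dict:
    """Four-Fifths Rule first, then the size-appropriate significance test.
    Assumption: the 30-subject cutoff is judged on the smaller group."""
    ratio = impact_ratio(disfavored, favored)
    if min(disfavored.applicants, favored.applicants) < 30:
        test = "fisher_exact"
        p = fisher_exact_two_sided(disfavored.selected, disfavored.applicants - disfavored.selected,
                                   favored.selected, favored.applicants - favored.selected)
    else:
        test = "binomial_z"
        _, p = binomial_z_test(disfavored, favored)
    return {"impact_ratio": ratio, "four_fifths_flag": ratio < 0.80,
            "test": test, "p_value": p, "statistically_significant": p < alpha}


# Constructed sample data (hypothetical applicant pools, not real employers).
SMALL_POOL = (Group("group A", 10, 2), Group("group B", 20, 12))   # ratio 0.33, Fisher
LARGE_POOL = (Group("group A", 40, 12), Group("group B", 60, 30))  # ratio 0.60, z-test

if __name__ == "__main__":
    for disfavored, favored in (SMALL_POOL, LARGE_POOL):
        print(disfavored.name, "vs", favored.name, adverse_impact_screen(disfavored, favored))
```

The small pool fails the Four-Fifths Rule but is not statistically significant at 0.05, which is exactly the situation where the FAQ says OFCCP would not pursue enforcement on the ratio alone; the large pool fails both.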

With the publication of this new FAQ, employers – and particularly federal contractors – should be sure to evaluate their use of AI-based algorithms and properly validate all selection procedures under the Uniform Guidelines.  Moreover, although not addressed in the OFCCP’s new FAQ, employers should also ensure that their AI-based algorithms are compliant with all other state and federal laws and regulations.  Additional recommendations from Epstein Becker & Green’s Artificial Intelligence strategic industry group can be found here and here.

Our colleagues Maxine Neuhauser, Nathaniel M. Glasser, Denise Dadika, & Anastasia A. Regne

Following is an excerpt:

In Wild, which we discussed in a recent client alert, plaintiff Justin Wild (“Wild”) alleged that his employer, Carriage Funeral Holdings (“Carriage Funeral”) failed to reasonably accommodate his disability (cancer) and unlawfully discharged him in violation of the LAD because he used medical marijuana, as legally permitted by CUMMA. Carriage Funeral terminated Wild’s employment after he tested positive for cannabis following an on-duty motor vehicle accident.

The trial court dismissed the lawsuit holding that the fact Wild tested positive for cannabis constituted a legitimate business reason for his discharge because cannabis use (medical or otherwise) remains prohibited under federal law. In rendering its decision the trial court relied on a provision in the law stating that CUMMA did not require employers to reasonably accommodate licensed use of medical marijuana in the workplace. The Appellate Division reversed, holding that the fact that CUMMA did not “require” employers to accommodate an employee’s use of medical marijuana in the workplace, did not affect an employer’s requirement under the LAD to reasonably accommodate an employee’s disability, which could include an employee’s off-duty and off-site use of medical cannabis. …

Read the full article here.