Our colleague Amanda M. Gomez 

Following is an excerpt:

Additionally, employers that can demonstrate a good faith effort through proactive measures to comply with the Act may be able to mitigate liability should a claim arise. Similar to “safe harbor” provisions in equal pay laws in Massachusetts and Oregon, such proactive measures should include regular audits of compensation practices. While these measures do not create a complete defense, employers that successfully present evidence of a “thorough and comprehensive pay audit” with the “specific goal of identifying and remedying unlawful pay disparities” may avoid liquidated damages. The key word here is “remedying”; employers that conduct pay audits, but then fail to take steps to correct unlawful pay discrepancies revealed by the audit, will not reap the benefits of the “safe harbor” defense and could instead find themselves without the proverbial port in a storm.

Notably, the Act goes further than most other comparable state wage discrimination laws by mandating notification to employees of employment opportunities. Employers must make reasonable efforts to provide notice of internal opportunities for promotion on the same calendar day the opening occurs. These announcements must disclose the hourly or salary compensation, or at the very least a pay range, as well as a description of benefits and other compensation being offered. Failure to comply with these provisions could result in fines of between $500 and $10,000 per violation. …

Read the full post here.

Increasingly companies are using third-party digital hiring platforms to recruit and select job applicants.  These products, explicitly or implicitly, promise to reduce or eliminate the bias of hiring managers in making selection decisions.  Instead, the platforms grade applicants based on a variety of purportedly objective factors.  For example, a platform may scan thousands of resumes and select applicants based on education level, work experience, or interests, or rank applicants based on their performance on an aptitude test – whatever data point(s) the platform has been trained to evaluate based on the job opening.

Video interviews constitute one type of product offered by certain digital hiring platforms.  Video interviews may be offered in a variety of forms – from live interviews conducted by a hiring manager but simultaneously recorded for future audiences, to recorded interviews conducted by the computer program, giving applicants a limited time (e.g., 30 seconds) to record an answer to each question.  In any recorded form, these digital hiring platforms use artificial intelligence (“AI”) to analyze an applicant’s answers.  AI may be used to analyze facial expressions or eye contact, or even the speed of an individual’s response, in order to evaluate the quality of an applicant’s answers.

Such products raise a host of legal issues, including questions about hidden biases, disparate impact, disability accommodation, and data privacy.

One state has taken an initial step to put employees on notice of the use of these products. The Illinois Assembly and Senate recently passed the Artificial Intelligence Video Interview Act, a bill that creates disclosure requirements for companies that utilize video interview technology that relies on AI.  Specifically, the bill, which is expected to be signed into law by Governor J.B. Pritzker but has enough votes in the legislature to survive a veto, requires an employer seeking to use AI-enabled video interviewing technology to do the following before hiring for an Illinois-based position:

  1. Notify each applicant before the interview that AI may be used to analyze the applicant’s video interview and consider the applicant’s fitness for the position;
  2. Provide each applicant with information before the interview explaining how the AI works and what general types of characteristics it uses to evaluate applicants; and
  3. Obtain prior consent from the applicant to be evaluated by the AI program.

The bill also requires employers to take steps to protect applicants’ privacy.  Under the bill, video interview recordings can only be shared “with persons whose expertise or technology is necessary in order to evaluate an applicant’s fitness for a position.”  In addition, upon request from the applicant, employers must destroy all copies of the videos (including backups) no later than 30 days after the applicant requests the company do so.  This destruction requirement may be burdensome for employers, who should work with the vendor to ensure proper storage and timely destruction of any such videos.  Employers should also be prepared for conflicts between this provision and legal requirements to maintain copies of relevant information if litigation relating to such information is reasonably anticipated.

Illinois has a history of passing expansive laws protecting employees’ privacy, such as its 2008 Biometric Information Privacy Act (“BIPA”).  BIPA was one of the first acts to require notification and consent in collecting employee biometric data, and now the Artificial Intelligence Video Interview Act appears to be a first-of-its-kind law in the nation with similar notification and consent procedures.  While BIPA was an often ignored statute for almost a decade, recently there has been a slew of litigation involving the statute.  The Artificial Intelligence Video Interview Act could result in a similar wave of lawsuits, provided the Act allows for a private right of action (which is not clear, as currently drafted).

Assuming Governor Pritzker signs the bill into law as written, there are many questions left unanswered.  For instance, the bill does not define what AI means.  It also does not provide guidance on the specific information an employer must provide to a candidate to satisfy its obligation to describe “how” it works.  The 30-day deletion requirement is similarly vague and may conflict with other legal, statutory and/or regulatory obligations.  Nevertheless, it is likely that Illinois’ Artificial Intelligence Video Interview Act will not be an outlier.  Other jurisdictions may quickly follow suit.  Accordingly, employers using AI technology for video interviewing should, at a minimum, start considering how to provide notice and obtain consent from applicants before conducting interviews.  Notably, however, compliance with this Illinois law will not absolve an employer from liability for a product that exhibits other legal deficiencies.  Employers are advised to consult with counsel before implementing any type of digital hiring platform.

Our colleagues 

In Diaz, the plaintiff, who asserted she is visually impaired, alleged that the defendant – a supermarket chain based in Ohio – failed to make its website accessible to individuals who were blind. As a result, plaintiff claimed that she was unable to learn about certain products on the site, as well as promotions and coupons.

Defendant sought to dismiss the lawsuit on two grounds: (i) lack of subject matter jurisdiction, because its remediation of the barriers identified in the complaint rendered plaintiff’s claims moot; and (ii) lack of personal jurisdiction, because the Ohio-based defendant does not transact business in New York State, and accordingly, New York’s long-arm statute does not subject it to the court’s review.

Read the full post here.

A recent WSJ article about a private equity firm using AI to source investment opportunities by Laura Cooper presages a larger challenge facing employees and employers: AI tools do “the work of ‘several dozen humans’” “with greater accuracy and at lower cost.”  In the competitive and employee-dense financial services sector, AI tools can provide a competitive advantage.

Ms. Cooper cites San Francisco based Pilot Growth Equity Partners, one of a growing number of equity investment firms to utilize AI. Pilot Growth has developed “NavPod,” a “cloud based deal-sourcing and workflow tool” that displaces the need for employees to “comb through and cold-call” potential leads involved in deal sourcing.  While use of AI in this context could lead to some amount of job displacement, the article also notes that 90% of the work involved in deal sourcing can be done by computers, meaning 10% of the work remains with employees.  In some sense then, AI can be thought of as a way to augment the tools available to deal-sourcing employees, much in the way Excel was for investment bankers in the 1990s.

When considering implementing AI technology in this capacity, employers should be aware of the impact it can have on employee morale.

There are additional employment considerations as well.  As noted in Ms. Cooper’s article, the development of NavPod took two years of programming to create the first version of the AI tool.  Because the process took two years, it is not unlikely that the company had to hire programmers to perform the coding and bug fixing.  There are also the attendant work-for-hire, IP protection, and non-compete issues in employing a programmer to create a niche AI tool, which gives a company a competitive advantage against other PE firms so long as that employee cannot take that knowledge across the street to a competitor.

In short, companies hoping to implement AI-solutions for their workplace should be aware of the host of employment-related issues the use of these technologies can create in the workplace.

We will be keeping an eye on this growing trend and will alert our readers to future financial sector AI developments.

Our Employee Benefits and Executive Compensation practice now offers on-demand “crash courses” on diverse topics. You can access these courses on your own schedule. Keep up to date with the latest trends in benefits and compensation, or obtain an overview of an important topic addressing your programs.

In each compact, 15-minute installment, a member of our team will guide you through a topic. This on-demand series should be of interest to all employers that sponsor benefits and compensation programs.

In our newest installment, Cassandra Labbees, an Associate in the Employee Benefits and Executive Compensation practice, in the New York office, presents on “Hot New Benefits.”

Benefits are a useful and necessary tool in the recruitment and retention of employees. As a result, new benefit options are continuously being developed and offered by employers. This 15-minute crash course will discuss a few of those new benefit options as well as the tax and public policy considerations that may impact which benefits employers choose to offer.

Click here to request complimentary access to the webinar recording and presentation slides.

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology, healthcare and infrastructure organizations with valuable data to protect. The indictment serves as a reminder that organizations subject to advanced persistent threat from organized hacking groups should adopt a defense in depth strategy including workforce cybersecurity training, vulnerability scanning, network monitoring and comprehensive incident response plans to thwart or mitigate these attacks. These protective countermeasures should be part of the organization’s formalized information security program.

According to DOJ, the hackers are allegedly part of a sophisticated hacking group operating inside China targeting large businesses within the United States. The hackers allegedly picked their targets because they stored large amounts of confidential business information on their computer networks. The hackers used a combination of social engineering (i.e., spear phishing), backdoor malware, privilege escalation, and encrypted file transfers to attack the networks and steal personal and confidential business information.

The indictment highlights the sophisticated hacking techniques used by advanced hacking groups and the importance of adopting appropriate countermeasures as part of a strategy to anticipate, prevent, detect and respond to future similar attacks targeting any organization. Here are the key “take aways”:

  • Conduct rigorous workforce cybersecurity training to combat spear phishing and other social engineering attacks. The hackers reportedly sent specifically-tailored spear phishing emails with embedded hyperlinks to employees, which once clicked on, caused a malicious file to be downloaded which deployed malware enabling the hackers to gain remote access and command and control over the user’s computer. The targeting of specific employees using email as the delivery vehicle for malware is frequently the preferred method for delivering malicious files (e.g., the DNC hack). Training employees to recognize threats originating in emails and social media should be part of ongoing workforce training for this very reason. Organizations should regularly train employees, particularly executives and administrators with privileged access, to recognize spear phishing emails and sophisticated social engineering attacks.
  • Perform vulnerability scanning and adopt strong access controls and a formalized patching process to deter privilege escalation across the network. The indictment alleges that once the hackers gained access to the network through the spear phishing campaign, the hackers moved laterally to gain increasing ability to make changes in the network, sometimes patiently waiting months before taking further action. To mitigate the risk of privilege escalation, organizations should conduct frequent vulnerability scans to identify weaknesses in their networks and address them in a timely manner. Strong configuration management and formalized patching processes are also a defense to privilege escalation. Similarly, for administrator accounts with access to key domains or systems, adopt strong password requirements and multifactor authentication where appropriate and ensure that credentials are immediately disabled when the administrators leave the organization.
  • Secure and monitor the organization’s Domain Name System (DNS) to deter backdoor communications using command and control malware. The indictment alleges that the malware delivered by email enabled remote access to the victims’ computers. The hackers registered phony domains and set up command and control servers on the phony domains for the malware on the victims’ computer to report into. The indictment does not go into further detail as to the communications channel used by the malware, but it is not uncommon to use DNS for malicious command and control communications. Monitoring DNS traffic for known malicious domains is critical. Similarly, hardening an organization’s Domain Name System processes may deter command and control that abuses DNS. My recent prior blog post discusses the importance of DNS security.
  • Blacklist cloud based file sharing services and use systems to inspect and detect anomalous encrypted traffic. The hackers are alleged to have stolen the data by placing it into encrypted files and transmitting the encrypted files to multiple computers located in China. Some of the files were allegedly exfiltrated through use of a Citrix file sharing service. Malicious encryption will defeat inspection where an organization does not have visibility into the encrypted traffic. As described in the indictment, it is not unusual for hackers, including malicious insiders, to attempt to hide their data exfiltration using encryption. One defense is to inspect encrypted traffic. Another defense is to block access to file sharing cloud based services that may be used to exfiltrate data.
  • Play the long game because the hackers will. The indictment alleges that the hackers conducted intrusions across all the victims for nearly one year, from February 2014 to January 2015. According to the indictment, once inside the Anthem network, the hackers patiently searched the network for data of interest, purportedly ultimately stealing data of over 78 million persons, including names, health identification numbers, dates of birth, social security numbers, addresses, telephone numbers, email addresses, employment information and income data. The hackers identified Anthem’s data warehouse within the network, where a large amount of personally identifiable information was stored and then exfiltrated the information when the time was right. The defense here is to develop a cybersecurity strategy, strong internal processes, including workforce training and education, and enforce your information security program.
  • Adopt a detailed formalized incident response plan and practice, practice, practice. While the indictment does not discuss the preventative measures of the victims, even a well thought out and comprehensive defense in depth may not prevent a breach. For example, victimizing an employee through social engineering may defeat technical defenses in place. Having a detailed written incident response plan in place and training is critical, and an effective way to mitigate the harmful effects of any breach.

As we wrote last month, the state of Washington passed legislation barring most inquiries into salary history by employers, as well as requiring employers to divulge salary bands for posted jobs.  On May 9, 2019, the governor of Washington, Jay Inslee, signed the bill, confirming the law statewide.  The law will take effect on July 28, 2019, and prior to that date, Washington employers should plan to amend any employment applications and hiring practices to conform to the new law.

Our colleagues 

As we previously reported, on April 9, 2019, the New York City Council passed Int. 1445-A, which prohibits employers from pre-employment drug testing for marijuana and tetrahydrocannabinols (“THC,” the active ingredient in marijuana). On May 10, 2019, Int. 1445-A became law by operation of the New York City legislative process, which automatically made the bill law after 30 days without action by Mayor de Blasio. The law becomes effective May 10, 2020, giving New York City employers one year to prepare.

Under the law, employers, labor organizations, and employment agencies, and all of their agents, are prohibited from requiring a prospective employee to submit to a marijuana or THC drug test as a condition of employment. This conduct is now characterized as an “unlawful discriminatory practice.” There are, however, several exceptions to the law. For example, the law will not apply to employees in the following roles: safety-related positions, transport-related positions, caregivers, and certain federal contractors. Further, to the extent that a collective bargaining agreement requires drug testing, the law will not apply to such testing. Please see our Act Now Advisory for further details related to these exceptions. …

Read the full post here.

With warmer weather quickly approaching, many employers are beginning to schedule happy hours, parties, softball games, and other off-site events that employees (and interns) look forward to attending. However, at offsite work events, employees might forget—or might not realize in the first place—that they are still in a workplace setting. This could result in unwelcome behavior, such as sexual harassment, which could leave an employer open to liability.

Under federal law, as well as the law of many states, cities, and municipalities, sexual harassment is considered a type of prohibited gender discrimination. New York City and New York State now require employers to provide their employees with anti-sexual harassment training. States such as California, Connecticut, Delaware, and Maine have similar requirements. Further, even where not required, case law and agency guidance recommend anti-harassment training in several other states. New York does require employers to establish policies against sexual harassment.

Employers should remind their employees that they remain subject to company policies at events outside the workplace.

No matter if harassment occurs at an outside work event or during normal business hours, employers should have clear policies and provide training so that employees are aware of applicable complaint procedures, and can bring any instance of potential sexual harassment to the employer’s attention.

While the summer can be a time for workplace comradery and other off-site events, employers should remember to make sure their employees are aware of their expectations to remain professional and to never engage in discriminatory or harassing behavior.

This tip is featured as Rule #7 in Halting Harassment’s Rules of the Road. Check out the rest of the Rules, and learn more about how Epstein Becker Green’s Halting Harassment e-learning course can help your organization foster a respectful and inclusive environment—both inside and outside the workplace.

On February 19, 2019, New Jersey Governor Phil Murphy signed into law A 3975 (“the Law”), which significantly expanded the state’s Family Leave Act (“NJFLA”), Family Leave Insurance Act (“NJFLI”), and Security and Financial Empowerment Act (“SAFE Act”).  We prepared an Act Now Advisory, summarizing the extensive changes made by the Law, including, among other things, expanding and making uniform the definition of “family member” for all three laws, and, effective June 1, 2019, extending the NJFLA to employers that have 30 or more employees.

In response to these amendments, the state recently issued an updated NJFLA poster, which may be accessed here, and an updated NJFLI poster, which may be accessed here.  In addition, the NJDOL has posted updated FAQs regarding the NJFLI. The NJ Safe Act Poster has not yet been updated.