Our colleagues 

In Diaz, the plaintiff, who asserted she is visually impaired, alleged that the defendant – a supermarket chain based in Ohio – failed to make its website accessible to individuals who were blind. As a result, plaintiff claimed that she was unable to learn about certain products on the site, as well as promotions and coupons.

Defendant sought to dismiss the lawsuit on two grounds: (i) lack of subject matter jurisdiction, because its remediation of the barriers identified in the complaint rendered plaintiff’s claims moot; and (ii) lack of personal jurisdiction, because the Ohio-based defendant does not transact business in New York State, and accordingly, New York’s long-arm statute does not subject it to the court’s review.

Read the full post here.

A recent WSJ article about a private equity firm using AI to source investment opportunities by Laura Cooper presages a larger challenge facing employees and employers: AI tools do “the work of ‘several dozen humans’” “with greater accuracy and at lower cost.”  In the competitive and employee-dense financial services sector, AI tools can provide a competitive advantage.

Ms. Cooper cites San Francisco based Pilot Growth Equity Partners, one of a growing number of equity investment firms to utilize AI. Pilot Growth has developed “NavPod,” a “cloud based deal-sourcing and workflow tool” that displaces the need for employees to “comb through and cold-call” potential leads involved in deal sourcing.  While use of AI in this context could lead to some amount of job displacement, the article also notes that 90% of the work involved in deal sourcing can be done by computers, meaning 10% of the work remains with employees.  In some sense then, AI can be thought of as a way to augment the tools available to deal-sourcing employees, much in the way Excel was for investment bankers in the 1990s.

When considering implementing AI technology in this capacity, employers should be aware of the impact it can have on employee morale.

There are additional employment considerations as well.  As noted in Ms. Cooper’s article, the development of NavPod took two years of programming to create the first version of the AI tool.  Because the process took two years it is not unlikely that the company had to hire programmers to perform the coding and bug fixing.  There are also the attendant work-for-hire, IP protection, and non-compete issues in employing a programmer to create a niche AI tool, which gives a company a competitive advantage against other PE firms so long as that employee cannot take that knowledge across the street to a competitor.

In short, companies hoping to implement AI-solutions for their workplace should be aware of the host of employment-related issues the use of these technologies can create in the workplace.

We will be keeping an eye on this growing trend and will alert our readers to future financial sector AI developments.

Our Employee Benefits and Executive Compensation practice now offers on-demand “crash courses” on diverse topics. You can access these courses on your own schedule. Keep up to date with the latest trends in benefits and compensation, or obtain an overview of an important topic addressing your programs.

In each compact, 15-minute installment, a member of our team will guide you through a topic. This on-demand series should be of interest to all employers that sponsor benefits and compensation programs.

In our newest installment, Cassandra Labbees, an Associate in the Employee Benefits and Executive Compensation practice, in the New York office, presents on “Hot New Benefits.”

Benefits are a useful and necessary tool in the recruitment and retention of employees. As a result, new benefit options are continuously being developed and offered by employers. This 15-minute crash course will discuss a few of those new benefit options as well as the tax and public policy considerations that may impact which benefits employers choose to offer.

Click here to request complimentary access to the webinar recording and presentation slides.

On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese Nationals as members of a sophisticated hacking group responsible for the hack of Anthem, Inc. and other unnamed U.S. based large technology, communications and basic materials companies. The hack resulted in the breach of personally identifiable information of over 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap to advanced hacking attacks regularly faced by technology, healthcare and infrastructure organizations with valuable data to protect. The indictment serves as a reminder that organizations subject to advanced persistent threat from organized hacking groups should adopt a defense in depth strategy including workforce cybersecurity training, vulnerability scanning, network monitoring and comprehensive incident response plans to thwart or mitigate these attacks. These protective countermeasures should be part of the organization’s formalized information security program.

According to DOJ, the hackers are allegedly part of a sophisticated hacking group operating inside China targeting large businesses within the United States. The hackers allegedly picked their targets because they stored large amounts of confidential business information on their computer networks. The hackers used a combination of social engineering (i.e., spear phishing), backdoor malware, privilege escalation, and encrypted file transfers to attack the networks and steal personal and confidential business information.

The indictment highlights the sophisticated hacking techniques used by advanced hacking groups and the importance of adopting appropriate countermeasures as part of a strategy to anticipate, prevent, detect and respond to future similar attacks targeting any organization. Here are the key “take aways”:

  • Conduct rigorous workforce cybersecurity training to combat spear phishing and other social engineering attacks. The hackers reportedly sent specifically-tailored spear phishing emails with embedded hyperlinks to employees, which once clicked on, caused a malicious file to be downloaded which deployed malware enabling the hackers to gain remote access and command and control over the user’s computer. The targeting of specific employees using email as the delivery vehicle for malware is frequently the preferred method for delivering malicious files (e.g., the DNC hack). Training employees to recognize threats originating in emails and social media should be part of ongoing workforce training for this very reason. Organizations should regularly train employees, particularly executives and administrators with privileged access, to recognize spear phishing emails and sophisticated social engineering attacks.
  • Perform vulnerability scanning and adopt strong access controls and a formalized patching process to deter privilege escalation across the network. The indictment alleges that once the hackers gained access to the network through the spear phishing campaign, the hackers moved laterally to gain increasing ability to make changes in the network, sometimes patiently waiting months before taking further action. To mitigate the risk of privilege escalation, organizations should conduct frequent vulnerability scans to identify weaknesses in their networks and address them in a timely manner. Strong configuration management and formalized patching processes are also a defense to privilege escalation. Similarly, for administrator accounts with access to key domains or systems, adopt strong password requirements and multifactor authentication where appropriate and ensure that credentials are immediately disabled when the administrators leave the organization.
  • Secure and monitor the organization’s Domain Name System (DNS) to deter backdoor communications using command and control malware. The indictment alleges that the malware delivered by email enabled remote access to the victims’ computers. The hackers registered phony domains and set up command and control servers on the phony domains for the malware on the victims’ computer to report into. The indictment does not go into further detail as to the communications channel used by the malware, but it is not uncommon to use DNS for malicious command and control communications. Monitoring DNS traffic for known malicious domains is critical. Similarly, hardening an organization’s Domain Name System processes may deter command and control that abuses DNS. My recent prior blog post discusses the importance of DNS security.
  • Blacklist cloud based file sharing services and use systems to inspect and detect anomalous encrypted traffic. The hackers are alleged to have stolen the data by placing it into encrypted files and transmitting the encrypted files to multiple computers located in China. Some of the files were allegedly exfiltrated through use of a Citrix file sharing service. Malicious encryption will defeat inspection where an organization does not have visibility into the encrypted traffic. As described in the indictment, it is not unusual for hackers, including malicious insiders, to attempt to hide their data exfiltration using encryption. One defense is to inspect encrypted traffic. Another defense is to block access to file sharing cloud based services that may be used to exfiltrate data.
  • Play the long game because the hackers will. The indictment alleges that the hackers conducted intrusions across all the victims for nearly one year, from February 2014 to January 2015. According to the indictment, once inside the Anthem network, the hackers patiently searched the network for data of interest, purportedly ultimately stealing data of over 78 million persons, including names, health identification numbers, dates of birth, social security numbers, addresses, telephone numbers, email addresses, employment information and income data. The hackers identified Anthem’s data warehouse within the network, where a large amount of personally identifiable information was stored and then exfiltrated the information when the time was right. The defense here is to develop a cybersecurity strategy, strong internal processes, including workforce training and education, and enforce your information security program.
  • Adopt a detailed formalized incident response plan and practice, practice, practice. While the indictment does not discuss the preventative measures of the victims, even a well thought out and comprehensive defense in depth may not prevent a breach. For example, victimizing an employee through social engineering may defeat technical defenses in place. Having a detailed written incident response plan in place and training is critical, and an effective way to mitigate the harmful effects of any breach.
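
The DNS monitoring and file-sharing takeaways above can be combined into a single check over resolver query logs. The following is an added example, not part of the original post or the indictment; the log format, the watchlist domains and the function names are all constructed for illustration.

```python
from collections import Counter

# Constructed watchlists (assumptions, not indicators from the indictment).
C2_DOMAINS = {"login-update.example", "cdn-sync.test"}
FILE_SHARE_DOMAINS = {"sharefiles.example"}

# Constructed resolver log: "<ISO timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2019-05-09T10:00:01Z 10.0.4.17 www.intranet.example. A
2019-05-09T10:00:05Z 10.0.4.17 beacon.login-update.example. A
2019-05-09T10:00:09Z 10.0.4.22 notlogin-update.example. A
2019-05-09T10:01:30Z 10.0.7.3 upload.ShareFiles.example. AAAA
2019-05-09T10:02:00Z 10.0.4.17 LOGIN-UPDATE.example. TXT
malformed line
""".splitlines()


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def watchlist_hit(qname, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of.

    Matching is done on whole labels, so "notlogin-update.example" does not
    match "login-update.example" the way a plain string suffix test would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(lines, c2=C2_DOMAINS, file_share=FILE_SHARE_DOMAINS):
    """Return (findings, skipped): watchlist hits and the count of unparsable lines."""
    findings, skipped = [], 0
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            skipped += 1  # keep a count so parsing gaps are visible to the analyst
            continue
        ts, client, qname, qtype = parts
        for category, watchlist in (("c2", c2), ("file_share", file_share)):
            hit = watchlist_hit(qname, watchlist)
            if hit:
                findings.append({"time": ts, "client": client, "query": normalize(qname),
                                 "type": qtype, "category": category, "matched": hit})
    return findings, skipped


def hits_per_client(findings):
    """Count hits per (client, category) to show which hosts to triage first."""
    return Counter((f["client"], f["category"]) for f in findings)


if __name__ == "__main__":
    found, bad = scan_dns_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["client"], f["category"], f["query"])
    print("unparsable lines:", bad)
    print(dict(hits_per_client(found)))
```

Repeated hits from one internal host over days or weeks are the pattern to escalate, since the intrusions described above ran for months.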

As we wrote last month, the state of Washington passed legislation barring most inquiries into salary history by employers, as well as requiring employers to divulge salary bands for posted jobs.  On May 9, 2019, the governor of Washington, Jay Inslee, signed the bill, confirming the law statewide.  The law will take effect on July 28, 2019, and prior to that date, Washington employers should plan to amend any employment applications and hiring practices to conform to the new law.

Our colleagues 

As we previously reported, on April 9, 2019, the New York City Council passed Int. 1445-A, which prohibits employers from pre-employment drug testing for marijuana and tetrahydrocannabinols (“THC,” the active ingredient in marijuana). On May 10, 2019, Int. 1445-A became law by operation of the New York City legislative process, which automatically made the bill law after 30 days without action by Mayor de Blasio. The law becomes effective May 10, 2020, giving New York City employers one year to prepare.

Under the law, employers, labor organizations, and employment agencies, and all of their agents, are prohibited from requiring a prospective employee to submit to a marijuana or THC drug test as a condition of employment. This conduct is now characterized as an “unlawful discriminatory practice.” There are, however, several exceptions to the law. For example, the law will not apply to employees in the following roles: safety-related positions, transport-related positions, caregivers, and certain federal contractors. Further, to the extent that a collective bargaining agreement requires drug testing, the law will not apply to such testing. Please see our Act Now Advisory for further details related to these exceptions. …

Read the full post here.

With warmer weather quickly approaching, many employers are beginning to schedule happy hours, parties, softball games, and other off-site events that employees (and interns) look forward to attending. However, at offsite work events, employees might forget—or might not realize in the first place—that they are still in a workplace setting. This could result in unwelcome behavior, such as sexual harassment, which could leave an employer open to liability.

Under federal law, as well as the law of many states, cities, and municipalities, sexual harassment is considered a type of prohibited gender discrimination. New York City and New York State now require employers to provide their employees with anti-sexual harassment training. States such as California, Connecticut, Delaware, and Maine have similar requirements. Further, even where not required, case law and agency guidance recommend anti-harassment training in several other states. New York does require employers to establish policies against sexual harassment.

Employers should remind their employees that they remain subject to company policies at events outside the workplace.

No matter if harassment occurs at an outside work event or during normal business hours, employers should have clear policies and provide training so that employees are aware of applicable complaint procedures, and can bring any instance of potential sexual harassment to the employer’s attention.

While the summer can be a time for workplace comradery and other off-site events, employers should remember to make sure their employees are aware of their expectations to remain professional and to never engage in discriminatory or harassing behavior.

This tip is featured as Rule #7 in Halting Harassment’s Rules of the Road. Check out the rest of the Rules, and learn more about how Epstein Becker Green’s Halting Harassment e-learning course can help your organization foster a respectful and inclusive environment—both inside and outside the workplace.

On February 19, 2019, New Jersey Governor Phil Murphy signed into law A 3975 (“the Law”), which significantly expanded the state’s Family Leave Act (“NJFLA”), Family Leave Insurance Act (“NJFLI”), and Security and Financial Empowerment Act (“SAFE Act”).  We prepared an Act Now Advisory, summarizing the extensive changes made by the Law, including, among other things, expanding and making uniform the definition of “family member” for all three laws, and, effective June 1, 2019, extending the NJFLA to employers that have 30 or more employees.

In response to these amendments, the state recently issued an updated NJFLA poster, which may be accessed here and an updated NJFLI poster, which may be accessed here.  In addition, the NJDOL has posted updated FAQs regarding the NJFLI. The NJ Safe Act Poster has not yet been updated.

Washington State has begun implementing its new Paid Family & Medical Leave program (“PFML”). Other states, such as New Jersey, New York, and Rhode Island already have paid family and medical leave programs in place, and now Washington, Massachusetts and Washington, D.C. are set to join them over the next few years. Although the benefits portion of Washington’s program does not kick in until 2020, employers’ reporting and remitting of premiums for Quarters 1 and 2 are due between July 1 and July 31, 2019.

The Washington Employment Security Department (“ESD”), which will administer the PFML program, has provided a useful website that summarizes key components of the new statute. Beginning January 1, 2020, employees may collect benefits pursuant to the PFML for (i) their own serious health condition, (ii) to bond with a newborn child or a child placed for adoption or foster care, (iii) to care for a family member with a serious health condition, or (iv) for certain military-connected activities. Under the PFML, most employees will be eligible for a maximum of 12 weeks of partially paid leave.

Current Law Will Sunset

As the PFML becomes effective, Washington’s current Family Leave Act (“FLA”) will sunset on December 31, 2019. The PFML itself does not provide job-protected leave, so in order to receive job protection, employees must be covered under the federal Family and Medical Leave Act (“FMLA”).

Like the FMLA, the FLA provides 12 weeks of job-protected leave to employees who: (i) work for an employer who employs at least 50 workers within a 75-mile radius, (ii) work for 12 months for the employer, and (iii) work 1,250 hours in the prior 12 months.  Unlike the FMLA, however, the FLA permits employees to take family and medical leave to care for a domestic partner. Further, the FLA does not run concurrently with any period of pregnancy disability leave. As a result, an employee may be eligible for a period of leave for her own serious health condition due to pregnancy disability (which is covered by the FMLA), and then may be entitled to an additional 12 weeks of bonding time under the FLA. When the FLA sunsets, this leave for bonding will be partially paid but not job-protected. Notably, PFML benefits for birthmothers can reach up to 18 weeks (though only in circumstances where there is a serious pregnancy-related health condition that results in incapacity).

PFML Premium Collection and Important Dates

Generally, all Washington employees will be covered under the PFML law. Federal employers, federally-recognized tribes, and self-employed workers are not covered by the program; however, such tribes and self-employed workers may opt-in to participate and receive benefits. To qualify for PFML, employees must have worked for 820 hours or more in the first four of the last five completed calendar quarters. Employees who are covered by a collective bargaining agreement (“CBA”) that was in existence on or before October 19, 2017 are not subject to the PFML, and will not pay premiums for the PFML, until the CBA is reopened, renegotiated, or expires. Employers whose leave programs are comparable to or exceed the requirements of the state’s law may opt-out of the state program, and instead offer a voluntary plan.

Implementation of the program is already in progress, as employers were to begin collecting PFML premiums on January 1, 2019. Both employers and employees are responsible for the PFML premiums. The employee and employer split the medical leave premium and employees shoulder the family leave premium. Employers typically use payroll deductions to collect premiums from employees. For 2019, employee premiums are 0.4% of an employee’s gross wages (the ESD’s premium calculator is a helpful tool for determining premium amounts). The ESD will reassess the employee premium each year, based upon guidelines set by the commissioner of the ESD. Employers can opt to cover some or all of their employees’ share of the premiums. Importantly, companies with fewer than 50 employees in the state of Washington are not required to remit the employer-portion of the premiums, but must remit their employees’ premiums and report certain information, including employee wages and hours, to the ESD.

Employers’ reporting and remitting of premiums for Quarters 1 and 2 are due between July 1 and July 31, 2019. Note that if an employer did not start collecting premiums from employees on January 1, 2019, there is no penalty imposed by the ESD and the employer can, with one pay period advance notice, begin withholding employee premiums at any time. Employers may not, however, retroactively withhold premiums from employees, and employers are responsible for paying any missed employee premiums on behalf of those employees for whom premiums weren’t collected.

As the July 2019 deadline for reporting and remitting of premiums quickly approaches, employers should consider whether they are eligible for a voluntary plan exemption. The ESD began accepting voluntary plan applications on May 6, 2019, and employers can apply for their exemptions here. Employers that do not qualify for a voluntary plan should assess whether all the necessary elements for implementing the state plan are in place, including systems for collecting premiums and reporting employee information.

In an attempt to reduce the gender wage gap, the Washington State Legislature passed HB 1696 (“the Bill”), legislation that will prevent all private employers in Washington State from inquiring into the salary history of prospective employees or requiring that an applicant’s prior wage or salary history meet certain criteria.  Additionally, the Bill mandates that, upon an applicant’s request, an employer with 15 or more employees must provide the applicant with certain details about the pay rate or salary range for the open position.

If, as expected, the measure is signed into law by Governor Jay Inslee, the State of Washington will join an increasing number of jurisdictions (including New York City, California, and, most recently, Maine) that have imposed restrictions or bans on salary history inquiries. Similar to some of these other laws, the Bill allows an employer to confirm a prospective employee’s salary history (i) if the prospective employee has voluntarily disclosed his or her salary history, or (ii) after an offer of employment (including compensation) has been made to the prospective employee.

Unlike most of the other jurisdictions’ salary history inquiry bans, but similar to California’s, the Bill requires an employer with 15 or more employees, upon request by a prospective employee who has been offered the position, to disclose the minimum wage or salary range for that position.  Upon request of an employee offered an internal transfer to a new position or promotion, the employer must provide the wage scale or salary range for the employee’s new position. If no range exists (due to a lack of employees or otherwise), the employer must provide a minimum wage or salary expectation prior to the posting of the position, making a position transfer, or making a promotion.

If signed by Governor Inslee, the Bill would become effective 90 days after adjournment of the session in which the bill is passed, on July 28, 2019. Washington’s employers should plan to amend hiring practices to conform to the new Bill’s prohibitions.