Our colleague  at Epstein Becker Green has a post on the Health Law Advisor blog that will be of interest to our readers in the technology industry: “NIST Seeks Comments on Cybersecurity Standards for Patient Imaging Devices.”

Following is an excerpt:

The National Institute of Standards and Technology (“NIST) has announced that it will be seeking industry input on developing “use cases” for its framework of cybersecurity standards related to patient imaging devices. NIST, a component of the Department of Commerce, is the agency assigned to the development and promulgation of policies, guidelines and regulations dealing with cybersecurity standards and best practices.  NIST claims that its cybersecurity program promotes innovation and competitiveness by advancing measurement science, standards, and related technology in ways that enhance economic security and quality of life. Its standards and best practices address interoperability, usability and privacy continues to be critical for the nation. NIST’s latest announcement is directed at eventually providing security guidance for the healthcare sector’s most common uses of data, inasmuch as that industry has increasingly come under attack. …

Read the full post here.

As 2017 comes to a close, recent headlines have underscored the importance of compliance and training. In this Take 5, we review major workforce management issues in 2017, and their impact, and offer critical actions that employers should consider to minimize exposure:

  1. Addressing Workplace Sexual Harassment in the Wake of #MeToo
  2. A Busy 2017 Sets the Stage for Further Wage-Hour Developments
  3. Your “Top Ten” Cybersecurity Vulnerabilities
  4. 2017: The Year of the Comprehensive Paid Leave Laws
  5. Efforts Continue to Strengthen Equal Pay Laws in 2017

Read the full Take 5 online or download the PDF.

Our colleague Michelle Capezza of Epstein Becker Green authored an article in Confero, titled “Managing Employee Benefits in the Face of Technological Change.”

Following is an excerpt – click here to download the full article in PDF format:

There are many employee benefits challenges facing employers today, from determining the scope and scale of traditional benefits programs to offer that will attract, motivate and retain multigenerational employees, to embracing new models for defining and providing benefits, while simultaneously managing costs. In the midst of these challenges is the wave of technological change that is impacting all areas of the workplace, including human resources and benefits. In recent years, many new technological tools have emerged to aid in the administration of benefit plans, delivery of participation communications, as well as provide education and advice. These tools often require collection of sensitive data or allow employees to provide personal information in an interactive environment, such as:

  • Benefits, HR and payroll software, and plan recordkeeping, systems
  • Online and mobile applications for benefits enrollment and benefits selection assistance
  • Social media tools and applications for benefits information and education
  • Online investment allocation tools, robo advisors, financial platforms
  • Telehealth and wellness programs

These and other advancements are a sign of the times. While they appeal to employees, reduce burdens on employers, and assist in driving down program costs, organizations must be mindful that cyberattacks on benefit plans and participant information have occurred and measures should be taken to protect against such data breaches.

New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018 and have in place a written cybersecurity program by April 4, 2018. The program must identify and assess internal and external cybersecurity risks that may threaten non-public information, including personally identifying consumer information. The program must include provisions that address data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, as well as other mandated areas.

Because the elements required to be addressed in the program are comprehensive, credit reporting agencies should begin the process of developing the program now to meet the April 4, 2018 deadline. Once the program is in place, moreover, the regulations also mandate phase in implementation dates for additional minimum protective standards that must be met.  These include requirements for annual penetration testing, bi-annual vulnerability assessments, limitations on data retention, encryption of non-public information and system generated audit trails to detect and respond to cybersecurity events.

Each agency must conduct a risk assessment of its information systems to include criteria for the evaluation and categorization of identified internal and external threats facing the organization. The risk assessment must describe how identified risks will be mitigated or accepted and how the program will address those risks.  Significantly, the risk assessment must not only address external hacking threats, but also require the identification and mitigation of risks posed by employees and other insiders, such as trusted vendors and independent contractors.  For example, employees who remotely access internal networks must be subject to multi-factor authentication or other “reasonably equivalent or more secure access controls.”

Each organization must also designate a qualified person as a Chief Information Security Officer responsible for implementation and enforcement of the program. The CISO will ultimately be responsible for responding to requests for “examination by the Superintendent of Financial Services as often as the Superintendent may deem it necessary.”  There are also breach notification requirements, as well as a mandate that the Board of Directors or a Senior Officer annually certify compliance with the cybersecurity regulations.  Failure to comply may result in revocation of the agency’s authorization to do business with New York’s regulated financial institutions and consumers.

Stay tuned to whether New York State’s call to action takes hold across the nation. In the meantime, you may find the governor’s press announcement by clicking here.

A New Year and a New Administration: Five Employment, Labor & Workforce Management Issues That Employers Should MonitorIn the new issue of Take 5, our colleagues examine five employment, labor, and workforce management issues that will continue to be reviewed and remain top of mind for employers under the Trump administration:

Read the full Take 5 online or download the PDF. Also, keep track of developments with Epstein Becker Green’s new microsite, The New Administration: Insights and Strategies.

Michelle Capezza of Epstein Becker & Green  recently returned from the TechAmerica DC Fly-in held February 10th and 11th in Washington, D.C., a Tech Policy Summit that brought together members of technology councils, business leaders and academicians from across the country to discuss various policies and legislation impacting today’s technology companies and our economy.    As a member of the New Jersey Technology Council and an NJTC Ambassador, Michelle joined the NJTC delegation for this summit which included James Barrood (President and CEO-NJTC), Karen Lisnyj (Government Affairs-NJTC), Kevin M. Pianko, CPA (Partner, Weiser Mazars), James C. Bourke, CPA (Partner, WithumSmith+Brown), Stuart Hanebuth (Vice President, Power Survey Company), Richard Napoli (CEO, ObjectFrontier, Inc.) and Venu Myneni, CEO Radiant Systems, Inc.  Following a briefing regarding various policy initiatives, our delegation had the opportunity to meet with New Jersey Representatives in the House and Senate to discuss these policies, including Senator Cory A. Booker, Congressman Leonard Lance, Congressman Scott Garrett and staff for Congresswoman Bonnie Watson Coleman, Congressman Frank Pallone, Jr., Congressman Donald M. Payne, Jr., Congressman Frank A. LoBiondo, Congressman Rodney P. Frelinghuysen, and Congressman Christopher H. Smith.  The following are a few of the important policy priorities that were discussed and debated during the Tech Policy Summit:

High-Skilled Immigration Reform and Skills for the 21st Century Workforce.  Recognizing the need for high-skilled workers in the technology industry, delegations addressed bills such as the Immigration Innovation or “I-Squared” Act of 2015 (see our January 22, 2015 blog post Current Visa Caps Hold for 2015 but Bills Introduced to Loosen Restrictions on High-Skilled Guest Workers by Patrick Lucignani).  Problematically, many foreign students are educated at U.S. institutions but are unable to remain in the U.S. and work, and they return to their home countries taking their knowledge and skills with them.  Further, more American students need to embark on STEM careers and it is imperative to increase education and training for the high skilled jobs of tomorrow.  Since it will take many years to improve the educational system and guide American students to these careers, delegations advocated for high-skilled immigration reform to meet immediate demands.  Whether this can become a reality will depend on whether this issue can be separated from more comprehensive immigration reform which is being debated in Congress.

Cybersecurity/Threat data sharing and a Federal data breach notification law.  Recognizing that economic expansion rests on the creation of new and innovative business models that leverage internet-based platforms that are trusted, secure and accessible, there is an imminent need for common sense data and cybersecuity policies.  Delegations advocated for enhanced national cybersecurity and critical infrastructure protection through support for an environment that fosters real time threat sharing between the government and private sector, an incentive-based voluntary approach to cybersecurity to develop a framework that utilizes industry best practices and promotes voluntary adoption.  In addition, a national standard is needed for data breach notification that preempts state laws and provides greater penalties for cybercriminals to deter and combat bad actors and punish criminals.  It is anticipated that legislation in this regard will be introduced this year.

Availability and delivery of high speed broadband communications.  It is becoming increasingly important to keep the internet open and encourage deployment of new, faster broadband to ensure innovation, economic growth and social interaction, especially to geographic areas that could benefit from increased development.  Delegations advocated for policies to make more spectrum available for licensed and unlicensed use and encourage incentives for government spectrum users to share, sell or lease their spectrum.

Internet Tax Freedom Act (ITFA).  Since its enactment in 1998, the ITFA has banned federal, state and local governments from taxing internet access charges and multiple taxes on electronic commerce.  However, this moratorium is set to expire on October 1, 2015.  Delegations advocated for a permanent ban on taxation of internet access charges as provided in H.R. 235.

The tech sector clearly favors passing of law and other legal reforms that will spur economic growth, create and protect jobs, reform our immigration policies, protect privacy and security and improve educational systems.  Developments on these issues will be watched closely by Epstein Becker Green attorneys in its workplace management, immigration, litigation and regulatory practice groups who can assist businesses navigate these issues as they evolve.