In today’s day and age, it is widely understood that no one is safe from a data breach.  If you have been so fortunate as to escape fraudulent credit card purchases, data security breaches, or having your entire identity stolen, cybersecurity experts will tell you that it is no longer a matter of “if,” but “when” it will happen to you.  In response to national and international cybersecurity incidents during the past few years, state legislators in all 50 states (as well as the District of Columbia and several U.S. territories) have enacted data breach notification legislation that requires private entities to notify individuals of security breaches involving their personal identification information (“PII”).

State and federal judiciaries have also begun to weigh in on the issue of cybersecurity, particularly in the employment context and most recently in Pennsylvania, where the State’s Supreme Court held that employers have an affirmative duty to protect employee PII from cybersecurity incidents.  Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018).

Dittman arose out of a data breach of personal information at the University of Pittsburgh Medical Center (“UPMC”) that affected all of UPMC’s 62,000 current and former employees.  A class action was filed after employees’ names, birth dates, social security numbers, tax documents, and bank accounts were hacked and stolen from UPMC’s internet-accessible computer systems.  The data was then used to file fraudulent tax returns.  Alleging negligence and breach of implied contract, the Dittman plaintiffs argued that UPMC had a common law duty of care to protect their PII, particularly given the fact that UPMC had collected this data from them as a condition of their employment.  Based on UPMC’s failure to implement a data security program (including but not limited to sufficient firewall protection, authentication protocols, and encryption) and its failure to create proper processes or protocols to detect security breaches, the plaintiffs alleged that they incurred monetary damages.

The trial court dismissed the lawsuit, which Pennsylvania’s intermediate Superior Court affirmed.  In their decisions, the lower courts first declined to recognize a “new” common law duty by employers to protect employee PII, holding that the creation of such a duty was outside the province of the judiciary and should be left to the state legislature.  The lower courts also declined to expand Pennsylvania’s economic loss doctrine by allowing the plaintiffs to recover only economic damages without alleging any physical injury or property damage.

After granting discretionary review of the case, the Supreme Court of Pennsylvania reversed both of its lower courts in toto.  First, the Court determined that, as a threshold matter, it was not creating a “new” duty, but rather was “appl[ying] an existing duty to a novel factual scenario.” Second, the Court reasoned that UPMC engaged in affirmative conduct when it required the plaintiffs to submit their PII, which triggered a duty on UPMC’s part to exercise reasonable care to protect the employees from risk of harm.

The Court also rejected UPMC’s argument that it could not be liable under general tort law principles because the actions of the third party hacker were a superseding event (i.e. not foreseeable).  The Court agreed with the plaintiffs, and growing public consensus, that “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals” and a reasonable entity in UPMC’s position should have foreseen that “failure to use basic security measures could lead to exposure of the data and serious financial consequences…”

Lastly, with respect to the economic loss doctrine, the court confirmed that Pennsylvania law recognizes “purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than [in] contract law.”

Given the heightened scrutiny that is now paid to cybersecurity on the national and international stage, the Dittman decision is not completely unexpected.  Employers, both big and small, should take the decision as a lesson: employers who do not take reasonable steps to protect their employees’ data put themselves at risk of costly class action litigation.  Pennsylvania employers and employers elsewhere should take immediate steps to update and address critical gaps in insurance, procedures and I.T. services, not only to meet the duty of care, but also as good business practice to ensure that any eventual cybersecurity threat causes minimal disruption to business operations.

Under new federal regulations effective September 21, 2018, employers must now issue updated “Summary of Your Rights” forms mandated by the Fair Credit Reporting Act. In May 2018, Congress responded to several high-profile data breaches by passing the Economic Growth, Regulatory Relief and Consumer Protection Act (“Act”). The Act adds new language to the Summary of Your Rights Form, explaining that a consumer can obtain a “security freeze” locking his or her account so that a Credit Reporting Agency may not release information on a credit report without the consumer’s authorization. The language is intended to make it more difficult for identity thieves to fraudulently open an account in a consumer’s name. Consumers also have the option of placing an initial or extended fraud alert on their account free of cost.

The new form is effective immediately, and employers should begin using it now to avoid gaps in compliance. However, the new regulations do temporarily permit continued use of the old Summary of Your Rights forms, provided a separate page containing the newly required information (i.e. the security freeze and fraud coverage rights) is provided at the same time.

On Wednesday, the Senate confirmed Trump’s nominee, David Zatezalo, for a key employment-related position: Assistant Secretary of Labor for Mine Safety and Health Administration (MSHA). Mr. Zatezalo is the former Chief Executive Officer of the coal mining company, Rhino Resources.

Democratic Senators, including Joe Manchin from mining-heavy West Virginia, have publicly opposed Mr. Zatezalo’s confirmation, citing Rhino Resources’ MSHA violations under his leadership. Despite opposition, Mr. Zatezalo was confirmed to the position by a 52-46 vote along party lines, with all 52 Republican Senators voting to confirm Mr. Zatezalo. Mr. Zatezalo was approved by the Senate Committee on Health, Education, Labor and Pensions in October, also on party lines (12-11).

As the Assistant Secretary of Labor for Mine Safety and Health, Mr. Zatezalo will manage the MSHA, which regulates safety and health in all types of mines in the US. For more information on Mr. Zatezalo’s background and other key nominees refer to our previous post on his nomination.

Ten months after his election, President Trump has sent nominations to the Senate for a number of key positions, including four with significant importance in the employment area. David Zatezalo, the former Chief Executive Officer of coal mining company, Rhino Resources, is the nominee for the position of Assistant Secretary of Labor for Mine Safety and Health. In that role, he will manage the Mine Safety and Health Administration, which regulates safety and health in all types of mines in the US. He has extensive background as an underground coal miner and a coal executive, but no previous government experience. Mr. Zatezalo has criticized the Obama Administration’s approach to mine safety as being disconnected from working America. Since Rhino Resources had been cited by MSHA for violations, that history will likely be raised in Mr. Zatezalo’s confirmation hearings. Not surprisingly, the mining industry was supportive of the pick, expecting that it will herald an era of more cooperative and effective safety regulation, as contrasted with the punitive approach of the most recent administration, while labor interests have a more skeptical attitude. For more information, click here.

President Trump nominated Cheryl Stanton as Wage and Hour Administrator. If confirmed, she will head the Department of Labor’s Wage & Hour Division. This part of the DOL has responsibility for, among other things, overtime and minimum wage enforcement. A significant portion of this relates to the issue of whether workers are employees or independent contractors. Ms. Stanton is the Executive Director of the South Carolina Department of Employment and Workforce, and had worked in the George W. Bush White House as its liaison to the DOL, NLRB and EEOC. She practiced law with a management-side law firm before working for South Carolina.

A third DOL nominee is Katherine McGuire to serve as the DOL’s Assistant Secretary of Labor for Congressional and Intergovernmental Affairs. She is a veteran congressional aide, having worked for Sen. Mike Enzi and most recently for Rep. Randy Hultgren, and also spent several years in government relations with the Business Software Alliance. In her new role, she will support Secretary of Labor Acosta’s agenda in Congress and with state and local governments.

The fourth nomination may set a new tone for the federal government’s employment policy. The President has nominated the current Chief Human Resources and Strategy Officer at the Society for Human Resource Management (SHRM) to head the Office of Personnel Management. Jeff Tien Han Pon has experience with Booz Allen Hamilton as a consultant and has worked in the Federal Government as the Department of Energy’s Chief Human Capital Officer. Federal employment practices have come under increasing scrutiny as being outmoded, overly costly and impervious to improvements, so Mr. Pon’s position has the potential to be extremely important. He is the second nominee for the position. The first withdrew from consideration after the Senate received a letter of opposition from a coalition of federal employee unions. The new nominee is unlikely to be deterred by opposition from the unions that are benefitting from the current system.

While not in the employment field, the latest attack on arbitration as a sensible, fair and comparatively inexpensive and fast dispute resolution mechanism comes from the federal government. Until now, the federal level has been a primary supporter of arbitration, through the Federal Arbitration Act, which protects arbitration clauses in contracts affecting commerce from interference by states and local governments, and policies of agencies. Now, the Consumer Financial Protection Bureau has taken a provocative step hostile to the institution of arbitration. On Monday, July 10, it issued a Final Rule prohibiting banks and other financial institutions under the jurisdiction of the CFPB from using contracts that require individuals with disputes to arbitrate those disputes individually.

In addition, the Rule would require financial institutions to provide broad information about the number of arbitration cases filed, and the outcomes.

Characterizing arbitration provisions as “Contract Gotcha’s”, the CFPB relied upon a controversial study completed in 2015. The study reviewed available records of class actions, small claims actions and arbitration cases in 2010—2012, plus a survey. Many cases covered in the survey’s time period were not completed by the cut-off date, so their results were not included. There are substantial disagreements over the validity of the study and the “lessons” from the data it assembled. The CFPB, however, believes the study supports its conclusion that individual arbitration is unfair and abusive to consumers.

The CFPB’s effort to prevent financial institutions from prohibiting court-based class actions by consumers instead of arbitration is likely to draw a response from Congress. Employer and business groups have already urged Congress to begin the process of using the Congressional Review Act to overturn the Rule. The CRA process, if successful, would not only void this rule, but would also prevent the agency from issuing a similar rule in the future without authorization. In addition, the CFPB is currently subject to scrutiny from Congress and the Trump Administration due to its possibly unconstitutional independence from Congressional or Presidential oversight. See the Trump Administration’s Brief asserting unconstitutionality here. This new rulemaking effort may well result in a response from the Administration consisting of an attempt to remove the head of the CFPB, Richard Cordray (who is rumored to be considering a run for the office of Governor of Ohio in 2018 as a Democrat).

The new Rule from the CFPB may represent the first of many efforts to roll back the ability of businesses to manage their dispute resolution processes through arbitration, among other tools. It could, on the other hand, represent a last gasp of those who prefer the current system of class action litigation, where businesses and lawyers resolve cases with consumers receiving little or no real relief. https://cei.org/issues/class-action-fairness

After revisions in format and technology, we are proud to announce that the Labor & Employment Law Navigator Blog is back. The Navigator, written by experienced attorneys at Frantz Ward LLP, provides succinct information on new developments in the L&E space, cautionary tales for HR professionals, and helpful hints for navigating the increasingly hazardous shoals of the L&E world. Upcoming topics include overtime changes, medical marijuana, and OSHA reporting changes.

We have incorporated a more robust comment capacity to facilitate interactivity, so we look forward to hearing from you!

–Keith Ashmus


On May 16, 2016, the Equal Employment Opportunity Commission (“EEOC”) issued final regulations regarding employers’ use of wellness programs. Such programs seek to promote healthy behavior by employees, often through financial incentives such as reduced healthcare benefits premiums or reduced gym membership costs. The EEOC rules amend existing regulations under the Genetic Information Nondiscrimination Act of 2008 (“GINA”) and create new regulations under the Americans with Disabilities Act (“ADA”).


Based upon information received from a number of sources, it now appears that the Department of Labor’s controversial changes to the rules governing the white collar exemptions under the Fair Labor Standards Act will be finalized and published in the coming weeks – potentially as early as next week. Once published, it is expected that employers will have only 60 days before the new rules take effect.


In a ruling on a motion to dismiss, U.S. District Judge Arthur Spiegel found that the Cincinnati Public Schools could be forced to ignore a state law (H.B. 190, passed in 2007) that prohibited employment by schools of convicted felons and others convicted of drug offenses, no matter how long ago the offenses occurred. Cincinnati Board of Education Case 04-24-2013.pdf. One of the plaintiffs had been convicted of felonious assault and the other of acting as a go-between for the sale of a small amount of marijuana. Both were good employees, according to the school system, and would have been retained except for the state law.  There was no claim of intentional discrimination.  The district had to terminate ten employees under H.B. 190, and nine of them were African-American.

In these circumstances, Judge Spiegel ruled that the Board had no duty to follow H.B. 190, since “Title VII trumps state law.” He rejected the Board’s argument that state laws may only be disregarded if they “purport” to discriminate, as well as the contention that adverse impact had to be based on statewide statistics, not just on what had happened in one city. (In part, the reason for the statistical disparity in Cincinnati was that Cincinnati, unlike many other school districts, had been willing to hire minorities with criminal records.)

Because the ruling is on a motion to dismiss, it does not conclusively establish that the Public Schools discriminated, or that the plaintiffs are entitled to relief.  They still need to establish valid statistical evidence of a disparate impact and a lack of business necessity.  The outcome of those issues is fairly clearly foretold in Judge Spiegel’s order.  Employers in states where the legislators have passed laws limiting employment opportunities as collateral sanctions for criminal conduct will now have to worry whether they will be caught between state law and Title VII.  Whatever the outcome of a dispute over this issue, the employer will lose a great deal of time and money getting to any definite outcome.

According to this article from Politico, the cost of operating the health insurance exchanges, including the costs of providing subsidies to lower-income purchasers of coverage, will increase dramatically over prior estimates.  In part, this is because of the failure of some states to embrace the expansion of Medicaid.  The cost of Medicaid coverage is $3000 less than the cost of providing subsidies for private insurance on the exchanges, according to current estimates. If insurers then raise premium rates beyond current projections, the difference will grow, and the cost of running exchanges will accelerate. By 2021, the subsidies are now estimated to consume $606 Billion.