In today’s day and age, it is widely understood that no one is safe from a data breach.  If you have been so fortunate as to escape fraudulent credit card purchases, data security breaches, or having your entire identity stolen, cybersecurity experts will tell you that it is no longer a matter of “if,” but “when” it will happen to you.  In response to national and international cybersecurity incidents during the past few years, state legislators in all 50 states (as well as the District of Columbia and several U.S. territories) have enacted data breach notification legislation that requires private entities to notify individuals of security breaches involving their personal identification information (“PII”).

State and federal judiciaries have also begun to weigh in on the issue of cybersecurity, particularly in the employment context and most recently in Pennsylvania, where the State’s Supreme Court held that employers have an affirmative duty to protect employee PII from cybersecurity incidents.  Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018).

Dittman arose out of a data breach of personal information at the University of Pittsburgh Medical Center (“UPMC”) that affected all of UPMC’s 62,000 current and former employees.  A class action was filed after employees’ names, birth dates, social security numbers, tax documents, and bank accounts were hacked and stolen from UPMC’s internet-accessible computer systems.  The data was then used to file fraudulent tax returns.  Alleging negligence and breach of implied contract, the Dittman plaintiffs argued that UPMC had a common law duty of care to protect their PII, particularly given the fact that UPMC had collected this data from them as a condition of their employment.  Based on UPMC’s failure to implement a data security program (including but not limited to sufficient firewall protection, authentication protocols, and encryption) and its failure to create proper processes or protocols to detect security breaches, the plaintiffs alleged that they incurred monetary damages.

The trial court dismissed the lawsuit, which Pennsylvania’s intermediate Superior Court affirmed.  In their decisions, the lower courts first declined to recognize a “new” common law duty by employers to protect employee PII, holding that the creation of such a duty was outside the province of the judiciary and should be left to the state legislature.  The lower courts also declined to expand Pennsylvania’s economic loss doctrine by allowing the plaintiffs to recover only economic damages without alleging any physical injury or property damage.

After granting discretionary review of the case, the Supreme Court of Pennsylvania reversed both of its lower courts in toto.  First, the Court determined that, as a threshold matter, it was not creating a “new” duty, but rather was “appl[ying] an existing duty to a novel factual scenario.” Second, the Court reasoned that UPMC engaged in affirmative conduct when it required the plaintiffs to submit their PII, which triggered a duty on UPMC’s part to exercise reasonable care to protect the employees from risk of harm.

The Court also rejected UPMC’s argument that it could not be liable under general tort law principles because the actions of the third party hacker were a superseding event (i.e. not foreseeable).  The Court agreed with the plaintiffs, and growing public consensus, that “troves of electronic data stored on internet-accessible computers held by large entities are obvious targets for cyber criminals” and a reasonable entity in UPMC’s position should have foreseen that “failure to use basic security measures could lead to exposure of the data and serious financial consequences…”

Lastly, with respect to the economic loss doctrine, the court confirmed that Pennsylvania law recognizes “purely economic losses are recoverable in a variety of tort actions,” and that “a plaintiff is not barred from recovering economic losses simply because the action sounds in tort rather than [in] contract law.”

Given the heightened scrutiny that is now paid to cybersecurity on the national and international stage, the Dittman decision is not completely unexpected.  Employers, both big and small, should take the decision as a lesson: employers who do not take reasonable steps to protect their employees’ data put themselves at risk of costly class action litigation.  Pennsylvania employers and employers elsewhere should take immediate steps to update and address critical gaps in insurance, procedures and I.T. services – not only to meet the duty of care, but also as good business practice, so that any eventual cybersecurity threat causes minimal disruption to business operations.

In what should be viewed as a victory for employers, the United States Circuit Court of Appeals for the Eleventh Circuit recently issued a decision limiting the scope of OSHA inspections. United States v. Mar-Jac Poultry, Inc., No. 16-17745 (11th Cir. 2018).

In February 2016, an employee at Mar-Jac’s poultry processing facility was severely burned and hospitalized after attempting to repair an electrical panel.  Within days of Mar-Jac reporting the injury to OSHA, OSHA compliance officers visited Mar-Jac’s facility.  OSHA sought to inspect not only the accident site, but Mar-Jac’s entire facility.  Mar-Jac gave limited consent to inspection of the electrical accident site, but refused to permit inspection of any additional areas.

OSHA’s limited inspection revealed additional potential violations of electrical safety, personal protective equipment, machine guarding and other standards. OSHA also determined that the injuries reported on Mar-Jac’s OSHA 300 logs suggested additional possible violations covered by an OSHA Regional Emphasis Program (“REP”) that permits random “programmed” inspection of such facilities based on neutral criteria.

OSHA sought an administrative warrant from a federal magistrate judge to expand its inspection, arguing that it had probable cause to conduct a top-to-bottom inspection on three grounds: (1) the OSHA compliance officers had personally observed additional hazards during their limited inspection, (2) the OSHA 300 logs revealed additional potential hazards, and (3) probable cause existed to conduct a programmed inspection based on OSHA’s Poultry REP.  The District Court quashed the warrant, and OSHA appealed.

On appeal, OSHA argued that the District Court erred by applying a more stringent standard which purports to require OSHA to show that employees had been injured as a result of suspected violations.  OSHA also argued that the District Court conflated the terms “hazard” and “violation” and that OSHA had presented reasonable suspicion of additional violations based on Mar-Jac’s OSHA 300 logs.

The 11th Circuit affirmed the District Court’s ruling.  First, the Court held that the District Court correctly applied the reasonable suspicion standard and simply found that OSHA did not establish reasonable suspicion to inspect for the additional suspected hazards. Second, the Court rejected OSHA’s argument that “because there was an injury, there must have been a hazard, and because there was a hazard, there is likely a violation to be found.”  Rather, the Court affirmed that “the existence of a ‘hazard’ does not necessarily establish the existence of a ‘violation,’” and that OSHA must, when applying for a warrant, demonstrate reasonable suspicion that a violation (not simply a hazard) exists.  Finally, after reviewing Mar-Jac’s OSHA 300 logs, the Court determined that the injury descriptions were vague and showed no common thread sufficient to justify a comprehensive inspection.

Mar-Jac (1) reinforces the notion that there are limits on OSHA’s inspection authority and (2) confirms the right of employers to limit consent to inspect or to challenge a warrant. OSHA cannot expand an accident-based inspection simply because of an emphasis program, injuries recorded on an OSHA 300 log, or the mere existence of a hazard. So, if faced with a request by OSHA to expand the scope of an accident-based inspection, employers should contact counsel immediately to determine an appropriate response.

On October 11, 2018, the Occupational Safety and Health Administration (OSHA) issued a memorandum clarifying its position regarding safety incentive programs and post-incident drug testing.

Two years ago, in October 2016, OSHA issued a memorandum that prohibited drug testing employees who reported injuries or illness unless there was an “objectively reasonable basis” for doing so. The rationale was that blanket post-accident drug and alcohol testing violated OSHA’s anti-retaliation provisions. OSHA’s prior guidance also implied that safety incentive programs were unlawful and could create a chilling effect and deter employees from reporting work-related injuries and illnesses.

With respect to post-incident drug testing, OSHA’s most recent memorandum clarifies that “most instances of workplace drug testing are permissible.” The memo specifically includes the following as types of drug testing policies that are not violative of OSHA’s anti-retaliation provisions:

  • Random drug testing;
  • Drug testing unrelated to the reporting of a work-related injury or illness;
  • Drug testing under a state workers’ compensation law;
  • Drug testing under other federal law, such as a U.S. Department of Transportation rule; and
  • Drug testing to evaluate the root cause of a workplace incident that caused injury or could have caused injury to employees. In this circumstance, employers must test all the employees whose conduct could have contributed to the incident, not just employees who made reports.

With respect to safety incentive programs, OSHA’s recent memorandum acknowledges that many safety programs do, in fact, promote workplace safety and health, including rate-based safety incentive programs focused on reducing the number of work-related injuries and illnesses as well as programs rewarding employees for reporting near-misses or workplace hazards. OSHA now takes the position that safety incentive programs are only retaliatory and unlawful if they seek to “penalize an employee for reporting a work-related injury or illness rather than for the legitimate purpose of promoting workplace safety and health.”

Employers should regularly review and update their safety incentive programs and drug testing policies to ensure compliance with the new OSHA guidance and business objectives, but now can be much more comfortable that legitimate safety incentive programs and post-accident drug testing policies will not result in citations.

Under new federal regulations effective September 21, 2018, employers must now issue updated “Summary of Your Rights” forms mandated by the Fair Credit Reporting Act. In May 2018, Congress responded to several high-profile data breaches by passing the Economic Growth, Regulatory Relief and Consumer Protection Act (“Act”). The Act adds new language to the Summary of Your Rights Form, explaining that a consumer can obtain a “security freeze” locking his or her account so that a Credit Reporting Agency may not release information on a credit report without the consumer’s authorization. The language is intended to make it more difficult for identity thieves to fraudulently open an account in a consumer’s name. Consumers also have the option of placing an initial or extended fraud alert on their account free of cost.

The new form is effective immediately, and employers should begin using it now to avoid gaps in compliance. However, the new regulations do temporarily permit continued use of the old Summary of Your Rights forms, provided a separate page containing the newly required information (i.e. the security freeze and fraud coverage rights) is provided at the same time.

In a 7-2 decision yesterday, the U.S. Supreme Court issued a ruling in favor of a Colorado baker who refused to bake a custom wedding cake for a same-sex couple based on his devout Christian beliefs. Masterpiece Cakeshop, Ltd. v. Colorado Civil Rights Commission, No. 16-111 (June 4, 2018). Although the case received heightened media coverage because of potential equal protection and public accommodation repercussions, the Court’s decision largely avoided the constitutional question of whether the First Amendment’s free exercise and free expression clauses protected the baker’s right to deny services to same-sex couples. The majority (comprised of Justices Roberts, Kennedy, Breyer, Alito, Kagan and Gorsuch) focused, instead, on the Colorado Civil Rights Commission’s failure to provide the baker with religious neutrality and due process during its adjudication process.

The dispute began when Charlie Craig and David Mullins, a same-sex couple, came into Jack Phillips’ cake shop with Craig’s mother Deb to order a wedding cake. Phillips refused to create a custom cake for the couple, citing his religious beliefs. The couple filed a Complaint with the Colorado Civil Rights Commission, which concluded that Phillips violated the Colorado Anti-Discrimination Act and that the First Amendment did not permit Phillips to refuse his services to the couple. Phillips argued that the Commission’s decision, as well as the subsequent state court Order affirming the ruling, violated Phillips’ First Amendment protections.

Justice Kennedy, once again a critical voice and vote in what could have been a politically fractured outcome, wrote for the majority, focusing largely on the religious bias demonstrated by the Commission against Phillips: “The Commission’s hostility was inconsistent with the First Amendment’s guarantee that our laws be applied in a manner that is neutral toward religions. Phillips was entitled to a neutral decision-maker who would give full and fair consideration to his religious objection as he sought to assert it in all of the circumstances in which this case was presented, considered, and decided.” Justice Kennedy also reiterated, however, that “Our society has come to the recognition that gay persons and gay couples cannot be treated as social outcasts or as inferior in dignity and worth. For that reason the laws and the Constitution can, and in some instances must, protect them in the exercise of their civil rights. The exercise of their freedom on terms equal to others must be given great weight and respect by the courts.” The Court underscored the delicate and balanced approach that must be taken by future courts in deciding these core constitutional questions: “The outcome of cases like this in other circumstances must await further elaboration in the courts, all in the context of recognizing that these disputes must be resolved with tolerance, without undue disrespect to sincere religious beliefs, and without subjecting gay persons to indignities when they seek goods and services in an open market.”

The takeaway for employers, whether places of public accommodation or not, is that non-discrimination obligations remain intact after this decision.

Thanks to a recent federal appellate court decision, OSHA now has even more leeway to issue costly repeat citations to employers. As many employers know, there are different classifications for civil violations of OSHA regulations, including other-than-serious, serious, repeat, and willful. Penalties, both monetary and non-monetary, increase with higher classification levels. OSHA recently increased the maximum penalty for repeat violations to $129,336, and additional increases to the maximum penalty are expected.

At this year’s National Safety Council (NSC) Congress & Expo in Indianapolis, OSHA’s Deputy Director of Enforcement Programs announced its preliminary list of the top ten citations issued for fiscal year 2017. OSHA’s top 10 violations for 2017 are as follows:

  1. Fall Protection in Construction (29 CFR 1926.501) 6,072 violations
    Frequently violated requirements include unprotected edges and open sides in residential construction and failure to provide fall protection on low-slope roofs.
  2. Hazard Communication (29 CFR 1910.1200) 4,176 violations
    Failure to have a written hazard communication program was the most frequently violated requirement, followed by failing to provide employee access to safety data sheets.
  3. Scaffolding (29 CFR 1926.451) 3,288 violations
    Frequent violations include improper access to surfaces and lack of guardrails.
  4. Respiratory Protection (29 CFR 1910.134) 3,097 violations
    Failure to establish a written respiratory protection program topped these violations, followed by failure to provide medical evaluations.
  5. Lockout/Tagout (29 CFR 1910.147) 2,877 violations
    Frequent violations were inadequate worker training and failure to conduct periodic inspections.
  6. Ladders in Construction (29 CFR 1926.1053) 2,241 violations
    Frequent violations include improper use of ladders, damaged ladders, and using the top step.
  7. Powered Industrial Trucks (29 CFR 1910.178) 2,162 violations
    Violations included inadequate worker training and refresher training.
  8. Machine Guarding (29 CFR 1910.212) 1,933 violations
    Exposure to/failure to guard points of operation topped these violations.
  9. Fall Protection—Training Requirements (29 CFR 1926.503) 1,523 violations
    The most frequent violations include failure to train workers in identifying fall hazards and proper use of fall protection equipment.
  10. Electrical—Wiring Methods (29 CFR 1910.305) 1,405 violations
    Violations of this standard included temporary wiring in lieu of permanent wiring and were found in most general industry sectors, including food and beverage, retail, and manufacturing.

While OSHA’s top ten rankings vary little from year to year (2017’s top five violations remained the same), there is one new addition this year: Fall Protection – Training Requirements in the number 9 slot. The final report on the Top 10 violations for 2017 will be published in December. Roughly 13,000 of these violations were in the construction industry, which is disproportionate to the employment in that industry compared with all others. This is likely reflective of the high turnover of employees and the number of employers who engage in construction work on an intermittent basis. The number of training and communication citations shows the importance of paying attention to the administrative and paperwork regulations, and not just to the health and safety rules.

Before the expiration of the extended deadline last week, the U.S. Equal Employment Opportunity Commission received over 100 comments to its proposed Enforcement Guidance (“Proposed Guidance”) on workplace harassment. The revised guidance is the first revision to the EEOC’s workplace harassment guidance since the 1990s and the result of the July 2016 report by the EEOC’s Select Task Force, which notes that “During the course of fiscal year 2015, EEOC received approximately 28,000 charges alleging harassment from employees … This is almost a full third of the approximately 90,000 charges of employment discrimination the EEOC received that year.”

In addition to other aspects of the Proposed Guidance, certain commentators such as The Employment Law Alliance (“ELA”), the U.S. Chamber of Commerce (“The Chamber”), and The Society for Human Resources Management (“SHRM”) were particularly critical of the EEOC’s position on sexual orientation bias and harassment as inconsistent with existing law and outside the scope of the legislative intent of the statute.

The Proposed Guidance confirms the EEOC’s position that harassment based on gender identity and sexual orientation is prohibited under Title VII, and defines the two terms as follows:

Gender identity: Sex-based harassment includes harassment based on gender identity. This includes harassment based on an individual’s transgender status or the individual’s intent to transition. It also includes using a name or pronoun inconsistent with the individual’s gender identity in a persistent or offensive manner.

Sexual orientation: Sex-based harassment includes harassment because an individual is lesbian, gay, bisexual, or heterosexual.

Each of these definitions is accompanied in the Proposed Guidance by a footnote. As The Chamber noted in its comment, however, the single case referenced by the EEOC in its gender identity footnote is a case issued by the EEOC itself, not a Court. The EEOC’s footnote to its sexual orientation definition also highlights one of its own cases and contains an arguably one-sided and misleading representation of support for its own position.  As The Chamber notes, the Proposed Guidance fails to include several Court-issued rulings that explicitly reject the EEOC’s position. SHRM’s comment to the Proposed Guidance also expressed concern that the EEOC failed to clearly communicate in the body of the Proposed Guidance that its position is opposed to established law, as the EEOC did in other areas of the Proposed Guidance. The ELA similarly observed that the EEOC’s inclusion of “gender identity,” “transgender status,” an “individual’s intent to transition” and “sexual orientation” is beyond the plain language of Title VII and “reflects the commission’s impermissible trespassing into legislative rulemaking.”

While the EEOC has been similarly chastised by multiple other sources during the recent past for “legislating” and not regulating, the EEOC has continued to actively pursue its position on LGBT and gender identity issues and it is unlikely to take steps to substantially revise its position or the final Guidance.


On November 28, 2016, the United States District Court for the Northern District of Texas denied industry employers’ efforts to enjoin OSHA from beginning to enforce portions of OSHA’s May 2016 final rule that purports to prohibit, among other things: 1) disciplinary action against employees for not immediately reporting work-related injuries or illnesses; and 2) blanket, automatic post-accident/injury drug and alcohol testing.

In May 2016, OSHA published a new record keeping rule that included, among other provisions, an express anti-retaliation prohibition. Commentary to OSHA’s final rule suggested that employer policies requiring immediate reporting of injuries could have a chilling effect on employees reporting slow-developing or chronic injuries or illnesses. According to OSHA, to be reasonable, the policies must allow for reporting within a reasonable time after the employee realizes that he or she has suffered a work-related injury instead of requiring reporting immediately following the occurrence of an injury. The Commentary also implied that post-incident drug or alcohol testing under a blanket policy could constitute prohibited retaliation. Instead, OSHA instructed employers to “limit post-incident testing to situations in which employee drug use is likely to have contributed to the incident, and for which the drug test can accurately identify impairment caused by drug use.”

The National Association of Manufacturers and similar industry groups and employers filed a lawsuit in the Northern District of Texas (TEXO ABC/AGC, Inc., et al. v. Perez, Civil Action No. 3:16-cv-01998-D) shortly after the final rule was published, challenging the rule’s anti-retaliation provisions and seeking a preliminary injunction to prevent OSHA from beginning to enforce the provisions until the Court decided their underlying legal challenge. Although the original effective date for the rule had been August 10, 2016, OSHA voluntarily postponed its enforcement of the anti-retaliation provisions until December 1, 2016 to allow the Court to rule on the request for preliminary injunctive relief.

The Court has now denied the employers’ request for injunctive relief on narrow grounds, holding that the employers could not demonstrate immediate, irreparable harm if enforcement of the anti-retaliation rule became effective. The Court’s decision was limited to the element of irreparable harm, and did not reach the underlying merits of the claim that the new rule creates an unlawful enforcement scheme under OSHA. In short, the Court has allowed OSHA to implement the new rule without deciding whether the rule is valid.

The Texas District Court’s ruling means that OSHA’s regulations are now in effect, allowing OSHA to investigate complaints by employees who have suffered retaliation under blanket drug and alcohol testing policies or who have suffered adverse or disciplinary action for “late” injury reporting. In addition to ongoing litigation, additional complications may result from additional/different regulatory changes made by the incoming new presidential administration early next year. For now, however, OSHA’s regulations are fully in effect. They have not been “approved,” however, so employers cited under them are able to challenge the citation based upon the rules’ invalidity. Employers are urged to consult with counsel to determine whether immediate changes to their accident reporting and drug testing policies and programs are needed, and, of course, whenever they receive a citation under these rules.

 

 

Since Connecticut’s 2011 passage of the first law requiring employers to issue paid sick leave benefits, over 30 states, counties, and cities — mostly on the East and West coasts — have enacted similar statutes. These include Massachusetts, California, Oregon, Vermont, San Francisco, Seattle, New York City, and Philadelphia.  Chicago and Minneapolis have also passed paid leave ordinances.

On September 7, 2016, Saint Paul, Minnesota joined its Twin City in following this bi-coastal trend when its City Council unanimously passed a paid sick time ordinance. Under the new St. Paul Ordinance, employees may earn up to 48 hours of sick time per year with the option of carrying over hours into the following year. No more than 80 hours may be accrued at any time. The St. Paul Ordinance contains no express limit on the amount of paid sick time that an employee can use in a year.

As is the case in other states in which multiple paid sick leave laws have been passed by local governments, St. Paul and Minneapolis’ ordinances differ in material respects. First, while the Minneapolis Ordinance exempts businesses with five or fewer employees, the St. Paul Ordinance applies to businesses of all sizes. The St. Paul Ordinance also provides for a private right of action against employers for retaliation, while the Minneapolis Ordinance currently does not. Duluth has now also begun exploring its own individualized sick leave ordinance, which could potentially lead to more inconsistency within the State.

Both before and after its passage, members of the business community as well as the St. Paul Chamber of Commerce asked the St. Paul City Council to consider amending the Ordinance to align with Minneapolis’ small company exemption, and to include additional exemptions for highly-compensated part-time workers and student workers at private colleges. Those requests were rejected.

The St. Paul ordinance will take effect July 1, 2017 for employers with 24 or more employees and January 1, 2018 for employers with fewer than 24 employees.

Employers operating in various locations around the country need to be alert to these local ordinances, which are not always consistent. Shying away from the coasts is no longer a reliable method of avoiding the imposition of these costs upon employers. Accordingly, covered employers should review their policies and handbooks carefully to ensure compliance with the various paid sick leave laws across the country.