Category Archives: Uncategorized

Guest Blog: 4 Ways To Keep Your Business Secure During The COVID-19 Pandemic

Cyber security concept businessman Lock on digital screen, contrast, virtual screen with a consultant doing presentation in the background Closed Padlock on digital, cyber security, key WannaCrypt

On Wednesday, March 11, 2020, the World Health Organization declared the outbreak of the coronavirus to be a pandemic. This is significant for several reasons. The first is that the way we interact has drastically, and must necessarily, change because of the contagiousness of the coronavirus and its effect on public health. Secondly, a public health scare such as this can adversely affect the health of a business’s cybersecurity and data privacy. Hackers and other cyber threat actors are capitalizing on the global concern over COVID-19. For example, Check Point researchers found that coronavirus-themed domains are over fifty (50) times more likely to be malicious than other domains and over 4,000 coronavirus-related domains have been registered since January 2020. In fact, a malicious website purporting to be the live map for COVID-19 global cases run by Johns Hopkins has been found to be circulating.

What does all of this mean? It means that your business, including your employees and clients, could be in danger if you don’t take precautionary measures to prevent the risk of a data breach.

How can small and mid-size businesses adapt quickly to ensure effective cybersecurity and data privacy protection right now? If your workforce has gone largely remote, you should focus your cybersecurity and data privacy efforts mainly on the following four areas most susceptible to a breach. This may help to mitigate the risk of a breach actually happening and limit any potential liability.

Below are four ways to keep your business safe from hackers and data breaches during this tumultuous time:

  1. Email Security
    • Make sure you and your staff know how to keep your email secure. Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
    • Verify unexpected attachments or links from people you know by contacting them through another method of communication like a phone call or text message.
    • Do not provide personal information to unknown sources like passwords, birthdates, and especially, social security numbers.
    • Be especially cognizant of emails with poor design, grammar, or spelling as this can be a sign of a phishing attempt.
  2. Password Protection and Multi-Factor Authentication
    • Use strong passwords on all of your accounts, and encourage your staff to do the same.
    • Avoid easy-to-guess words like names of pets, children, and spouses as well as common dates like birthdays.
  3. Web Safety
    • As noted above, there has been a massive influx of fake websites, whose creators are looking to take advantage of the fear surrounding the coronavirus.
    • Make sure that any websites that require the insertion of account credentials like usernames and passwords, along with those used to conduct financial transactions, are encrypted with a valid digital certificate to ensure your data is secure. Secure websites like these will typically have a green padlock located in the URL field and will begin with “https.”
    • While your workforce is working remotely, ensure that they are not using public computers and/or logging into public Wi-Fi connections to log into accounts and access sensitive information.
    • You may want to connect with an IT company or your in-house IT department to implement ad-blocking, script-blocking, and coin-blocking browser extensions to protect systems against malicious advertising attacks and scripts designed to launch malware.
    • Sign out of accounts and shut down computers and mobile devices when not in use.
  4. Device Maintenance 
    • Keep all hardware and software updated with the latest, patched version.
    • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
    • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.

Lastly, if your business is not already protected by a cyber-insurance policy, now may be the time to consider obtaining coverage.

Small and mid-size businesses in the Delaware Valley should consider implementing the above cybersecurity and data privacy measures while adapting to a shifting health and security landscape in the wake of the coronavirus.

Stay safe, everyone!

ABOUT THE AUTHOR:

corporate attorney philadelphia law firm


Krishna A. Jani
 is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Supreme Court of NJ Affirms Employee May State A Claim for Reasonable Accommodation for Medical Cannabis Use

medical marijuana

You may recall, in 2019, this blog post reported New Jersey’s Appellate Division joined courts that found an employee may be able to state a disability discrimination claim against an employer who takes an adverse employment action due to the employee’s use of medical cannabis.  That case, Wild v. Carriage Funeral Holdings, Inc., was one in a spate of recent decisions as courts in New Jersey and other states that allow medical use of cannabis have grappled with reconciling laws protecting employees from disability discrimination, employers’ rights to maintain workplaces free of drug use, and federal statutes outlawing cannabis use for any reason. Early decisions in these cases came down in favor of employers, permitting employers to discipline, terminate, or refuse to hire employees who use medical cannabis, even without evidence of use or impairment in the workplace.

New Jersey’s Appellate Division’s Wild ruling changed course when it held an employee may state a disability discrimination claim for failure to accommodate against an employer who takes an adverse employment action due to the employee’s use of medical cannabis.  Now, on March 10, 2020, the Supreme Court of New Jersey affirmed the decision, ruling an employer can potentially be liable under New Jersey’s Law Against Discrimination (“LAD”) for failing to accommodate an employee’s use of medical cannabis outside of the workplace.

What Happened?  In 2015, the employee, a funeral director, was prescribed and used medical cannabis as authorized by New Jersey’s Compassionate Use Act. In 2016, the employee was in an auto accident while working. The employee advised hospital staff he was authorized to use medical cannabis. The treating doctor responded that “it was clear [the employee] was not under the influence of cannabis [and, thus, his cannabis use was not a cause of the accident], and therefore no blood tests were required.”

While the employee recuperated, the employer advised that a blood test was required before the employee could return to work. The employee went to a facility to take a urine and breathalyzer test; however, the results were not provided to the employer and were not part of the case record.

The employee eventually returned to work, but, his supervisor advised him that his employment was “being terminated because they found drugs in your system”, though no test results had been provided to the employer. In a subsequent letter, the company told the employee it had terminated him not because of his drug use, but because he failed to disclose his use of medication contrary to company policy. The employee brought an action alleging he had been a victim of disability discrimination.

What did the Courts decide?  The trial court dismissed the employee’s claims, finding that New Jersey’s Compassionate Use Act “does not contain employment-related protections for licensed users of medical cannabis.” The employee appealed.

On appeal, a three-judge panel of New Jersey’s Appellate Division reversed the dismissal. The Appellate Division cannabis found that the LAD might require such an accommodation. Although the Compassionate Use Act does not make illegal an employer’s adverse action against an employee for medical cannabis use, by the same token, the Appellate Division stated it does not immunize an employer’s conduct that might otherwise have been a violation of the LAD.  In affirming the decision, the Supreme Court held an employee may state a failure to accommodate claim under the LAD against an employer who takes an adverse action against the employee for use of cannabis outside of work when that use is otherwise compliant with the Compassionate Use Act.

What do employers need to know?  It is important to understand neither the Appellate Division nor the Supreme Court ruled this employee was a victim of disability discrimination. In fact, the Appellate Division expressly recognized that the case was at the earliest stages, and the employer had pled potentially valid defenses.  The Court ruled only that the case could not be dismissed on its face.

New Jersey employers need to be mindful that they no longer have a free pass to take adverse employment actions against employees and candidates solely because they use medical cannabis outside of the workplace.  It is important to note, the courts in New Jersey have not suggested an employer must accommodate impairment due to medical cannabis use, so employers should remain vigilant about addressing employee impairment issues.  The law as to when an accommodation is reasonable is still developing.  For instance, a requested accommodation that may make an employer ineligible to bid on certain projects or that conflicts with established safety laws and regulations will be subject to greater scrutiny than a requested accommodation that does not impose added burdens on the employer.

In other words, stay tuned, because we have certainly not heard the last word on this topic.

Questions? Let me know.

 

What New Jersey’s New Law On Employment Contracts Means for Employers: Are Non-Disclosure and Arbitration Provisions Out?

Law should know concept, The lawyer explained to the client to plan the case in court.

On March 18, 2019, New Jersey Governor Phil Murphy signed a new law, which, among other things, bars employers from requiring employees to sign or enforcing employment contracts that require employees to agree to waive certain rights or remedies and bars agreements that conceal details relating to discrimination claims.

Here’s what employers need to know:

  • Any provision in an employment contract that waives or limits any substantive or procedural right or remedy relating to a claim of discrimination, retaliation, or harassment will now be deemed against public policy and unenforceable;
  • No right or remedy under New Jersey’s “Law Against Discrimination,” or “any other statute or case law” shall be prospectively waived;
  • A provision in any employment contract or agreement that has the purpose or effect of concealing the details relating to a claim of discrimination, retaliation, or harassment shall be deemed against public policy and unenforceable;
  • For unionized work forces, this law does not restrict agreements to waive rights contained in collective bargaining agreements, but it does extend its prohibition to clauses designed to conceal details of a discrimination claim from unionized employees;
  • Attempting to enforce an agreement that is unenforceable under this law will give employees a private right of action to sue in court and the right to recover their attorney’s fees and costs of suit if they prevail;
  • The law protects employees from retaliation for refusing to enter into an agreement that violates their rights under this new law;
  • The law does not restrict an employer’s right to impose and enforce restrictions on the use of the employer’s confidential and proprietary information other than with respect to the details of discrimination claims;
  • The law does not expressly prohibit confidentiality provisions in settlement agreements meant to prevent disclosure of the amount of a settlement;
  • The law does not require disclosure; rather it leaves the choice in the hands of the individuals involved; and
  • The law took effect immediately and applies to all new contracts and agreements and existing contracts that are renewed, modified, or amended going forward.

Although the law is aimed primarily at prospective waivers of rights and clauses concealing the details of discrimination claims, the full scope of this law’s applicability will become clear only after it has been interpreted by the courts.  For example, one of the most significant open questions is whether New Jersey courts will deem mandatory arbitration provisions in employment agreements unenforceable as to discrimination claims and, if they do, whether the Federal Arbitration Act will, in turn, be deemed to preempt such a limitation on the enforcement of arbitration clauses.  Another important question is whether courts will construe this law to bar confidentiality provisions in settlement agreements that restrict employees from disclosing the terms of the settlement.

As we wait for the courts to resolve these and other open questions, employers should proceed thoughtfully when seeking confidentiality in connection with a claim of discrimination.  A precisely drafted confidentiality agreement or policy might be desirable in some situations, such as to preserve the integrity of an ongoing investigation, but employers need to be mindful of this law and understand the limitations and potential consequences of requiring confidentiality and/or taking disciplinary action when confidentiality is breached.  Employers relying on mandatory arbitration provisions should also consider the impact of this law and consult their counsel in evaluating whether to exclude discrimination claims from arbitration.

If you have any questions about this legal alert or if you run across a related issue in your workplace, please feel free to contact Adam Gersh or any other member of Flaster Greenberg’s Labor & Employment Department.

Employment Law Myth Busters – The “Unenforceable” Non-Compete

Man is signing Non compete agreementNon-compete and other restrictive covenants are commonly used by employers in many industries to protect their trade secrets and legitimate business interests.  While employees may be willing to sign them when they take a new position, they are often frustrated by them when it comes time to look for a new job. Some employees take to Google to see if their agreement is enforceable.  What they find on Google often provides them with false confidence that their non-compete or other restrictive covenant is unenforceable, but relying on Google research in the complicated, fact-sensitive legal morass of non-compete agreements is risky business.  True, a Google search can turn up numerous court opinions that express the view that non-competes are viewed unfavorably by courts as anti-competitive restraints on trade and, as such, are narrowly construed and enforced only to the extent that they protect a legitimate business interest of an employer.  However, those cases may or may not be useful in deciding whether your restrictive covenant is likely to be enforced. First, the law governing non-competition agreements varies from state to state. Thus, an opinion by a court in California applying California law (which bars enforcement of restrictive covenants except under specific, narrow circumstances), for example, is of little help in assessing whether a court in New Jersey or Pennsylvania, where non-competes are routinely enforced, is likely to enforce a restrictive covenant under that state’s laws. Making the analysis even more complicated, courts decide whether to enforce restrictive covenants based upon a thorough review of the specific language used in the agreement; even slight variations in the language of the agreement can lead to vastly different results. In addition, because they are viewed as anti-competitive, a court will generally enforce one only if it is well drafted so that its restrictions narrowly target the business interests at issue and nothing more.  The finer points of enforcing restrictive covenants, such as non-competes, are too detailed to address here, but employees with employment agreements that contain restrictive covenants and businesses that are hiring employees subject to them should not rely on Google to assess their enforceability or their liability for a breach.

Savvy employer takeaways: Employers should have an experienced employment lawyer evaluate the enforceability of their employees’ post-employment restrictions and the enforceability of post-employment restrictions by which prospective employees may be bound.  Employers should also require candidates to disclose whether they are subject to any restrictive covenants before offering them employment. 

Questions? Let me know.

You cannot predict when you are going to have a data breach

ask again later

A pattern I see repeated in all kinds of business disputes is that when a business fails to calculate the risk of something going wrong, it makes it even harder to repair it when does go wrong. Notice, the title of this post refers to “when” you will have a data breach, not “if.” This is not to be alarmist. In fact, many data breaches are harmless. Surprised to hear that? What about an employee using internal records to locate a co-worker’s home address to send a gift? Is that a date breach? Well, it depends on your policies and authorizations, but, even if it is a “breach” it may not be one that causes damages.

The question is what can you do to prepare for the one that does cause damage? Do you segregate data so that any breach will reach a more limited segment of your employees or customers? Do you encrypt data? According to recent reports, Anthem did not encrypt its data and that will cost it. How can you avoid this, plan, plan, oh yeah, and plan.

Your first line of defense should be to gather your crisis response team and open the crisis response playbook? You don’t have a team? You don’t have a playbook? If that’s the case, you aren’t ready to be in the game. Here’s what you need to know to get started:

Assembling a crisis response team:

  1. Identify key information holders within your organization (who will manage customer relationships, public relations, legal compliance, technology compliance, data security, and restoration of business functions?).
  2. Identify outside resources that will be needed (who has the knowledge of applicable laws in each state/country you operate or can coordinate counsel, who has the expertise to identify and stop leaks, who has the media relations that will help get your message out?)
  3. Establish a chain of command and a division of duties so everyone knows their role and who is coordinating the response.

Creating a response playbook:

  1. Develop a set of compliance procedures.
  2. Identify contingency plans to using backup data or otherwise accessing key information.
  3. Develop an exhaustive checklist to ensure you do not overlook potentially crippling problems.

When you create a crisis response plan, focus on the short term, so you know what to do right away. In the months following a data breach there will be time for information gathering and refinement and a good crisis response plan will put you in the best position to confront those medium term problems in due course.

Questions? Let me know.

%d bloggers like this: