Employers Should Not Go Overboard On Proposed Changes to Overtime

Despite last week's alarmist press reports, employers can hold off on calling their payroll providers and authorizing overtime for previously exempt managers.  When President Barack Obama disrupted the news cycle by proposing changes to the overtime rules under the Fair Labor Standards Act, many of the press reports covering the topic glossed over important details, as is too often the case when the press reports on legal developments, and some even suggested that the President had already changed the rules.  The President's proposed rules have a number of hurdles to overcome before they transform overtime, and there is significant opposition that may limit or refine the proposed changes.

What is proposed?

Since 2004, federal law has treated salaried workers who earn at least $23,660 per year and meet certain "white collar exemption" requirements as exempt from overtime.  Salaried employees who meet the white collar exemption need not be paid overtime, or even minimum wage, no matter how many hours they work.  To be exempt, an employee must meet both the salary test and the duties test, which means workers whose annual salary is less than $23,660 do not qualify for the white collar exemption and must be paid both minimum wage and overtime, even if their duties are otherwise white collar.

Under the rules proposed by President Obama, the threshold would move to $50,440 as early as 2016 and be adjusted annually based on the pay of the 40th percentile of full-time U.S. workers, although alternate methods of computing the ongoing adjustment are also being considered. If the rule is implemented in 2016, salaried employees whose annual earnings are less than $50,440 would not qualify for the white collar exemption even if they otherwise met the duties criteria.  Additionally, under the proposed rule changes, those classified as "highly compensated employees" must earn at least $122,148 (rather than the current $100,000) in total annual compensation to be automatically exempt from overtime. This sweeping change is being touted as an income equality measure to combat employers' practice of using the white collar exemption to avoid paying overtime to low-level managers.  In essence, if adopted, the new rule will mean employees who earn between $23,660 and $50,440 and were not overtime eligible will have to be paid overtime if they work more than 40 hours in a workweek.

What is next?

The proposal is not ready to be adopted by the Department of Labor.  The Department of Labor is accepting comments from interested parties, including employers, for 60 days and considering additional changes which may materially affect which employees must be paid overtime.  For instance, the Department of Labor may refine other non-salary aspects of the white collar exemption tests.  Additionally, business groups and elected officials who oppose this change are vowing to fight it with legislation and litigation, which may delay its implementation.

What should employers do now?

First, employers should be sure that they are properly using the white collar exemption even for employees with salaries above the current threshold.  Employers need to remember that a salary that meets the threshold does not in and of itself make an employee exempt from overtime.  There are specific tests for the executive, administrative, professional, computer, outside sales and highly compensated employee exemptions that depend on the duties these employees actually perform, and recent court rulings have refined and narrowed the application of these tests.  Employers who have questions or concerns about compliance should consult with their counsel and consider a wage and hour audit to determine whether they are currently in compliance with applicable federal and state laws regarding overtime pay.

Second, employers should plan for an increase in the salary threshold.  Even if this rule change is not fully implemented, employers should expect that the threshold will increase from its current level.  Employers, with the guidance of counsel, should begin to analyze how to best structure their workforces in light of coming changes.  For example, employers should be evaluating whether it makes more business sense to start paying more employees overtime or hire more staff or restructure certain aspects of their workforces.

Third, employers should be careful not to forget about compliance with applicable state wage laws, which differ from the federal law and will not automatically change, even if the federal law does.

In sum, employers should expect that, one way or the other, the white collar exemption will be narrowed and more employees will be eligible for overtime.  Now is the time for employers to ensure their current payroll practices and policies comply with the Fair Labor Standards Act and state law, but they can hold off on making any sweeping payroll changes until the new regulations are finalized and adopted, and the nuances of the new rules are ironed out.

Questions? Let me know.

The hacker in the henhouse


“How do we begin to covet? We begin by coveting what we see every day.”

― Dr. Hannibal Lecter in The Silence of the Lambs

Are you worried about your company's, employees' and customers' data being hacked by sophisticated criminals or cyber activists from China, Russia, North Korea, or other far-off lands? Does the idea of losing your business's hard-earned credibility and trust with the stroke of a key or two keep you up at night? You are not alone. An enterprising TV network could get high ratings with a late, late show catering to the business owners, senior management, and general counsel who are restless with thoughts of the class action lawsuits that are hitting Target, Home Depot, Sony, Anthem and others. But, while you have to be ever vigilant to protect your business from the type of all-out assault that is grabbing headlines, you can't afford to overlook the threat lurking in the next office.

Did you know a recent study found the most likely threat to information security is not the overseas hacktivist, virus or worm, but rather the malicious or careless corporate insider? That's right, employees caused more data breaches than any other source: 39% of reported breaches, according to recent research. Note, I said "reported" breaches, which does not include the breaches employers do not discover or the ones they do not report. All this means it is a matter of when your data will be compromised, not if. Worse yet, when the breach is caused by a defecting employee, the information stolen can be the most crucial to your business's success and the most harmful to its reputation.

On the one hand, employers who are the victims of malicious data breaches by employees or other insiders have a web of state and federal protections (and, hopefully, contractual rights) to help make them whole. On the other hand, the reality of the "unknown unknowns" and the costs of recovery virtually assure that winning a lawsuit still means losing, at least a little. If your employee steals important data to establish a new business, you may well have the legal means to put a stop to it, but you may not be able to recover the customers you lost (or the revenue from the future customers those customers would have sent your way), or to collect a monetary judgment from a former employee who invested all of his assets into a start-up that is sputtering under the weight of litigation.

Breathe deeply. This blog post isn’t a horror show or an existential meditation on futility. Rather, there are key practical steps businesses should take to guard against this growing threat from within, which include:

  • Binding employees to contracts that tightly limit access to and use of key information and provide for strong remedies in the event of breach;
  • Storing only the electronic data needed to run your business and securely archiving data that is not needed on a routine basis or that is merely held for contingencies (hackers can't take what they can't access);
  • Tightly limiting employee access to data on a need-to-know basis so that the entire organization does not have access to it (does your east coast sales manager really need access to the west coast’s prospect list?);
  • Using current security tooling both to prevent intrusion and to detect suspicious access, including unusual access by insiders;
  • Enforcing security protocols and controls, including requiring regular updating of passwords and promptly revoking access when employees leave or change roles;
  • Locking in protections and allocating the risk with agreements with vendors who are given access to data;
  • Establishing appropriate insurance coverage;
  • Developing a data breach plan to designate a crisis response team and identify a process for addressing the breach in hours, not days; and
  • Working with counsel to understand the scope of your liability and how to mitigate it in anticipation of a possible breach.

In sum, the ways in which the information age allows data collection and access that drives efficiency in business are the same ways it creates vulnerabilities. Employers cannot afford to overlook the likelihood of a data breach from within. By anticipating it and planning for it, employers can mitigate their damages.

Questions? Let me know.

Lenovo class action highlights the way in which a single weakness in cyber security can have devastating effects

A class action lawsuit filed in California against computer manufacturer Lenovo highlights how a single weak link in the cyber security chain can have disastrous consequences.

In the suit, the plaintiffs allege that Lenovo, for a fee, preinstalled the Superfish adware on the consumer notebooks it sold, and that the preinstalled software created a cybersecurity vulnerability. Ostensibly, the Superfish software was only meant to inject advertisements based on images the user viewed in the browser. To do that on encrypted (HTTPS) sites, however, the software installed its own self-signed root certificate into the Windows trusted root store and used it to intercept encrypted traffic, and the private key for that certificate was the same on every affected machine and was quickly extracted and published. Anyone holding that key can impersonate any website to an affected machine or read its supposedly encrypted traffic, which is the exposure of user data the plaintiffs allege.

Lenovo has worked with Microsoft, McAfee, and others so that their security products detect and remove the Superfish software and its root certificate, and has published its own removal tool, but remediation only reaches machines that actually receive those updates, and industry data suggests only one-third of users install updates on a timely basis. Note also that simply uninstalling the adware does not remove the trusted root certificate; until the certificate itself is deleted from the trust store, the machine remains exposed even though the adware is gone. In the meantime, businesses running affected machines risk allowing outsiders to access otherwise secure data, including data sent over connections they believe to be encrypted.
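As an added example (not from the original post and not Lenovo's own removal tool), the following PowerShell check is one an administrator can run on a Windows machine to find, and optionally remove, the Superfish root certificate. It assumes only that the rogue certificate's subject contains the string "Superfish", which matches the certificate shipped on affected machines; the pattern is a parameter so the same check can be pointed at any other root certificate you do not recognize.

```powershell
# Added example: scan the trusted root stores for a suspect root CA.
# Assumption: the rogue certificate's Subject contains "Superfish" (true for
# the certificate preinstalled on affected Lenovo machines). Run from an
# elevated prompt to inspect or remove entries in the LocalMachine store.
# Requires PowerShell 3.0 or later for Remove-Item on the Cert: provider.

function Find-SuspectRootCert {
    param(
        [string]$SubjectPattern = '*Superfish*',
        [switch]$Remove
    )
    # Both stores matter: a per-user root is trusted for that user's browsers too.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                # Emit a record so the caller can log or review before acting.
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                    NotAfter   = $_.NotAfter
                }
                if ($Remove) {
                    # Deleting the certificate is what actually closes the hole;
                    # uninstalling the adware alone leaves the root trusted.
                    Remove-Item -Path $_.PSPath -Verbose
                }
            }
    }
}

# Report only (safe to run on any machine):
Find-SuspectRootCert

# Report and remove (elevated prompt required for the LocalMachine store):
# Find-SuspectRootCert -Remove
```

Run the report form first and review the output; a root certificate you cannot trace to a known vendor or your own PKI is worth investigating whatever its name, and the same function with a different pattern (for example `-SubjectPattern '*Komodia*'`) covers other interception software that uses the same technique.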

Lessons learned: cyber security requires vigilance at every level, because even superfluous adware and other background processes can create significant liability for businesses, and you can only find them if you know what is installed, and what is trusted, on your machines.

Questions? Let me know.

Oops! Nearly a third of data breaches can be blamed on human error


Although we often think of the malicious hacker as the "boogey man" of data breaches, more breaches can be attributed to non-malicious sources than to criminal activity. According to the 2014 Cost of a Data Breach Study: Global Analysis from the Ponemon Institute (sponsored by IBM), the second largest source of data breaches (30%) is human error, meaning contractors and employees whose mistakes resulted in exposure of confidential information.

How do businesses guard against this? Like everything else, they plan. This includes training (obviously) and also building systems that limit the damage a single employee or group can do. Employees can't compromise what they can't access, yet businesses that fail to plan often give employees broader access than they need to do their jobs and so exacerbate their exposure.

Questions? Let me know.

The very least every lawyer needs to know about data breach liability

When a business experiences a data breach, after calling the CIO, its second call is going to be to its counsel, as it should be. Inevitably the business wants to know two things: what have you done to protect me from this exposure, and what is my total exposure? Counsel had better be prepared with a good answer to both, and I do not mean the standard lawyer response, "it depends."

First, counsel should have instituted policies and procedures to mitigate this exposure and should be in a position to reassure the victimized business. These policies include: (i) retaining only the most essential customer/employee information to minimize the risk of exposure; (ii) encrypting data; (iii) using outside vendors who are insured and can provide some cover; (iv) instituting policies to limit employees' access to confidential information; and (v) instituting state-of-the-art data protection procedures. If counsel has done this, counsel can paint a picture of exposure that is favorable and limited.

Second, counsel must assess and, even more importantly, limit the total exposure. This means analyzing the type of data compromised and taking the appropriate steps to report the breach. Were only internal customer account numbers stolen? If so, and the business is not a bank, the effect of the breach may be minimal and manageable. Did the hackers access highly confidential information like social security numbers, health data, trade secrets, sales data, bank account/credit card numbers, or other personal identifiers? If so, the business needs to act accordingly. Is the data from foreign individuals or entities? If so, counsel needs a plan to address foreign compliance.

Of course, unless you are a lawyer practicing in this area, you may not know the answers or solutions off the top of your head, but, at minimum you need to know the questions to ask:

  1. What type of data was compromised?
  2. How many accounts/people are affected?
  3. Is the data in a form in which it cannot be readily accessed (e.g., encrypted, with the keys not also compromised)?
  4. What is the source of the data?
  5. What states’ and/or countries’ laws might apply?

Questions? Let me know.

You cannot predict when you are going to have a data breach


A pattern I see repeated in all kinds of business disputes is that when a business fails to calculate the risk of something going wrong, it is even harder to repair it when it does go wrong. Notice that the title of this post refers to "when" you will have a data breach, not "if." This is not to be alarmist. In fact, many data breaches are harmless. Surprised to hear that? What about an employee using internal records to locate a co-worker's home address to send a gift? Is that a data breach? Well, it depends on your policies and authorizations, but even if it is a "breach," it may not be one that causes damages.

The question is what can you do to prepare for the one that does cause damage? Do you segregate data so that any breach will reach a more limited segment of your employees or customers? Do you encrypt data? According to recent reports, Anthem did not encrypt its data and that will cost it. How can you avoid this, plan, plan, oh yeah, and plan.

Your first line of defense should be to gather your crisis response team and open the crisis response playbook. You don't have a team? You don't have a playbook? If that's the case, you aren't ready to be in the game. Here's what you need to know to get started:

Assembling a crisis response team:

  1. Identify key information holders within your organization (who will manage customer relationships, public relations, legal compliance, technology compliance, data security, and restoration of business functions?).
  2. Identify outside resources that will be needed (who has the knowledge of applicable laws in each state/country you operate or can coordinate counsel, who has the expertise to identify and stop leaks, who has the media relations that will help get your message out?)
  3. Establish a chain of command and a division of duties so everyone knows their role and who is coordinating the response.

Creating a response playbook:

  1. Develop a set of compliance procedures.
  2. Identify contingency plans for using backup data or otherwise accessing key information.
  3. Develop an exhaustive checklist to ensure you do not overlook potentially crippling problems.

When you create a crisis response plan, focus on the short term, so you know what to do right away. In the months following a data breach there will be time for information gathering and refinement and a good crisis response plan will put you in the best position to confront those medium term problems in due course.

Questions? Let me know.

You cannot ensure you will not have a data breach, but can you insure against it?

For insurance companies, each large-scale data breach news story is like free advertising for data breach protection policies. Due to the increased awareness, more businesses are purchasing policies to protect against the risks of a data breach, according to a recent story in the Boston Globe and reports from insurer Liberty Mutual.

These policies can cover the costs of a data loss, from hiring investigators to find the source of the breach, to providing credit monitoring for customers, to enlisting public relations experts to help salvage the company's reputation. But there are many different types of policies available, and businesses would be well advised to consult with their legal counsel for advice as to what risks and costs should be covered for their specific business.

Additionally, some general liability policies may provide coverage, but as the risks of data breaches increase, so does the number of policies that exclude this coverage or, at least, provide only nominal coverage that is not sufficient to protect a business. In fact, insurance industry insiders have noted that insurance companies are starting to specifically exclude electronic data losses from traditional corporate policies, forcing businesses to buy additional coverage. For instance, since October 2014, the Chubb Group of New Jersey has excluded privacy and data breaches from its standard insurance for directors and officers of health care companies.

Are you covered? Should you be? Now is the time to answer those questions.

Questions? Let me know.
