U.S. Supreme Court

Over the last week or so, there have been two prominent Circuit Court decisions addressing whether Title VII (the federal law prohibiting employment discrimination on the basis of race, color, sex, religion and national origin) can be interpreted to also protect employees from being discriminated against because of their sexual orientation.

The Second Circuit, which covers Connecticut, basically said no in a decision last week in Christiansen v. Omnicom Group.  The court did open the door a bit to a claim that an employee was discriminated against because of sex stereotyping.

Yesterday, the Seventh Circuit created the first split at the appellate level, finding that Title VII does cover such claims in the Hively v. Ivy Tech Community College case. Jon Hyman, of the Ohio Employer’s Law Blog, does a good job addressing the historic nature of the case here.

Back in 2016, I wrote that it was somewhat disappointing that we were still having these battles at the federal level, considering that Connecticut already had state laws prohibiting discrimination on the basis of sexual orientation.  “Those who are gay, lesbian, bisexual or transgender frankly deserve better, in my view. They deserve their own federal law giving them the workplace protections that Connecticut has given.  Until then, the battles over the scope of Title VII will continue.”

Indeed, the battles are now going to get bigger. One or more of these cases are now likely to get heard at the U.S. Supreme Court level where it is far from certain whether Title VII can really be read so broadly.

Of course, Congress could end these debates once and for all by passing a bill prohibiting employment discrimination on the basis of sexual orientation as I discussed way back in 2008.

But unfortunately, we seem to be no closer to passage of a bill than we were a decade ago.

Connecticut employers should largely ignore the press reports about Title VII and instead focus on their obligations to comply with state law.  Eventually the federal courts will work these issues out, but the issue is mainly moot in Connecticut.

I’m pleased to announce an upcoming program that my firm, Shipman & Goodwin, and the Connecticut State Council of SHRM are producing next month and that I’ve been planning for several months.

The program, entitled “Data Privacy & Human Resources” will be a unique endeavor for us.  First, we are planning on doing it in both our Hartford & Stamford offices at the same time.  Speakers will be in both locations (though obviously not the SAME speakers, for those grammar buffs).

On top of that, we will be broadcasting it live via a webinar.

What could go wrong?

Hopefully, nothing, because really, it should be very informative.  It’s scheduled for the morning of December 11, 2015.

The first hour will focus on the key things employers need to know about the revisions to the state’s new data privacy law. The second hour will talk about the very latest in human resources including the current status of the proposed overtime regulations and the state’s new social media privacy law.

It’s going to be fast-paced and informative. But space is definitely limited and within the first 48 hours of our e-mail alert, we’re already halfway to our in-person room capacity.

If you’re interested in attending, check out this link and register online. The cost is just $35, but this includes breakfast and the materials. (If you’re watching via webinar, breakfast is on your own — naturally.)

And if you’d like to see the flyer, you can download it here.

My colleague, Jarad Lucan (who just won a New Leader of the Law award from the Connecticut Law Tribune!) returns today with a post about the protections employees who testify in court may have. 

Most employers (at least those employers that read this blog on a regular basis) know that it is illegal to subject an employee to an adverse employment action, such as termination, because that employee raised a claim of discrimination or was absent from work due to a serious health condition.

But what if your employee is summoned to court to fulfill his or her civic responsibility as a juror or is subpoenaed to provide witness testimony during a criminal proceeding? Is an employer similarly restricted in the actions it takes against an employee for participating in such activities?

The answer is “Yes.”  There are numerous statutes applicable to Connecticut employers providing protections to employees who attend jury duty or appear in court.

  1. Connecticut General Statute §51-247a prohibits an employer from discharging, threatening to discharge, or otherwise coercing an employee for responding to a summons or serving on a jury.  In addition, any employee who serves eight hours of jury duty in any one day must be deemed to have worked a full day’s work and an employer cannot require an employee to work in excess of those eight hours.  Any employee who is discharged in violation of this statute may bring a civil action against his or her employer for up to ten weeks’ wages plus attorneys’ fees.
  2. Connecticut General Statute § 54-85b prohibits, among other things, an employer from discharging, threatening, penalizing, or coercing an employee who obeys a legal subpoena to appear before any court in the state as a witness in any criminal proceeding.

    Further, this statute was amended in 2010 to provide protection to victims of family violence who attend court proceedings and who participate in police investigations related to that crime.   These employees also may not be discriminated against for having a protective order issued on their behalf.

    An employee who is discharged, threatened, penalized or coerced in violation of this statute may bring a civil action for damages and for an order requiring the employee’s reinstatement or otherwise rescinding such action. If the employee prevails, the employee shall be allowed a reasonable attorney’s fee to be fixed by the court.

    Aside from any possible civil liability, employers that violate either statute may be guilty of criminal contempt, and upon conviction, may be required to pay a $500 fine and serve up to thirty days in prison, or both.

  3. Under federal law, 28 U.S.C. § 1875 prohibits employers from discharging or taking any other adverse employment action (threatening to discharge, intimidating, etc.) against a permanent employee because that employee provides jury services in federal court. Employers that violate this statute may be sued for back pay, reinstatement, and attorneys’ fees and may be fined up to $5,000.
  4. Lastly, employees who testify on behalf of another employee in a discrimination claim may also be protected under both federal and state anti-discrimination laws.  Dan reported on the U.S. Supreme Court’s case back in 2011 that discussed what this “zone of interest” may look like.

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague, William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

On June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed to do business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.

It’s Baseball Season; a time for the Sox to come out and play.

Not the Red Sox — this is, after all, a legal blog (run by a Yankees fan, no less).  No, today, we’re talking about Sarbanes-Oxley (SOX) Whistleblower Protection.

Still with us?

My colleague, Clarisse Thomas, has taken a look back at the U.S. Supreme Court case of Lawson v. FMR LLC, which was decided last month. Now that the dust and analysis have settled on the case, she gives us some practical and useful tips on what to take away from the case.

A month ago, the Supreme Court significantly expanded — and dangerously I might add — the scope of Sarbanes-Oxley’s whistleblower protection provision. Now, not only does the provision protect employees of publicly traded companies, but it also protects employees of any private contractor or subcontractor who may work for those public companies. So, private employers, beware…

The case appears to be based more on public policy concerns than the actual text of the statute.

Let’s look first at the language of the law itself.  SOX’s whistleblower provision says:

§ 1514A. Civil action to protect against retaliation in fraud cases

(a) Whistleblower protection for employees of publicly traded companies. No [public] company . . . or any officer, employee, contractor, subcontractor, or agent of such company . . . may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee . . . .

Although the provision’s heading expressly indicates protection for employees of public companies, the Court held that the caption heading was just a “short-hand reference,” and therefore not intended to exclude employees who may work for private employers.

The problem in Lawson was that the public companies at issue were not public employers to which the statute’s protections would apply. They in fact were mutual funds, which, by their very nature, have no employees. Thus, given the statute’s limitations, the Court extended the statute’s reach to private contractors and subcontractors, and in doing so, dramatically increased the exposure of these private employers to potential liability.

The Court’s reasoning was simple: “It is common ground that Congress installed whistleblower protection in the Sarbanes-Oxley Act as one means to ward off another Enron debacle.” Herein lies the basis for the Court’s ruling. The term Enron was mentioned 34 times throughout the majority opinion.

Because the Court chose not to limit its holding in any way, the dissent opined that the decision would open the floodgates for whistleblowing lawsuits that are beyond the scope of SOX’s protections. The majority dismissed these concerns, by noting that such claims can be addressed later on.

Truth be told, a month after the case was decided, it remains unclear what the impact of this case will really be.  But because the case provides very little guidance as to the scope of claims that may be beyond SOX’s protections, and as to the types of private employers to which it applies, this decision will no doubt result in threatened and actual lawsuits in the years (if not months) to come.

What can private employers do to protect themselves? Much has been written (including a good summary in Employment Law 360) but the basic tips remain as follows:

  • As with a lot of these types of technical provisions, knowledge is key.
  • Familiarize yourself with SOX’s whistleblower protections and provide training to supervisory and managerial employees in furtherance of this goal.
  • Understand the full extent of the contractual relationship you may have with a public company, so that you can better assess whether Lawson may apply, given that relationship.
  • Consider preparing (or revising) policies that prohibit retaliation, to include the protected activities set forth in SOX’s whistleblower statute.
  • Finally, ensure that there are sufficient avenues in your workplace for employees to complain about possible SOX violations (being able to report an issue to just an immediate supervisor may not be enough), and ensure that sufficient procedures are in place to identify and prevent retaliatory conduct against employees who may report possible SOX violations.

The SOX are going to be playing ball for a long time to come.

Buried in a new law regarding identity theft is a provision that requires employers to protect employment applications from being disclosed. (Hat tip to my colleague Jennifer Willcox for pointing this out.)

The law (Public Act 09-239), which went into effect on October 1, 2009, states that "Each employer shall obtain and retain employment applications in a secure manner and shall employ reasonable measures to destroy or make unreadable such employment applications upon disposal. Such measures shall, at a minimum, include the shredding or other means of permanent destruction of such employment applications in a secure setting."

Before you discard this as just another employment regulation, you should know that there are hefty civil penalties that can be imposed for each violation — $500 for each violation and up to $500,000 for a single "event".

What’s the Takeaway for Employers?

This takeaway should be an obvious one – treat the employment applications as you would personnel files and take the necessary precautions for both storage and destruction.  For electronic applications, be sure to delete any information from discarded laptops etc. For paper copies, a shredder should suffice to protect that information.

With so many outside services now offering bulk shredding (and recycling at the same time), it’s never been easier to comply with these new rules.