“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

The first sign that my wife’s identity and my own were under attack came innocently enough.

It was an e-mail alert that we get from time to time from Comcast, so innocent that I almost ignored it.  But it said our password had been changed.  When we tried to log-in to download e-mail, the system indicated the password was incorrect.

“That’s weird”, we thought.

I mean, we have two factor authentication on it so that if someone DOES try to change the password, shouldn’t they need a code?

So I called Comcast and was assured repeated that our password wasn’t changed and our account was not compromised.

They said it was a phishing exercise and the e-mails were fake too. As for the account access, they said that someone may have just tried to access it but they were unsuccessful.

Comcast easily reset the password for me and since two factor authentication wasn’t invoked, it seemed like something unusual but nothing beyond that.

The second attack happened the same way.  This time, we knew something was most definitely wrong.

The war over our identities was now on, though I didn’t realize at the time how outmatched we were in our weaponry.

We were able to regain control of the account in just a few minutes with resetting the password on my side (two can play that game, so I thought).

And then I placed another call to Comcast for help.

After an hour on the phone and a reset password and security question, I was told again that there’s nothing otherwise suspicious in my account but they’ll keep “looking”.  No other outward sign of hacking.

Still, our credit cards were quiet and we changed some more passwords just in case.  What were they after?

The hacker’s next salvo though had already been launched and was operating secretly.

Later that evening, I received a notice from UPS that night that we had a package coming from Amazon, but, well, let’s just say that we are frequent Prime users and that didn’t raise any suspicions to be getting another one from them.

But by mid-morning the next day, still yet another e-mail arrived. Again, from UPS, but this time saying that the package we were expecting would be held at the Watertown customer care center “at the customer’s request”.

(Why, you might ask, is UPS sending me e-mails? It turns out, I set up an alert with UPS to send me an a separate e-mail account anytime a package for our hours is scheduled for delivery. As it turns out, this last countermeasure helped stem the tide, though I didn’t know it at the time)

Still, when we searched our Amazon account for the package, nothing showed up.  There was a package from over the summer that never turned up and showed it was “out for delivery”. Could that be it? Or was it a gift?

As “luck” happens, I was driving past the Watertown care center by late afternoon and decided to swing by.  A big box awaited.  My curiosity was piqued – What’s In The Box?

I open it up at the UPS facility.

Not one, but TWO high-end MacBook Pros.

Wow.  Was not expecting THAT.  Or perhaps I was.

A call to the local Watertown police was met with a response of a department that has seen one too many of these — “you should just contact your hometown police”.

A call to Amazon revealed that our account had been accessed, an Amazon store card opened up, and the purchase “hidden” as if it were a “gift” to ourselves that we didn’t want spoiled before its arrival.  Amazon set up for the computers to be returned at no charge and the card wiped clean.

At least we could claim victory in stopping the shipment, right?

Well, as we were also told by police later, sometimes hackers just send something to a customer care center and don’t pick it up just to see if the hacked worked.  If it does, then the sky’s the limit on the next go around.

But still, were we done? Had we hacked the hackers by seeing this UPS alert we weren’t suppose to see?

Well, it turns out the hackers had more tricks up their sleeve.

Upon a third call to Comcast, the security representative reviewed our account still further and he found three things:

  1. The hacker set up an “e-mail forwarding” so that a copy of EVERY single e-mail received would also be sent to the hacker.  Yes, even the ones we were sending to each other about the hacker were being read too.
  2. The hacker also set up “selective call forwarding”, an option I didn’t even know existed. Apparently, you can have up to a dozen phone numbers you choose get directly forwarded to another phone number.  As it turns out, the hacker knew the numbers that Amazon and the card verification service would call on and conveniently forwarded those calls directly to his own mobile number on a burner phone.
  3. Looking at phone logs, we could actually see that the hacker had taken a call from Amazon.  A-ha.

All done, right?

Well no. I continued to scour the account on my phone and found yet another devious hack in my “options”. The hacker had set up a series of filters (which didn’t have a title, so they showed up as “”) that forwarded e-mails from Amazon and Amazon’s card carrier directly to the hacker’s e-mail.  Delete, delete, delete.

Since then, police have been contacted. The Amazon card cancelled and account locked for a few days. Package returned. Fraud alerts placed. ID protection re-upped. Passwords being changed. Sleep lost.

And replaced with a sort of paranoia about what else is lurking.

While we can claim victory in preventing the MacBook Pros from falling into criminal hands, at what cost? The damage is already done. We may have foiled the crime, but the identity is compromised and we now need to be vigilant for other account pop-ups. The victory feels empty.

We have to instead hope the hacker will lose interest, knowing that we know about the scam and have alerted police.

This feeling of hopelessness doesn’t have to be that way.

Indeed, the irony of the situation isn’t lost on me. I’m part of my firm’s Privacy and Data Security Team and routinely give others advice with how to protect themselves.

And yet, even with the steps we took, we still couldn’t stop the attack. Here is where government and businesses have a role to play in helping to protect our identities.

For example, everytime I called Comcast to complain, I had to “verify” our info; in doing so, I had to provide the last four of her social security number and our address — the very information we KNEW was already compromised.

We have to do more. Here are five small steps to start:

  1. Congress should hold hearings to hear from security professionals about the best ways stores and utilities can protect customer information.  And then work with businesses to create a common standard.  Our current system is broken.  Health care information is treated as important; our identities need to be treated with similar care.
  2. Businesses that have sensitive customer information should offer real two-factor authentication, not offer work arounds that just open up a loophole. In Comcast’s case, resetting the password allows you to bypass the two factor authentication by answering a simple “security” question.
  3. Password management is broken.  Yes, I can set up some password managers, but using multiple devices and computers makes it difficult to have consistency.  Too many of us need to use similar passwords on websites because there is no one common log-in system. A new type of authentication system might be a start (though I acknowledge it might also then create a target for hacking too — see Equifax).
  4. After a hack, the government ought to mandate easy, free tools that people can use to help clean up their own identities. If we can get a free credit report once a year, can’t the government mandate that credit agencies assist you in cleaning up your identity for free?
  5. The police are woefully understaffed to deal with an international problem.  The only means that an ordinary person can use is their local police, but even they admit that they’re still playing catch up.  More consistent training and better tools for our police can at least start to make a dent on this.

Which gets me back to the first sentence here — which was a comment a friend shared with me upon learning of the hacking.

“Technology is a wonderful thing but it’s scary when it’s weaponized against you.”

Yes, my friend. It definitely is.

worker3After nine-plus years of writing about employment law in Connecticut, it’s getting to be pretty rare to find a topic that I haven’t at least touched upon, but here’s one: The Duty of Loyalty.

Indeed, a new Connecticut Supreme Court case is giving me the opportunity to do so.

The case arises from an employee who, while working for one employer, was secretly working as an independent contractor for a competitor.  The employer sued under a breach of the duty of loyalty claim.

The case, Wall Systems Inc. v. Pompa, officially released last week, can be downloaded here.

Lawyers will look at the case because it sets forth what types of damages are recoverable when a breach of a duty of loyalty claim is established.  In doing so, the court makes it clear that a trial court has some discretion in fashioning the appropriate remedy:

We agree with the plaintiff that the remedies of forfeiture of compensation paid by an employer, and disgorgement of amounts received from third parties, are available when an employer proves that its employee has breached his or her duty of loyalty, regardless of whether the employer has proven damages as a result of that breach. Nevertheless, the remedies are not mandatory upon the finding of a breach of the duty of loyalty, intentional or otherwise, but rather, are discretionary ones whose imposition is dependent upon the equities of the case at hand. Moreover, while certain factors, including harm to the employer, should not preclude a finding that the employee has committed a breach of the duty of loyalty, they nevertheless may be considered in the fashioning of a remedy. Here, because the trial court properly exercised its broad discretion when it awarded damages but declined to order forfeiture or disgorgement, we will not disturb its judgment on this basis.

But I think the more interesting point for companies is to understand the scope of the duty of loyalty.

In discussing the scope of this duty, the Connecticut Supreme Court reaffirmed principles that were last set forth in detail over 50 years ago in Town & Country House & Homes Service, Inc. v. Evans.  In that case, the court found an employee breached the duty of loyalty by soliciting employer’s customers for his own competing business while still working for the employer.

The court noted that an employee’s duty of loyalty includes “the duty not to compete … and the duty not to disclose confidential information”.  The court noted that this duty not to compete is during the employment relationship — not necessarily after — and is not dependent on the use of employer’s property of confidential information.

The court went on to say that the duty of loyalty “also includes the duty to refreain from acquiring material benefits from third parties in connection with transaction undertaken on the employer’s behalf.”  What does this mean? Essentially, it bars the collection of “secret commissions and kickbacks which might cause the employee to act at the expense or detriment of his or her employer”.

An employer may seek the forfeiture of an employee’s compensation for the period of disloyalty, but the court concludes that such a remedy is an equitable one and subject to the facts of the particular case.

But it’s always important to read the footnotes and here, in footnote 9, the Court inserted the notion that the duty of loyalty may not apply all employees.  “The scope of the duty of loyalty that an employee owes to an employer may vary with the nature of their relationship. Employees occupying a position of trust and confidence, for example, owe a higher duty than those performing low-level tasks.”

Still, the case is an excellent one for employers to keep in mind — particularly if the employer does not have restrictive covenants with its employees.  If the employees are engaging in competing work while still employed, the employer can use this case — and the theories behind it — to see the appropriate remedies.

With the appropriate employee, the employer can further strengthen its arguments, but including this in an employment agreement along with restrictive covenants.  In such a case, the court reminds parties that an employer could then terminate that agreement prematurely and seek recovery of damages directly attributable to the employee’s breach.

Employers should consider consulting with their favored outside counsel to see how this decision may apply to them.

 

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

robertsOn June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. While Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed do to business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.

When we think about protecting customer and employee data, we often think that the biggest hazards are outside hackers.

But a recently publicized incident involving AT&T shows that the threats may also be from within. As The New York Times reported:

“[I]t serves as a cautionary tale about the types of information that employees at technology and communications companies can retrieve just by breaking the rules, no hacking required.”

What happened? According to the Times, “AT&T, the telecommunications provider, said on Monday that it had fired an employee who inappropriately gained access to customer information this year, possibly including Social Security and driver’s license numbers.”

While the breach was relatively small (1600 people affected), the company dealt with the breach by sending out letters to those affected and paying for credit monitoring services.

What else should you do in a breach? Well, next week, I’m heading up a major Data Privacy & Cybersecurity Summit where we will discuss exactly that topic — particularly as it applies to employee data. The summit is scheduled for October 16th in Cromwell.  Co-sponsored with the Connecticut chapter of SHRM, the program includes speakers from GE, ESPN and the Connecticut Attorney General’s office.  The cost is just $75 and includes breakfast, lunch and materials.  You can register here.

For more details, click here. 

 

Last Thursday, I had the opportunity to speak at the Tri-State SHRM Conference held at Foxwoods Resort Casino.  The session was led by Marc Kroll of Comp360 and I thank him publicly for both the invitation and the coordination. But a post about the great work that HR consultants like Marc do is a topic for another post.

If there was a phrase that I’m sure HR personnel never thought they’d hear discussed at a Human Resources conference it would’ve been “data privacy”.  After all, shouldn’t that be something for a Information Technology summit?

But in presenting the topic: “Pirates of the Data Stream: HR’s Role In Securing Corporate Information” to a full room,  it confirmed what I had been seeing anecdotally — that HR personnel have an increasing role in making sure company data remains private.  I was approached aftewards by several people who appreciated the focus on the topic.

There were several suggestions we talked about in detail at the conference.  I’ll highlight just a few things we discussed:

  • Have a policy. Yes, it’s a cliche. But you still need one.  And make sure it’s workable.   Your policy is no good if no one follows it.
  • Train and educate your workforce (with particular emphasis on your senior executives) on the need to take reasonable steps to protect confidential company data.  This can’t just be for new employees, but needs to be an ongoing effort.
  • Audit yourself to determine where your data leakage is coming from. And don’t just focus on the electronic data; your personnel files in paper format still need to be secured as well.  Consider hiring a third-party to help find the holes in your data storage.
  • Use agreements with restrictive covenants that prohibit employee use of confidential data not only when the employee is working for you, but also when the employee leaves.

And lest you think that this is mere scaremongering, the headlines from this morning illustrate that this issue is continuing to move to the mainstream: Target’s CEO stepped down because of a massive data breach last fall.

Human Resources has a significant role to play in preserving company and employee data.  It’s time to begin the discussion at your company if you haven’t already.   If you need assistance in that endeavor, consult your lawyer or your favorite HR consultant.

Some cases are easy to explain in a short blog post.

This is not one of them.

But a new Connecticut Appellate Court case released today, Grasso v. Connecticut Hospice, Inc. (download here)  has too many nuggets of information to pass up.  It is an example to employers about how cases never truly seem to be over in this litigious climate and that details are important — even in settlement agreements. 

Background Facts

Here are the background facts:

  • Plaintiff employee worked as an employee for the hospice from 1998-2010. 
  • In 2009, she filed two complaints with OSHA regarding some defective chairs.  The administration ordered the hospice to repair the chairs.
  • Later that year, the Plaintiff then filed a whistleblower complaint with OSHA claiming that she had been retaliated against and harassed since the filing of the OSHA complaints. The administration found “reasonable cause” to believe a violation had occurred.
  • Thus in January 2010, the Hospice and Plaintiff entered into a settlement agreement on the whistleblower complaint where she worked as a part time employee in two offices.  The agreement contained a release of future claims for events that occurred prior to the execution of the agreement.
  • End of story, right? Wrong. One week later, the Plaintiff-Employee wrote to the company and alleged that they were breaching the settlement agreement.  Later that year, she quits.
  • You know what happens next, right? She filed a six-count complaint in Superior Court alleging a whistleblower violation, breach of the settlement agreement, breach of the employee handbook and claims of intentional infliction of emotional distress.   The defendant filed a counterclaim asking for declaratory judgment on the release she signed.  The Superior Court granted summary judgment to the employer.

The legal rulings

Several years ago, Connecticut passed a law that, for the first time, required employers to take special precautions to protect the personal data of their employees. 

For a refresher, you can see my prior posts here and here

Now, there is news of some tweaks to the law with some implications for employers and companies.  My colleague, Steve Bonafonte, has this update:

For those of us who were watching proposed legislation on data breaches unsuccessfully move its way through the 2012 General Session, we see now that it was passed as part of the Connecticut General Assembly’s Special Session by attaching it as Section 130 of the Budget Bill.

The new statute, Section 36a-701b, is effective October 1, 2012. 

It requires the reporting of a “breach of security” to the Connecticut Attorney General.  This is in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or promulgated by industry regulators (e.g., Connecticut Department of Insurance Bulletin IC-25).   

Failure to comply constitutes an unfair trade practice under Connecticut General Statutes Section 42-110b  and is enforceable by the Attorney General.

What’s the takeaway for employers? This is yet another reminder that businesses should have a system to monitor and adjust internal data breach response policies and procedures in order to comply with these actively changing laws, particularly when it comes to protecting the private information of your employees.

While Connecticut-based businesses ought to give special attention to Connecticut law, the laws of other states may apply if you maintain or use personal information of residents of those states.   Additionally, these laws are increasingly providing for more active enforcement mechanisms that enable monetary damages or fines – both of which can be costly to defend and harmful to the brand reputation of the business if reported in the media.

With all the focus lately on social media, it’s easy for forget that there are other laws and issues that remain vitally important to employers. One of them is the need for employees to understand the importance of compliance with data privacy laws.  I talked in 2008 about a new law in Connecticut that may have been overlooked.

In today’s guest post, my fellow law partner, Steven Bonafonte shares a recent case that emphasizes what can happen with an employer doesn’t take its obligations seriously.  My thanks to Steve for the post.

We routinely hear stories about “Data Breaches” “Identity Theft” “Credit Monitoring” and other data loss-related events in the media.

These reports are becoming more frequent – almost routine – and may run the risk of being overlooked by many companies, even those who are in the business of collecting, processing or otherwise using confidential information of individuals.

One recent case, however, illustrates why employers should not be complacent when it comes to data breaches. They are anything BUT “routine”. 

The Wall Street Journal recently reported on the bankruptcy of a national medical records firm after over 14,000 medical records were compromised during a burglary of their California offices in December 2011.

The burglary occurred on December 31, 2011, was discovered just three days later.  It was promptly reported to law enforcement. Nonetheless, the company was required to report the incident to various state and federal regulators as well as notify each of the potentially affected individuals.

The company stated that “The cost of dealing with the breach was prohibitive” in its explanation of why it was seeking protection under Chapter 7 bankruptcy. Chapter 7 bankruptcy (unlike Chapter 11) is used when the company is to be liquidated and its proceeds distributed to its creditors, so it appears as if this firm is headed out of business permanently.

Fortunately, events such as this are usually avoidable with the right combination of preventive legal and technical counseling.

It also is critical from a risk management and a business continuity perspective that companies have a legally defensible system of controls in place to meet their regulatory and contractual responsibilities.

Having the minimum of: policies and procedures for managing sensitive personal data, technology controls such as encryption and other data loss prevention software, physical security and a critical incident response plan will go a long way toward avoiding this unfortunate result.

Importantly, the responsibility should be emphasized to employees and to human resources as well.  Breaches of an employee’s privacy may be just as costly as a customer. 

 

The Appellate Court, in a decision that will be officially released next week, rejected the claims of a former medical resident that his program director owed a “fiduciary duty” to protect that resident’s interests.

In Golek v. Saint Mary’s Hospital, Inc. (download here), the court was asked to review the propriety of a decision by a hospital that conducts an accredited surgical residency training program to decline to promote a senior resident to the position of chief resident.  In all facets of its review, the Court upheld the hospital’s decision.

Much of the decision concerns a review of evidentiary issues and jury instructions. But one facet of the decision should be of note to employers.  It reviewed the appropriate standards as to whether a fiduciary relationship was created; if a relationship is found, that creates a higher standard of care by the fiduciary.

It is well settled that a fiduciary or confidential relationship is characterized by a unique degree of trust and confidence between the parties, one of whom has superior knowledge, skill or expertise and is under a duty to represent the interests of the other. . . . Although this court has refrained from defining a fiduciary relationship in precise detail and in such a manner as to exclude new situations . . . . we have recognized that not all business relationships implicate the duty of a fiduciary. . . . In particular instances, certain relationships, as a matter of law, do not impose upon either party the duty of a fiduciary.

To show this, the court said, requires ‘‘a unique degree of trust and confidence between the parties such that the [defendant] undertook to act primarily for the benefit of the plaintiff.’’

Here, the court rejected the notion of a fiduciary relationship between the resident and program director, noting that the resident is an “adult”. 

[No] fiduciary relationship existed between [the director] and the plaintiff while the parties were negotiating the plaintiff’s role in the surgical residency program. As the [trial] court noted, the plaintiff is an adult who voluntarily became a physician and entered the hospital’s surgical residency program. The plaintiff alleges that … [the] program director, sometimes praised and sometimes criticized the plaintiff’s performance and that he certified surgical residents’ performance records to ACGME. That history does not suffice to establish anything other than a form of a student-teacher relationship. We know of no case, and the plaintiff has cited none, to support the proposition that such a relationship, without something more, was fiduciary in nature…

For employers, understanding claims like this are the best way to avoid such claims in the future. Disclaimers to employees that they are “at-will” and that nothing in an offer letter is intended to alter the employee-employer relationship, are one way to reduce the risk of such claims in the future.

Suppose a former employee has breached your company’s covenant not to compete after she left employment.  Are you, the employer, entitled to get the non-compete period extended as a remedy for the breach?

Great question. And one that differs depending on the state.

A federal court in Connecticut (Aladdin Capital Holdings, LLC v. Donoyan) looked at the different paths that various state courts use to analyze the issue. In a decision released last week, it found:

  • First, some courts have reasoned that a court has broad and inherent power to extend the duration of a restrictive covenant as an equitable remedy for breach.
  • Second, some courts have suggested that the duration of a restrictive covenant may only be extended as a remedy for breach if the parties included language in their restrictive covenant contemplating such a remedy.
  • Third, some courts have reasoned that the contractually-specified duration of a restrictive covenant may never be extended by a court as a remedy for breach.
The Federal Courthouse in New Haven

So, what’s the proper result in Connecticut?

Well, in this case, the court rejected the employer’s argument for an extension. In doing so, it concluded that the ending of the restrictive covenant time period ends the matter.  In fact, the court concluded “The Court finds no evidence that the Connecticut Supreme Court would follow the decisions of other states’ high courts that have held that trial courts have broad equitable power to extend even an expired restrictive covenant as a remedy for breach.”

But all is not hope for employers in Connecticut.  The court did suggest that the result might be different if  “the restrictive covenant contains language that expressly permits extension of the restrictive covenant.”  In that type of situation, the court might then possess the power to extend the duration of the non-compete.

What’s the Takeaway for Employers?

If you use non-compete agreements or other types of restrictive covenants, consider adding a provision that expressly permits an extension of the restrictive covenant if the employee breaches the agreement.  That way, you may have an additional type of remedy besides seeking monetary damages.

In addition, employers may want to review their existing agreements to see if that language is present and consider amending them at an appropriate time to add this provision if necessary.