ashleymendoza1alfredoMy colleagues, Ashley Mendoza and Alfredo Fernandez, return today for a guest post today that shows that employment law issues can sometimes present themselves in different formats.  My thanks to the both of them in presenting a fairly advanced topic in a form that will hopefully be of interest to a few of you out there.

Imagine your company has employed a research scientist to support your technology programs.  The scientist is a citizen of the People’s Republic of China and holds an H-1B visa, but is not authorized to view certain export-controlled technical data.  Unclear of the restrictions in place, other company employees provide the foreign scientist with technical data related to a military program in the course of his job duties.  This real life scenario recently resulted in a $100,000 settlement penalty with the U.S. State Department this summer.

It appears that a company policy to screen out foreign candidates for job openings of this sensitive nature would have prevented this violation and penalty, but a company also faces the challenge of avoiding discrimination in its hiring practices.  Is this a lose-lose scenario?  Not quite, but companies must pay close attention to recent guidance and regulatory revisions to understand their compliance obligations.

The Tricky Intersection of Legal Obligations

On March 31, 2016, the U.S. Department of Justice Office of Special Counsel for Immigration-Related Unfair Employment Practices (the “OSC”) released its most recent guidance to employers to aid them in navigating the murky waters where export regulations meet immigration antidiscrimination regulations.

These two regulated areas may contradict each other when it comes to the hiring practices of U.S. companies soliciting candidates for a position where the job duties impose compliance with export control laws. Unfortunately, the limited governmental guidance confounds some employers when it comes to complying with both sets of regulations in certain scenarios.   The OSC’s recent guidance and upcoming definitional changes within the export control laws do provide some general direction for employers; however several ambiguous issues remain unresolved.

IMG_7083What We Know About the Export Regulations in this Context

Exports are commonly associated with the shipment of a tangible item to a foreign country, but the U.S. export regulations have a much broader application.  An export also includes the transfer of controlled technical data or technology to foreign persons, even when the transfer takes place within the geographic territory of the United States.  Such a transfer is “deemed” to be an export to the country of the foreign person and is referred to as a “deemed export.”

Although not the only federal agencies administering export control laws, the U.S. State and Commerce Departments manage the two broadest export control systems.  The U.S. State Department’s Directorate of Defense Trade Controls administers the International Traffic in Arms Regulations (“ITAR”), found at 22 C.F.R. §§ 120-130, which control defense articles and services.  The U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) administers the Export Administration Regulations (“EAR”), found at 15 C.F.R. §§ 730-774, which control commercial and dual-use items,  as well as limited low-sensitivity military items.  Generally speaking, all articles controlled under the ITAR and many articles controlled under the EAR require an export license before the export, including a deemed export, occurs.

Each set of regulations accounts for deemed exports but have slightly different definitions of key terms.  In fact, new and revised definitions under both regulations become effective September 1, 2016.  One primary intention of the definitional changes is to better harmonize the analogous definitions in both systems. Under both regulations, the deemed export rule applies only to foreign persons and, by definition, does not apply to U.S. citizens, persons lawfully admitted for permanent residence in the United States (e.g., green card holders) or to persons who are protected individuals under the Immigration and Nationality Act (“INA”)(e.g., certain refugees and asylees).

The below table showcases a few of the new definitions, including the improved harmonization for key terms such as export and release. Continue Reading How to Avoid Discrimination in Hiring, While Complying with Export Laws

lock1Last week, I had the opportunity to speak to the Corporate Compliance Forum for the Connecticut Community Providers Association. My thanks to Gayle Wintjen, General Counsel of Oak Hill, for the invitation to speak.

The topic was a familiar one to this blog — Data Privacy.  In the session, we tackled the new Connecticut law that should be keeping at least some employers up all night figuring things out.

As I said in my talk, employers that have had to adopt HIPAA compliance rules should be in a good shape to get into compliance with Connecticut law. Things like two-factor authentication aren’t nearly as intimidating when you’ve already adopted it for other areas.

Now, the rules don’t need to be adopted by everyone. But those employers who do business with the state of Connecticut are typically covered.

The Privacy and Data Protection Group of my firm put together a FAQ to inform current and potential state contractors of Connecticut’s data privacy and security requirements and to answer the most commonly asked questions about applicable Connecticut law and compliance with it. This article also includes our recommendations for analyzing compliance under applicable Connecticut law and, if necessary, developing a plan to satisfy the pertinent legal requirements.

You can download it free here.

For human resources, I think this is one of the more complicated times to be in HR. Between privacy, discrimination laws, wage & hour laws alone, there are many issues to keep on top of. Make sure data privacy is on your list of things to pay attention to for this year.

And stay tuned for more information on an upcoming program in November.

With news of yet another breach of personnel data of nearly 21 million Americans yesterday, I invited my colleague William Roberts, to chime in with an update on a new law in Connecticut that updates data privacy requirements in the state. Bill heads up our Privacy and Data Protection team here and works a lot with health care companies on compliance with various privacy laws.

My thanks to Bill for the update.

robertsOn June 1, 2015, the Connecticut Legislature passed S.B. 949, a comprehensive data privacy and security bill that tightens the state’s data breach response requirements and imposes new obligations on state contractors and the health insurance industry. While Connecticut Gov. Dannel Malloy signed the bill on June 30th. A copy of S.B. 949 is available here.

This post reviews the portions of the bill most pertinent to businesses operating in Connecticut or holding personal information of state residents.

Revisions to Breach Response Requirements

Current Connecticut law requires an entity that experiences a data breach to provide notice of such breach to the affected individuals and the Connecticut Attorney General’s Office “without unreasonable delay.” S.B. 949 amends this requirement by specifying that such notices must be provided no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”

This amendment is striking in that it sets a maximum time period for notice that is much longer than the time periods set forth in other state or federal breach notification standards (e.g., the Health Insurance Portability and Accountability Act requires notice no later than 60 days following discovery of a breach).

Recognizing this apparent leniency, Connecticut Attorney General George Jepsen issued a press release that clarifies his office’s enforcement approach. Specifically, Jepsen clarifies that the 90-day reporting period is the “outside limit” for notifications and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”

Jepsen makes clear that his office will “continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification — even if notification is provided less than 90 days after discovery of the breach.” Thus, entities should continue to respond to breaches in a prompt manner and provide the necessary notices as soon as practicable.

In addition, S.B. 949 requires companies experiencing a breach involving Social Security numbers to provide affected individuals with free credit monitoring services and information on how such individuals may place a credit freeze on the individual’s credit file. The free credit monitoring services must be for a period of at least one (1) year.

While this new requirement has been considered by many to be a significant change in the law, it may have limited implications in practice because the state attorney general has long expected (or even required) companies to provide such services when Social Security numbers were involved.

Notably, S.B. 949 appears to set a shorter time period for free credit monitoring than what is typically expected by the state attorney general’s office. In many instances, the attorney general has insisted that companies offer no less than two years of free credit monitoring. Addressing this apparent lowering of expectations, Jepsen announced in his office’s press release that S.B. 949 “sets a floor for the duration of the protection” and that he retains the authority “to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.”

Both of the modifications to Connecticut’s breach reporting requirements are effective Oct. 1, 2015.

State Contractor Obligations

Effective July 1, 2015, S.B. 949 imposes significant new requirements for state contracts that authorize a state agency to disclose “confidential information” to a contractor.

The bill defines “confidential information” as: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively (i.e., Family Educational Rights and Privacy Act and HIPAA); and (5) any information that a state contracting agency tells the contractor is confidential. Confidential information does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.

This definition is very broad and contractors should be cognizant that a large number of state contracts may be subject to the bill’s new requirements.

If a state contract involves the sharing of confidential information, the contractor will be required to undertake significant efforts to protect the privacy and security of such information.

Specifically, the contract must require the contractor to, at a minimum: (1) at its own expense, protect confidential information from being breached; (2) implement and maintain a comprehensive data security program to protect the confidential information; (3) limit access to the confidential information to the contractor’s authorized employees and agents for authorized purposes as necessary to complete the contracted services or provide contracted goods; (4) maintain all confidential information obtained from the state (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents and (e) as otherwise required under state and federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate given the nature of the information disclosed and reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.

The bill includes numerous detailed requirements a contractor must adhere to, particularly with respect to the development of a data security program and the reporting of breaches.

Compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small providers with limited financial or other resources. The bill includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for confidential information if the facts and circumstances warrant them after considering, among other factors, the type and amount of confidential information being shared, the purpose for which the confidential information is being shared, and the types of goods or services covered by the contract.

Notably, the bill does not include the size or resources of the state contractor as factors OPM may consider when altering data security requirements.

Insurance Industry Data Security Programs

In response to the recent Anthem Inc. data breach, S.B. 949 imposes new requirements on health insurers, pharmacy benefit managers, utilization review companies and third-party administrators licensed do to business in Connecticut with respect to these entities’ maintenance of comprehensive information security programs.

Specifically, each such entity must develop and implement a written security program no later than Oct. 1, 2017. The program must address a litany of administrative, physical and technical safeguards including, among others: (1) computer and Internet user authentication protocols; (2) access control measures; (3) risk assessments; (4) sanctions for employee violation of security policies or procedures; and (5) oversight of third parties that have access to personal information.

The extent of such safeguards must be appropriate in light of the scope and type of business, the amount of resources available, the amount of data compiled or maintained and the need for security of such data. The written security program must be updated at least annually.

While extensive, many of the affected companies will already be subject to very similar requirements imposed under HIPAA and thus will likely have most, if not all, of S.B. 949’s elements already addressed in current policy. Nevertheless, insurers and others subject to this new requirement should review existing policies and procedures to determine sufficiency in light of the new requirements.