A while back, I had a good discussion with a colleague on a topic with no real firm answers.

No, it wasn’t on whether the Yankees are better franchise than the Red Sox.  The answer to that is unequivocally yes.  (Sorry, Sox fans.)

Rather: When is a employee-related issue a legal one? Or alternatively, when can human resources handle the issue on it’s own?

What comes to mind at first is the old Justice Potter Stewart quote of, “I know it when I see it” but that seems unsatisfying.

For some smaller employers, the answer may lean more heavily towards “legal” in part because there may not be an in-house human resources professional to call on.

But on the flip side, there are some other employers that might rely heavily (perhaps overly so) on their HR contacts to handle matters, trying to avoid unnecessary legal expenses.

What I’ve concluded is what I’ve started with — there are no real answers to the question.

But I can outline a few (non-exclusive) times when a lawyer should probably get involved.

  1. You get a letter from a lawyer threatening legal action on behalf of an employee or, in the case of a non-compete, from a former employer.  Pretty self-evident; lawyer = legal issue.  I’m going to not even dwell on the obvious: an actual lawsuit being filed means an attorney ought to be contacted.
  2. You get a notice from a state or federal agency investigating wage/hour laws, anti-discrimination laws, workplace safety issues, or labor union-related issued. Anything from the DOL, CHRO, EEOC, OSHA, or NLRB (to name a few) has the potential to be a big deal. Things you say there can be used against you too.  The earlier the better.
    1. But unemployment compensation claims may not always rise to that level.  Some employers handle unemployment claims and appeals internally.  For those situations, it depends on the complexity of the situation.
  3. You have to conduct an investigation into a workplace issue, such as sexual harassment, AND you may want that investigation to be privileged and confidential.  Again, HR may be able to conduct a whole host of minor investigations but there are going to be some that involve sensitive issues, or perhaps raise company-wide concerns. Bring counsel involved and let them help to manage the investigation.
  4. You have a complex issue that doesn’t have a clear legal answer.  It’s pretty well-settled now that employers need to engage in interactive discussions with an employee regarding reasonable accommodations that they may need.  Qualified HR can handle those discussions.  But suppose the employee is injured on job, is out on workers’ compensation, has exhausted FMLA time and needs additional time off — what then?

But I’m interested hearing from other lawyers or human resources personnel. When is an issue a legal one and when is HR perfectly capable of addressing it? Leave your best tips in the comments below.

lock1Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR.  I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think, this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keep reporting major  data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice.  And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access?  Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program; and develop the teams of people that will respond in the event of a data breach
  4. Educate – Data privacy and protection ought to be part of sustained training program, just like anti-harassment training
  5. Monitor – Figure out risks and review areas; when breach happens, HR needs to be at table to discuss employee impact
  6. Inform – When (not if) if you have a data breach, inform those affected and gov’t officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy and the need for companies to view it as a key part of your company’s culture should be an integral part of your employee onboarding and training.  My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

robertsWith the new year upon us, cyberthieves are once again attempting to prey on unwitting HR professionals, as my colleague William Roberts explained in an article last week for SHRM on phishing.

The scam goes like this. As an HR professional, you get an e-mail from your boss (or your boss’s boss) that seems legitimate…and urgent. Something like this:

I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan

It’s happened before.  Indeed, as Bill explained in the article:

“Alan was the chief financial officer,” said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn’t Alan who was sending the e-mail. Despite the company’s policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief’s e-mail address.

That’s more than just an “Oops” moment.

Although the IRS is taking steps to help reduce this, the best defense is for HR professionals to be aware of this scam.  I previously discussed this back in March 2016 with a quick post but it’s worth looking at some of the tips presented in the SHRM article including:

  • Train employees on cybersecurity awareness. Many companies do not.
  • Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise….
  • If you receive an e-mail from upper management, verify the request….

As I continue to reflect this week on nine years of blogging, it’s hard to recall that I started this before the Great Recession hit.  Since that time, all businesses have become more cost-conscious and creative in how they are structured and how they compensate their employees.  Non-profit organizations are no exception to that.  But how can these workplaces continue to “do good” while rewarding their employees?

Today, I’m pleased to share this post from Marc Kroll, Managing Partner at Comp360 LLC.  Marc talks total about how non-profits can implement a “Total Rewards” strategy and earn a return on their investment. 

And what is “Total Rewards”? As the Houston Chronicle described it in a recent article: “Formerly referred to as simply compensation and benefits, total rewards takes on a more creative and broad definition of the ways employees receive compensation, benefits, perks and other valuable options. Total rewards include everything the employee perceives to be of value resulting from the employment relationship.”

Having a well-thought out compensation system is a key component to reducing liability and, hopefully, ensuring happy, productive employees.  If you’re looking for ways to avoid dealing with employment lawyers on issues, getting ahead of issues like this is a natural step in the right direction.  My thanks to Marc for his insights.  

Kroll_MarcAs a result of the slow growth economy, non-profit organizations are facing decreased funding due to federal and states’ fiscal deficits as well as a significant shift with grant-makers who are increasingly funding awards on a performance/return on investment basis.  In addition, the soaring costs of healthcare insurance are adding significant pressure to operating costs.

Without new revenue growth, many non-profits are looking for ways to measure and increase the value/return on their social mission and investments.

Consistent with these changes, some non-profits are responding by trying to increase the “return” on their services and programs in terms of program execution, utilization, and measurable results.  Given this environment, non-profits are being forced to examine the viability of their highest cost centers, most particularly, employee compensation and benefits for value against performance as well as market competitiveness.

Non-profit Boards and senior management are questioning what the appropriate compensation and benefit programs should be, at what levels they should be funded, and how to drive accountability and performance in the employee workforce.

While non-profit organizations have predominantly been about social service and charity with their cultures reflecting a “do-good” environment and a concern for employee welfare, present conditions have forced many to consider a culture shift toward performance and accountability as well as changes in their Total Rewards programs.  This delicate balancing act between affordability and the ability to attract and retain a stable and talented workforce presents challenges in nonprofits’ capacity to assure effective organizational culture, management practices, labor market relevance, and strategic/operational priorities.

To help navigate this challenge, the following insights to six key questions provide a prescription for change in Total Rewards:

  1. What should your Total Rewards strategy be?

This is a statement developed by your Board or management committee on how the organization’s compensation and benefits programs will support and relate to your operational objectives, culture, management practices, and employee performance.  It also describes both the labor market within which the organization wishes to compete and the level at which both compensation and benefit programs will be set and funded.

Continue Reading Guest Post: Getting The Most Out of Employees At Non-Profit Organizations – A “Total Rewards” Strategy

Well, it was bound to happen.  After nine years of writing the blog on a near daily schedule, some work and personal commitments interfered with my blog writing schedule. But never fear, more new posts from me are now right around the corner.

In the meantime, one of our summer associates, James Joyce, joins the blog today to give an update on a a law passed last year regarding pay secrecy. My thanks to James for his work on this.  James is finishing up his law degree at University of Connecticut.  

joyceLoyal readers may recall that about a year ago, Connecticut’s “Act Concerning Pay Equity and Fairness” Public Act 15-196, became law.   Dan has already blogged about the nuts and bolts of the “Pay Secrecy Bill” and its potential impact on employers.

And, as Dan highlighted, employers need to be mindful of this legislation because it created a private cause of action in court for any violation.  That is where today’s post comes into the picture.

One of the first lawsuits alleging violations of the “Pay Secrecy Bill” was recently filed in Superior Court in Stamford (the case has since been removed to Federal District Court).   The lawsuit raises other issues as well, but for today’s post, we’ll focus on the “Pay Secrecy” claim.

So what’s in this lawsuit? Well, the plaintiff alleges that her former employer maintained a “Pay Secrecy Policy” forbidding employees from discussing their salaries despite the enactment of the “Pay Secrecy Bill” in July 2015.

Specifically, the allegations include a run-in with the human resources (HR) department due to comments the Plaintiff made about salaries and her former employer’s view that this was inappropriate and none of the plaintiff’s business.  The plaintiff received an “Employee Warning Notice” from HR and HR went on to tell the plaintiff she could not discuss her wages or her co-workers’ wages.

Additionally, in February 2016, it is alleged that a former co-worker of the plaintiff was reprimanded for a conversation she had with another employee about the company’s paid time off/holiday policy.  The former co-worker was allegedly told directly by the CEO and by HR that this conversation or any similar conversations violated the company’s policy prohibiting employees from discussing compensation with other employees

Obviously, whether or not these facts are true — or rise to a level of violating the law — will play out in court.  But these types of incidents are just the sort of things that employers need to be aware of to avoid “Pay Secrecy” violations.  The law prohibits employers from implementing policies that prevent employees from, or disciplining employees for, engaging in conversations about salary-related information.

Because this case was recently filed there is no way to predict how the court will rule.  Nevertheless, that does not mean this case should be ignored until it is decided.  Employers should remind their human resources staff and managers of this new Connecticut law.

The downside will be cases like this where the employer may have to spend time and money investigating and defending themselves against the alleged “Pay Secrecy” violations.  Employers also risk being found liable for compensatory damages, attorney’s fees and costs, punitive damages, and any legal and equitable relief the court deems just and proper related to the alleged violations.

shrmprogramI’m pleased to announce an upcoming program that my firm, Shipman & Goodwin and the Connecticut State Council of SHRM are producing next month and that I’ve been planning for several months.

The program, entitled “Data Privacy & Human Resources” will be a unique endeavor for us.  First, we are planning on doing it in both our Hartford & Stamford offices at the same time.  Speakers will be in both locations (though obviously not the SAME speakers, for those grammar buffs).

On top of that, we will be broadcasting it live via a webinar.

What could go wrong?

Hopefully, nothing, because really, it should be very informative.  It’s scheduled for the morning of December 11, 2015.

The first hour will focus on the key things employers need to know about the revisions to the state’s new data privacy law. The second hour will talk about the very latest in human resources including the current status of the proposed overtime regulations and the state’s new social media privacy law.

It’s going to be fast-paced and informative. But space is definitely limited and within the first 48 hours of our e-mail alert, we’re already halfway to our in-person room capacity.

If you’re interested in attending, check out this link and register online. The cost is just $35, but this includes breakfast and the materials. (If you’re watching via webinar, breakfast is on your own — naturally.)

And if you’d like to see the flyer, you can download it here.

secretsEarlier this month, The New York Times ran another column in its Workalogist series that asked the following question:

Are conversations with a human resources department confidential? I’m contemplating retirement in about three years and would like to gather benefit information from human resources now — but I do not want my supervisor to know. Once I decide, I would like to give three weeks’ notice.

In responding, the Workalogist quotes one SHRM professional as saying that, “An H.R. professional should maintain the employee’s confidentiality to the extent possible.”  But note the caveat: HR is at the “razor’s edge of balancing confidentiality with the overall needs of the business.”  He notes that many workers assume some confidentiality even where it doesn’t exist:

Workers often assume there’s some sort of H.R. parallel to the confidentiality they’d expect from a doctor or a lawyer. That’s not the case, says Debi F. Debiak, a lawyer and labor and employment consultant in Montclair, N.J. Barring circumstances involving, for instance, a medical condition, “there is no legal obligation to maintain confidentiality” about a retirement discussion, she says.

Suzanne Lucas, the Evil HR Lady (her name, not mine), has often touched on this subject in her blog and columns.  She was asked whether it was “illegal” or immoral for the HR representative to forward to the company’s COO an employee’s angry e-mail:

Well, it’s not illegal (she says in her non-lawyer, non legal advice way). HR people are not required to keep a confidence as a doctor, priest or lawyer is. In fact, part of our job is to blab. Which means that I’m also going to suggest that it wasn’t necessarily immoral either.

Indeed, there may be times when such a referral is necessary to protect the company. Complaints of sexual harassment often need to be investigated, or reviewed.  In those instances, employers may not be able to honor a request to keep things “confidential”.

In short, those in human resources should realize that they shouldn’t make promises they can’t keep.  Protecting the company and investigating harassment complaints are two common areas when HR should be speaking up — instead of keeping silent.

papersA few weeks back, one to the best bloggers you may not be reading — Robin Shea — posted about the scathing press that Amazon had been receiving about its workplace and posed this question: Can Employees Trust Human Resources?

It’s not a trick question.

As Robin deftly points out:

Part of the problem, I think, comes from the fact that HR really cannot be an “advocate” for the employee — not like the employee’s lawyer, or his mother, or his best friend. The HR rep works for the company and has to do what’s right for the company. I think this is where the “HR doesn’t care” perception comes from.

But Robin goes on to say that “just because HR isn’t an employee advocate doesn’t mean HR doesn’t care about employees.”  Indeed, the HR person typically have to worry about compliance and recruitment — two areas that, if handled correctly, can be the “best way to stay out of legal trouble.”

Of course, other bloggers like Suzanne Lucas, tackle this issue on seemingly a daily basis. After all, Suzanne’s moniker is the “Evil HR Lady”.  Why?

All HR people are evil, it’s in our job description. Or at least, that seems to be the prevailing theory. In reality, there’s just more going on behind the scenes than most people know.

Now, before all the HR people reading this pat themselves on the back for a job well done — let’s not get too ahead of ourselves.  Human Resources doesn’t have to be evil, but that’s not to say that incompetence — or, more accurately, missteps — should be fostered either.

HR is under scrutiny all the time and missteps can often lead to misunderstandings and mistrust too.  Suppose, for example, an employee comes to HR with a “confidential” harassment complaint.  The HR person fails to tell the employee that they have an obligation to report it and followup; thus, when the HR person begins an investigation, the complaining employee may be surprised to find out that confidentiality is not something that can be promised.

Now let’s suppose that the HR person actually provides the caveat that confidentiality will be preserves where possible. But in the course of the investigation, the HR person divulges personal information to witnesses and is cavalier with the information.  No matter how good the investigation is, it will still be perceived as being improper.

One issue that may come up is training. Some companies hire HR people with little experience figuring that “anyone” can do that job.  But the problem is that these people (to generalize) may not even know the questions to ask.  They have little familiarity with the law and therefore make decisions that may seem good in theory, but are just not allowed.  The intersection of the ADA, FMLA, Paid Sick Leave, and Workers Compensation is a huge issue that is difficult to get right.

In my experience, most of the HR people I’ve dealt with are bright, well-intentioned people who just want to “get it right”.  It can be a thankless job, made only tougher when the HR people are asked to take the lead on a layoff or termination.  I can tell you that no one takes pleasure in having to fire an employee. The conversations I’ve had with HR people in those instances start off clinical — just the facts — but many times, it’s the “personal” side of the decision that gets tough. The families that may be impacted or the other difficulties that the person has.

In those cases, HR plays a crucial role in ensuring decisions are handled with care and, if the situation warrants, compassion.  HR can advocate for a severance package, or outplacement counseling, or other pieces to a separation.  HR should — and often times, does — try to get decisions “right”.

And ultimately, HR should be trusted. But that trust is difficult to be earned. To the HR people who read it, just keep plugging away.

Remember: HR will typically get blamed for any workplace employee issues and not get credit for the successes.  That just comes with the territory.

We’ve come a long way since “The Net”

With the headlines coming out seemingly daily about data breaches at companies, there’s a tendency to feel a bit overwhelmed with the problem.

And while a data breach regarding your employees is something that may not be as imminent as one involving credit cards, it still represents a major threat to your business.

This week, I have two presentations on the subject. But in case you can’t make it, here’s a sneak peek at four things you can do now before you have a data breach.

  • Establish and implement a written data breach response policy.  This policy will be more blueprint, than policy.  The best ones I’ve seen are in a spreadsheet format and identify a team of individuals who are already identified in case of a data breach, with roles and responsibilities clearly defined.  Notably too, you should also have outside IT consultants and a legal team identified as well.
  • Conduct a review of your systems and data, and understand where your confidential information resides.  You won’t know if you keep your data (particularly data regarding your employees) secure unless you figure out what you have and what protections are in place.
  • Conduct regular risk assessment for your company, your contractors & vendors and other business partners.  Don’t just stop at figuring out where your data resides, but understand where you data goes.  If data is sent outside the company, is it encrypted when it is sent? For example, how is employee benefit information transmitted?
  • Establish frequent privacy and security awareness trainings as part of an ongoing program.  Telling employees when they start about privacy policies isn’t good enough anymore. Regular training and followup is needed to ensure that your employees don’t provide an easy back door for your data to exit from.

If you’re interested in the subject, I would recommend attendance at one of the two programs I’ll be at.

On Wednesday, I’ll be at the National Retail Federation’s HR Executive Summit in Chicago speaking at “Protecting Your Digital Secret Sauce” at 10:15a along with representatives from Walgreens and McDonalds.  Moderated by Miller Canfield’s Adam Forman, the program description is as follows:

High profile credit card data breaches at several prominent retailers have recently made national headlines, impacting the retailers’ brand and shaking their customers’ confidence. Credit card data breaches, however, are only the tip of the iceberg. There are a whole host of related issues that are bubbling beneath the surface, many of which are within the direct control of your employees. This panel of industry experts will discuss these issues and identify practical steps to take should your organization data become compromised.

On Thursday, I’ll be at the joint program between Shipman & Goodwin and the Connecticut chapter of SHRM entitled “Raiders of the Data Ark: Data Privacy and Cybersecurity Summit.”  There are still a few spots open for registration. Attendance is strong for this program, please be sure to sign up today or tomorrow so we can lock in the space.

Real hackers are more fearsome than this one.

Okay, okay.  I realize the headline is a bit misleading.  But it isn’t every day that you hear about a data breach at Home Depot in which 56 MILLION credit cards may have been hacked. To put that into perspective, that’s 16 million MORE than the infamous Target breach!

But this is an employment law blog, not a shopping one. So, why does this matter to human resources professionals and companies? Because if hackers can access credit card information, they are going to try to hack into your work files.

It isn’t a matter of “if”. It’s a matter of when they will attempt to do so.

Don’t take my word for it. This comes from the head of the military’s cybersecurity division.  Admiral Mike Rogers has been preaching for months of the need for companies to take data privacy and cybersecurity seriously.  A recent news post reported on the importance Rogers has placed on this area for private businesses.

Corporations must successfully deal with cybersecurity threats, because such threats can have direct impacts on business and reputation, Rogers told the business audience.“You have to consider [cybersecurity threats] every bit as foundational as we do in our ability to maneuver forces as a military construct,” he said.

I have little doubt you’ll hear a lot more about this at an upcoming Data Privacy and Cybersecurity Summit that I’ve been helping to put together here at Shipman & Goodwin, in conduction with CT SHRM.

It’s scheduled to be held on October 16, 2014 from 8a to 2p at the Crowne Plaza in Cromwell, CT.

The cost is just $75, which includes continental breakfast, coffee, buffet lunch, and the materials.  Full details as well as registration can be found here.

Speakers include myself, Shipman & Goodwin attorneys Scott Cowperthwait, Cathy Intravia and William Roberts as well as industry experts from Adnet Technologies, the Connecticut Attorney General’s office, ESPN, the FBI, FINEX North America, General Electric Company, JPD Forensic Accounting, Quinnipiac University, United Therapeutics Corporation, and United Technologies Corporation (UTC).

Hope to see you there. Register soon as spots have been filling up over the last week.