Last night I had the opportunity to speak to the Colonial Total Rewards Association on the topic of Data Privacy and HR. I titled the presentation “Is Your HR Data Going Rogue” and really focused on the role that Human Resources professionals should play in ensuring that company data is secured.

For those who have been following the blog for a while, you know that I’ve spoken a bit about this before (see some posts here and here).

Lest you think this could NEVER happen at your company, the headlines from the last few weeks show otherwise. Company after company keeps reporting major data breaches — in part due to a W-2 scam that keeps claiming victims (see here, here, here and here if you’re not convinced).

Even technology companies are not immune. My favorite blurb from the last month was the following:

On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company got caught in a phisher’s net.

Oops.

So if even tech companies are victims of data breaches, is there any hope for the rest of us? Well, yes. It’s not easy but there are several steps that employers can take.

  1. Learn – This is NOT simply IT’s role; rather, HR professionals should have a key role at the table in discussing a company’s data privacy culture and practice.  And the first step in that is that HR should learn the basics of data privacy.
  2. Assess – HR has access to lots of data; where is it and who has access?  Where are you “leaking” data when it comes to your employees?
  3. Develop – Develop policies and your data privacy program; and develop the teams of people that will respond in the event of a data breach
  4. Educate – Data privacy and protection ought to be part of a sustained training program, just like anti-harassment training
  5. Monitor – Figure out risks and review areas; when a breach happens, HR needs to be at the table to discuss employee impact
  6. Inform – When (not if) you have a data breach, inform those affected and gov’t officials and implement your data breach plan.

Once you’ve made it through, it’s time to start back at the beginning. Learn from your mistakes in a data breach and re-assess your vulnerabilities.

Data privacy, and the need for companies to view it as a key part of their culture, should be an integral part of your employee onboarding and training. My thanks again to CTRA for the invitation to speak to the group and the great conversation we had last night.

Next week, I will be speaking at the CBIA Annual HR Conference along with my colleague Jarad Lucan about why you should care about the NLRB.

Unfortunately, if you don’t already have tickets, it’s sold out. It’s being held at the Radisson in Cromwell, Connecticut and features some great topics for consideration. 

But the basic gist of our presentation will be a continuation of some of the themes I’ve talked about before on the blog (here, here and here, for example) — namely that the NLRB is continuing to expand its sphere of influence.

Naturally, our presentation is entitled: “The NLRB in 2016: Why it May Be Your Biggest Headache — Particularly If You Don’t Have a Union.”

For employers that are used to dealing with unions in their workplace, many of these issues won’t be a surprise.

But as I’ve talked about before, the NLRB has been critical of even those employers without unions.  The Triple Play case regarding discipline of employees for comments on Facebook is a perfect example.

For employers then, it’s important to understand the concept of “protected concerted activities” and the fact that any employee — whether a union member or not — may be protected by federal law for his or her actions.

If you’re attending the CBIA’s HR Conference next week, feel free to say “hi”.  Should be a great event.

We’ve come a long way since “The Net”

With the headlines coming out seemingly daily about data breaches at companies, there’s a tendency to feel a bit overwhelmed with the problem.

And while a data breach regarding your employees is something that may not be as imminent as one involving credit cards, it still represents a major threat to your business.

This week, I have two presentations on the subject. But in case you can’t make it, here’s a sneak peek at four things you can do now before you have a data breach.

  • Establish and implement a written data breach response policy. This policy will be more blueprint than policy. The best ones I’ve seen are in a spreadsheet format and name a team of individuals designated in advance of a data breach, with roles and responsibilities clearly defined. Notably, you should also have outside IT consultants and a legal team identified.
  • Conduct a review of your systems and data, and understand where your confidential information resides.  You won’t know if you keep your data (particularly data regarding your employees) secure unless you figure out what you have and what protections are in place.
  • Conduct regular risk assessments for your company, your contractors & vendors and other business partners. Don’t just stop at figuring out where your data resides, but understand where your data goes. If data is sent outside the company, is it encrypted when it is sent? For example, how is employee benefit information transmitted?
  • Establish frequent privacy and security awareness trainings as part of an ongoing program. Telling employees when they start about privacy policies isn’t good enough anymore. Regular training and follow-up is needed to ensure that your employees don’t provide an easy back door for your data to exit from.

If you’re interested in the subject, I would recommend attendance at one of the two programs I’ll be at.

On Wednesday, I’ll be at the National Retail Federation’s HR Executive Summit in Chicago speaking at “Protecting Your Digital Secret Sauce” at 10:15a along with representatives from Walgreens and McDonalds.  Moderated by Miller Canfield’s Adam Forman, the program description is as follows:

High profile credit card data breaches at several prominent retailers have recently made national headlines, impacting the retailers’ brand and shaking their customers’ confidence. Credit card data breaches, however, are only the tip of the iceberg. There are a whole host of related issues that are bubbling beneath the surface, many of which are within the direct control of your employees. This panel of industry experts will discuss these issues and identify practical steps to take should your organization data become compromised.

On Thursday, I’ll be at the joint program between Shipman & Goodwin and the Connecticut chapter of SHRM entitled “Raiders of the Data Ark: Data Privacy and Cybersecurity Summit.” There are still a few spots open for registration. Attendance is strong for this program; please be sure to sign up today or tomorrow so we can lock in the space.

You just finished interviewing a great candidate for a manager-level position at your company.  She looks great on paper and interviewed well.

But you’re wondering: What dark secrets about her loom on Facebook? After all, you did see that tattoo on her arm and she mentioned a fun time at Bonnaroo 2013.

“Maybe there are some pictures?”, you think to yourself. And so, in your curiosity, you conduct some searches and find out a lot more than you’ve bargained for. Now what?

If you’re down in the Stamford area, my colleagues, Robin Frederick and Christopher Parkin — both contributors to this blog as well — are putting on a 90-minute program on September 16th at 8a entitled “The Seven Deadly Sins of Social Media Employment Screening” to address some of these issues.

It’ll help provide some context to whether this type of online searching is a good idea — and when. (I’ve touched on this subject in some prior posts here and here.)

This free program for in-house counsel and human resources professionals will cover the very latest in how researching job applicants (and even current employees) on social media can lead to illegal discrimination and expose companies to a myriad of legal issues.

As always, the program will offer practical advice for screening and hiring without risk.

Workshop topics include:

  • Who, when and how to screen
  • When enough is enough
  • Compliance with applicable laws
  • Collecting social media passwords
  • Negligent hiring

If you’ve wondered whether a Google search is the same thing as hiring a company to do a Google search for you, this program will tackle it in depth.

You can register here.

Interested in social media for business but wondering how to deal with a policy to manage it?

Central Connecticut State University’s Institute for Technology & Business Development is sponsoring an executive breakfast series seminar on October 3, 2013 from 7:30-9:30 a.m. on Social Media Policy.

I will be among the panel of speakers discussing the subject. Along with me will be:

  • Jessica Rich, Director of Operations and Employee Services at The Walker Group;
  • Suzi Craig, Director of Opportunity & Engagement at Fathom;
  • Rob McGuiness, Manager of E-Communications at Pratt & Whitney

In this presentation, we will be covering both the legal aspects of social media policy and best practices for you and your company to follow.

The executive breakfast program is just $25 and open to the public.  My thanks to CCSU for the invite and TD Bank for its sponsorship of this event.

It will be held at the ITBD headquarters at 185 Main Street, New Britain, CT.  You can RSVP here to attend.  Hope to see you all there.

For additional background on social media policy, see some of my recent social media policy posts here and here.

The Appellate Court, in a decision that will be officially released next week, rejected the claims of a former medical resident that his program director owed a “fiduciary duty” to protect that resident’s interests.

In Golek v. Saint Mary’s Hospital, Inc. (download here), the court was asked to review the propriety of a decision by a hospital that conducts an accredited surgical residency training program to decline to promote a senior resident to the position of chief resident.  In all facets of its review, the Court upheld the hospital’s decision.

Much of the decision concerns a review of evidentiary issues and jury instructions. But one facet of the decision should be of note to employers.  It reviewed the appropriate standards as to whether a fiduciary relationship was created; if a relationship is found, that creates a higher standard of care by the fiduciary.

It is well settled that a fiduciary or confidential relationship is characterized by a unique degree of trust and confidence between the parties, one of whom has superior knowledge, skill or expertise and is under a duty to represent the interests of the other. . . . Although this court has refrained from defining a fiduciary relationship in precise detail and in such a manner as to exclude new situations . . . . we have recognized that not all business relationships implicate the duty of a fiduciary. . . . In particular instances, certain relationships, as a matter of law, do not impose upon either party the duty of a fiduciary.

To show this, the court said, requires ‘‘a unique degree of trust and confidence between the parties such that the [defendant] undertook to act primarily for the benefit of the plaintiff.’’

Here, the court rejected the notion of a fiduciary relationship between the resident and program director, noting that the resident is an “adult”. 

[No] fiduciary relationship existed between [the director] and the plaintiff while the parties were negotiating the plaintiff’s role in the surgical residency program. As the [trial] court noted, the plaintiff is an adult who voluntarily became a physician and entered the hospital’s surgical residency program. The plaintiff alleges that … [the] program director, sometimes praised and sometimes criticized the plaintiff’s performance and that he certified surgical residents’ performance records to ACGME. That history does not suffice to establish anything other than a form of a student-teacher relationship. We know of no case, and the plaintiff has cited none, to support the proposition that such a relationship, without something more, was fiduciary in nature…

For employers, understanding claims like this is the best way to avoid such claims in the future. Disclaimers to employees that they are “at-will” and that nothing in an offer letter is intended to alter the employee-employer relationship are one way to reduce the risk of such claims in the future.

Continuing my series of posts on the public program produced by the CHRO on new Public Act 11-237 (for prior posts go here and here), the remainder of the program focused on the changes to the CHRO procedures including a new early mediation option.

Various legal staff members provided the details on the new act through a Powerpoint presentation (which you can view below).  Throughout the presentation, however, feedback was sought from various panel members made up of attorneys representing employers and employees throughout the state.  I was invited to represent the “employer” perspective.

The goals of the new law are certainly laudable:

  • Expedite case processing
  • Focus on early mediation of cases
  • Make the best use of limited CHRO resources
  • Clear CHRO backlog
  • Increase uniformity among the regional offices
  • Involve legal department with case processing
  • Increase use of technology

How does the CHRO believe that the new law will accomplish this? Through several key changes.

  • If cases are dismissed on a Merit Assessment Review, the legal department will review those cases to provide more consistency
  • After a case is retained for investigation, an early mediation will now get scheduled quickly
  • Moreover, a specific investigator will also be assigned to the case early on to prevent the case from “sitting in file drawers”
  • Another major change is that the parties can seek an expedited legal review which could, in some circumstances, send the case directly to a Public Hearing.
  • Finally, the CHRO will also now be using e-mail as the primary means of communicating.

Overall, I expressed optimism on the proposed changes. But I think we’ll only be able to tell whether these changes are truly working in another year or so.  In the meantime, attorneys and the companies they represent should be prepared to address these new procedures and figure out how these procedures will change the strategy that employers have used at the agency.

Public Training 11-237 Power Point

Yesterday, I recapped part of the CHRO program on the new Public Act 11-237 which revises the procedures for processing and investigating complaints.

Next up was CHRO Principal Attorney Charles Krich.  (Careful blog readers may note that he comments on the blog from time to time.)

First off, Charlie gets kudos from me just for giving this blog a shout-out at the program.  He cited to one of the posts last month where I trumpeted that it was a “whole new world” for the CHRO on October 1st.

But substantively, Charlie had a frenetic powerpoint presentation that summarized where the CHRO has been and why the changes in the procedures were needed.

While he, like CHRO Executive Director Robert Brothers, Jr. before him, said that part of the problem was decreased staffing levels (69 employees, down from 108 nearly 20 years ago), he acknowledged that the problems with the agency were far deeper than that.  He also acknowledged that, even back in the late 1980s, the CHRO was under fire — as a result of a series of articles from the Hartford Courant (Hartford Courant articles from 1984-1992 are not online).

Despite the criticism that the agency has faced, he also pointed out that the agency has been successful in some areas. For example, he noted that the settlement record at the agency is higher than similar state agencies. He also noted that the funding that the agency receives from the federal government is also less than others — meaning the agency is doing its job with fewer resources.

Some of the slides won’t make sense without Charlie’s talk, but he was kind enough to allow me to share them.  You can view them below.

 

As I’ve been saying for a few weeks now, I was asked to be part of a panel discussion sponsored by the CHRO today on the impact and implications of Public Act 11-237 on the practice before the agency. There were several powerpoints used and there was a lot discussed. I will share various points in some upcoming posts, including discussing all of the various changes in procedures.

Today I will recap the introductory comments made by the CHRO Executive Director Robert Brothers, Jr.

CHRO Holds Program at Capitol

He described his job and the situation the agency is in now as “absolutely challenging”.  He indicated that staffing levels are down 33 percent over the last ten years or so, adding to the difficulties for the agency.

He also acknowledged the agency’s shortcomings.  He indicated that the criticism of the delays of processing cases is “well-founded”.  While he said that part of the reason behind the delays was due to lack of staff, he said that it was also due to “the way we’ve been doing things.”

He asked all those in attendance for input on how the new law is working and whether the agency is getting closer to its goal of completing more investigations than it takes in.

“We will do it faster,” was a mantra repeated over and over again.

Of course, the skeptics can point to the fact the agency has tried to reinvent itself over the years with only mediocre success.  But with someone who has been with the agency for a long time (instead of an outsider) at the helm, there is no doubt that Brothers has more support than others have had.

But one big problem remains. The Human Rights Referees — the ones who run the hearings — have not yet been reappointed and Brothers admitted that he just didn’t know when that would take place. He indicated that “I think it’s taking longer than it should,” but had no concrete information to share.

The program was taped and will be aired on CT-N in the upcoming weeks. (Update: It is now available through a link here.)

Well, you have to give the state some credit for trying.

As I mentioned yesterday, I’ll be speaking today at a program run by the CHRO about the new law that changes the CHRO’s procedures. It appears to be part of a concerted effort by various agencies to reach out to businesses in the state more.

In fact, the program today is just part of several programs being put on by various agencies.  The CHRO is sponsoring another program next week entitled: Civil Rights is GOOD for Business Employer Seminar.   It will be held on Wednesday, October 26th from 10 a.m. – 12 p.m. at the State Capitol, Room 310.

It is open to the public though employers are asked to RSVP to Cheryl Sharp at cheryl.sharp@ct.gov.

The program will discuss the services available to employers and some of the best practices that employers can implement.

Not to be left out, the Connecticut Department of Labor also has two upcoming programs on the new Paid Sick Leave law.  Details on those programs are available here.