FMG Law Blog

Whistling While You Work: Nurses’ Complaints about Internal Procedures Not Protected Under Georgia Whistleblower Act

Posted on: August 15th, 2017

By: Robyn M. Flegal


In late June 2017, the Georgia Court of Appeals held that expressions of general safety concerns do not rise to the level of activity protected by Georgia’s Whistleblower Statute – no matter how well-founded or well-intended.  The court reached its conclusion after considering a retaliation action brought by two nurses who were terminated after they voiced concerns to their supervisors about the way a Georgia healthcare provider staffed its shifts (one of the nurses raised her issues after a patient attempted suicide). The hospital, however, cited failure of the nurses to perform their assigned shifts as the reason for their terminations.

Georgia’s Whistleblower Statute prohibits public employers from (1) retaliating against a public employee for disclosing a violation of or noncompliance with a law, rule, or regulation to either a supervisor or a government agency; or (2) retaliating against a public employee for objecting to, or refusing to participate in, any activity, policy, or practice of the public employer that the public employee has reasonable cause to believe is in violation of or noncompliance with a law, rule, or regulation.

The Court decided that the trial court properly granted summary judgment to the defendant healthcare provider because the nurses’ complaints concerned only internal operating procedures. The women’s whistleblower action failed because they were unable to demonstrate that they disclosed a violation of a law, rule, or regulation to a supervisor or objected to participating in an activity they thought violated the same.

Public employers should be well aware of Georgia’s Whistleblower Statute and what constitutes protected activity thereunder. For more information, contact Robyn Flegal at [email protected].

SEC Issues Risk Alert on the Cybersecurity Practices of Registered Broker-Dealers, Investment Advisers, and Investment Funds.

Posted on: August 11th, 2017

By: Jennifer Lee


The U.S. Securities and Exchange Commission (“SEC”) has become increasingly focused on cybersecurity issues in recent years as data breaches and ransomware attacks become more frequent and widespread across all industries. The most recent Risk Alert, issued on August 7, 2016 by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), shows that cybersecurity continues to be a high priority for the SEC in 2017.

The Risk Alert was based on an examination of the cybersecurity policies and practices of 75 broker-dealers, investment advisers, and investment funds over a nine-month period, from September 2015 to June 2016. The examinations focused on firms’ written policies and procedures regarding cybersecurity, including whether such policies were actually implemented and followed.

The 6-page report found that although most firms had cybersecurity policies in place, such policies were often too general and vague, as they did not articulate specific procedures for implementing the policies or examples of how employees can apply the policies in their daily work. In addition, even when firms had specific cybersecurity protocols in place, their actual practices were much more lax and did not reflect their stated policies and procedures. For example, firms often had policies requiring all employees to complete cybersecurity awareness training. However, they did not have a mechanism in place to enforce such requirements. The Risk Alert also pointed out that some firms were using outdated operating systems that were no longer supported by security patches and were not taking measures to address the results of any penetration testing.

In light of the findings, the report listed specific measures firms can take to ensure that their cybersecurity practices are “robust,” including:

  • Creating and maintaining an inventory of data and information, including classification of the risks of the disclosure of each category of data or information and business consequences in the event of such disclosures;
  • Tracking access and requests for access to data and information;
  • Following a regular schedule of system scans and updates, including security patches;
  • Establishing and enforcing controls concerning firm network and equipment, including protocols with respect to personal devices on firm networks; and
  • Requiring mandatory employee training on cybersecurity issues.

Cybersecurity incidents are a growing and costly problem for the financial services industry, and they do not appear to be going away anytime soon. The SEC has picked up on this and has begun to dedicate more resources to cybersecurity enforcement. In fact, last year, the SEC brought charges against Morgan Stanley Smith Barney LLC (“MSSB”) following a data breach involving customer data for failure to adopt written policies and procedures reasonably designed to protect customer records and information. MSSB, a dually registered broker-dealer and investment adviser, settled the matter by agreeing to a censure and a $1 million fine. With the release of the August 7, 2017 Risk Alert, it seems more likely now than ever that firms will be held accountable for cybersecurity incidents, including data breaches and ransomware attacks, if they fail to implement the recommended measures and protocols contained in the Risk Alert.

However, SEC enforcement actions are not the only thing that broker-dealers and investment advisers need to worry about. As the public becomes more aware of cybersecurity issues, data breaches and ransomware incidents will result in the filing of customer claims. This may prove to be problematic as a single incident can affect thousands of customers, so a broker-dealer or an investment adviser may find itself trying to fight off thousands of individual actions or face a handful of actions involving a large number of customers, similar to a class action or a mass tort case.

To reduce the risk of an SEC enforcement action or customer actions based on cybersecurity incidents, broker-dealers and investment advisers should ensure that they are in compliance with SEC regulations and guidelines regarding cybersecurity, including but not limited to Regulation S-P, Exchange Act Rule 13n-6, and Exchange Act Rule 15c3-5—both on paper and in practice. Firms should also proactively implement any recommendations contained in OCIE’s Risk Alerts to the extent that they have not already.

If you have any questions regarding your firm’s compliance with SEC cybersecurity regulations or cybersecurity litigation in general, please contact the writer, Jennifer Lee, at [email protected].

Three Years After Ferguson Shooting, Litigation Trudges Forward

Posted on: August 10th, 2017

By: Wesley C. Jackson

This week marks the three-year anniversary of the August 9, 2014 shooting of Michael Brown in Ferguson, Missouri. While the shooting sparked a national debate about officers’ use of force that continues to this day, one of the civil suits arising from the shooting is just now percolating through the federal court system. On July 25, 2017, the Eighth Circuit Court of Appeals affirmed a district court’s ruling that the shooting officer, Darren Wilson, is not entitled to qualified immunity based on Brown’s companion Dorian Johnson’s claims that Wilson used excessive force against the two when he seized them just before the shooting.

Johnson claims that Wilson, the Ferguson Chief of Police, and the City of Ferguson violated his Fourth Amendment right to be free from unlawful detention and excessive force when Wilson allegedly racially profiled Brown and Johnson pursuant to an unlawful pattern of policing condoned by the City and its police chief. After a federal district court concluded that Wilson was not entitled to qualified immunity based on these allegations, the Eighth Circuit Court of Appeals affirmed. The defense of qualified immunity generally protects officers from civil liability for actions taken in the scope of their duties so long as those actions do not violate a clearly established constitutional right. The Eighth Circuit concluded that the virtually unprovoked shooting—as alleged in Johnson’s complaint—amounts to a constitutional violation and thus denied Wilson’s qualified immunity defense.

The Eighth Circuit’s ruling should not be viewed as an indictment against the defendants. Because the defendants appealed a denial of qualified immunity at the early “motion to dismiss” stage of litigation, the court could only consider the facts as Johnson had alleged them. Thus, the Eighth Circuit’s ruling only means that Johnson will now be able to conduct discovery to develop evidence for use at trial that might support his allegations. But developing supporting evidence could be a challenge, as the U.S. Department of Justice has already evaluated most (if not all) of the available evidence and concluded in an official report that Johnson’s testimony concerning some of his most pertinent allegations is “inconsistent with the forensic and physical evidence.”

Even so, after the parties conduct discovery, Wilson will be able to assert the qualified immunity defense again through a motion for summary judgment before Johnson’s claims can be presented to a jury. Thus, while the public reaction to the Ferguson shooting was swift, Johnson’s case demonstrates the slow pace of civil rights cases in federal courts. Three years after the shooting, Johnson is just now able to begin the discovery phase of litigation. And at the end of the discovery phase, he will undoubtedly face additional dispositive motions and appeals before he has a chance at trial.

For more information about qualified immunity and civil rights claims, contact Wes Jackson at 770-818-4246 or [email protected].


DOL’s Regulation of Tip-Pooling May Change

Posted on: August 10th, 2017

By: Michael M. Hill

We previously have written about the “tip credit” provision under the Fair Labor Standards Act and the developing circuit split regarding whether an employee’s tips belong to the employee or the employer. Since 2011, the U.S. Department of Labor (“DOL”) has taken the view that an employee’s tips are the employee’s property, whether or not the employer takes advantage of the tip credit or pays the full federal minimum wage in direct wages.

The DOL’s position on employee tips may soon change. The DOL has announced it soon will issue a Notice of Proposed Rulemaking that will propose to rescind the 2011 restrictions at least in part. Moreover, the DOL reportedly has instructed its investigators nationwide not to enforce this regulation with regard to employers’ tip-pooling policies.

We will keep monitoring this issue and provide an update when the Notice of Proposed Rulemaking is issued. For now, however, employers should be aware that the 2011 regulation regarding tip-pooling still is on the books. Thus, even though DOL investigators may not be enforcing it, individual employees still may bring claims based on this regulation. As always, employers should make sure their policies regarding tips comply with the interpretation of federal law in their circuit, as well as with the applicable compensation laws of their state.

If you have any questions or would like more information, please contact Michael M. Hill at [email protected].

An Exception to Florida Sunshine Laws – Helping Cybersecurity Secrecy

Posted on: August 9th, 2017

By: Jeremy W. Rogers

For the legally uninitiated, in hearing the term “sunshine laws,” it would be easy to misunderstand what exactly that would entail. This is especially so in Florida where tourism boards and state marketing inundate the eyes and ears with all forms of advertising centered on the wonderful weather. Florida is, after all, known as the “Sunshine State.” Even when it rains, you may hear it referred to as “liquid sunshine.” What are sunshine laws, then? Obviously, there is no statute in Florida mandating that sunshine be the order of each day. Sunshine laws are, rather, statutes that govern public access to government records. They exist in a number of states, and are sometimes known as open records laws, public records laws, or FOIA laws (after the federal Freedom of Information Act).

In Florida, there are multiple statute sections covering open access to government records. The openness of records in Florida dates back to the original passage of Chapter 119 in 1909. Over the years, decisional law has interpreted Florida’s sunshine laws very liberally. Any question is answered in favor of openness, while exceptions are construed narrowly. This is particularly true in more recent years as technology has evolved at a tremendous pace. Seemingly every government-related document, in any form including electronic, is open to review by anyone who goes through proper channels to obtain it. It is somewhat surprising to many, frankly, just how comprehensively and inclusively Florida’s open records laws are interpreted. They can include the more obvious records, such as official reports, down to the more questionable such as emails or texts, to the more personal such as personnel records. The records do, however, need to relate in some way to official government business, but, again, the laws are interpreted very broadly.

The exceptions to the laws are limited. They do cover, for example, information related to medical records, security, active criminal investigations, and some personal identification records. Importantly, the laws apply to all units of state, county, and local government as well as entities or individuals acting on behalf of any public agency.

The overarching policy of openness sits in tension with the need for comprehensive and strong security measures to combat and help prevent cyberattacks against government and government-related agencies and agents. As noted above, any independent contractor of a government entity or agency may fall within the definition of an agent working on behalf of a public entity, thus having the sunshine laws apply to its records. One can easily imagine the issues that may arise if records regarding cybersecurity, network breaches, detection methodology, response practices, security audits, etc. were available to the public. This would have the very real potential, and likelihood, of exposing information about vulnerable spots in the state’s or agent’s systems to cyberattackers. Once this information is obtained, there is untold havoc that could be inflicted.

Fortunately, this loophole in the sunshine laws was closed by § 282.318, Florida Statutes, which exempts such information and records from Florida’s sunshine laws. This exemption would seem to go against what is the norm for public records in Florida. However, to its credit, the legislature has historically exempted from availability matters that may jeopardize public safety or may negatively affect personal privacy or security. The cyber matters discussed herein certainly fall within those categories. What is somewhat different, however, is that this particular potential loophole was closed proactively rather than reactively. In other words, this was addressed prior to the advent of significant security issues from disclosure under the sunshine laws. This is opposed to changing the laws afterward. These measures will certainly not prevent cyberattacks, but they help to avoid a situation where the key is being handed to cyberattackers on a platter.

If you have any questions or would like more information, please contact Jeremy W. Rogers at [email protected].