FMG Law Blog Line

Trump Nominates New Labor Secretary Nominee One Day After Puzder Drops Out

Posted on: February 16th, 2017

By: Marty Heller

Donald Trump has named Florida International University Law School Dean R. Alexander Acosta as his new nominee for Secretary of Labor. Acosta is a Harvard Law graduate who clerked for Supreme Court Justice Samuel Alito when Alito was an appeals court judge; he previously served on the National Labor Relations Board and as an Assistant Attorney General under George W. Bush before becoming US Attorney for the Southern District of Florida. It remains to be seen where Acosta stands on several key issues that await the new secretary of the DOL, including implementation of the currently enjoined “overtime rule,” which substantially increases the minimum salary required to qualify for the FLSA’s white collar exemptions.

For any questions, please contact Marty Heller at

Breaking News – Puzder Withdraws from Consideration to be Secretary of Labor

Posted on: February 15th, 2017

By: Paul H. Derrick

Andy Puzder, President Trump’s nominee for Secretary of Labor, has withdrawn his name from consideration after being plagued by criticism since his nomination. Union leaders and prominent Democrats have been among his staunchest critics. Puzder’s decision to step down comes a day before his Senate confirmation hearing was set to begin. Just hours before the announcement of his withdrawal, media outlets had begun reporting that Republican officials advised the White House that Puzder lacked the votes needed for confirmation because at least four GOP senators intended to break ranks and vote against him. It remains to be seen who President Trump will nominate in his place.

For any questions, please contact Paul Derrick at

Cancellation vs. Expiration: The Subtle Distinction and Why it Matters

Posted on: February 14th, 2017

By: Connor M. Bateman

In most jurisdictions, insurers must adhere to a detailed set of statutory provisions when cancelling or refusing to renew certain types of insurance policies. Most notably, insurers are often charged with delivering or mailing a written notification to the insured providing clear and unequivocal notice that the insurance coverage at issue is ending. Even slight deviations from the statutory requirements governing such notices will likely vitiate the cancellation or nonrenewal and cause coverage under the policy to remain in place.

Although the law typically requires strict compliance with these provisions, there is an important distinction between cases where an insurer cancels a policy and cases where the policy simply expires by its own terms due to the insured’s failure to remit his or her premium payment. In the latter case, an insurer is not bound by the notice requirements in place for cancellations. The same distinction exists between cases where an insurer refuses to renew a policy and cases where the coverage simply lapses.

For example, say that an insurance company issues a standard residential fire insurance policy for a one year effective term. The insured consistently makes timely premium payments for five years and renews his coverage at the end of each term by paying the renewal premium. In the sixth year, however, the insured fails to pay the minimum balance required to renew his coverage, and the policy expires at the end of that term. Although insurers are normally required to provide written notification of an impending nonrenewal, many courts have determined that this requirement applies only to cases where the insurer is unwilling to renew an insurance policy. In other words, the statutory notice provisions are generally inapplicable to situations where a policy is not renewed because of nonpayment of premium by the insured. Thus, in the above example, the insurer would have no obligation to notify the insured that the policy was set to expire.

This distinction may prove crucial in cases where a loss occurs after the policy expires and the insured insists that coverage should be afforded because the insurer failed to abide by the statutory notice provisions. Although it is important for insurers to follow the statutory guidelines carefully when cancelling policies, insurers should also be aware of the distinction between a cancellation or nonrenewal by the insurer, which triggers the notice requirements, and a termination of coverage that results from the policy expiring by its own terms, which does not.

Deadline Approaching for Small Breach Notification

Posted on: February 14th, 2017

By: Jeremy W. Rogers

HIPAA covered entities, which are health care providers, health plans, and health care clearinghouses, are required to report “small” data breaches of unsecured, unprotected health information by March 1, 2017. Covered entities must report these breaches, defined as a breach that involves fewer than 500 individuals, to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”). This deadline applies to breaches that were discovered in 2016, and the deadline is fast approaching.

In the past, while it should never have been treated as such, some covered entities may have looked at the small breach reporting deadline as not terribly important. Events over the past several months should have changed this attitude to a great degree and emphasized the importance the OCR places on timely reporting.

First, in August 2016, the OCR announced an important change in emphasis toward breaches affecting fewer than 500 individuals. At the time of the announcement, the OCR, through its regional offices, began an initiative to more widely investigate such breaches. The regional offices retained discretion on prioritizing which small breaches to investigate, but the directive set forth was that each office was to increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance through more widespread investigation of small breaches.

Second, in the first resolution agreement announced in 2017, one covered entity agreed to settle potential violations of the HIPAA breach notification rules. This case was the first HIPAA enforcement action for untimely breach notification and resulted in a settlement approaching $500,000.00 in addition to implementation of a corrective action plan. While the case did not involve untimely reporting of small breaches (the covered entity failed to timely report breaches affecting more than 500 individuals), it does illustrate quite nicely just how important the OCR believes timely reporting to be.

It should be noted, although not applicable for 2017, that a covered entity is not required to wait until the deadline to report breaches and, in many instances, should consider reporting them closer to the date of discovery. A breach is considered “discovered” on the date when any workforce member or agent of the covered entity gains direct knowledge of the breach. Also, a covered entity is considered to have “discovered” the breach if it would have gained direct knowledge through the exercise of reasonable diligence. This means a covered entity cannot simply put its head in the sand and claim it did not have knowledge.

With the foregoing information, it is clear that timely reporting of small breaches is imperative. To that end, covered entities must pay particular attention to the approaching March 1, 2017 deadline.

The FMG Data Security & Privacy team is available to help covered entities investigate potential data breaches and comply with all notification and reporting requirements under HIPAA.

Don’t Be a Phishing Victim: IRS Warns of Email Scam This Tax Season

Posted on: February 13th, 2017

By: David Cole

It’s tax season again and the cyber criminals are back at it. According to the IRS, last year’s W-2 spear-phishing scam has returned and is currently making its way across the nation. The IRS and state tax authorities have issued a new alert advising HR and payroll departments to beware of phony emails intended to steal employees’ personal information in their W-2 forms. The phony emails generally appear to be from a senior executive in the company, like the CEO or CFO, and are sent to a company payroll officer or HR employee. The email requests a PDF or list of employee W-2 forms for the tax year. Those forms contain employee names, SSNs, and income information – all of the information a cybercriminal needs to file a fraudulent tax return and collect the refund.

The Federal Bureau of Investigation (FBI) has been tracking the financial impact of scams like this. In June 2016, the FBI estimated that cybercriminals had stolen nearly $3.1 billion from more than 22,000 victims of these types of schemes. Now, the IRS says it is receiving new notifications that last year’s email scam for W-2 records is underway for a second time. The IRS urges company payroll officials to double check any executive-level or unusual requests for lists of W-2 forms or SSNs.

To help you be aware, the following are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

These incidents not only create headaches and worry for employees, but they also constitute data breaches reportable under state law because personal information has been exposed to an unauthorized individual and the risk of identity theft is high. Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

The challenge in guarding against this scam is that the emails look legitimate. The header of the email may look exactly as you would expect, mirroring the company fonts and signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters different from the company’s actual domain name, such as substituting the number “1” for the letter “l” or replacing a “.org” with a “.com”.
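The look-alike domain and hidden reply address described above are the two things a payroll mailbox filter can check automatically. The script below is an added example written for this post, not code from the author or from FMG; it uses only the Python standard library, a hypothetical company domain `acmecorp.com`, and three constructed sample messages. It parses the `From:` and `Reply-To:` headers, flags a reply domain that differs from the displayed sender, classifies the reply domain as legitimate, look-alike (a swapped TLD, a `1` for an `l`, an `rn` for an `m`, or a near-miss spelling), or external, and notes when the message asks for W-2 or SSN data so that the verbal-verification step can be enforced.

```python
"""Defender-side screen for W-2 spear-phishing: compare the address a reply
would actually go to against the company's real domain (added example)."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical company domain used by the constructed samples below.
LEGIT_DOMAIN = "acmecorp.com"

# Phrases the IRS alert says these requests contain.
SENSITIVE_PATTERNS = re.compile(
    r"\bW-?2\b|\bSSN\b|social security|date of birth|salary", re.I)


def normalize_label(label: str) -> str:
    """Undo common visual substitutions: rn->m, vv->w, 1->l, 0->o, 5->s, 3->e."""
    label = label.lower()
    for pair, repl in (("rn", "m"), ("vv", "w")):
        label = label.replace(pair, repl)
    return label.translate(str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"}))


def classify_domain(domain: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a sender domain."""
    domain, legit_domain = domain.lower().strip(), legit_domain.lower()
    if domain == legit_domain or domain.endswith("." + legit_domain):
        return "legitimate"
    label = domain.rpartition(".")[0]          # everything before the TLD
    legit_label = legit_domain.rpartition(".")[0]
    if normalize_label(label) == normalize_label(legit_label):
        return "lookalike"                     # covers TLD swaps and confusables
    if difflib.SequenceMatcher(None, label, legit_label).ratio() >= 0.85:
        return "lookalike"                     # e.g. an inserted hyphen or letter
    return "external"


def analyze_message(raw: str, legit_domain: str = LEGIT_DOMAIN) -> dict:
    """Return what a payroll mailbox filter would log for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2]
    # Replies go to Reply-To when present, otherwise back to From.
    reply_domain = reply_addr.rpartition("@")[2] if reply_addr else from_domain
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    reasons = []
    if reply_addr and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    domain_class = classify_domain(reply_domain, legit_domain)
    if domain_class == "lookalike":
        reasons.append(f"{reply_domain} is a look-alike of {legit_domain}")
    elif domain_class == "external":
        reasons.append(f"{reply_domain} is outside the company domain")
    asks_for_data = SENSITIVE_PATTERNS.search(text) is not None
    if asks_for_data:
        reasons.append("message asks for W-2 / SSN / payroll data")

    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "domain_class": domain_class,
        "reasons": reasons,
        # Any request for this data gets in-person verification, per the post's advice.
        "verify_in_person": asks_for_data,
        # Hold the reply when the data request would leave the real domain.
        "suspicious": asks_for_data and domain_class != "legitimate",
    }


# Constructed samples (not real messages).
PHISHING_SAMPLE = """From: "Jane Doe, CEO" <jane.doe@acmecorp.com>
Reply-To: "Jane Doe" <jane.doe@acrnecorp.com>
To: payroll@acmecorp.com
Subject: Employee W-2s

Please send me the 2016 W-2 (PDF) for all staff as an attachment for a quick review.
"""

TLD_SWAP_SAMPLE = """From: "Jane Doe, CEO" <jane.doe@acmecorp.org>
To: hr@acmecorp.com
Subject: Staff list

Can you send me the updated list of employees with Social Security Number and salary?
"""

LEGIT_SAMPLE = """From: "Jane Doe, CEO" <jane.doe@acmecorp.com>
To: payroll@acmecorp.com
Subject: Lunch on Friday

Can we move the team lunch to noon?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISHING_SAMPLE), ("tld-swap", TLD_SWAP_SAMPLE),
                      ("legit", LEGIT_SAMPLE)):
        print(name, analyze_message(raw))
```

The `rn`-for-`m` substitution in the first sample is the kind of swap the post warns about: the `From:` line shows the executive's real address, and only the `Reply-To:` header, which most mail clients hide until the reply is composed, points at the impostor domain. The `verify_in_person` flag is set for every W-2 or SSN request, including ones from the real domain, because the post's recommended control is verbal confirmation regardless of how convincing the headers look.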

Businesses should train employees—and particularly HR and payroll employees who handle sensitive information—to be wary of email requests like this from company executives. Make them aware of this scam and ones like it, and teach them to be skeptical. A good practice is to require that the employee obtain verbal authorization, preferably in person, from the requesting person to verify that the request is legitimate before sending any response. Your company’s IT department also should be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.

The FMG Data Security & Privacy team is here to help with employee training or preparing a plan to respond to an incident.