CLOSE X
RSS Feed LinkedIn Twitter Facebook
Search:
FMG Law Blog Line

Archive for July, 2015

FMG Cyber Toolkit Now Available to Help Prevent Data Breaches and Reduce Costs

Posted on: July 31st, 2015

option 2By: David Cole

FMG is  pleased to announce the availability of a new FMG Data Breach Toolkit.  The toolkit consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.

Included in the Toolkit are :

  1. Data Security Plan for maintaining the security of sensitive information that employees may access during their employment;
  2. Data Breach Response Plan with procedures to be followed in the event of a data breach, such as the creation of data breach response team, steps for identification and assessment of the breach, containment and recovery of the breach, and notification to affected individuals, employees, and the public; and
  3. Multiple form documents to be use during execution of the Data Breach Response Plan, including a data breach incident reporting form, data breach response checklist, chronology of events to document steps taken, chain of custody forms, and sample breach notification letters and website provisions.
  4. Access to our firm’s Cyber Emergency Response Team (see here).

Studies  consistently have shown that organizations that implement these preventive policies are less vulnerable to attacks and save a lot money when responding to a breach.  For instance, the 2015 Ponemon Cost of Data Breach Study, released in June, reported that that some of the best preventative and cost-reducing measures for any organization are to adopt a data breach response plan and train employees on it and on data security in general.  As the report stated, “[t]he most profitable investments companies can make seem to be an incident response plan . . . employee training, [and] board-level involvement[.]”   The Ponemon report found a per record cost of response in the United States of $217.  However, implementing an incident response plan ahead of time dropped the per-record cost by $12.60, conducting employee training on information security practices reduced costs by $8 per record, and having board involvement in cyber security policy development lowered costs by $5.50 per record.

If you have been reading our blog (see here and here) or attending our seminars, then you know this issue has been a point of emphasis and concern for clients.  It is essential that every organization not relegate data security and privacy to the IT department, but instead make it a “board room issue.”  In addition, just like every organization should have an employee handbook that sets forth your personnel policies, every organization should have in place a data breach response plan that is part of your training to employees.

To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team  attorneys:

David Cole – Partner in Charge (Atlanta office)
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]

John Goselin –  (Atlanta office)
(770) 818-1423(o)
(678) 478-3570(c)
[email protected]

Joshua Lott –  (Atlanta office)
(770)-818-1283 (o)
(706) 248-6132 (c)
[email protected]

Jonathan Romvary – (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi – (Philadelphia office)
(267) 758-6013 (o)
(949) 2949230 (c)
[email protected]

Kacie Manisco – (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

And the Hits Keep Coming for Fiat Chrysler America

Posted on: July 27th, 2015

fireBy: Wayne S. Melnick

In March, Fiat Chrysler America (“FCA”) was hit with one of the largest tort verdicts in Georgia history when a Decatur County jury found it 99% liable for the death of a four-year-old that was burned to death in the back of a 1999 Jeep Grand Cherokee following a rear-end accident.  In that case, the jury determined the vehicle was defectively designed by having its gas tank behind the rear axle making the gas tank vulnerable in such a rear-end accident.  A motion for new trial or to reduce the verdict is currently pending before the trial court.  As of now, the parties still appear to be over $145M apart in what each considers to be a “fair” verdict.

However, even if that verdict is reduced significantly, FCA is still going to be reeling as a result of FCA’s vehicle design and the actions taken by FCA after questions regarding FCA vehicle safety started coming to light. Over the weekend, it was announced that FCA had agreed not only to a record $105M fine for “shortcomings in reporting defects and inadequate recall procedures” related to the Jeep Grand Cherokee (and similarly designed Jeep Liberty vehicles), but that FCA was also required to buy back a limited number of vehicles, offer incentives for owners to participate in recall repairs, and be subject to independent monitoring to ensure its safety program continues to meet minimum standards.  The new federal oversight will last a minimum of three years.

Of the $105M fine, FCA must pay a $70 million cash penalty — equal to the record $70 million civil penalty the agency imposed on Honda in January for an undercount that led to 1,729 deaths and injury claims not being reported to NHTSA over 11 years.  FCA must also spend at least $20 million on meeting performance requirements included in the Consent Order. Another $15 million could come due if the independent monitor discovers additional violations of the Safety Act or the Consent Order.

As a result of this action, it is clear that FCA’s headaches from the older model Jeep Liberty and Grand Cherokee models are far from over.  Due to the explosive nature of these claims, there is no doubt that there will be additional claims/law suits related to similar injuries and/or deaths.  Any attorney or claims representative involved in these claims can surely learn lessons on what not to do from the Georgia trial resulting in such a runaway verdict.

Court of Appeals Explains the Limits of Penalties for Violations of Georgia’s Open Meetings Act

Posted on: July 27th, 2015

Video CameraBy: Kevin Stone

Earlier this week, in Gravitt v. Olens, 2015 WL 4314382, the Georgia Court of Appeals clarified several provisions of Georgia’s Open Meetings Act (“OMA”).  In Gravitt, during a meeting of the Cumming City Council, a member of the public, Nydia Tisdale, sought to videotape the meeting.  The Mayor announced that videotaping was prohibited (the first alleged violation of the OMA), and directed the City’s Chief of Police to move the camera, and the tripod on which it was mounted, to the rear of the meeting area (the second alleged violation). Tisdale initially resisted by shouting at the Mayor, and so the Chief asked her to step outside the meeting so he could explain the removal to her without disturbing the meeting.  At that point, Tisdale ceased her resistance, and so neither the Chief nor anyone else required that she leave.  Even so, Tisdale voluntarily stepped outside and made a phone call.  She then returned to the meeting, at which point she started using a different handheld camera.  An officer reminded Tisdale that the Mayor had asked her not to record the meeting (the third alleged violation), but took no action to stop her from recording.

The OMA requires City Council meetings to be “open to the public,” and provides that “visual and sound recording during open meetings shall be permitted.”  Based on this, the State Attorney General brought a civil action under the OMA against the City and the Mayor, individually.  The trial court: (1) denied the defendants’ motion to dismiss, which was based on sovereign and official immunity; and (2) granted summary judgment in favor of the Attorney General, ruling that the defendants violated the OMA, and imposed civil penalties and attorney fees against both defendants. 

The Court of Appeals affirmed in part and reversed in part.

As to the City, the court concluded that the City was not entitled to sovereign immunity in a civil action brought by the Attorney General on behalf of the State because the City derives its immunity from the State.  In other words, cities cannot use the State-provided immunity to bar actions brought by the State.  The good news for cities, however, is that violations of the OMA allow the imposition of civil penalties on “persons” only.  Since the OMA classifies cities as “agencies,” and not persons, cities are not subject to civil penalties.  For that reason, the court reversed the imposition of civil penalties against the City.

As to the Mayor, the Court concluded that the OMA’s mandate regarding the permissibility of recording open meetings is ministerial in nature because it is “so clear, definite and certain as merely to require the execution of a relatively simple, specific duty.”  Because the court classified this “statutory directive” as ministerial (rather than discretionary), official immunity did not bar the OMA action brought against the Mayor, individually.

Since the Mayor was not shielded by official immunity, and the trial court found that he negligently violated the OMA on three occasions at the meeting, the trial court imposed three civil penalties on him.  The Court of Appeals, however, clarified that the OMA does not permit civil penalties for violations that occurred before the imposition of the first penalty.  Here, the first penalty was imposed in the trial court’s summary judgment order.  The second two alleged violations did not occur after entry of this order.  As a result, the Court affirmed the imposition of the first penalty, and reversed the imposition of the penalties for the two subsequent violations. 

In short, a court cannot impose civil penalties on cities for violations of the OMA.  And a court cannot impose multiple penalties on an individual when he or she commits multiple violations at a single meeting (because a court would not impose the first penalty until after the meeting had ended).  Still, in order to avoid potential liability for even a single violation, local governments and officials should be aware of the OMA’s requirements.

 

 

Third Circuit Expands FMLA Requirements for Employers: Employee Must Have Opportunity to Cure Invalid Medical Leave Certification

Posted on: July 24th, 2015

imagesV882WHUQBy: Barry Brownstein

A recent decision from the Third Circuit expands FMLA requirements, by declaring that employers who receive a medical leave certification from an employee that is vague, ambiguous, and non-responsive, are required to:

(1) inform the employee that the certification is insufficient;

(2) state in writing what additional information is required; and

(3) provide the employee the opportunity to cure the certification within seven (7) days.

Employers who neglect these requirements may be liable for interference under the FMLA.

In Hansler v. Lehigh Valley Hosp. Network[1], plaintiff, Deborah Hansler was hired by Lehigh Valley in 2011 to work as a technical partner.  In early March 2013, Hansler began experiencing shortness of breath, nausea, and vomiting.  On March 13, Hansler’s physician completed a medical certification form requesting intermittent leave for two days a week starting on March 1, 2013 and lasting for approximately one month.   A few weeks later, after Hansler had taken several days off of work, Lehigh Valley terminated her employment without seeking any clarification about her medical certification.  Lehigh Valley cited excessive absences and informed her that the request for leave had been denied because her condition did not qualify as a serious health condition under the FMLA.

Prior to taking leave under the FMLA, an employee must give her employer notice of the request for leave, “stat[ing] a qualifying reason for the needed leave.”  29 C.F.R. § 825.102.  An employer may then require the employee to support the request with a certification issued by a health care provider.  29 U.S.C. § 2601(a).  A “sufficient” medical certification must state:

(1) the date on which the serious health condition began;

(2) the probable duration of the condition;

(3) relevant medical facts;

(4) a statement that the employee is unable to perform the functions of the position;

(5) the dates and duration of any planned medical treatment; and

(6) the expected duration of intermittent leave.

Id. § 2612(b).

In dismissing Hansler’s suit against Lehigh Valley, the District Court held that Hansler was not entitled to leave or a cure period because her certification was “invalid.”  Hansler appealed to the Third Circuit which reversed and remanded.

In reversing, the Third Circuit held that “[r]eceipt of an insufficient or incomplete certification triggers certain regulatory obligations on an employer that are unrelated to its understanding of the employee’s health condition.”  Id. at *4.  After receiving Hansler’s invalid certification, Lehigh Valley was required to:

(1) advise Hansler that her certification was insufficient;

(2) state in writing what additional information was necessary to make it sufficient; and

(3) provide her with an opportunity to cure before denying her request for leave.

The Court declared that Hansler is permitted to premise her interference claim on those alleged regulatory violations.

[1] Hansler v. Lehigh Valley Hosp. Network, No. 14-1772, 2015 WL 3825049, at *1 (3d Cir. June 22, 2015).

EEOC Decides Sex Discrimination Protection Includes Sexual Orientation

Posted on: July 24th, 2015

Male and female gender symbolsBy: Amanda K. Hall

Title VII of the Civil Rights Act of 1964 does not specifically prohibit discrimination on the basis of sexual orientation.  In addition, although some state and local laws prohibit discrimination based on sexual orientation, federal case law throughout the circuits has generally held that sexual orientation does not constitute a protected class.  In a landmark July 15, 2015 ruling, however, the U.S. Equal Employment Opportunity Commission (“EEOC”) held that Title VII’s prohibition of employment discrimination on the basis of sex extends to claims based upon sexual orientation.

In Baldwin v. Foxx, Appeal No. 0120133080, the Complainant, who worked for the FAA as a Supervisory Air Traffic Control Specialist in Miami, alleged that he was not selected for a permanent Front Line Manager position because he is gay.  In support of his argument, the Complainant alleged that his supervisor, who was allegedly involved in the selection process, made several derogatory comments regarding his sexual orientation.

Because the FAA is a federal agency, the Complainant initially brought his complaint through the FAA’s administrative EEO process.  On appeal from a Final Agency Decision denying the Complainant’s claim, the EEOC issued the instant determination, specifically concluding that the “Complainant’s allegations of discrimination on the basis of his sexual orientation state[d] a claim of discrimination on the basis of sex within the meaning of Title VII.”

In support of its decision, the EEOC stated that “sexual orientation” is a concept that “cannot be defined or understood without reference to sex.”  Further, noting that courts have already consistently prohibited “discrimination based on an employee’s association with a person of another race,” the EEOC stated that sexual orientation discrimination is similarly prohibited “because it is associational discrimination on the basis of sex.”  Finally, the EEOC concluded that sexual orientation discrimination falls within the ambit of Title VII because “it necessarily involves discrimination based on gender stereotypes,” which the Supreme Court held to be unlawful in Price Waterhouse v. Hopkins, 490 U.S. 228 (1989).

Baldwin adds to the EEOC’s earlier determination in Macy v. Dep’t of Justice, Appeal No. 0120120821 (April 20, 2012), that gender identity discrimination is discrimination because of sex and is therefore prohibited under Title VII.  Indeed, the EEOC’s website (www.eeoc.gov) now provides that the Commission “interprets [Title VII’s] sex discrimination provision as prohibiting discrimination against employees on the basis of sexual orientation and gender identity.”

In light of the foregoing, it seems clear that the EEOC will aggressively take the position at the charge level that “gender” equates with “sexual orientation” for purposes of Title VII statutory protection.  At present, the EEOC’s new position has not been expressly challenged in the courts, but it most certainly will be when cases eventually move from the administrative stage to federal litigation.  The EEOC likely will face a very uphill challenge in re-interpreting Title VII given the weight of the judicial authority that previously considered the issue and found that sexual orientation protection was outside the scope of the statutory definition of “gender.”  Indeed, Congress has pending before it, and has for several years, the proposed Employee Non-Discrimination Act (“EDNA”), which would amend Title VII to expressly include full LGBT (Lesbian, Gay, Bisexual, Transgender) rights as a protected class.  The fact that Congress apparently believes that Title VII does not yet include sexual orientation protection has been noted by commentators and the courts in concluding that Congress did not intend to include sexual orientation protection when Title VII was passed in 1964.

Still, in the meantime, given the EEOC’s interpretation and enforcement position, employers are faced with the possibility that Title VII could be interpreted to cover sexual orientation.  Likewise, even if the full scope of the EEOC’s position is adopted, it is unclear if it would extend to full LGBT protection, since transgender claims are conceptually distinct.  Thus, employers will have to decide whether to change policies in the meantime to conform with the EEOC’s position or even adopt full LGBT protection, or await the outcome of the inevitable litigation and judicial decisions that will follow.