RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Archive for March, 2014

EEOC Holds Meeting on Social Media – Highlights Social Media Issues in Hiring Practices

Posted on: March 21st, 2014

By: Amanda Cash

On March 12, 2014, the EEOC convened a “listening session” to gather information about the growing use of social media and its impact on EEO issues.   For employers, the EEOC meeting highlighted some pertinent concerns.  In particular, a portion of the discussion concerned how employers should use social media in their hiring practices.

Jonathan Segal, testifying on behalf of the Society for Human Resource Management (SHRM), discussed how more and more employers are using social media in the hiring process, both in publicizing new jobs and in screening potential candidates.  SHRM surveyed its members over several years and found that 77 percent of companies surveyed reported in 2013 that they used social networking sites to recruit candidates, up from 34 percent in 2008.

However, using social media to screen candidates may allow an employer to learn about a candidate’s protected characteristics, which could potentially lead to claims of discriminatory hiring practices.  During the EEOC’s meeting, Renee Jackson of Nixon Peabody LLP, provided advice for employers using social media during the hiring process.  For employers who conduct a “social media background check,” these employers should consider having a third party, or at least a designated representative who is not involved in the hiring process, screen social media accounts.  Additionally, employers should only screen publically available information, meaning they should not ask candidates for passwords and user names.

While the EEOC did not indicate its intent to issue guidance on social media in the near future, this meeting suggests that the EEOC may be turning its attention towards social media and its EEO implications.  Employers would be wise to review their social media policies to establish a procedure for the use of social media in the hiring process and ensure that their policies protect against claims of discriminatory hiring practices.  If you have any questions about how to create or revise a social media policy for your workplace, please contact any of the attorneys in our Labor and Employment practice group.

White House Seeks an Increase in the Minimum Guaranteed Salary of Exempt Workers

Posted on: March 17th, 2014

By: Brad Adler  

You may already know about the President’s push to increase the federal minimum wage from $7.25 to $10.10, but it may come as a surprise that the White House is now seeking an increase for even exempt workers.   Under the Fair Labor Standards Act, employees who are exempt under what are commonly known as the “white collar exemptions” must be paid at least $455/week to qualify for the exemption.  If an employer pays the individual lower than that amount (which equates to $23,660/year), the employee does not qualify and is entitled to overtime for working more than 40 hours in a workweek.

The White House has now indicated that it intends to request that the United States Department of Labor issue new regulations which increase the minimum salary guarantee.  While the White House has not indicated the new amount it is seeking, some note that the weekly minimum salary would be $553 if it tracked inflation.  And The Economic Policy Institute, a think tank, recently proposed raising it to $970 a week, or $50,440 a year, so that anyone earning less than that must be paid overtime.

It is noteworthy that any proposed increase would not take effect immediately.  The Department of Labor would have to publish the new rule for comments and, then only after what is typically a very lengthy process, would it be able to issue a regulation setting a higher threshold.  Of course, some states already require companies to pay a higher minimum guaranteed amount to certain exempt workers.  California and New York, for instance, already require companies to pay certain exempt workers at least $600 per week.

Three Steps to Reduce Your Data Breach Exposure

Posted on: March 13th, 2014

By: David Cole

The U.S. is on pace for a record number of data breaches in 2013.  If you think your organization is not at risk, guess again.  Any organization with information about its customers, employees, or other individuals is exposed.  Statistics show that small and medium businesses are increasingly being targeted.  So, as you reflect on the past year and think about your priorities for 2014, here are three steps you can take reduce your data breach exposure.

1.         Buy Cyber Insurance

Costs associated with a data breach can be quite large, but usually are not covered by traditional liability policies.  So, many carriers now offer cyber insurance that is specifically designed for the risks of a data breach.  Coverage may include reimbursement for first-party costs such as legal fees, forensic experts, notification letters, and business interruption.  Other policies may cover third-party claims by individuals harmed by the breach.

According to the Ponemon Institute’s 2013 Cost of Data Breach Study, these expenses cost U.S. organizations an average of $188 per compromised record last year.  When you consider that the average breach involved 28,765 records, you can see why obtaining coverage for your organization is wise move for 2014.

2.         Establish a Culture of Data Security

In its 2013 Data Breach Investigations Report, Verizon reported that, despite the attention often given to the latest technologies, data breach statistics continue to be “dominated by well-known techniques, used against the same sort of assets, again and again.”  It thus cautioned businesses that “most breaches could still be easily prevented.”


To lower your risk, set a goal to make data security a prioritized, “board room” issue in 2014.  Do not relegate it to the IT department.  Conduct a risk assessment, learn what data your organization has, how it stored, how it can be accessed, and what you are doing to protect it.  If you do not yet have data security policies that require firewalls, anti-virus, encryption, and strong passwords, then do it now.

Of course, policies are useless if not followed by your employees.  According to a recent survey by The Financial Times, 93% of workers admit knowingly violating security policies designed to prevent data breaches.  So for 2014, do not “set it and forget it” with your data security policies.  Regularly communicate the risks of data breach and how to prevent it.  Teach your employees how to recognize phishing techniques that expose your organization to hackers, malware, and viruses.  A little investment now will save you time and money later.

3.         Create a Data Breach Response Plan

No security measures are perfect and most organizations will eventually experience a data breach.  According to the Ponemon study, U.S. organizations that had a data breach response plan reduced their costs by approximately $42 per compromised record in 2012.  Organizations that hired consultants like legal counsel and computer forensics experts lowered costs by another $13 per record.

Your plan should thus identify a Data Breach Response Team, including not just individuals within your organization, but your legal counsel, computer forensics expert, and other consultants.  Map out the procedures to follow in the event of a breach and who will be responsible for which tasks.  You do not want to be sorting through these issues on the fly after a breach occurs.

Working with legal counsel is especially important to protect as much as possible by the attorney-client privilege.  Bear in mind that your data breach counsel may not be your regular attorney, as it is important to work with someone who is experienced with the process, can help you navigate the myriad of notification laws, and help you guard against the potential of third-party claims down the road.  So, if you have more questions about how to implement a data breach response plan and lower your risks in 2014, please contact David Cole or another member of our Cyber Liability practice group.

Best Practices for Gramm-Leach-Bliley Compliance

Posted on: March 12th, 2014

By: David A. Cole

The U.S. Commodity Futures Trading Commission (Commission) recently issued a Staff Advisory on the recommended best practices for covered financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy.

Congress enacted the GLBA in 1999 to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information.  Specifically, under the Commission’s regulations, futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (covered entities) “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  Those policies and procedures must:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

According to the Staff Advisory, the recommended best practices include that each covered entity should develop, implement, and maintain a written information security and privacy program that is appropriate to its size and complexity, as well as to the nature and scope of its activities.  In addition, the program should require the covered entity to, at a minimum:

  1. Designate a specific employee with privacy and security management oversight responsibilities;
  2. Identify, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
  3. Design and implement safeguards, in writing, to control the identified risks;
  4. Training staff to implement the program and provide regular refreshers;
  5. Regularly test and monitor the safeguards;
  6. At least once every two years, arrange for an independent party to test and monitor the safeguards’ controls, systems, policies, and procedures;
  7. Implement third-party service-provider agreements which specify that the third party is maintaining appropriate safeguards;
  8. Regularly evaluate and adjusting the program; and
  9. Design and implement policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.

These best practices should look familiar to those who already deal with the various state laws that require companies to implement written information security programs, as well as entities that are required to comply with HIPAA.  Ultimately, whether a specific law requires it in one form or another, it is a best practice for every entity that maintains personal information, whether it be that of customers, clients, patients, or employees, should implement a data security program and implement a “culture of security” at their workplace.

President Obama to Seek Expansion of Overtime Pay

Posted on: March 12th, 2014

By: David Cole

In an article this morning, the New York Times is reporting that President Obama will direct the Department of Labor (“DOL”) to revise its regulations enforcing the Fair Labor Standards Act (“FLSA”) to increase the number of people who should receive overtime pay.  The FLSA is the federal law that establishes the minimum wage and requires that certain employees receive overtime pay at time and one-half their regular rate for all hours worked over 40 in a week.

Currently, businesses do not have to pay certain employees overtime if their job duties qualify them for an exemption, such as the “executive” exemption, which generally applies to employees who supervise the work of others.  Since it is unlikely that Congress could pass legislation to actually change the FLSA itself, it appears that President Obama plans to use his executive authority to direct the DOL to change the FLSA regulations instead.  His directions are expected to include, among other things, changes to the executive exemption so that fewer employees qualify for the exemption and, as a result, will have to be paid overtime.

The Washington Post, USA Today, and CNN also have reported on this issue.  More details are sure to follow, but there is likely going to be a lot of disagreement over these moves in the weeks and months ahead.