RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Archive for December, 2016

California Strengthens Data Breach Notification Law, Again

Posted on: December 14th, 2016

By: : Kacie L. Manisco

On January 1, 2017, California’s data breach notification law will become even more stringent than it already is, requiring notification to individuals in some instances when encrypted personal information has been breached.

California’s current data breach notification law requires agencies, persons, and companies that conduct business in California, and that own or license computerized data that includes personal information (“Covered Entities”) to notify individuals whose personal information has been compromised, only where unencrypted information has been accessed.  This mirrors the majority of other data breach notification laws that provide a safe harbor for encrypted data that is lost or stolen.

The amendments to California’s law, however, will now require Covered Entities to provide notification of a breach to affected individuals whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person, business, or agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.”  In other words, beginning on January 1, there will no longer be a safe harbor in California for a breach of encrypted data if the Covered Entity knows or has a reasonable basis for believing that the unauthorized person also gained access to the encryption key.

In light of these changes, Covered Entities should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. All organizations also must be attentive to the ever-changing notice requirements under state and federal data breach notification laws.  Indeed, this amendment marks the sixth-time that California has amended its data breach notification statute since its inception in 2002.  Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at [email protected].

Use It or Lose It: Georgia Court of Appeals Upholds Finding of Arbitration Waiver

Posted on: December 12th, 2016

By: Jake Carroll

Recently, the Georgia Court of Appeals held that a party’s conduct in an original cause of action can constitute a waiver of its right to arbitrate in a renewed action. The opinion brings Georgia jurisprudence in line with related federal courts and clarifies a previously undecided area of arbitration law in Georgia, while also teaching a practical lesson to both practicing attorneys and parties who contract and litigate in Georgia.

In SunTrust Bank v. Lilliston, the Plaintiff, Lilliston, originally filed suit against SunTrust regarding charged and collected interest on loans issued by SunTrust. One of the loan agreements at issue contained an arbitration clause. Lilliston voluntarily dismissed the action twenty-one months after initially filing the case, following removal, discovery, summary judgment, and being placed on the trial calendar. When Lilliston refiled the case sixth months later, SunTrust moved to compel arbitration as provided in one of the loan agreements. The trial court denied the motion—finding that SunTrust waived its right to compel arbitration based on its actions in the original litigation.

The Court of Appeals affirmed the lower court, relying on legal precedent from the Eleventh Circuit, as well as prior decisions from its own docket. The opinion discussed the issue as one of first impression, but also aligned itself with a growing majority of courts in looking at the parties’ conduct to determine if arbitration has been waived. The Court of Appeals also upheld the trial court’s factual finding that “the delay and cost associated with conducting discovery prejudiced the [appellees].” The Court of Appeals again looked to the Eleventh Circuit, which has recognized prejudice in situations where litigation expenses could have been avoided had the parties gone to arbitration.

From this decision, both attorneys, and contracting parties can take away two practical lessons. First, parties should consider arbitration as an option at the outset of a case—not in the middle or end of a case. This can save time and money, and insure that arbitration is still available as an alternative to costly litigation later on in the case. The Court of Appeals makes clear that the purpose of arbitration is to reduce the cost of resolving a dispute, and that behaving inconsistently with that purpose waives the ability to arbitrate in the future.

Second, parties need to be mindful of how costly the litigation is likely to be for both sides if they want to pursue arbitration at a later date. The opinion in SunTrust suggests that a finding of waiver by the court is not governed by a defined set of rules. Instead, a finding of waiver is based on the totality of the circumstances—taking into account inconvenience to the other party, costs, time, involvement in discovery, and motions practice.

This may not be final answer from the Georgia courts on this issue as SunTrust filed certiorari to the Supreme Court of Georgia, yet developments in this area of the law remain important to monitor as courts take a harder line on wasting judicial and private resources.

For any questions you may have, please contact Jake Carroll at [email protected]

OSHA’s New Rule Requires Electronic Filing and Ditching the Post-Accident Drug Test

Posted on: December 5th, 2016

By: Daniel Nicholson

Employers may need to rethink their onsite injury and illness policies after the Occupational Safety and Health Administration (OSHA) released a new rule titled “Improve Tracking of Workplace Injuries and Illnesses.” With the objective of improving the number and accuracy of reported workplace injuries, OSHA is now requiring that employers submit their onsite injury and illness forms with OSHA electronically, citing that by making such information available to the public it will “nudge” employers to focus on safety.  OSHA’s reporting website, which goes live in February 2017, will allow employers to enter onsite injury and illness data manually, upload a CSV file, or file through the employers automated recordkeeping system.

More significantly the new rule is challenging standard employer practices after an onsite injury including disciplinary actions, employee incentive programs for not having injuries (100 days injury free!), and even post-accident drug testing policies. Under the new rule employers are required to inform their employees that they may report work-related injuries and illnesses free of retaliation, and reform any policies that may deter or discourage employees from reporting. Citing to the decision in Burlington Northern & Santa Fe Railway Co. v. White, 548 U.S. 53, 57 (2006) OSHA has stated that policies like the above could dissuade employees from self-reporting.

Challenges to the new rule have already been filed. In July of 2016 several large industry interest groups, including TEXO ABC/AGC, Inc., Associated Builders and Contractors, Inc., the National Association of Manufacturers, and the American Fuel & Petrochemical Manufacturers, brought suit against OSHA claiming that the new rule is too broad and goes too far (see TEXO ABC/AGC, et al. v. Thomas, et al., No. 3:16-CV-1998 (N.D. TX July 8, 2016)). Their motion to stop the rule from being enacted while the case is pending was denied and so the rule is set to go into effect on January 1, 2017. Construction companies with 20-249 or more employees must submit the information from their 2016 Form 300A by July 1, 2017.

For any questions, please contact Daniel Nicholson at [email protected].

Charlotte Officer “Justified” In High-Profile Shooting

Posted on: December 5th, 2016

By: Wes Jackson

Officer Brantley Vinson will not be criminally charged in a court of law for fatally shooting Keith L. Scott in Charlotte, N.C. on September 20, 2016. It appears that charges are still pending in the proverbial “court of public opinion,” however.

Soon after the shooting, two narratives of the incident emerged: according to the police, Scott was armed and refused to drop his weapon after repeated commands. But according to Scott’s family and purported witnesses of the shooting, Scott was unarmed and minding his own business, reading a book, when police confronted him. The divergent narratives fueled days of protests—some violent—throughout Charlotte immediately after the shooting.

On November 30, 2016, Mecklenburg County district attorney R. Andrew Murray announced in a 40-minute news conference that he was “fully satisfied and entirely convinced that Officer Vincent’s use of deadly force was lawful,” and that no criminal charges would be filed against the officer. The same day, the district attorney’s office released a 20-page investigative report on the shooting.

The New York Times noted that the news conference “at times took on the feel of a courtroom argument.” Indeed, it is increasingly apparent in the wake of a police shooting that how officials make their “closing arguments” in the court of public opinion can have drastic consequences for their officers or the community. For instance, after Missouri state prosecutor Bob McCulloch announced a grand jury’s decision not to indict the officer who shot Michael Brown in Ferguson, Missouri in 2014, the community responded with riots and arson. On the opposite end of the spectrum, Baltimore City state’s attorney Marilyn Mosby’s failed attempt to criminally prosecute officers involved in Freddie Gray’s arrest and death has been widely characterized as incompetent by some critics and an “egregious rush to judgment” by the Fraternal Office of Police.

If there is anything to be learned from the Charlotte shooting and the dialogue surrounding it, it’s that the “courts of law” and the “court of public opinion” operate on different planes and by different rules.

First, there are no rules of evidence in the court of public opinion. Statements on social media from purported eyewitnesses to the Charlotte shooting that Scott was unarmed and reading a book when confronted by police spawned days of violent protests and riots across the city. However, the investigation revealed that a gun was found next to Scott’s body after he was shot—cocked and loaded, with Scott’s DNA found in two locations on the gun. No book was found at the scene of the shooting, and several of the “eyewitnesses” who claimed on social media that Scott was unarmed were later determined to have not witnessed the shooting at all.

Second, the court of public opinion demands that the wheels of justice grind faster than they do in a court of law—perhaps to the detriment of discovering the truth. Protesters in Charlotte, along with the ACLU and NAACP, called for the release of police video footage before investigators had interviewed all potential witnesses. The demands for the early release of such evidence pits the public’s need for transparency against the integrity of official investigations.

Third, while Lady Justice’s blindfold represents the objectivity one hopes to find in a court of law, objectivity is less prevalent in the court of public opinion. Charlotte-Mecklenburg Police Chief Kerr Putney recognized this fact when he was asked whether releasing videos of the shooting would calm the violence in Charlotte: “I would like to think that but I can tell you this . . . there’s your truth, my truth, and the truth. Some people already made up their minds what happened.” Indeed, even after the district attorney’s office released the videos and other evidence apparently confirming the officers’ version of the shooting, many in Charlotte still took to the streets to protest the decision not to prosecute.

So, how should police chiefs and other public officials address the court of public opinion after a police shooting? At a minimum, public officials must be aware of the public’s changing attitudes and increased scrutiny on policing, and judge their actions and statements accordingly.

For any questions you may have, please contact the attorneys of the Government Practice Group.


OCR Issues Alert About Phishing Email Scam

Posted on: December 2nd, 2016

By: David Cole

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published an alert notifying HIPAA covered entities and business associates of a phishing email being circulated on fake HHS letterhead and under the alleged signature of OCR’s Director, Jocelyn Samuels. The email suggests to recipients that they are being included in the current HIPAA Audit Program and directs them to click on a link. The link then takes recipients to a nongovernmental website marketing a firm’s cybersecurity services.

OCR states that the phishing email originates from the email address [email protected] and directs individuals to a URL at This is very similar to the official email address for OCR’s HIPAA Audit Program, which is [email protected]. However, OCR has stated that it is in no way associated with the cybersecurity firm apparently behind these emails, and that these emails are not part of the HIPAA Audit Program. Actual communications from OCR about the HIPAA Audit Program are sent to selected auditees from the email address [email protected].

Covered entities and business associates should make their workforce members aware of this phishing campaign and remind them to be vigilant and not click on links or attachments that seem suspicious or come from unknown sources. OCR has stated that you can contact it at [email protected] if you have a question about whether a communication you receive about a HIPAA audit is legitimate.