Is Your Business Data Secure from a Breach? What to do.

By: Kamron Abedi

Every day, businesses have their data compromised due to hacking, natural disasters, and human error. In 2017, there were 1,579 publicly recorded data breaches affecting 1.9 billion consumer records, costing the businesses involved an average of $3.62 million in damages. Fires, hurricanes, and other similar natural disasters destroy paper files and servers that store data. Finally, the leading cause of data loss is human error. People make mistakes and delete massive amounts of data accidentally. These incidents can happen to any business, large or small, so it is important to take the necessary steps to make sure your data is secure and backed up. It’s important to know what to do from a legal perspective when this happens. Below are four steps to take to ensure that your business’ data is protected from hacking, natural disasters, and human error, together with comments from a legal perspective.

Determine What Data Needs to be Secured

Most businesses have employee records, client records, trade secrets, proprietary information, financial records, and marketing information that need to be secure in order for the business to perform successfully and maintain compliance with privacy laws. For example, employee records relating to your employees’ health are protected by HIPAA, and disclosure of those records comes with penalties and fines for your business. Trade secrets and proprietary information are crucial to the success of your business, and if those records are compromised it can be financially disastrous for your business. Even though trade secrets and proprietary information are protected by statutes, once they are out, there is no going back. Therefore, it is important that you identify the information that your business needs to protect before deciding how to protect that information.

Create a Lean Data Retention Plan

Once you have identified the type of data that your business needs to retain and secure, implement a plan to keep only the necessary data and purge all unnecessary data from your business’ files and servers. Keeping unnecessary records and data will only make it more difficult and costly to secure and back up your business’ data. An effective data retention plan ensures that your business’ data is safe and allows your business to devote as little energy and as few resources to data retention as possible. When the data retention plan is in place, make sure that all of your employees are trained and understand the process.

Back Up and Secure the Data

It is important to back up your data in multiple locations in order to ensure that your data is not lost completely if one of your storage locations is compromised. If your business has paper files, it is imperative that you electronically back up all of your important or confidential files. A simple pipe burst or even a fire in a neighboring building can destroy paper files, and without a digital backup, they are lost forever. Depending on the amount of data your business needs to back up, you can use a flash drive, external hard drive, cloud backup, or other online data management service. Do not store the backup of your files in the same place where you keep the primary copy, as a natural disaster or accident can destroy both copies of your data.

Next, ensure that your data is secured, both in your primary storage space and your backup storage space. When keeping paper files, ensure that you keep them in a locked space and only grant access to the employees that absolutely need access to the records. In the case of a cloud backup or online data management service, ensure that the company you are using to store your data has an effective data security plan that will keep your files encrypted and out of the hands of hackers.

Privacy Law Updates and Changes

Finally, be sure to keep up with updates in privacy laws and changes in your business’ data retention needs. A data security plan is not effective unless it adapts to the growth of a business and any new regulations that affect the business.

What to do if your data has been breached?

In all states of the USA, there are data breach laws. There are also federal regulations that apply. These laws require businesses to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information. It’s important to know when and how you are required to inform individuals who have been impacted. In some states, you are required to notify individuals within 45 days. Most states also require written notice. While it would be impossible to sum all of this up in one short blog post, you can see the complete state-by-state data breach guide here.

Note that if you do business in Europe, the GDPR has laws that apply to you as well. See the Inside Entrepreneurship Law blog post: What Every Entrepreneur Needs to Know About the GDPR.

In closing, if you have had a breach, contact an attorney who is familiar with this area to help you immediately. Time is of the essence when it comes to compliance in this area.


Kamron Abedi, at the time of this post, is a third year law student at Penn State’s Dickinson Law. He is originally from Southern California and will start his legal career at Stevens & Lee in Reading, PA as an associate in their Corporate practice group. He is also the Founder & President of the Business Law Society at Dickinson Law.

 

Sources:

https://www.ftc.gov/news-events/blogs/business-blog/2018/09/your-business-prepared-emergency-your-data

https://www.ispartnersllc.com/blog/5-steps-developing-data-retention-policy/

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/new-guide-on-state-data-breach-laws.html

https://www.computerweekly.com/news/450297535/Human-error-causes-more-data-loss-than-malicious-attacks

Was I supposed to provide a “reasonable accommodation” for that?

By: Christopher Harris*

When? Where? What? How Long? and Why? If you are reading this blog post then chances are you are in one of three situations: 1) an Employee is suing you under the Americans with Disabilities Act (“ADA”) for failing to provide a reasonable accommodation; 2) an Employee asked for sick leave or extended leave under the Family Medical Leave Act (“FMLA”) and is now asking for an extension; or 3) an Employee made a comment to you and that comment has made you wonder if you should be doing more. This post is going to focus more on the last two scenarios because if you are being sued for failing to make a reasonable accommodation, you should seek an Attorney pretty fast to ensure you are preserving your best defenses from the beginning.

I also want to make a couple of assumptions known before continuing – this post assumes that you are a qualified employer, the employee is a qualified employee, and your company is subject to the ADA. This is a crucial first step when even determining if a reasonable accommodation, or the interactive process, is needed, but is one that will not be discussed here. Lastly, this is a very broad overview of reasonable accommodations – this subject is very fact intensive and should be analyzed further by an Attorney if you are truly worried.

The ADA is a federal law which does in fact create preferential treatment of one employee over another. In fact, courts have said that by definition, the ADA requires employers to treat employees with disabilities differently than employees without one. Due to this, you have to be careful about what is being asked of you.

When to begin the Interactive Process

FMLA Leave or Sick Leave

As an entrepreneur who is subject to the FMLA and ADA requirements, you may not have known that the two federal regulations could cross paths. Even if you did everything right under the FMLA regulations, you may have failed under the ADA requirements. When an Employee is out on extended leave, or FMLA leave, their disability could qualify under the “covered employee” definition of the ADA. When this happens, you have to be careful with conversations. The Employee may not be knowingly making an ADA request for a reasonable accommodation today, but could find out tomorrow after you have denied it.

Here is one type of scenario that you need to be concerned with. When you receive an FMLA request to be out for the full 12 weeks, and you grant it, you may be required to extend that leave another couple weeks or months.

If an employee brings a doctor’s note to you and the note tells you that the employee is almost ready to come back to work but really needs a couple more weeks off, this should set off alarms in your head. Even though the employee has used all of their sick leave and personal leave and has exhausted their FMLA leave, you may be required to give them more leave as a reasonable accommodation under the ADA. This is because the courts have found that extending leave is “reasonable” when it is not an “indefinite leave.”

This of course gets a little trickier when the employee has been out for 12 weeks and is then coming back in and asking for an additional 8 months of leave. Or, better yet, the doctor’s note tells you that the employee cannot come back tomorrow and she is unsure when the employee will be able to come back. When you’re dealing with these situations, call your Attorney.

Random Request for an Accommodation

You have to be listening to your employees when they come in and make complaints about their back hurting, or not being able to drive at night, or not being able to hear or see while at work, or not being able to concentrate without their pet snake being beside them. What you may dismiss as a common complaint could turn around and bite you tomorrow because you dismissed it.

Best practice is to say, “How can I help you?”

That’s right – when an employee comes forward and says something to the effect of “Man, I could really use [Insert Anything Here] because of my [Insert any Condition Here],” you should immediately be wondering if the ADA applies. Worst case scenario, the ADA applied and you ignored it, and now you have to pay an Attorney to fix everything.

The next most important thing to do is DOCUMENT EVERYTHING. This part is so important that I am going to bold, italicize, and underline it. As soon as the employee makes the request – I could really use X – you should be taking notes about what the employee said and what you said to help. This way, you can send the notes to your attorney and your attorney can make sure you’re protected.

Just because an employee has asked for a specific accommodation, “I could really use my pet snake at work to help me calm down,” does not mean you have to give that specific accommodation! (Let’s be real, who wants to work when their co-worker has a pet snake slithering around!) As the employer, you have the right to choose what is reasonable. You just have to go through that interactive process of talking it over with the employee.

For a more thorough analysis, check out the EEOC’s Guidance on Accommodations.


* This post was reproduced with permission by author Christopher Harris. Original post dated Dec. 2, 2018 can be found here.

Chris Harris, a Texas native, is a recent grad of Dickinson Law. He received a B.A. in History from Southern Arkansas University in 2013 and his Master of Laws degree from Radboud University, Nijmegen, Netherlands. He is now an Associate at Stock and Leader, LLP in York, PA. A more complete bio can be found here.

 

Sources:

Photo source: http://theemplawyerologist.com/2017/02/23/fmla-leave-reasonable-accommodation/

https://www.eeoc.gov/policy/docs/accommodation.html

The Americans with Disabilities Act of 1990, as amended, 42 USCS §§ 12101 et seq.

EEOC Fact Sheet – “The FMLA, the ADA, and Title VII of the Civil Rights Act of 1964”

U.S. Airways Inc. v. Barnett, 53 U.S. 391, 122 S. Ct. 1516 (2002).

Ruggiero v. Mount Nittany Medical Center, 2018 US App. LEXIS 15056 (3rd Cir. 2018)(unpublished)

Sessoms v. University of Pennsylvania, 2018 US App. LEXIS 16611 (3rd Cir. 2018)(unpublished)